Emerging Sources
Emerging sources refers to data ingested from new sources that are not yet natively supported within the Flare platform. We've built the emerging source system to enable rapid integration of previously uncovered datasets, reducing visibility gaps and expanding overall data coverage.

Unlike events from standard collection data, emerging source events include basic metadata only and display raw, view-only content. They also do not include severity scoring or AI Assist. Emerging source data may not be retained long term, and Flare reserves the right to add or remove emerging sources at any time.

If you find value in one of our emerging sources and would like the data to be enriched or improved, please reach out to our support team (https://support.flare.io).

Future Emerging Sources

New sources will be added to Flare on a case-by-case basis as we discover them. If you are aware of a new source that you would like to see in Flare, please reach out to our support team (https://support.flare.io) and we will review its feasibility.

Emerging Sources

The following emerging sources are currently available. This list may change as Flare adds and removes sources over time.

App Store
Poses security risks because these app stores may host unverified and/or malicious apps. Gives you visibility into illegitimate versions of your mobile apps being disseminated on APK sites and app stores. Helpful for notable brand names and/or customers who have a portfolio of mobile applications on Google Play.

Botnet
Threat actor groups often have access to networks of compromised devices, or "botnets", that can be used in attacks. Flare's research team has intelligence about these botnets, such as IP addresses and target/victim company names. Gives you visibility to see if you have been targeted by a botnet and/or if you have any assets that are unknowingly part of a botnet.

Docker Hub Files
We actively monitor public Docker Hub repositories to identify exposed secrets and misconfigurations in container images. By analyzing image manifests and selected layers, we help uncover potential security risks that could lead to supply chain attacks.

Package Registry Monitoring
We actively monitor public package registries (PyPI, npm, crates.io (https://crates.io/), and Hackage) to identify exposed secrets in published package versions. By scanning package contents at each new release, we help uncover credential leaks that could enable supply chain attacks or unauthorized access to the services those credentials grant. In many cases, affected organizations will see author email addresses tied to their domains, alongside any secrets embedded in the package itself, such as cloud credentials, API tokens, or internal endpoints. Because published package versions remain publicly available indefinitely, exposures can persist long after the originating publisher has moved on or rotated the affected credentials.

Potential Stealer Logs
This contains "rejected" stealer logs from our traditional pipeline. Any files that appear to be stealer logs but are missing critical information or are of an unsupported layout can be found here.

Ransomware Files
This source will consist of files related to ransomware attacks. We'll be uploading these files and creating events in the platform based on the content extracted from them.

SEC 8-K Filings
We are monitoring SEC 8-K filings, specifically under Item 1.05, Material Cybersecurity Incidents. These filings provide timely alerts when publicly traded companies report significant cybersecurity incidents.

Shai-Hulud – GitHub Exfiltration Repositories
This emerging source tracks public GitHub repositories created by the Shai-Hulud 2.0 npm worm, which exfiltrates credentials and secrets from compromised systems. The malware uses stolen GitHub tokens to push harvested data (for example, files such as truffleSecrets.json) into newly created repositories. In many cases, affected organizations will see email addresses using their domains or other identifiers within these repositories. Because the worm can reuse previously compromised GitHub tokens, the repository owner or committer is not always the same individual whose data was exfiltrated. Flare ingests these repositories so you can search for your identifiers and assess whether secrets or other sensitive data belonging to your organization have been exposed.

Unparsed Leaks
Includes various PII breaches, along with any "unverified" breaches we find online. For example, the PII part of the PureIncubation breach would have been a good fit here. Unparsed breaches refer to leaks posted on cybercrime forums where the origin can't be validated. A breach is considered "verified" when it's recognized by services like Have I Been Pwned (HIBP) or included in "official" lists on dark web forums.

Other Found Files
This source will contain any other files identified by the Flare team that hold potential value but don't fit into the categories above.

How to See Emerging Source Data

Emerging source data is "opt-in", meaning that this data is not selected by default for any identifiers or for the event search.

Configuring Identifiers
To view emerging source data for an identifier, select the Emerging Source category from the Categories dropdown. Note that this category is not selected when using the Select All option and must be enabled manually.

Searching in Events
To see events from the emerging source data, select this data category from the Categories dropdown when viewing the events feed.
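The following is an added example, not Flare's code, showing the kind of check the Package Registry Monitoring and Shai-Hulud sections describe: scanning a published package archive for embedded secrets (cloud keys, tokens, internal endpoints) and for author email addresses under a watched domain, so that a release can be reviewed before or after it is published. The sdist tarball, the watched domain and the pattern set are all constructed here for illustration.

```python
import io
import re
import tarfile

# Constructed patterns for a few long-lived credential formats; real registry
# monitoring would use a much larger, maintained pattern set (assumption).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "internal_endpoint": re.compile(r"https?://[\w.-]+\.internal\b[^\s'\"]*"),
}
EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[\w-]+")


def scan_sdist(tar_bytes: bytes, watched_domain: str) -> list[tuple[str, str, str]]:
    """Return (member, kind, value) for each secret-like string and each e-mail
    address under watched_domain found in the text files of a .tar.gz sdist."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            try:
                text = tar.extractfile(member).read().decode("utf-8")
            except UnicodeDecodeError:
                continue  # binary member: needs other tooling, skip here
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append((member.name, kind, m.group(0)))
            for m in EMAIL_RE.finditer(text):
                if m.group(0).lower().endswith("@" + watched_domain.lower()):
                    findings.append((member.name, "author_email", m.group(0)))
    return findings


def build_sample_sdist() -> bytes:
    """Constructed sdist: a watched author address plus a leaked key and endpoint."""
    files = {
        "pkg-1.0/PKG-INFO": "Name: pkg\nVersion: 1.0\nAuthor-email: dev@example.com\n",
        "pkg-1.0/pkg/settings.py": "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
                                   "API_URL = 'https://api.corp.internal/v1'\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content.encode())
            tar.addfile(info, io.BytesIO(content.encode()))
    return buf.getvalue()
```

Running `scan_sdist(build_sample_sdist(), "example.com")` reports the author address, the access key id and the internal endpoint with the archive member each was found in; the same scan applied to a cloned exfiltration repository would surface the watched-domain identifiers the Shai-Hulud section tells you to search for.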