Microsoft Sentinel Analytic Rules

Claroty - Policy violation

Id: 3b22ac47-e02c-4599-a37a-57f965de17be
Rulename: Claroty - Policy violation
Description: Detects Claroty policy violation events from ClarotyEvent when EventOriginalType or EventType contains 'Policy Violation'. Use this rule to identify policy enforcement events that may indicate unauthorized discovery or prohibited network activity. This rule expects ClarotyEvent data to be available in the workspace.
Severity: High
Tactics: Discovery
Techniques: T1018, T1135
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
Version: 1.0.4
Arm template: 3b22ac47-e02c-4599-a37a-57f965de17be.json
ClarotyEvent
  | where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr
status: Available
queryFrequency: 1h
queryPeriod: 1h
triggerOperator: gt
query: |
  ClarotyEvent
    | where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'
    | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
    | extend IPCustomEntity = DstIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
tactics:
- Discovery
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
alertDetailsOverride:
  alertDescriptionFormat: 'Claroty reported a policy violation for {{IPCustomEntity}}. EventOriginalType: {{EventOriginalType}}. EventType: {{EventType}}'
  alertDisplayNameFormat: Claroty policy violation detected for {{IPCustomEntity}}
relevantTechniques:
- T1018
- T1135
customDetails:
  EventType: EventType
  EventOriginalType: EventOriginalType
  DestinationIP: DstIpAddr
description: |
  'Detects Claroty policy violation events from ClarotyEvent when EventOriginalType or EventType contains 'Policy
  Violation'. Use this rule to identify policy enforcement events that may indicate unauthorized discovery or prohibited network
  activity. This rule expects ClarotyEvent data to be available in the workspace.'
name: Claroty - Policy violation
version: 1.0.4
kind: Scheduled
id: 3b22ac47-e02c-4599-a37a-57f965de17be
severity: High