Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Claroty - Policy violation

Claroty - Policy violation

Back
Id3b22ac47-e02c-4599-a37a-57f965de17be
RulenameClaroty - Policy violation
DescriptionDetects Claroty policy violation events from ClarotyEvent when EventOriginalType or EventType contains ‘Policy

Violation’. Use this rule to identify policy enforcement events that may indicate unauthorized discovery or prohibited network

activity. This rule expects ClarotyEvent data to be available in the workspace.
SeverityHigh
TacticsDiscovery
TechniquesT1018
T1135
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
Version1.0.4
Arm template3b22ac47-e02c-4599-a37a-57f965de17be.json
Deploy To Azure
ClarotyEvent
  | where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr

relevantTechniques:
- T1018
- T1135
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
version: 1.0.4
id: 3b22ac47-e02c-4599-a37a-57f965de17be
severity: High
kind: Scheduled
queryFrequency: 1h
description: |
  'Detects Claroty policy violation events from ClarotyEvent when EventOriginalType or EventType contains 'Policy
  Violation'. Use this rule to identify policy enforcement events that may indicate unauthorized discovery or prohibited network
  activity. This rule expects ClarotyEvent data to be available in the workspace.'  
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
triggerOperator: gt
name: Claroty - Policy violation
tactics:
- Discovery
alertDetailsOverride:
  alertDescriptionFormat: 'Claroty reported a policy violation for {{IPCustomEntity}}. EventOriginalType: {{EventOriginalType}}. EventType: {{EventType}}'
  alertDisplayNameFormat: Claroty policy violation detected for {{IPCustomEntity}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
triggerThreshold: 0
queryPeriod: 1h
query: |
  ClarotyEvent
    | where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'
    | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
    | extend IPCustomEntity = DstIpAddr  
status: Available
customDetails:
  EventOriginalType: EventOriginalType
  EventType: EventType
  DestinationIP: DstIpAddr