Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Claroty - Policy violation

Claroty - Policy violation

Back
Id3b22ac47-e02c-4599-a37a-57f965de17be
RulenameClaroty - Policy violation
DescriptionDetects Claroty policy violation events from ClarotyEvent when EventOriginalType or EventType contains ‘Policy

Violation’. Use this rule to identify policy enforcement events that may indicate unauthorized discovery or prohibited network

activity. This rule expects ClarotyEvent data to be available in the workspace.
SeverityHigh
TacticsDiscovery
TechniquesT1018
T1135
Required data connectorsCefAma
KindScheduled
Query frequency1h
Query period1h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
Version1.0.4
Arm template3b22ac47-e02c-4599-a37a-57f965de17be.json
Deploy To Azure
ClarotyEvent
  | where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr

entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tactics:
- Discovery
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
alertDetailsOverride:
  alertDisplayNameFormat: Claroty policy violation detected for {{IPCustomEntity}}
  alertDescriptionFormat: 'Claroty reported a policy violation for {{IPCustomEntity}}. EventOriginalType: {{EventOriginalType}}. EventType: {{EventType}}'
id: 3b22ac47-e02c-4599-a37a-57f965de17be
severity: High
status: Available
customDetails:
  EventType: EventType
  EventOriginalType: EventOriginalType
  DestinationIP: DstIpAddr
query: |
  ClarotyEvent
    | where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'
    | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
    | extend IPCustomEntity = DstIpAddr  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.4
name: Claroty - Policy violation
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1018
- T1135
description: |
  'Detects Claroty policy violation events from ClarotyEvent when EventOriginalType or EventType contains 'Policy
  Violation'. Use this rule to identify policy enforcement events that may indicate unauthorized discovery or prohibited network
  activity. This rule expects ClarotyEvent data to be available in the workspace.'  
triggerOperator: gt