Microsoft Sentinel Analytic Rules

Claroty - Suspicious file transfer

Id: 5cf35bad-677f-4c23-8927-1611e7ff6f28
Rulename: Claroty - Suspicious file transfer
Description: Detects Claroty events where EventOriginalType or EventType contains Suspicious File Transfer and maps the destination IP as the primary entity for triage.
Severity: High
Tactics: Discovery, Exfiltration
Techniques: T1018, T1020
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
Version: 1.0.4
Arm template: 5cf35bad-677f-4c23-8927-1611e7ff6f28.json
ClarotyEvent
| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType, IPCustomEntity
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tactics:
- Discovery
- Exfiltration
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
alertDetailsOverride:
  alertDisplayNameFormat: Claroty suspicious file transfer to {{DstIpAddr}}
  alertDescriptionFormat: Claroty flagged suspicious file transfer activity to {{DstIpAddr}} using event type {{EventType}}
id: 5cf35bad-677f-4c23-8927-1611e7ff6f28
severity: High
status: Available
customDetails:
  EventType: EventType
  EventOriginalType: EventOriginalType
query: |
  ClarotyEvent
  | where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType, IPCustomEntity  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.4
name: Claroty - Suspicious file transfer
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1018
- T1020
description: Detects Claroty events where EventOriginalType or EventType contains Suspicious File Transfer and maps the destination IP as the primary entity for triage.
triggerOperator: gt