Microsoft Sentinel Analytic Rules

Claroty - Suspicious file transfer

Id: 5cf35bad-677f-4c23-8927-1611e7ff6f28
Rulename: Claroty - Suspicious file transfer
Description: Detects Claroty events where EventOriginalType or EventType contains Suspicious File Transfer and maps the destination IP as the primary entity for triage.
Severity: High
Tactics: Discovery, Exfiltration
Techniques: T1018, T1020
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
Version: 1.0.4
Arm template: 5cf35bad-677f-4c23-8927-1611e7ff6f28.json
ClarotyEvent
| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType, IPCustomEntity
name: Claroty - Suspicious file transfer
query: |
  ClarotyEvent
  | where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType, IPCustomEntity
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
queryPeriod: 1h
version: 1.0.4
tactics:
- Discovery
- Exfiltration
triggerOperator: gt
kind: Scheduled
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
alertDetailsOverride:
  alertDescriptionFormat: Claroty flagged suspicious file transfer activity to {{DstIpAddr}} using event type {{EventType}}
  alertDisplayNameFormat: Claroty suspicious file transfer to {{DstIpAddr}}
relevantTechniques:
- T1018
- T1020
id: 5cf35bad-677f-4c23-8927-1611e7ff6f28
customDetails:
  EventOriginalType: EventOriginalType
  EventType: EventType
severity: High
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
status: Available
description: Detects Claroty events where EventOriginalType or EventType contains Suspicious File Transfer and maps the destination IP as the primary entity for triage.
queryFrequency: 1h