Microsoft Sentinel Analytic Rules

Claroty - Suspicious file transfer

Id: 5cf35bad-677f-4c23-8927-1611e7ff6f28
Rulename: Claroty - Suspicious file transfer
Description: Detects Claroty events where EventOriginalType or EventType contains Suspicious File Transfer and maps the destination IP as the primary entity for triage.
Severity: High
Tactics: Discovery, Exfiltration
Techniques: T1018, T1020
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
Version: 1.0.4
Arm template: 5cf35bad-677f-4c23-8927-1611e7ff6f28.json
ClarotyEvent
| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType, IPCustomEntity
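To check the filter before deploying the rule, run the same logic against constructed rows standing in for the ClarotyEvent parser (which the requiredDataConnectors entry shows is fed from CommonSecurityLog). This is an added example, not code from the Claroty solution or the Azure-Sentinel repository: the datatable name ClarotyEventSample, the timestamps and the 192.0.2.0/24 addresses are constructed test data, and the rows are chosen to exercise the two columns the rule inspects.

```kql
// Added test harness, not part of the shipped rule. The datatable replaces the
// ClarotyEvent parser so the filter can be run in Logs without live Claroty data.
// All rows are constructed; the addresses are from the 192.0.2.0/24 documentation range.
let ClarotyEventSample = datatable(TimeGenerated:datetime, DstIpAddr:string, EventOriginalType:string, EventType:string)
[
    // full phrase in EventOriginalType
    datetime(2024-01-15T10:00:00Z), "192.0.2.10", "Suspicious File Transfer", "Alert",
    // full phrase in EventType, lower case, to exercise the case handling of has
    datetime(2024-01-15T10:05:00Z), "192.0.2.11", "Alert", "suspicious file transfer",
    // only part of the phrase, to confirm has does not match a partial term sequence
    datetime(2024-01-15T10:10:00Z), "192.0.2.12", "File Transfer", "Alert",
    // unrelated Claroty event types
    datetime(2024-01-15T10:15:00Z), "192.0.2.13", "Policy Violation", "Baseline Deviation"
];
// Body of the analytic rule, unchanged apart from the source table.
ClarotyEventSample
| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType, IPCustomEntity
```

The filter uses has, a case-insensitive whole-term match, rather than a substring contains: the lower-case row for 192.0.2.11 survives, while the row carrying only "File Transfer" does not. With triggerThreshold 0 and triggerOperator gt, a single surviving row is enough to raise an alert, and the IPCustomEntity column is the one the entityMappings block binds to the IP entity, so a row whose DstIpAddr is empty will produce an alert with no IP entity attached.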
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
triggerOperator: gt
tactics:
- Discovery
- Exfiltration
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
alertDetailsOverride:
  alertDescriptionFormat: Claroty flagged suspicious file transfer activity to {{DstIpAddr}} using event type {{EventType}}
  alertDisplayNameFormat: Claroty suspicious file transfer to {{DstIpAddr}}
version: 1.0.4
query: |
  ClarotyEvent
  | where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType, IPCustomEntity  
triggerThreshold: 0
relevantTechniques:
- T1018
- T1020
queryPeriod: 1h
status: Available
severity: High
kind: Scheduled
customDetails:
  EventOriginalType: EventOriginalType
  EventType: EventType
name: Claroty - Suspicious file transfer
queryFrequency: 1h
id: 5cf35bad-677f-4c23-8927-1611e7ff6f28
description: Detects Claroty events where EventOriginalType or EventType contains Suspicious File Transfer and maps the destination IP as the primary entity for triage.
requiredDataConnectors:
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma