Microsoft Sentinel Analytic Rules

Claroty - New Asset

Id: 6c29b611-ce69-4016-bf99-eca639fee1f5
Rulename: Claroty - New Asset
Description: Triggers when Claroty reports a new asset event in the environment, indicating that a previously unseen device or system has been discovered and should be reviewed for authorization, ownership, and expected network placement.
Severity: High
Tactics: InitialAccess, Discovery
Techniques: T1190, T1133, T1082
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
Version: 1.0.4
Arm template: 6c29b611-ce69-4016-bf99-eca639fee1f5.json
ClarotyEvent
| where EventOriginalType has 'New Asset' or EventType has 'New Asset'
| extend IPCustomEntity = SrcIpAddr
| extend AlertTitle = strcat('Claroty new asset detected from ', coalesce(SrcIpAddr, 'unknown source'))
| extend AlertDescription = strcat('Claroty reported a new asset event from source IP ', coalesce(SrcIpAddr, 'unknown'), '.')
| project IPCustomEntity, AlertTitle, AlertDescription
triggerOperator: gt
kind: Scheduled
description: |
  'Triggers when Claroty reports a new asset event in the environment, indicating that a previously unseen device
  or system has been discovered and should be reviewed for authorization, ownership, and expected network placement.'
version: 1.0.4
id: 6c29b611-ce69-4016-bf99-eca639fee1f5
name: Claroty - New Asset
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
queryFrequency: 1h
status: Available
query: |
  ClarotyEvent
  | where EventOriginalType has 'New Asset' or EventType has 'New Asset'
  | extend IPCustomEntity = SrcIpAddr
  | extend AlertTitle = strcat('Claroty new asset detected from ', coalesce(SrcIpAddr, 'unknown source'))
  | extend AlertDescription = strcat('Claroty reported a new asset event from source IP ', coalesce(SrcIpAddr, 'unknown'), '.')
  | project IPCustomEntity, AlertTitle, AlertDescription
triggerThreshold: 0
queryPeriod: 1h
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
relevantTechniques:
- T1190
- T1133
- T1082
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
severity: High
tactics:
- InitialAccess
- Discovery