Microsoft Sentinel Analytic Rules

Claroty - New Asset

Id: 6c29b611-ce69-4016-bf99-eca639fee1f5
Rulename: Claroty - New Asset
Description: Triggers when Claroty reports a new asset event in the environment, indicating that a previously unseen device or system has been discovered and should be reviewed for authorization, ownership, and expected network placement.
Severity: High
Tactics: InitialAccess, Discovery
Techniques: T1190, T1133, T1082
Required data connectors: CefAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
Version: 1.0.4
Arm template: 6c29b611-ce69-4016-bf99-eca639fee1f5.json
ClarotyEvent
| where EventOriginalType has 'New Asset' or EventType has 'New Asset'
| extend IPCustomEntity = SrcIpAddr
| extend AlertTitle = strcat('Claroty new asset detected from ', coalesce(SrcIpAddr, 'unknown source'))
| extend AlertDescription = strcat('Claroty reported a new asset event from source IP ', coalesce(SrcIpAddr, 'unknown'), '.')
| project IPCustomEntity, AlertTitle, AlertDescription
queryPeriod: 1h
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
relevantTechniques:
- T1190
- T1133
- T1082
triggerOperator: gt
triggerThreshold: 0
status: Available
name: Claroty - New Asset
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
id: 6c29b611-ce69-4016-bf99-eca639fee1f5
version: 1.0.4
description: |
  'Triggers when Claroty reports a new asset event in the environment, indicating that a previously unseen device
  or system has been discovered and should be reviewed for authorization, ownership, and expected network placement.'  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
query: |
  ClarotyEvent
  | where EventOriginalType has 'New Asset' or EventType has 'New Asset'
  | extend IPCustomEntity = SrcIpAddr
  | extend AlertTitle = strcat('Claroty new asset detected from ', coalesce(SrcIpAddr, 'unknown source'))
  | extend AlertDescription = strcat('Claroty reported a new asset event from source IP ', coalesce(SrcIpAddr, 'unknown'), '.')
  | project IPCustomEntity, AlertTitle, AlertDescription  
queryFrequency: 1h
kind: Scheduled
tactics:
- InitialAccess
- Discovery
severity: High
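Two things about the query above are easy to get wrong when tuning or testing it. First, `ClarotyEvent` is not a table: it is the parser function the Claroty solution deploys over `CommonSecurityLog` (the data type the CefAma connector ingests), so the rule silently returns nothing if the parser is missing or its column names differ from `EventOriginalType`, `EventType` and `SrcIpAddr`. Second, `has` is a term match, not a substring match: it is case-insensitive and only matches whole terms, so `'New Asset'` matches `new asset` but not `New Assets`. The Python below is an added example that re-implements the rule's where/extend/project pipeline over constructed CEF lines so the filter and the entity mapping can be checked offline; it is not code from the Azure Sentinel repository, the Claroty solution or this site. The CEF layout (event name in the CEF header Name slot, a category in `cat`, the asset address in `src`) and the mapping of those fields onto the parser columns are assumptions for illustration.

```python
"""Offline re-implementation of the 'Claroty - New Asset' rule pipeline.

Added example, not code from the Azure Sentinel repo, the Claroty solution or
cloudbrothers.info. ASSUMED for illustration: Claroty puts the event name in the
CEF header 'Name' slot, a category in the 'cat' extension and the asset address
in 'src', and the ClarotyEvent parser exposes these as EventOriginalType,
EventType and SrcIpAddr.
"""
import re

# Constructed sample CEF lines (not real Claroty output).
SAMPLE_CEF = [
    "CEF:0|Claroty|CTD|4.2|100|New Asset|3|src=10.20.30.40 dvc=10.1.1.5 cat=New Asset msg=Previously unseen PLC",
    "CEF:0|Claroty|CTD|4.2|101|Policy Violation|5|src=10.20.30.41 cat=Policy Violation",
    # lower-case name and no src: 'has' is case-insensitive, coalesce() fills the gap
    "CEF:0|Claroty|CTD|4.2|100|new asset|3|cat=New Asset",
    # 'Assets' is a different term from 'Asset', so 'has' must not match this one
    "CEF:0|Claroty|CTD|4.2|102|New Assets Summary|1|src=10.20.30.42 cat=Report",
]

# key=value pairs; a value runs until the next " key=" or end of line
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_TERM_RE = re.compile(r"[A-Za-z0-9_]+")


def parse_cef(line):
    """Split a CEF line into its 7 header fields plus an extension dict."""
    parts = line.split("|", 7)
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line: %r" % line)
    ext = parts[7] if len(parts) == 8 else ""
    return {
        "Vendor": parts[1],
        "Product": parts[2],
        "Version": parts[3],
        "SignatureId": parts[4],
        "Name": parts[5],
        "Severity": parts[6],
        "Extension": dict(_EXT_RE.findall(ext)),
    }


def to_claroty_event(cef):
    """ASSUMED mapping of CEF fields onto the ClarotyEvent parser columns."""
    ext = cef["Extension"]
    return {
        "EventOriginalType": cef["Name"],
        "EventType": ext.get("cat"),
        "SrcIpAddr": ext.get("src"),
    }


def kql_has(value, phrase):
    """Approximate KQL 'has': case-insensitive, whole-term match; a multi-word
    phrase must appear as consecutive terms. 'contains' would be substring-based."""
    if value is None:
        return False
    terms = [t.lower() for t in _TERM_RE.findall(value)]
    wanted = [t.lower() for t in _TERM_RE.findall(phrase)]
    n = len(wanted)
    return any(terms[i:i + n] == wanted for i in range(len(terms) - n + 1))


def kql_coalesce(value, fallback):
    """KQL coalesce() treats an empty string like null for string arguments."""
    return value if value else fallback


def run_rule(lines):
    """Apply the rule's where/extend/project steps to raw CEF lines."""
    alerts = []
    for line in lines:
        ev = to_claroty_event(parse_cef(line))
        if not (kql_has(ev["EventOriginalType"], "New Asset")
                or kql_has(ev["EventType"], "New Asset")):
            continue
        src = ev["SrcIpAddr"]
        alerts.append({
            "IPCustomEntity": src,
            "AlertTitle": "Claroty new asset detected from "
                          + kql_coalesce(src, "unknown source"),
            "AlertDescription": "Claroty reported a new asset event from source IP "
                                + kql_coalesce(src, "unknown") + ".",
        })
    return alerts


if __name__ == "__main__":
    for alert in run_rule(SAMPLE_CEF):
        print(alert)
```

Running it on the four constructed lines yields two alerts: the first carries `10.20.30.40` as the IP entity, the third has no `src` and so produces an alert with a null entity and the `unknown source` title; the policy violation and the `New Assets Summary` line are dropped. The null-entity case is worth watching in production, since an incident with no mapped entity gives an analyst nothing to pivot on.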