Claroty - Treat detected

Back


Id	731e5ac4-7fe1-4b06-9941-532f2e008bb3
Rulename	Claroty - Treat detected
Description	Detects Collection of known malware commands and control servers.
Severity	High
Tactics	Discovery
Techniques	T1018
Required data connectors	CefAma Claroty ClarotyAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
Version	1.0.2
Arm template	731e5ac4-7fe1-4b06-9941-532f2e008bb3.json

KQL

ClarotyEvent
| where EventOriginalType has 'Treat' or EventType has 'Treat'
| project TimeGenerated, DstIpAddr
| extend IPCustomEntity = DstIpAddr

YAML

relevantTechniques:
- T1018
name: Claroty - Treat detected
requiredDataConnectors:
- dataTypes:
  - ClarotyEvent
  connectorId: Claroty
- dataTypes:
  - ClarotyEvent
  connectorId: ClarotyAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerThreshold: 0
id: 731e5ac4-7fe1-4b06-9941-532f2e008bb3
tactics:
- Discovery
version: 1.0.2
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
queryPeriod: 1h
kind: Scheduled
queryFrequency: 1h
severity: High
status: Available
description: |
    'Detects Collection of known malware commands and control servers.'
query: |
  ClarotyEvent
  | where EventOriginalType has 'Treat' or EventType has 'Treat'
  | project TimeGenerated, DstIpAddr
  | extend IPCustomEntity = DstIpAddr  
triggerOperator: gt

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/731e5ac4-7fe1-4b06-9941-532f2e008bb3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/731e5ac4-7fe1-4b06-9941-532f2e008bb3')]",
      "properties": {
        "alertRuleTemplateName": "731e5ac4-7fe1-4b06-9941-532f2e008bb3",
        "customDetails": null,
        "description": "'Detects Collection of known malware commands and control servers.'\n",
        "displayName": "Claroty - Treat detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml",
        "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1018"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}