Claroty - Treat detected

Back


Id	731e5ac4-7fe1-4b06-9941-532f2e008bb3
Rulename	Claroty - Treat detected
Description	Detects Collection of known malware commands and control servers.
Severity	High
Tactics	Discovery
Techniques	T1018
Required data connectors	CefAma Claroty ClarotyAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
Version	1.0.3
Arm template	731e5ac4-7fe1-4b06-9941-532f2e008bb3.json

KQL

ClarotyEvent
| where EventOriginalType has 'Treat' or EventType has 'Treat'
| project TimeGenerated, DstIpAddr
| extend IPCustomEntity = DstIpAddr

YAML

kind: Scheduled
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
description: |
    'Detects Collection of known malware commands and control servers.'
severity: High
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1018
status: Available
tactics:
- Discovery
name: Claroty - Treat detected
id: 731e5ac4-7fe1-4b06-9941-532f2e008bb3
query: |
  ClarotyEvent
  | where EventOriginalType has 'Treat' or EventType has 'Treat'
  | project TimeGenerated, DstIpAddr
  | extend IPCustomEntity = DstIpAddr  
requiredDataConnectors:
- dataTypes:
  - ClarotyEvent
  connectorId: Claroty
- dataTypes:
  - ClarotyEvent
  connectorId: ClarotyAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
version: 1.0.3
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml
queryPeriod: 1h

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/731e5ac4-7fe1-4b06-9941-532f2e008bb3')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/731e5ac4-7fe1-4b06-9941-532f2e008bb3')]",
      "properties": {
        "alertRuleTemplateName": "731e5ac4-7fe1-4b06-9941-532f2e008bb3",
        "customDetails": null,
        "description": "'Detects Collection of known malware commands and control servers.'\n",
        "displayName": "Claroty - Treat detected",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyTreat.yaml",
        "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1018"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}