Microsoft Sentinel Analytic Rules

Claroty - Threat detected

Id: 731e5ac4-7fe1-4b06-9941-532f2e008bb3
Rule name: Claroty - Threat detected
Description: Detects Claroty events where EventOriginalType or EventType contains 'Threat', identifying Threat-related activity and surfacing the destination IP address for investigation.
Severity: High
Tactics: Discovery, Reconnaissance
Techniques: T1018, T1595
Required data connectors: CefAma, Claroty, ClarotyAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
Version: 1.0.5
Arm template: 731e5ac4-7fe1-4b06-9941-532f2e008bb3.json
Query:
ClarotyEvent
| where EventOriginalType has 'Threat' or EventType has 'Threat'
| extend IPCustomEntity = DstIpAddr
version: 1.0.5
id: 731e5ac4-7fe1-4b06-9941-532f2e008bb3
relevantTechniques:
- T1018
- T1595
requiredDataConnectors:
- connectorId: Claroty
  dataTypes:
  - ClarotyEvent
- connectorId: ClarotyAma
  dataTypes:
  - ClarotyEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
alertDetailsOverride:
  alertDescriptionFormat: Claroty event type {{EventType}} or original type {{EventOriginalType}} matched Threat on {{IPCustomEntity}}
  alertDisplayNameFormat: Claroty Threat detected on {{IPCustomEntity}}
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP
name: Claroty - Threat detected
queryFrequency: 1h
triggerThreshold: 0
customDetails:
  TimeGenerated: TimeGenerated
  EventOriginalType: EventOriginalType
  EventType: EventType
description: Detects Claroty events where EventOriginalType or EventType contains 'Threat', identifying Threat-related activity and surfacing the destination IP address for investigation.
status: Available
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
queryPeriod: 1h
severity: High
kind: Scheduled
tactics:
- Discovery
- Reconnaissance
query: |
  ClarotyEvent
  | where EventOriginalType has 'Threat' or EventType has 'Threat'
  | extend IPCustomEntity = DstIpAddr