Claroty - Threat detected

Back


Id	731e5ac4-7fe1-4b06-9941-532f2e008bb3
Rulename	Claroty - Threat detected
Description	Detects Collection of known malware commands and control servers.
Severity	High
Tactics	Discovery
Techniques	T1018
Required data connectors	CefAma Claroty ClarotyAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
Version	1.0.4
Arm template	731e5ac4-7fe1-4b06-9941-532f2e008bb3.json

KQL

ClarotyEvent
| where EventOriginalType has 'Threat' or EventType has 'Threat'
| project TimeGenerated, DstIpAddr
| extend IPCustomEntity = DstIpAddr

YAML

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
queryPeriod: 1h
description: |
    'Detects Collection of known malware commands and control servers.'
triggerThreshold: 0
name: Claroty - Threat detected
triggerOperator: gt
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
kind: Scheduled
requiredDataConnectors:
- connectorId: Claroty
  dataTypes:
  - ClarotyEvent
- connectorId: ClarotyAma
  dataTypes:
  - ClarotyEvent
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
queryFrequency: 1h
tactics:
- Discovery
id: 731e5ac4-7fe1-4b06-9941-532f2e008bb3
status: Available
version: 1.0.4
query: |
  ClarotyEvent
  | where EventOriginalType has 'Threat' or EventType has 'Threat'
  | project TimeGenerated, DstIpAddr
  | extend IPCustomEntity = DstIpAddr  
severity: High
relevantTechniques:
- T1018

ARM