Microsoft Sentinel Analytic Rules

Claroty - Threat detected

Id: 731e5ac4-7fe1-4b06-9941-532f2e008bb3
Rulename: Claroty - Threat detected
Description: Detects Claroty events where EventOriginalType or EventType contains 'Threat', identifying Threat-related activity and surfacing the destination IP address for investigation.
Severity: High
Tactics: Discovery, Reconnaissance
Techniques: T1018, T1595
Required data connectors: CefAma, Claroty, ClarotyAma
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
Version: 1.0.5
Arm template: 731e5ac4-7fe1-4b06-9941-532f2e008bb3.json
ClarotyEvent
| where EventOriginalType has 'Threat' or EventType has 'Threat'
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tactics:
- Discovery
- Reconnaissance
requiredDataConnectors:
- dataTypes:
  - ClarotyEvent
  connectorId: Claroty
- dataTypes:
  - ClarotyEvent
  connectorId: ClarotyAma
- dataTypes:
  - CommonSecurityLog
  connectorId: CefAma
alertDetailsOverride:
  alertDisplayNameFormat: Claroty Threat detected on {{IPCustomEntity}}
  alertDescriptionFormat: Claroty event type {{EventType}} or original type {{EventOriginalType}} matched Threat on {{IPCustomEntity}}
id: 731e5ac4-7fe1-4b06-9941-532f2e008bb3
severity: High
status: Available
customDetails:
  EventType: EventType
  EventOriginalType: EventOriginalType
  TimeGenerated: TimeGenerated
query: |
  ClarotyEvent
  | where EventOriginalType has 'Threat' or EventType has 'Threat'
  | extend IPCustomEntity = DstIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.5
name: Claroty - Threat detected
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1018
- T1595
description: Detects Claroty events where EventOriginalType or EventType contains 'Threat', identifying Threat-related activity and surfacing the destination IP address for investigation.
triggerOperator: gt