Claroty - Suspicious activity

Back


Id	99ad9f3c-304c-44c5-a61f-3a17f8b58218
Rulename	Claroty - Suspicious activity
Description	Detects suspicious behavior that is generally indicative of malware.
Severity	High
Tactics	Discovery
Techniques	T1018
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
Version	1.0.3
Arm template	99ad9f3c-304c-44c5-a61f-3a17f8b58218.json

KQL

ClarotyEvent
| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
| project TimeGenerated, DstIpAddr
| extend IPCustomEntity = DstIpAddr

YAML

id: 99ad9f3c-304c-44c5-a61f-3a17f8b58218
tactics:
- Discovery
queryPeriod: 1h
triggerThreshold: 0
name: Claroty - Suspicious activity
query: |
  ClarotyEvent
  | where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
  | project TimeGenerated, DstIpAddr
  | extend IPCustomEntity = DstIpAddr  
severity: High
triggerOperator: gt
kind: Scheduled
relevantTechniques:
- T1018
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
queryFrequency: 1h
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
description: |
    'Detects suspicious behavior that is generally indicative of malware.'
status: Available
version: 1.0.3
entityMappings:
- fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
  entityType: IP

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/99ad9f3c-304c-44c5-a61f-3a17f8b58218')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/99ad9f3c-304c-44c5-a61f-3a17f8b58218')]",
      "properties": {
        "alertRuleTemplateName": "99ad9f3c-304c-44c5-a61f-3a17f8b58218",
        "customDetails": null,
        "description": "'Detects suspicious behavior that is generally indicative of malware.'\n",
        "displayName": "Claroty - Suspicious activity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml",
        "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Discovery"
        ],
        "techniques": [
          "T1018"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}