Claroty - Suspicious activity

Back


Id	99ad9f3c-304c-44c5-a61f-3a17f8b58218
Rulename	Claroty - Suspicious activity
Description	Detects suspicious behavior that is generally indicative of malware.
Severity	High
Tactics	Discovery
Techniques	T1018
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
Version	1.0.4
Arm template	99ad9f3c-304c-44c5-a61f-3a17f8b58218.json

KQL

ClarotyEvent
| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr

YAML

description: Detects suspicious behavior that is generally indicative of malware.
queryFrequency: 1h
status: Available
version: 1.0.4
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
customDetails:
  DestinationIP: DstIpAddr
  EventOriginalType: EventOriginalType
  EventType: EventType
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
query: |
  ClarotyEvent
  | where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr  
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
tactics:
- Discovery
severity: High
triggerThreshold: 0
triggerOperator: gt
alertDetailsOverride:
  alertDescriptionFormat: 'Claroty reported suspicious activity for {{IPCustomEntity}}. Event type: {{EventType}}. Original type: {{EventOriginalType}}.'
  alertDisplayNameFormat: Claroty suspicious activity on {{IPCustomEntity}}
name: Claroty - Suspicious activity
id: 99ad9f3c-304c-44c5-a61f-3a17f8b58218
relevantTechniques:
- T1018
kind: Scheduled
queryPeriod: 1h

ARM