ClarotyEvent
| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
tactics:
- Discovery
requiredDataConnectors:
- dataTypes:
- CommonSecurityLog
connectorId: CefAma
alertDetailsOverride:
alertDisplayNameFormat: Claroty suspicious activity on {{IPCustomEntity}}
alertDescriptionFormat: 'Claroty reported suspicious activity for {{IPCustomEntity}}. Event type: {{EventType}}. Original type: {{EventOriginalType}}.'
id: 99ad9f3c-304c-44c5-a61f-3a17f8b58218
severity: High
status: Available
customDetails:
EventType: EventType
EventOriginalType: EventOriginalType
DestinationIP: DstIpAddr
query: |
ClarotyEvent
| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.4
name: Claroty - Suspicious activity
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1018
description: Detects suspicious behavior that is generally indicative of malware.
triggerOperator: gt