Claroty - Suspicious activity

Back


Id	99ad9f3c-304c-44c5-a61f-3a17f8b58218
Rulename	Claroty - Suspicious activity
Description	Detects suspicious behavior that is generally indicative of malware.
Severity	High
Tactics	Discovery
Techniques	T1018
Required data connectors	CefAma
Kind	Scheduled
Query frequency	1h
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
Version	1.0.4
Arm template	99ad9f3c-304c-44c5-a61f-3a17f8b58218.json

KQL

ClarotyEvent
| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
| project TimeGenerated, DstIpAddr, EventOriginalType, EventType
| extend IPCustomEntity = DstIpAddr

YAML

triggerOperator: gt
alertDetailsOverride:
  alertDescriptionFormat: 'Claroty reported suspicious activity for {{IPCustomEntity}}. Event type: {{EventType}}. Original type: {{EventOriginalType}}.'
  alertDisplayNameFormat: Claroty suspicious activity on {{IPCustomEntity}}
description: Detects suspicious behavior that is generally indicative of malware.
customDetails:
  DestinationIP: DstIpAddr
  EventOriginalType: EventOriginalType
  EventType: EventType
kind: Scheduled
version: 1.0.4
id: 99ad9f3c-304c-44c5-a61f-3a17f8b58218
name: Claroty - Suspicious activity
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
queryFrequency: 1h
status: Available
query: |
  ClarotyEvent
  | where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'
  | project TimeGenerated, DstIpAddr, EventOriginalType, EventType
  | extend IPCustomEntity = DstIpAddr  
triggerThreshold: 0
queryPeriod: 1h
requiredDataConnectors:
- connectorId: CefAma
  dataTypes:
  - CommonSecurityLog
relevantTechniques:
- T1018
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
severity: High
tactics:
- Discovery

ARM