![](\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\")
",
- "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n",
+ "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
"Workbooks": [
"Workbooks/ClarotyOverview.json"
],
"Parsers": [
- "Parsers/ClarotyEvent.txt"
+ "Parsers/ClarotyEvent.yaml"
],
"Hunting Queries": [
"Hunting Queries/ClarotyBaselineDeviation.yaml",
@@ -22,7 +22,8 @@
"Hunting Queries/ClarotyWriteExecuteOperations.yaml"
],
"Data Connectors": [
- "Data Connectors/Connector_Claroty_CEF.json"
+ "Data Connectors/Connector_Claroty_CEF.json",
+ "Data Connectors/template_ClarotyAMA.json"
],
"Analytic Rules": [
"Analytic Rules/ClarotyAssetDown.yaml",
@@ -39,7 +40,7 @@
],
"Metadata": "SolutionMetadata.json",
"BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty",
- "Version": "3.0.0",
+ "Version": "3.0.1",
"TemplateSpec": true,
"Is1PConnector": false
}
diff --git a/Solutions/Claroty/Data/system_generated_metadata.json b/Solutions/Claroty/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..a8a795d3ffe
--- /dev/null
+++ b/Solutions/Claroty/Data/system_generated_metadata.json
@@ -0,0 +1,34 @@
+{
+ "Name": "Claroty",
+ "Author": "Microsoft - support@microsoft.com",
+ "Logo": "",
+ "Description": "The [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
+ "Metadata": "SolutionMetadata.json",
+ "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Claroty",
+ "Version": "3.0.1",
+ "TemplateSpec": true,
+ "Is1PConnector": false,
+ "publisherId": "azuresentinel",
+ "offerId": "azure-sentinel-solution-claroty",
+ "providers": [
+ "Claroty"
+ ],
+ "categories": {
+ "domains": [
+ "Internet of Things (IoT)",
+ "Security - Others"
+ ]
+ },
+ "firstPublishDate": "2021-10-23",
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ },
+ "Data Connectors": "[\n \"Data Connectors/Connector_Claroty_CEF.json\",\n \"Data Connectors/template_ClarotyAMA.json\"\n]",
+ "Parsers": "[\n \"ClarotyEvent.yaml\"\n]",
+ "Workbooks": "[\n \"Workbooks/ClarotyOverview.json\"\n]",
+ "Analytic Rules": "[\n \"ClarotyAssetDown.yaml\",\n \"ClarotyCriticalBaselineDeviation.yaml\",\n \"ClarotyLoginToUncommonSite.yaml\",\n \"ClarotyMultipleFailedLogin.yaml\",\n \"ClarotyMultipleFailedLoginsSameDst.yaml\",\n \"ClarotyNewAsset.yaml\",\n \"ClarotyPolicyViolation.yaml\",\n \"ClarotySuspiciousActivity.yaml\",\n \"ClarotySuspiciousFileTransfer.yaml\",\n \"ClarotyTreat.yaml\"\n]",
+ "Hunting Queries": "[\n \"ClarotyBaselineDeviation.yaml\",\n \"ClarotyConflictAssets.yaml\",\n \"ClarotyCriticalEvents.yaml\",\n \"ClarotyPLCLogins.yaml\",\n \"ClarotySRAFailedLogins.yaml\",\n \"ClarotyScanSources.yaml\",\n \"ClarotyScantargets.yaml\",\n \"ClarotyUnapprovedAccess.yaml\",\n \"ClarotyUnresolvedAlerts.yaml\",\n \"ClarotyWriteExecuteOperations.yaml\"\n]"
+}
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
index ec3ea9b5ad7..46d6a2c13a8 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
index a32ca641ecb..fabacda0da9 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
index ea6ef0125a8..f62556d4420 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
index 46d62ce29ce..629cbfbdb07 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
index 55d81c920d5..87f0c37005f 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
index e856a58babe..7ff4129e235 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
index 4896246a9d0..d57bc40237a 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
index 3529be3fb98..7264df96b45 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
index bd809e64beb..7c0d17659e4 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
index e342935dce6..8a3968bdecb 100755
--- a/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
+++ b/Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
@@ -7,6 +7,9 @@ requiredDataConnectors:
- connectorId: Claroty
dataTypes:
- ClarotyEvent
+ - connectorId: ClarotyAma
+ dataTypes:
+ - ClarotyEvent
tactics:
- InitialAccess
relevantTechniques:
diff --git a/Solutions/Claroty/Package/3.0.1.zip b/Solutions/Claroty/Package/3.0.1.zip
new file mode 100644
index 00000000000..ee9758954ec
Binary files /dev/null and b/Solutions/Claroty/Package/3.0.1.zip differ
diff --git a/Solutions/Claroty/Package/createUiDefinition.json b/Solutions/Claroty/Package/createUiDefinition.json
index 8190a7ec3e0..ee180bf4dbc 100644
--- a/Solutions/Claroty/Package/createUiDefinition.json
+++ b/Solutions/Claroty/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
"config": {
"isWizard": false,
"basics": {
- "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\r\n \r\n **Underlying Microsoft Technologies used:** \r\n\r\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\r\n\n a. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\r\n\n\n\n**Data Connectors:** 1, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/Claroty/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [Claroty](https://claroty.com/) solution for Microsoft Sentinel enables ingestion of [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection-ctd) and [Secure Remote Access](https://claroty.com/industrial-cybersecurity/sra) events into Microsoft Sentinel.\n\r\n1. **Claroty via AMA** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **Claroty via Legacy Agent** - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Parsers:** 1, **Workbooks:** 1, **Analytic Rules:** 10, **Hunting Queries:** 10\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
"subscription": {
"resourceProviders": [
"Microsoft.OperationsManagement/solutions",
@@ -80,6 +80,7 @@
}
}
}
+
]
},
{
@@ -301,7 +302,7 @@
"name": "huntingqueries-text",
"type": "Microsoft.Common.TextBlock",
"options": {
- "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view."
+ "text": "This solution installs the following hunting queries. After installing the solution, run these hunting queries to hunt for threats in Manage solution view. "
}
},
{
diff --git a/Solutions/Claroty/Package/mainTemplate.json b/Solutions/Claroty/Package/mainTemplate.json
index 01ce919134f..b766e9683f6 100644
--- a/Solutions/Claroty/Package/mainTemplate.json
+++ b/Solutions/Claroty/Package/mainTemplate.json
@@ -38,203 +38,321 @@
}
},
"variables": {
+ "solutionId": "azuresentinel.azure-sentinel-solution-claroty",
+ "_solutionId": "[variables('solutionId')]",
"email": "support@microsoft.com",
"_email": "[variables('email')]",
"_solutionName": "Claroty",
- "_solutionVersion": "3.0.0",
- "solutionId": "azuresentinel.azure-sentinel-solution-claroty",
- "_solutionId": "[variables('solutionId')]",
- "workbookVersion1": "1.0.0",
- "workbookContentId1": "ClarotyWorkbook",
- "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
- "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))),variables('workbookVersion1')))]",
- "_workbookContentId1": "[variables('workbookContentId1')]",
- "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
- "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "_solutionVersion": "3.0.1",
+ "uiConfigId1": "Claroty",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "Claroty",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "uiConfigId2": "ClarotyAma",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "ClarotyAma",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
+ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "_dataConnectorId2": "[variables('dataConnectorId2')]",
+ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
+ "dataConnectorVersion2": "1.0.0",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
"parserName1": "Claroty Data Parser",
"_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]",
"parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
"_parserId1": "[variables('parserId1')]",
- "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))),variables('parserVersion1')))]",
+ "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]",
"parserVersion1": "1.0.0",
"parserContentId1": "ClarotyEvent-Parser",
"_parserContentId1": "[variables('parserContentId1')]",
"_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]",
+ "workbookVersion1": "1.0.0",
+ "workbookContentId1": "ClarotyWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "analyticRuleVersion1": "1.0.1",
+ "analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008",
+ "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
+ "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
+ "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]",
+ "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
+ "analyticRuleVersion2": "1.0.1",
+ "analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a",
+ "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
+ "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
+ "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]",
+ "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
+ "analyticRuleVersion3": "1.0.1",
+ "analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1",
+ "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
+ "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
+ "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]",
+ "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
+ "analyticRuleVersion4": "1.0.1",
+ "analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4",
+ "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
+ "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
+ "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]",
+ "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
+ "analyticRuleVersion5": "1.0.1",
+ "analyticRulecontentId5": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5",
+ "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
+ "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
+ "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]",
+ "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
+ "analyticRuleVersion6": "1.0.1",
+ "analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5",
+ "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
+ "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
+ "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]",
+ "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
+ "analyticRuleVersion7": "1.0.1",
+ "analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be",
+ "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
+ "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
+ "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))))]",
+ "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
+ "analyticRuleVersion8": "1.0.1",
+ "analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218",
+ "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
+ "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
+ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))))]",
+ "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
+ "analyticRuleVersion9": "1.0.1",
+ "analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28",
+ "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
+ "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
+ "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))))]",
+ "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
+ "analyticRuleVersion10": "1.0.1",
+ "analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3",
+ "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
+ "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
+ "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))))]",
+ "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
"huntingQueryVersion1": "1.0.0",
"huntingQuerycontentId1": "6b24f3aa-01db-4d26-9d60-538dd9a56391",
"_huntingQuerycontentId1": "[variables('huntingQuerycontentId1')]",
"huntingQueryId1": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId1'))]",
- "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))),variables('huntingQueryVersion1')))]",
+ "huntingQueryTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId1'))))]",
"_huntingQuerycontentProductId1": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId1'),'-', variables('huntingQueryVersion1'))))]",
"huntingQueryVersion2": "1.0.0",
"huntingQuerycontentId2": "8038c683-f4dc-481e-94c6-f906d880b0ec",
"_huntingQuerycontentId2": "[variables('huntingQuerycontentId2')]",
"huntingQueryId2": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId2'))]",
- "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))),variables('huntingQueryVersion2')))]",
+ "huntingQueryTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId2'))))]",
"_huntingQuerycontentProductId2": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId2'),'-', variables('huntingQueryVersion2'))))]",
"huntingQueryVersion3": "1.0.0",
"huntingQuerycontentId3": "a81f3a44-049c-409d-8b98-b78aa256dacf",
"_huntingQuerycontentId3": "[variables('huntingQuerycontentId3')]",
"huntingQueryId3": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId3'))]",
- "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))),variables('huntingQueryVersion3')))]",
+ "huntingQueryTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId3'))))]",
"_huntingQuerycontentProductId3": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId3'),'-', variables('huntingQueryVersion3'))))]",
"huntingQueryVersion4": "1.0.0",
"huntingQuerycontentId4": "15569b45-4c34-4693-bf99-841e76b5da65",
"_huntingQuerycontentId4": "[variables('huntingQuerycontentId4')]",
"huntingQueryId4": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId4'))]",
- "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))),variables('huntingQueryVersion4')))]",
+ "huntingQueryTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId4'))))]",
"_huntingQuerycontentProductId4": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId4'),'-', variables('huntingQueryVersion4'))))]",
"huntingQueryVersion5": "1.0.0",
"huntingQuerycontentId5": "917364b7-2925-4c5d-a27c-64137a3b75b5",
"_huntingQuerycontentId5": "[variables('huntingQuerycontentId5')]",
"huntingQueryId5": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId5'))]",
- "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))),variables('huntingQueryVersion5')))]",
+ "huntingQueryTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId5'))))]",
"_huntingQuerycontentProductId5": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId5'),'-', variables('huntingQueryVersion5'))))]",
"huntingQueryVersion6": "1.0.0",
"huntingQuerycontentId6": "6c43a50e-2e59-48d9-848b-825f50927bbf",
"_huntingQuerycontentId6": "[variables('huntingQuerycontentId6')]",
"huntingQueryId6": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId6'))]",
- "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))),variables('huntingQueryVersion6')))]",
+ "huntingQueryTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId6'))))]",
"_huntingQuerycontentProductId6": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId6'),'-', variables('huntingQueryVersion6'))))]",
"huntingQueryVersion7": "1.0.0",
"huntingQuerycontentId7": "8e70ddf9-32c3-4acd-9cb9-59570344335e",
"_huntingQuerycontentId7": "[variables('huntingQuerycontentId7')]",
"huntingQueryId7": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId7'))]",
- "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))),variables('huntingQueryVersion7')))]",
+ "huntingQueryTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId7'))))]",
"_huntingQuerycontentProductId7": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId7'),'-', variables('huntingQueryVersion7'))))]",
"huntingQueryVersion8": "1.0.0",
"huntingQuerycontentId8": "de0fca32-85f3-45df-872e-41e980e5d8d3",
"_huntingQuerycontentId8": "[variables('huntingQuerycontentId8')]",
"huntingQueryId8": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId8'))]",
- "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))),variables('huntingQueryVersion8')))]",
+ "huntingQueryTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId8'))))]",
"_huntingQuerycontentProductId8": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId8'),'-', variables('huntingQueryVersion8'))))]",
"huntingQueryVersion9": "1.0.0",
"huntingQuerycontentId9": "fad6cb81-9a05-4acb-9c5b-a7c62af28034",
"_huntingQuerycontentId9": "[variables('huntingQuerycontentId9')]",
"huntingQueryId9": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId9'))]",
- "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))),variables('huntingQueryVersion9')))]",
+ "huntingQueryTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId9'))))]",
"_huntingQuerycontentProductId9": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId9'),'-', variables('huntingQueryVersion9'))))]",
"huntingQueryVersion10": "1.0.0",
"huntingQuerycontentId10": "3882ffbf-6228-4e1f-ab8f-8d79a26da0fb",
"_huntingQuerycontentId10": "[variables('huntingQuerycontentId10')]",
"huntingQueryId10": "[resourceId('Microsoft.OperationalInsights/savedSearches', variables('_huntingQuerycontentId10'))]",
- "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))),variables('huntingQueryVersion10')))]",
+ "huntingQueryTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-hq-',uniquestring(variables('_huntingQuerycontentId10'))))]",
"_huntingQuerycontentProductId10": "[concat(take(variables('_solutionId'),50),'-','hq','-', uniqueString(concat(variables('_solutionId'),'-','HuntingQuery','-',variables('_huntingQuerycontentId10'),'-', variables('huntingQueryVersion10'))))]",
- "uiConfigId1": "Claroty",
- "_uiConfigId1": "[variables('uiConfigId1')]",
- "dataConnectorContentId1": "Claroty",
- "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
- "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "_dataConnectorId1": "[variables('dataConnectorId1')]",
- "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))),variables('dataConnectorVersion1')))]",
- "dataConnectorVersion1": "1.0.0",
- "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
- "analyticRuleVersion1": "1.0.0",
- "analyticRulecontentId1": "fd6e3416-0421-4166-adb9-186e555a7008",
- "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]",
- "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]",
- "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))),variables('analyticRuleVersion1')))]",
- "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]",
- "analyticRuleVersion2": "1.0.0",
- "analyticRulecontentId2": "9a8b4321-e2be-449b-8227-a78227441b2a",
- "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]",
- "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]",
- "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))),variables('analyticRuleVersion2')))]",
- "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]",
- "analyticRuleVersion3": "1.0.0",
- "analyticRulecontentId3": "e7dbcbc3-b18f-4635-b27c-718195c369f1",
- "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]",
- "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]",
- "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))),variables('analyticRuleVersion3')))]",
- "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]",
- "analyticRuleVersion4": "1.0.0",
- "analyticRulecontentId4": "4b5bb3fc-c690-4f54-9a74-016213d699b4",
- "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]",
- "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]",
- "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))),variables('analyticRuleVersion4')))]",
- "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]",
- "analyticRuleVersion5": "1.0.0",
- "analyticRulecontentId5": "1c2310ef-19bf-4caf-b2b0-a4c983932fa5",
- "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]",
- "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]",
- "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))),variables('analyticRuleVersion5')))]",
- "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]",
- "analyticRuleVersion6": "1.0.0",
- "analyticRulecontentId6": "6c29b611-ce69-4016-bf99-eca639fee1f5",
- "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]",
- "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]",
- "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))),variables('analyticRuleVersion6')))]",
- "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]",
- "analyticRuleVersion7": "1.0.0",
- "analyticRulecontentId7": "3b22ac47-e02c-4599-a37a-57f965de17be",
- "_analyticRulecontentId7": "[variables('analyticRulecontentId7')]",
- "analyticRuleId7": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId7'))]",
- "analyticRuleTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId7'))),variables('analyticRuleVersion7')))]",
- "_analyticRulecontentProductId7": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId7'),'-', variables('analyticRuleVersion7'))))]",
- "analyticRuleVersion8": "1.0.0",
- "analyticRulecontentId8": "99ad9f3c-304c-44c5-a61f-3a17f8b58218",
- "_analyticRulecontentId8": "[variables('analyticRulecontentId8')]",
- "analyticRuleId8": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId8'))]",
- "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId8'))),variables('analyticRuleVersion8')))]",
- "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId8'),'-', variables('analyticRuleVersion8'))))]",
- "analyticRuleVersion9": "1.0.0",
- "analyticRulecontentId9": "5cf35bad-677f-4c23-8927-1611e7ff6f28",
- "_analyticRulecontentId9": "[variables('analyticRulecontentId9')]",
- "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId9'))]",
- "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId9'))),variables('analyticRuleVersion9')))]",
- "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId9'),'-', variables('analyticRuleVersion9'))))]",
- "analyticRuleVersion10": "1.0.0",
- "analyticRulecontentId10": "731e5ac4-7fe1-4b06-9941-532f2e008bb3",
- "_analyticRulecontentId10": "[variables('analyticRulecontentId10')]",
- "analyticRuleId10": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId10'))]",
- "analyticRuleTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId10'))),variables('analyticRuleVersion10')))]",
- "_analyticRulecontentProductId10": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId10'),'-', variables('analyticRuleVersion10'))))]",
"_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
},
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "name": "[variables('dataConnectorTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyOverviewWorkbook Workbook with template version 3.0.0",
+ "description": "Claroty data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion1')]",
+ "contentVersion": "[variables('dataConnectorVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
- "kind": "shared",
- "apiVersion": "2021-08-01",
- "metadata": {
- "description": "Sets the time name for analysis"
- },
+ "kind": "GenericUI",
"properties": {
- "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **ClarotyEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-claroty-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(EventType)\\r\\n| summarize count() by EventType\\r\\n| join kind = inner (ClarotyEvent\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n| project-away EventType1, TimeGenerated\",\"size\":3,\"title\":\"Event types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize dcount(DstIpAddr)\",\"size\":3,\"title\":\"Total Devices\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| summarize dcount(AlertUrl)\",\"size\":3,\"title\":\"Total Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| where ResolvedAs =~ 'Unresolved'\\r\\n| project-rename AlertTime=EventEndTime\\r\\n| join (ClarotyEvent\\r\\n | where EventOriginalType =~ 'Alert'\\r\\n | where ResolvedAs =~ 'Resolved'\\r\\n | project-rename ResolvedTime=EventEndTime) on AlertUrl\\r\\n| where datetime_diff('day',ResolvedTime,AlertTime) > 0 or datetime_diff('hour',ResolvedTime,AlertTime) > 0 or datetime_diff('minute',ResolvedTime,AlertTime) > 0 or datetime_diff('second',ResolvedTime,AlertTime) > 0\\r\\n| summarize dcount(AlertUrl)\\r\\n\",\"size\":3,\"title\":\"Resolved Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"10\",\"name\":\"group - 9\",\"styleSettings\":{\"maxWidth\":\"100\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize count() by DstIpAddr\\r\\n| top 10 by count_ \",\"size\":3,\"title\":\"Top Targets\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(CategoryAccess)\\r\\n| where CategoryAccess !in ('None', 'Read')\\r\\n| project Destination=DstIpAddr, Source=SrcIpAddr, CategoryAccess\\r\\n\",\"size\":3,\"title\":\"Write and Execute Operations\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, EventType, Target=DstIpAddr, Status=strcat(iff(ResolvedAs =~ 'Resolved', '✅ - Resolved', '❌ - Unresolved')), AlertUrl\",\"size\":0,\"title\":\"Latest Alerts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"65\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventType has 'Login'\\r\\n| extend User = extract(@\\\"User\\\\s(\\\\S+)\\\\s\\\", 1, tostring(EventMessage))\\r\\n| sort by TimeGenerated desc \\r\\n| project TimeGenerated, User\",\"size\":0,\"title\":\"Latest logins to SRA\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}}],\"fromTemplateId\":\"sentinel-ClarotyWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
- "version": "1.0",
- "sourceId": "[variables('workspaceResourceId')]",
- "category": "sentinel"
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId1')]",
+ "title": "[Deprecated] Claroty via Legacy Agent",
+ "publisher": "Claroty",
+ "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.",
+ "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Claroty",
+ "baseQuery": "ClarotyEvent"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Top 10 Destinations",
+ "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (Claroty)",
+ "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
+ },
+ {
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "innerSteps": [
+ {
+ "title": "1.1 Select or create a Linux machine",
+ "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ },
+ {
+ "title": "1.2 Install the CEF collector on the Linux machine",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId",
+ "PrimaryKey"
+ ],
+ "label": "Run the following command to install and apply the CEF collector:",
+ "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ],
+ "title": "1. Linux Syslog agent configuration"
+ },
+ {
+ "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.",
+ "title": "2. Configure Claroty to send logs using CEF"
+ },
+ {
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+ },
+ "type": "CopyableLabel"
+ }
+ ],
+ "title": "3. Validate connection"
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "4. Secure your machine "
+ }
+ ]
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"properties": {
- "description": "@{workbookKey=ClarotyWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Claroty; templateRelativePath=ClarotyOverview.json; subtitle=; provider=Claroty}.description",
- "parentId": "[variables('workbookId1')]",
- "contentId": "[variables('_workbookContentId1')]",
- "kind": "Workbook",
- "version": "[variables('workbookVersion1')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -249,19 +367,6 @@
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "CommonSecurityLog",
- "kind": "DataType"
- },
- {
- "contentId": "Claroty",
- "kind": "DataConnector"
- }
- ]
}
}
}
@@ -272,129 +377,27 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_workbookContentId1')]",
- "contentKind": "Workbook",
- "displayName": "[parameters('workbook1-name')]",
- "contentProductId": "[variables('_workbookcontentProductId1')]",
- "id": "[variables('_workbookcontentProductId1')]",
- "version": "[variables('workbookVersion1')]"
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Deprecated] Claroty via Legacy Agent",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('parserTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
"dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ "[variables('_dataConnectorId1')]"
],
- "properties": {
- "description": "ClarotyEvent Data Parser with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('parserVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
- {
- "name": "[variables('_parserName1')]",
- "apiVersion": "2022-10-01",
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Claroty Data Parser",
- "category": "Samples",
- "functionAlias": "ClarotyEvent",
- "query": "\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Claroty'\r\n| extend EventVendor = 'Claroty'\r\n| extend EventProduct = 'Claroty'\r\n| extend EventSchemaVersion = 0.2\r\n| extend EventCount = 1\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\r\n , DeviceCustomNumber2Label, DeviceCustomNumber2\r\n , DeviceCustomNumber3Label, DeviceCustomNumber3\r\n , DeviceCustomString1Label, DeviceCustomString1\r\n , DeviceCustomString2Label, DeviceCustomString2\r\n , DeviceCustomString3Label, DeviceCustomString3\r\n , DeviceCustomString4Label, DeviceCustomString4\r\n , DeviceCustomString5Label, DeviceCustomString5\r\n , DeviceCustomString6Label, DeviceCustomString6\r\n , DeviceCustomDate1Label, DeviceCustomDate1\r\n , DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend packed2 = pack(cs7Label, cs7\r\n , cs8Label, cs8\r\n , cs9Label, cs9\r\n , cs10Label, cs10)\r\n| evaluate bag_unpack(packed2)\r\n| extend EventEndTime = todatetime(ReceiptTime),\r\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\r\n| project-rename EventProductVersion=DeviceVersion\r\n , EventSubType=cat\r\n , EventOriginalType=DeviceEventClassID\r\n , EventSeverity=LogSeverity\r\n , EventMessage=Message\r\n , DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstDvcHostname=DestinationHostName\r\n , DstUserName=DestinationUserName\r\n , DvcIpAddr=DeviceAddress\r\n , DvcHostname=DeviceName\r\n , DstMacAddr=DestinationMACAddress\r\n , NetworkApplicationProtocol=Protocol\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , EventId=ExternalID\r\n , SrcDvcHostname=SourceHostName\r\n| extend EventType=Activity\r\n| project-away AdditionalExtensions\r\n , Activity\r\n , ReceiptTime\r\n , DeviceVendor\r\n , DeviceProduct\r\n , DeviceCustomNumber1\r\n , DeviceCustomNumber1Label\r\n , DeviceCustomNumber2\r\n , DeviceCustomNumber2Label\r\n , DeviceCustomNumber3\r\n , DeviceCustomNumber3Label\r\n , DeviceCustomString1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString2\r\n , DeviceCustomString2Label\r\n , DeviceCustomString3\r\n , DeviceCustomString3Label\r\n , DeviceCustomString4\r\n , DeviceCustomString4Label\r\n , DeviceCustomString5\r\n , DeviceCustomString5Label\r\n , DeviceCustomString6\r\n , DeviceCustomString6Label\r\n , cs7Label\r\n , cs7\r\n , cs8Label\r\n , cs8\r\n , cs9Label\r\n , cs9\r\n , cs10Label\r\n , cs10",
- "functionParameters": "",
- "version": 1,
- "tags": [
- {
- "name": "description",
- "value": "Claroty Data Parser"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
- "dependsOn": [
- "[variables('_parserName1')]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
- "kind": "Parser",
- "version": "[variables('parserVersion1')]",
- "source": {
- "name": "Claroty",
- "kind": "Solution",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_parserContentId1')]",
- "contentKind": "Parser",
- "displayName": "Claroty Data Parser",
- "contentProductId": "[variables('_parsercontentProductId1')]",
- "id": "[variables('_parsercontentProductId1')]",
- "version": "[variables('parserVersion1')]"
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "[variables('_parserName1')]",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Claroty Data Parser",
- "category": "Samples",
- "functionAlias": "ClarotyEvent",
- "query": "\nCommonSecurityLog\r\n| where DeviceVendor =~ 'Claroty'\r\n| extend EventVendor = 'Claroty'\r\n| extend EventProduct = 'Claroty'\r\n| extend EventSchemaVersion = 0.2\r\n| extend EventCount = 1\r\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\r\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\r\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\r\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\r\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\r\n , DeviceCustomNumber2Label, DeviceCustomNumber2\r\n , DeviceCustomNumber3Label, DeviceCustomNumber3\r\n , DeviceCustomString1Label, DeviceCustomString1\r\n , DeviceCustomString2Label, DeviceCustomString2\r\n , DeviceCustomString3Label, DeviceCustomString3\r\n , DeviceCustomString4Label, DeviceCustomString4\r\n , DeviceCustomString5Label, DeviceCustomString5\r\n , DeviceCustomString6Label, DeviceCustomString6\r\n , DeviceCustomDate1Label, DeviceCustomDate1\r\n , DeviceCustomDate2Label, DeviceCustomDate2)\r\n| evaluate bag_unpack(packed)\r\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\r\n| extend packed2 = pack(cs7Label, cs7\r\n , cs8Label, cs8\r\n , cs9Label, cs9\r\n , cs10Label, cs10)\r\n| evaluate bag_unpack(packed2)\r\n| extend EventEndTime = todatetime(ReceiptTime),\r\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\r\n| project-rename EventProductVersion=DeviceVersion\r\n , EventSubType=cat\r\n , EventOriginalType=DeviceEventClassID\r\n , EventSeverity=LogSeverity\r\n , EventMessage=Message\r\n , DstPortNumber=DestinationPort\r\n , DstIpAddr=DestinationIP\r\n , DstDvcHostname=DestinationHostName\r\n , DstUserName=DestinationUserName\r\n , DvcIpAddr=DeviceAddress\r\n , DvcHostname=DeviceName\r\n , DstMacAddr=DestinationMACAddress\r\n , NetworkApplicationProtocol=Protocol\r\n , SrcPortNumber=SourcePort\r\n , SrcIpAddr=SourceIP\r\n , SrcMacAddr=SourceMACAddress\r\n , EventId=ExternalID\r\n , SrcDvcHostname=SourceHostName\r\n| extend EventType=Activity\r\n| project-away AdditionalExtensions\r\n , Activity\r\n , ReceiptTime\r\n , DeviceVendor\r\n , DeviceProduct\r\n , DeviceCustomNumber1\r\n , DeviceCustomNumber1Label\r\n , DeviceCustomNumber2\r\n , DeviceCustomNumber2Label\r\n , DeviceCustomNumber3\r\n , DeviceCustomNumber3Label\r\n , DeviceCustomString1\r\n , DeviceCustomString1Label\r\n , DeviceCustomString2\r\n , DeviceCustomString2Label\r\n , DeviceCustomString3\r\n , DeviceCustomString3Label\r\n , DeviceCustomString4\r\n , DeviceCustomString4Label\r\n , DeviceCustomString5\r\n , DeviceCustomString5Label\r\n , DeviceCustomString6\r\n , DeviceCustomString6Label\r\n , cs7Label\r\n , cs7\r\n , cs8Label\r\n , cs8\r\n , cs9Label\r\n , cs9\r\n , cs10Label\r\n , cs10",
- "functionParameters": "",
- "version": 1,
- "tags": [
- {
- "name": "description",
- "value": "Claroty Data Parser"
- }
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
"location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
- "dependsOn": [
- "[variables('_parserId1')]"
- ],
"properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
- "kind": "Parser",
- "version": "[variables('parserVersion1')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion1')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -413,143 +416,278 @@
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
- "apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
- "dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
- ],
+ "kind": "GenericUI",
"properties": {
- "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion1')]",
- "parameters": {},
- "variables": {},
- "resources": [
+ "connectorUiConfig": {
+ "title": "[Deprecated] Claroty via Legacy Agent",
+ "publisher": "Claroty",
+ "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.",
+ "graphQueries": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_1",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Claroty - Baseline deviation",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query searches for baseline deviation events."
- },
- {
- "name": "tactics",
- "value": "InitialAccess"
- },
- {
- "name": "techniques",
- "value": "T1190"
- }
- ]
+ "metricName": "Total data received",
+ "legend": "Claroty",
+ "baseQuery": "ClarotyEvent"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (Claroty)",
+ "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Top 10 Destinations",
+ "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
}
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
- "properties": {
- "description": "Claroty Hunting Query 1",
- "parentId": "[variables('huntingQueryId1')]",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Claroty",
- "sourceId": "[variables('_solutionId')]"
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "innerSteps": [
+ {
+ "title": "1.1 Select or create a Linux machine",
+ "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
},
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
+ {
+ "title": "1.2 Install the CEF collector on the Linux machine",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId",
+ "PrimaryKey"
+ ],
+ "label": "Run the following command to install and apply the CEF collector:",
+ "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
}
- }
+ ],
+ "title": "1. Linux Syslog agent configuration"
+ },
+ {
+ "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.",
+ "title": "2. Configure Claroty to send logs using CEF"
+ },
+ {
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceId"
+ ],
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+ },
+ "type": "CopyableLabel"
+ }
+ ],
+ "title": "3. Validate connection"
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "4. Secure your machine "
}
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId1')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Baseline deviation",
- "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
- "id": "[variables('_huntingQuerycontentProductId1')]",
- "version": "[variables('huntingQueryVersion1')]"
+ ],
+ "id": "[variables('_uiConfigId1')]",
+ "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "Claroty data connector with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion2')]",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_2",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
"location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
"properties": {
- "eTag": "*",
- "displayName": "Claroty - Conflict assets",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'New Conflict Asset' or EventType has 'New Conflict Asset'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query searches for conflicting assets."
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] Claroty via AMA",
+ "publisher": "Claroty",
+ "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.",
+ "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Claroty",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Top 10 Destinations",
+ "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (Claroty)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
},
- {
- "name": "tactics",
- "value": "InitialAccess"
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
},
- {
- "name": "techniques",
- "value": "T1190"
- }
- ]
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Configure Claroty to send logs using CEF",
+ "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ]
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"properties": {
- "description": "Claroty Hunting Query 2",
- "parentId": "[variables('huntingQueryId2')]",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion2')]",
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -574,138 +712,198 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId2')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Conflict assets",
- "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
- "id": "[variables('_huntingQuerycontentProductId2')]",
- "version": "[variables('huntingQueryVersion2')]"
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Recommended] Claroty via AMA",
+ "contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName3')]",
- "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
"dependsOn": [
- "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ "[variables('_dataConnectorId2')]"
],
+ "location": "[parameters('workspace-location')]",
"properties": {
- "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.0",
- "mainTemplate": {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion3')]",
- "parameters": {},
- "variables": {},
- "resources": [
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Claroty",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "title": "[Recommended] Claroty via AMA",
+ "publisher": "Claroty",
+ "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.",
+ "graphQueries": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_3",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "eTag": "*",
- "displayName": "Claroty - Critical Events",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity == '5'\n| extend IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query searches for critical severity events."
- },
- {
- "name": "tactics",
- "value": "InitialAccess"
- },
- {
- "name": "techniques",
- "value": "T1190"
- }
- ]
- }
- },
+ "metricName": "Total data received",
+ "legend": "Claroty",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "dataTypes": [
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
- "properties": {
- "description": "Claroty Hunting Query 3",
- "parentId": "[variables('huntingQueryId3')]",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion3')]",
- "source": {
- "kind": "Solution",
- "name": "Claroty",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
- },
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
+ "name": "CommonSecurityLog (Claroty)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Claroty'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "Top 10 Destinations",
+ "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
}
}
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. Configure Claroty to send logs using CEF",
+ "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
}
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
- "contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId3')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Critical Events",
- "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
- "id": "[variables('_huntingQuerycontentProductId3')]",
- "version": "[variables('huntingQueryVersion3')]"
+ ],
+ "id": "[variables('_uiConfigId2')]",
+ "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName4')]",
+ "name": "[variables('parserTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ClarotyEvent Data Parser with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion4')]",
+ "contentVersion": "[variables('parserVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
+ "name": "[variables('_parserName1')]",
"apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_4",
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"location": "[parameters('workspace-location')]",
"properties": {
"eTag": "*",
- "displayName": "Claroty - PLC logins",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where EventType has 'Login'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "displayName": "Claroty Data Parser",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "ClarotyEvent",
+ "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n",
+ "functionParameters": "",
"version": 2,
"tags": [
{
"name": "description",
- "value": "Query searches for PLC login security alerts."
- },
- {
- "name": "tactics",
- "value": "InitialAccess"
- },
- {
- "name": "techniques",
- "value": "T1190"
+ "value": ""
}
]
}
@@ -713,16 +911,18 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_parserName1')]"
+ ],
"properties": {
- "description": "Claroty Hunting Query 4",
- "parentId": "[variables('huntingQueryId4')]",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion4')]",
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "contentId": "[variables('_parserContentId1')]",
+ "kind": "Parser",
+ "version": "[variables('parserVersion1')]",
"source": {
- "kind": "Solution",
"name": "Claroty",
+ "kind": "Solution",
"sourceId": "[variables('_solutionId')]"
},
"author": {
@@ -744,67 +944,108 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId4')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - PLC logins",
- "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
- "id": "[variables('_huntingQuerycontentProductId4')]",
- "version": "[variables('huntingQueryVersion4')]"
+ "contentId": "[variables('_parserContentId1')]",
+ "contentKind": "Parser",
+ "displayName": "Claroty Data Parser",
+ "contentProductId": "[variables('_parsercontentProductId1')]",
+ "id": "[variables('_parsercontentProductId1')]",
+ "version": "[variables('parserVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "[variables('_parserName1')]",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Claroty Data Parser",
+ "category": "Microsoft Sentinel Parser",
+ "functionAlias": "ClarotyEvent",
+ "query": "CommonSecurityLog\n| where DeviceVendor =~ 'Claroty'\n| extend EventVendor = 'Claroty'\n| extend EventProduct = 'Claroty'\n| extend EventSchemaVersion = 0.2\n| extend EventCount = 1\n| extend DeviceCustomNumber1 = coalesce(column_ifexists(\"FieldDeviceCustomNumber1\", long(null)),DeviceCustomNumber1),\n DeviceCustomNumber2 = coalesce(column_ifexists(\"FieldDeviceCustomNumber2\", long(null)),DeviceCustomNumber2),\n DeviceCustomNumber3 = coalesce(column_ifexists(\"FieldDeviceCustomNumber3\", long(null)),DeviceCustomNumber3),\n ExternalID = coalesce(column_ifexists(\"ExtID\", \"\"),tostring(ExternalID))\n| extend packed = pack(DeviceCustomNumber1Label, DeviceCustomNumber1\n , DeviceCustomNumber2Label, DeviceCustomNumber2\n , DeviceCustomNumber3Label, DeviceCustomNumber3\n , DeviceCustomString1Label, DeviceCustomString1\n , DeviceCustomString2Label, DeviceCustomString2\n , DeviceCustomString3Label, DeviceCustomString3\n , DeviceCustomString4Label, DeviceCustomString4\n , DeviceCustomString5Label, DeviceCustomString5\n , DeviceCustomString6Label, DeviceCustomString6\n , DeviceCustomDate1Label, DeviceCustomDate1\n , DeviceCustomDate2Label, DeviceCustomDate2)\n| evaluate bag_unpack(packed)\n| parse-kv AdditionalExtensions as (cs7Label:string, cs7:string, cs8Label:string, cs8:string, cs9Label:string, cs9:string, cs10Label:string, cs10:string, cat:string) with (pair_delimiter=';', kv_delimiter='=')\n| extend packed2 = pack(cs7Label, cs7\n , cs8Label, cs8\n , cs9Label, cs9\n , cs10Label, cs10)\n| evaluate bag_unpack(packed2)\n| extend EventEndTime = todatetime(ReceiptTime),\n cat = coalesce(column_ifexists(\"DeviceEventCategory\", \"\"),cat)\n| project-rename EventProductVersion=DeviceVersion\n , EventSubType=cat\n , EventOriginalType=DeviceEventClassID\n , EventSeverity=LogSeverity\n , EventMessage=Message\n , DstPortNumber=DestinationPort\n , DstIpAddr=DestinationIP\n , DstDvcHostname=DestinationHostName\n , DstUserName=DestinationUserName\n , DvcIpAddr=DeviceAddress\n , DvcHostname=DeviceName\n , DstMacAddr=DestinationMACAddress\n , NetworkApplicationProtocol=Protocol\n , SrcPortNumber=SourcePort\n , SrcIpAddr=SourceIP\n , SrcMacAddr=SourceMACAddress\n , EventId=ExternalID\n , SrcDvcHostname=SourceHostName\n| extend EventType=Activity\n| project-away AdditionalExtensions\n , Activity\n , ReceiptTime\n , DeviceVendor\n , DeviceProduct\n , DeviceCustomNumber1\n , DeviceCustomNumber1Label\n , DeviceCustomNumber2\n , DeviceCustomNumber2Label\n , DeviceCustomNumber3\n , DeviceCustomNumber3Label\n , DeviceCustomString1\n , DeviceCustomString1Label\n , DeviceCustomString2\n , DeviceCustomString2Label\n , DeviceCustomString3\n , DeviceCustomString3Label\n , DeviceCustomString4\n , DeviceCustomString4Label\n , DeviceCustomString5\n , DeviceCustomString5Label\n , DeviceCustomString6\n , DeviceCustomString6Label\n , cs7Label\n , cs7\n , cs8Label\n , cs8\n , cs9Label\n , cs9\n , cs10Label\n , cs10\n",
+ "functionParameters": "",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": ""
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
+ "dependsOn": [
+ "[variables('_parserId1')]"
+ ],
+ "properties": {
+ "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
+ "contentId": "[variables('_parserContentId1')]",
+ "kind": "Parser",
+ "version": "[variables('parserVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Claroty",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName5')]",
+ "name": "[variables('workbookTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ClarotyOverviewWorkbook Workbook with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion5')]",
+ "contentVersion": "[variables('workbookVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_5",
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId1')]",
"location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Sets the time name for analysis"
+ },
"properties": {
- "eTag": "*",
- "displayName": "Claroty - User failed logins",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername\n| extend AccountCustomEntity = SrcUsername\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query searches for login failure events."
- },
- {
- "name": "tactics",
- "value": "InitialAccess"
- },
- {
- "name": "techniques",
- "value": "T1190"
- }
- ]
+ "displayName": "[parameters('workbook1-name')]",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **ClarotyEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-claroty-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"green\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"60\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(EventType)\\r\\n| summarize count() by EventType\\r\\n| join kind = inner (ClarotyEvent\\r\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by EventType)\\r\\n on EventType\\r\\n| project-away EventType1, TimeGenerated\",\"size\":3,\"title\":\"Event types\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"EventType\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"count_\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize dcount(DstIpAddr)\",\"size\":3,\"title\":\"Total Devices\",\"noDataMessage\":\"0\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| summarize dcount(AlertUrl)\",\"size\":3,\"title\":\"Total Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 1\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| where ResolvedAs =~ 'Unresolved'\\r\\n| project-rename AlertTime=EventEndTime\\r\\n| join (ClarotyEvent\\r\\n | where EventOriginalType =~ 'Alert'\\r\\n | where ResolvedAs =~ 'Resolved'\\r\\n | project-rename ResolvedTime=EventEndTime) on AlertUrl\\r\\n| where datetime_diff('day',ResolvedTime,AlertTime) > 0 or datetime_diff('hour',ResolvedTime,AlertTime) > 0 or datetime_diff('minute',ResolvedTime,AlertTime) > 0 or datetime_diff('second',ResolvedTime,AlertTime) > 0\\r\\n| summarize dcount(AlertUrl)\\r\\n\",\"size\":3,\"title\":\"Resolved Alerts\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"card\",\"textSettings\":{\"style\":\"bignumber\"}},\"name\":\"query - 0\"}]},\"name\":\"group - 2\"}]},\"customWidth\":\"10\",\"name\":\"group - 9\",\"styleSettings\":{\"maxWidth\":\"100\",\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(SrcIpAddr)\\r\\n| summarize count() by SrcIpAddr\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Sources\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(DstIpAddr)\\r\\n| summarize count() by DstIpAddr\\r\\n| top 10 by count_ \",\"size\":3,\"title\":\"Top Targets\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where isnotempty(CategoryAccess)\\r\\n| where CategoryAccess !in ('None', 'Read')\\r\\n| project Destination=DstIpAddr, Source=SrcIpAddr, CategoryAccess\\r\\n\",\"size\":3,\"title\":\"Write and Execute Operations\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventOriginalType =~ 'Alert'\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, EventType, Target=DstIpAddr, Status=strcat(iff(ResolvedAs =~ 'Resolved', '✅ - Resolved', '❌ - Unresolved')), AlertUrl\",\"size\":0,\"title\":\"Latest Alerts\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"65\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ClarotyEvent\\r\\n| where EventType has 'Login'\\r\\n| extend User = extract(@\\\"User\\\\s(\\\\S+)\\\\s\\\", 1, tostring(EventMessage))\\r\\n| sort by TimeGenerated desc \\r\\n| project TimeGenerated, User\",\"size\":0,\"title\":\"Latest logins to SRA\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"35\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}}],\"fromTemplateId\":\"sentinel-ClarotyWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "version": "1.0",
+ "sourceId": "[variables('workspaceResourceId')]",
+ "category": "sentinel"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
"properties": {
- "description": "Claroty Hunting Query 5",
- "parentId": "[variables('huntingQueryId5')]",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion5')]",
+ "description": "@{workbookKey=ClarotyWorkbook; logoFileName=Azure_Sentinel.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Claroty; templateRelativePath=ClarotyOverview.json; subtitle=; provider=Claroty}.description",
+ "parentId": "[variables('workbookId1')]",
+ "contentId": "[variables('_workbookContentId1')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion1')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -819,63 +1060,105 @@
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
- }
- }
- }
- ]
- },
- "packageKind": "Solution",
- "packageVersion": "[variables('_solutionVersion')]",
- "packageName": "[variables('_solutionName')]",
- "packageId": "[variables('_solutionId')]",
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "CommonSecurityLog",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "Claroty",
+ "kind": "DataConnector"
+ },
+ {
+ "contentId": "ClarotyAma",
+ "kind": "DataConnector"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId5')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - User failed logins",
- "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
- "id": "[variables('_huntingQuerycontentProductId5')]",
- "version": "[variables('huntingQueryVersion5')]"
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName6')]",
+ "name": "[variables('analyticRuleTemplateSpecName1')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion6')]",
+ "contentVersion": "[variables('analyticRuleVersion1')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_6",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId1')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "Claroty - Network scan sources",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n",
- "version": 2,
- "tags": [
+ "description": "Triggers asset is down.",
+ "displayName": "Claroty - Asset Down",
+ "enabled": false,
+ "query": "ClarotyEvent\n| where EventOriginalType has 'Asset Down' or EventType has 'Asset Down'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query searches for sources of network scans."
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
},
{
- "name": "tactics",
- "value": "InitialAccess"
- },
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1529"
+ ],
+ "entityMappings": [
{
- "name": "techniques",
- "value": "T1190"
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ],
+ "entityType": "IP"
}
]
}
@@ -883,13 +1166,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
"properties": {
- "description": "Claroty Hunting Query 6",
- "parentId": "[variables('huntingQueryId6')]",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion6')]",
+ "description": "Claroty Analytics Rule 1",
+ "parentId": "[variables('analyticRuleId1')]",
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion1')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -914,53 +1197,78 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId6')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Network scan sources",
- "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
- "id": "[variables('_huntingQuerycontentProductId6')]",
- "version": "[variables('huntingQueryVersion6')]"
+ "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - Asset Down",
+ "contentProductId": "[variables('_analyticRulecontentProductId1')]",
+ "id": "[variables('_analyticRulecontentProductId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName7')]",
+ "name": "[variables('analyticRuleTemplateSpecName2')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion7')]",
+ "contentVersion": "[variables('analyticRuleVersion2')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_7",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId2')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "Claroty - Network scan targets",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
+ "description": "Detects when critical deviation from baseline occurs.",
+ "displayName": "Claroty - Critical baseline deviation",
+ "enabled": false,
+ "query": "ClarotyEvent\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| where EventSeverity == '5'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query searches for targets of network scans."
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
},
{
- "name": "tactics",
- "value": "InitialAccess"
- },
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
+ }
+ ],
+ "tactics": [
+ "Impact"
+ ],
+ "techniques": [
+ "T1529"
+ ],
+ "entityMappings": [
{
- "name": "techniques",
- "value": "T1190"
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ],
+ "entityType": "IP"
}
]
}
@@ -968,13 +1276,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
"properties": {
- "description": "Claroty Hunting Query 7",
- "parentId": "[variables('huntingQueryId7')]",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion7')]",
+ "description": "Claroty Analytics Rule 2",
+ "parentId": "[variables('analyticRuleId2')]",
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion2')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -999,67 +1307,93 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId7')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Network scan targets",
- "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
- "id": "[variables('_huntingQuerycontentProductId7')]",
- "version": "[variables('huntingQueryVersion7')]"
+ "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - Critical baseline deviation",
+ "contentProductId": "[variables('_analyticRulecontentProductId2')]",
+ "id": "[variables('_analyticRulecontentProductId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName8')]",
+ "name": "[variables('analyticRuleTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion8')]",
+ "contentVersion": "[variables('analyticRuleVersion3')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_8",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId3')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "Claroty - Unapproved access",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity =~ 'Unapproved'\n| where isnotempty(CategoryAccess)\n| extend IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
- {
- "name": "description",
- "value": "Query searches for unapproved access events."
- },
+ "description": "Detects user login to uncommon location.",
+ "displayName": "Claroty - Login to uncommon location",
+ "enabled": false,
+ "query": "let usr_sites = ClarotyEvent\n| where TimeGenerated > ago(14d)\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| summarize all_loc = makeset(tostring(Site)) by SrcUsername\n| extend k = 1;\nClarotyEvent\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| extend k = 1\n| join kind=innerunique (usr_sites) on k\n| where all_loc !contains Site\n| extend SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "P14D",
+ "severity": "Medium",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "tactics",
- "value": "InitialAccess"
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
},
{
- "name": "techniques",
- "value": "T1190"
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
}
- ]
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
- "properties": {
- "description": "Claroty Hunting Query 8",
- "parentId": "[variables('huntingQueryId8')]",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion8')]",
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "SrcIpAddr"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "properties": {
+ "description": "Claroty Analytics Rule 3",
+ "parentId": "[variables('analyticRuleId3')]",
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion3')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -1084,53 +1418,79 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId8')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Unapproved access",
- "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
- "id": "[variables('_huntingQuerycontentProductId8')]",
- "version": "[variables('huntingQueryVersion8')]"
+ "contentId": "[variables('_analyticRulecontentId3')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - Login to uncommon location",
+ "contentProductId": "[variables('_analyticRulecontentProductId3')]",
+ "id": "[variables('_analyticRulecontentProductId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName9')]",
+ "name": "[variables('analyticRuleTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion9')]",
+ "contentVersion": "[variables('analyticRuleVersion4')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_9",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId4')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "Claroty - Unresolved alerts",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where ResolvedAs =~ 'Unresolved'\n| extend IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
+ "description": "Detects multiple failed logins by same user.",
+ "displayName": "Claroty - Multiple failed logins by user",
+ "enabled": false,
+ "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query searches for alerts with unresolved status."
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
},
{
- "name": "tactics",
- "value": "InitialAccess"
- },
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
{
- "name": "techniques",
- "value": "T1190"
+ "fieldMappings": [
+ {
+ "identifier": "Name",
+ "columnName": "AccountCustomEntity"
+ }
+ ],
+ "entityType": "Account"
}
]
}
@@ -1138,13 +1498,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
"properties": {
- "description": "Claroty Hunting Query 9",
- "parentId": "[variables('huntingQueryId9')]",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion9')]",
+ "description": "Claroty Analytics Rule 4",
+ "parentId": "[variables('analyticRuleId4')]",
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion4')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -1169,53 +1529,79 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId9')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Unresolved alerts",
- "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
- "id": "[variables('_huntingQuerycontentProductId9')]",
- "version": "[variables('huntingQueryVersion9')]"
+ "contentId": "[variables('_analyticRulecontentId4')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - Multiple failed logins by user",
+ "contentProductId": "[variables('_analyticRulecontentProductId4')]",
+ "id": "[variables('_analyticRulecontentProductId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('huntingQueryTemplateSpecName10')]",
+ "name": "[variables('analyticRuleTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.0",
+ "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('huntingQueryVersion10')]",
+ "contentVersion": "[variables('analyticRuleVersion5')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.OperationalInsights/savedSearches",
- "apiVersion": "2022-10-01",
- "name": "Claroty_Hunting_Query_10",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId5')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "eTag": "*",
- "displayName": "Claroty - Write and Execute operations",
- "category": "Hunting Queries",
- "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(CategoryAccess)\n| where CategoryAccess != 'Read'\n| extend IPCustomEntity = DstIpAddr\n",
- "version": 2,
- "tags": [
+ "description": "Detects multiple failed logins to same destinations.",
+ "displayName": "Claroty - Multiple failed logins to same destinations",
+ "enabled": false,
+ "query": "let threshold = 10;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by Site, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend SGCustomEntity = Site\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
{
- "name": "description",
- "value": "Query searches for operations with Write and Execute accesses."
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
},
{
- "name": "tactics",
- "value": "InitialAccess"
- },
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
{
- "name": "techniques",
- "value": "T1190"
+ "fieldMappings": [
+ {
+ "identifier": "DistinguishedName",
+ "columnName": "SGCustomEntity"
+ }
+ ],
+ "entityType": "SecurityGroup"
}
]
}
@@ -1223,13 +1609,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
"properties": {
- "description": "Claroty Hunting Query 10",
- "parentId": "[variables('huntingQueryId10')]",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "kind": "HuntingQuery",
- "version": "[variables('huntingQueryVersion10')]",
+ "description": "Claroty Analytics Rule 5",
+ "parentId": "[variables('analyticRuleId5')]",
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion5')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -1254,166 +1640,93 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_huntingQuerycontentId10')]",
- "contentKind": "HuntingQuery",
- "displayName": "Claroty - Write and Execute operations",
- "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
- "id": "[variables('_huntingQuerycontentProductId10')]",
- "version": "[variables('huntingQueryVersion10')]"
+ "contentId": "[variables('_analyticRulecontentId5')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - Multiple failed logins to same destinations",
+ "contentProductId": "[variables('_analyticRulecontentProductId5')]",
+ "id": "[variables('_analyticRulecontentProductId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
+ "name": "[variables('analyticRuleTemplateSpecName6')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "Claroty data connector with template version 3.0.0",
+ "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
+ "contentVersion": "[variables('analyticRuleVersion6')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId6')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
"properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "Claroty",
- "publisher": "Claroty",
- "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Claroty",
- "baseQuery": "ClarotyEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Destinations",
- "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Claroty)",
- "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
+ "description": "Triggers when a new asset has been added into the environment.",
+ "displayName": "Claroty - New Asset",
+ "enabled": false,
+ "query": "ClarotyEvent\n| where EventOriginalType has 'New Asset' or EventType has 'New Asset'\n| extend IPCustomEntity = SrcIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
+ },
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
+ }
+ ],
+ "tactics": [
+ "InitialAccess"
+ ],
+ "techniques": [
+ "T1190",
+ "T1133"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
{
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.",
- "title": "2. Configure Claroty to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
+ ],
+ "entityType": "IP"
+ }
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
+ "description": "Claroty Analytics Rule 6",
+ "parentId": "[variables('analyticRuleId6')]",
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion6')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -1438,198 +1751,261 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "contentKind": "DataConnector",
- "displayName": "Claroty",
- "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
- "id": "[variables('_dataConnectorcontentProductId1')]",
- "version": "[variables('dataConnectorVersion1')]"
+ "contentId": "[variables('_analyticRulecontentId6')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - New Asset",
+ "contentProductId": "[variables('_analyticRulecontentProductId6')]",
+ "id": "[variables('_analyticRulecontentProductId6')]",
+ "version": "[variables('analyticRuleVersion6')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "location": "[parameters('workspace-location')]",
"dependsOn": [
- "[variables('_dataConnectorId1')]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
- "location": "[parameters('workspace-location')]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "Claroty",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
+ "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion7')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId7')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects policy violations.",
+ "displayName": "Claroty - Policy violation",
+ "enabled": false,
+ "query": "ClarotyEvent\n| where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
+ },
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": [
+ "T1018"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "properties": {
+ "description": "Claroty Analytics Rule 7",
+ "parentId": "[variables('analyticRuleId7')]",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Claroty",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
},
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId7')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - Policy violation",
+ "contentProductId": "[variables('_analyticRulecontentProductId7')]",
+ "id": "[variables('_analyticRulecontentProductId7')]",
+ "version": "[variables('analyticRuleVersion7')]"
}
},
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('analyticRuleTemplateSpecName8')]",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
"properties": {
- "connectorUiConfig": {
- "title": "Claroty",
- "publisher": "Claroty",
- "descriptionMarkdown": "The [Claroty](https://claroty.com/) data connector provides the capability to ingest [Continuous Threat Detection](https://claroty.com/resources/datasheets/continuous-threat-detection) and [Secure Remote Access](https://claroty.com/secure-remote-access/) events into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "Claroty",
- "baseQuery": "ClarotyEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (Claroty)",
- "lastDataReceivedQuery": "ClarotyEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "ClarotyEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
+ "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('analyticRuleVersion8')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
{
- "description": "Top 10 Destinations",
- "query": "ClarotyEvent\n | where isnotempty(DstIpAddr)\n | summarize count() by DstIpAddr\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
+ "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
+ "name": "[variables('analyticRulecontentId8')]",
+ "apiVersion": "2022-04-01-preview",
+ "kind": "Scheduled",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "description": "Detects suspicious behavior that is generally indicative of malware.",
+ "displayName": "Claroty - Suspicious activity",
+ "enabled": false,
+ "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "queryFrequency": "PT1H",
+ "queryPeriod": "PT1H",
+ "severity": "High",
+ "suppressionDuration": "PT1H",
+ "suppressionEnabled": false,
+ "triggerOperator": "GreaterThan",
+ "triggerThreshold": 0,
+ "status": "Available",
+ "requiredDataConnectors": [
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "Claroty"
+ },
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
+ }
+ ],
+ "tactics": [
+ "Discovery"
+ ],
+ "techniques": [
+ "T1018"
+ ],
+ "entityMappings": [
+ {
+ "fieldMappings": [
+ {
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
+ }
+ ],
+ "entityType": "IP"
+ }
+ ]
}
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
},
{
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "properties": {
+ "description": "Claroty Analytics Rule 8",
+ "parentId": "[variables('analyticRuleId8')]",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "kind": "AnalyticsRule",
+ "version": "[variables('analyticRuleVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Claroty",
+ "sourceId": "[variables('_solutionId')]"
},
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Configure log forwarding using CEF:\n\n1. Navigate to the **Syslog** section of the Configuration menu.\n\n2. Select **+Add**.\n\n3. In the **Add New Syslog Dialog** specify Remote Server **IP**, **Port**, **Protocol** and select **Message Format** - **CEF**.\n\n4. Choose **Save** to exit the **Add Syslog dialog**.",
- "title": "2. Configure Claroty to send logs using CEF"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
}
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
+ }
}
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**ClarotyEvent**](https://aka.ms/sentinel-claroty-parser) which is deployed with the Microsoft Sentinel Solution."
- }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_analyticRulecontentId8')]",
+ "contentKind": "AnalyticsRule",
+ "displayName": "Claroty - Suspicious activity",
+ "contentProductId": "[variables('_analyticRulecontentProductId8')]",
+ "id": "[variables('_analyticRulecontentProductId8')]",
+ "version": "[variables('analyticRuleVersion8')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName1')]",
+ "name": "[variables('analyticRuleTemplateSpecName9')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyAssetDown_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion1')]",
+ "contentVersion": "[variables('analyticRuleVersion9')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId1')]",
+ "name": "[variables('analyticRulecontentId9')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Triggers asset is down.",
- "displayName": "Claroty - Asset Down",
+ "description": "Detects suspicious file transfer activity.",
+ "displayName": "Claroty - Suspicious file transfer",
"enabled": false,
- "query": "ClarotyEvent\n| where EventOriginalType has 'Asset Down' or EventType has 'Asset Down'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
@@ -1640,24 +2016,30 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
"dataTypes": [
"ClarotyEvent"
- ]
+ ],
+ "connectorId": "Claroty"
+ },
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
}
],
"tactics": [
- "Impact"
+ "Discovery"
],
"techniques": [
- "T1529"
+ "T1018"
],
"entityMappings": [
{
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
],
"entityType": "IP"
@@ -1668,13 +2050,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 1",
- "parentId": "[variables('analyticRuleId1')]",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "description": "Claroty Analytics Rule 9",
+ "parentId": "[variables('analyticRuleId9')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion1')]",
+ "version": "[variables('analyticRuleVersion9')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -1699,41 +2081,41 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId1')]",
+ "contentId": "[variables('_analyticRulecontentId9')]",
"contentKind": "AnalyticsRule",
- "displayName": "Claroty - Asset Down",
- "contentProductId": "[variables('_analyticRulecontentProductId1')]",
- "id": "[variables('_analyticRulecontentProductId1')]",
- "version": "[variables('analyticRuleVersion1')]"
+ "displayName": "Claroty - Suspicious file transfer",
+ "contentProductId": "[variables('_analyticRulecontentProductId9')]",
+ "id": "[variables('_analyticRulecontentProductId9')]",
+ "version": "[variables('analyticRuleVersion9')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName2')]",
+ "name": "[variables('analyticRuleTemplateSpecName10')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyCriticalBaselineDeviation_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion2')]",
+ "contentVersion": "[variables('analyticRuleVersion10')]",
"parameters": {},
"variables": {},
"resources": [
{
"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId2')]",
+ "name": "[variables('analyticRulecontentId10')]",
"apiVersion": "2022-04-01-preview",
"kind": "Scheduled",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects when critical deviation from baseline occurs.",
- "displayName": "Claroty - Critical baseline deviation",
+ "description": "Detects Collection of known malware commands and control servers.",
+ "displayName": "Claroty - Treat detected",
"enabled": false,
- "query": "ClarotyEvent\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| where EventSeverity == '5'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"severity": "High",
@@ -1744,24 +2126,30 @@
"status": "Available",
"requiredDataConnectors": [
{
- "connectorId": "Claroty",
"dataTypes": [
"ClarotyEvent"
- ]
+ ],
+ "connectorId": "Claroty"
+ },
+ {
+ "dataTypes": [
+ "ClarotyEvent"
+ ],
+ "connectorId": "ClarotyAma"
}
],
"tactics": [
- "Impact"
+ "Discovery"
],
"techniques": [
- "T1529"
+ "T1018"
],
"entityMappings": [
{
"fieldMappings": [
{
- "columnName": "IPCustomEntity",
- "identifier": "Address"
+ "identifier": "Address",
+ "columnName": "IPCustomEntity"
}
],
"entityType": "IP"
@@ -1772,13 +2160,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 2",
- "parentId": "[variables('analyticRuleId2')]",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "description": "Claroty Analytics Rule 10",
+ "parentId": "[variables('analyticRuleId10')]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
"kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion2')]",
+ "version": "[variables('analyticRuleVersion10')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -1803,73 +2191,223 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId2')]",
+ "contentId": "[variables('_analyticRulecontentId10')]",
"contentKind": "AnalyticsRule",
- "displayName": "Claroty - Critical baseline deviation",
- "contentProductId": "[variables('_analyticRulecontentProductId2')]",
- "id": "[variables('_analyticRulecontentProductId2')]",
- "version": "[variables('analyticRuleVersion2')]"
+ "displayName": "Claroty - Treat detected",
+ "contentProductId": "[variables('_analyticRulecontentProductId10')]",
+ "id": "[variables('_analyticRulecontentProductId10')]",
+ "version": "[variables('analyticRuleVersion10')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName1')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "ClarotyBaselineDeviation_HuntingQueries Hunting Query with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion1')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_1",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Claroty - Baseline deviation",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'Baseline Deviation' or EventType has 'Baseline Deviation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for baseline deviation events."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId1'),'/'))))]",
+ "properties": {
+ "description": "Claroty Hunting Query 1",
+ "parentId": "[variables('huntingQueryId1')]",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion1')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Claroty",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId1')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Baseline deviation",
+ "contentProductId": "[variables('_huntingQuerycontentProductId1')]",
+ "id": "[variables('_huntingQuerycontentProductId1')]",
+ "version": "[variables('huntingQueryVersion1')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "ClarotyConflictAssets_HuntingQueries Hunting Query with template version 3.0.1",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_2",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Claroty - Conflict assets",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has 'New Conflict Asset' or EventType has 'New Conflict Asset'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for conflicting assets."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId2'),'/'))))]",
+ "properties": {
+ "description": "Claroty Hunting Query 2",
+ "parentId": "[variables('huntingQueryId2')]",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Claroty",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId2')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Conflict assets",
+ "contentProductId": "[variables('_huntingQuerycontentProductId2')]",
+ "id": "[variables('_huntingQuerycontentProductId2')]",
+ "version": "[variables('huntingQueryVersion2')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName3')]",
+ "name": "[variables('huntingQueryTemplateSpecName3')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyLoginToUncommonSite_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyCriticalEvents_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion3')]",
+ "contentVersion": "[variables('huntingQueryVersion3')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId3')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_3",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects user login to uncommon location.",
- "displayName": "Claroty - Login to uncommon location",
- "enabled": false,
- "query": "let usr_sites = ClarotyEvent\n| where TimeGenerated > ago(14d)\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| summarize all_loc = makeset(tostring(Site)) by SrcUsername\n| extend k = 1;\nClarotyEvent\n| where EventType has 'Login to SRA succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\slogged', 1, EventMessage)\n| extend k = 1\n| join kind=innerunique (usr_sites) on k\n| where all_loc !contains Site\n| extend SrcIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "P14D",
- "severity": "Medium",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "Claroty - Critical Events",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity == '5'\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for critical severity events."
+ },
{
- "fieldMappings": [
- {
- "columnName": "SrcIpAddr",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -1877,13 +2415,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId3'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 3",
- "parentId": "[variables('analyticRuleId3')]",
- "contentId": "[variables('_analyticRulecontentId3')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion3')]",
+ "description": "Claroty Hunting Query 3",
+ "parentId": "[variables('huntingQueryId3')]",
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion3')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -1908,73 +2446,53 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId3')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Login to uncommon location",
- "contentProductId": "[variables('_analyticRulecontentProductId3')]",
- "id": "[variables('_analyticRulecontentProductId3')]",
- "version": "[variables('analyticRuleVersion3')]"
+ "contentId": "[variables('_huntingQuerycontentId3')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Critical Events",
+ "contentProductId": "[variables('_huntingQuerycontentProductId3')]",
+ "id": "[variables('_huntingQuerycontentProductId3')]",
+ "version": "[variables('huntingQueryVersion3')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName4')]",
+ "name": "[variables('huntingQueryTemplateSpecName4')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyMultipleFailedLogin_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyPLCLogins_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion4')]",
+ "contentVersion": "[variables('huntingQueryVersion4')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId4')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_4",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects multiple failed logins by same user.",
- "displayName": "Claroty - Multiple failed logins by user",
- "enabled": false,
- "query": "let threshold = 5;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend AccountCustomEntity = SrcUsername\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "Claroty - PLC logins",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where EventType has 'Login'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for PLC login security alerts."
+ },
{
- "fieldMappings": [
- {
- "columnName": "AccountCustomEntity",
- "identifier": "Name"
- }
- ],
- "entityType": "Account"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -1982,13 +2500,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId4'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 4",
- "parentId": "[variables('analyticRuleId4')]",
- "contentId": "[variables('_analyticRulecontentId4')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion4')]",
+ "description": "Claroty Hunting Query 4",
+ "parentId": "[variables('huntingQueryId4')]",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion4')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -2013,73 +2531,53 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId4')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Multiple failed logins by user",
- "contentProductId": "[variables('_analyticRulecontentProductId4')]",
- "id": "[variables('_analyticRulecontentProductId4')]",
- "version": "[variables('analyticRuleVersion4')]"
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - PLC logins",
+ "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
+ "id": "[variables('_huntingQuerycontentProductId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName5')]",
+ "name": "[variables('huntingQueryTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyMultipleFailedLoginsSameDst_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotySRAFailedLogins_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion5')]",
+ "contentVersion": "[variables('huntingQueryVersion5')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId5')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_5",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects multiple failed logins to same destinations.",
- "displayName": "Claroty - Multiple failed logins to same destinations",
- "enabled": false,
- "query": "let threshold = 10;\nClarotyEvent\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend Site = column_ifexists(\"site_name\",\"\")\n| where isnotempty(Site)\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by Site, bin(TimeGenerated, 5m)\n| where count_ > threshold\n| extend SGCustomEntity = Site\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "Claroty - User failed logins",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventType has 'Login to SRA'\n| where EventType !has 'succeeded'\n| extend SrcUsername = extract(@'User\\s(.*?)\\sfailed', 1, EventMessage)\n| summarize count() by SrcUsername\n| extend AccountCustomEntity = SrcUsername\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for login failure events."
+ },
{
- "fieldMappings": [
- {
- "columnName": "SGCustomEntity",
- "identifier": "DistinguishedName"
- }
- ],
- "entityType": "SecurityGroup"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -2087,13 +2585,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 5",
- "parentId": "[variables('analyticRuleId5')]",
- "contentId": "[variables('_analyticRulecontentId5')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion5')]",
+ "description": "Claroty Hunting Query 5",
+ "parentId": "[variables('huntingQueryId5')]",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion5')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -2118,73 +2616,53 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId5')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Multiple failed logins to same destinations",
- "contentProductId": "[variables('_analyticRulecontentProductId5')]",
- "id": "[variables('_analyticRulecontentProductId5')]",
- "version": "[variables('analyticRuleVersion5')]"
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - User failed logins",
+ "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
+ "id": "[variables('_huntingQuerycontentProductId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName6')]",
+ "name": "[variables('huntingQueryTemplateSpecName6')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyNewAsset_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyScanSources_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion6')]",
+ "contentVersion": "[variables('huntingQueryVersion6')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId6')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_6",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Triggers when a new asset has been added into the environment.",
- "displayName": "Claroty - New Asset",
- "enabled": false,
- "query": "ClarotyEvent\n| where EventOriginalType has 'New Asset' or EventType has 'New Asset'\n| extend IPCustomEntity = SrcIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "Claroty - Network scan sources",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, SrcIpAddr\n| extend IPCustomEntity = SrcIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "InitialAccess"
- ],
- "techniques": [
- "T1190",
- "T1133"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for sources of network scans."
+ },
{
- "fieldMappings": [
- {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -2192,13 +2670,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 6",
- "parentId": "[variables('analyticRuleId6')]",
- "contentId": "[variables('_analyticRulecontentId6')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion6')]",
+ "description": "Claroty Hunting Query 6",
+ "parentId": "[variables('huntingQueryId6')]",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion6')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -2223,72 +2701,53 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId6')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - New Asset",
- "contentProductId": "[variables('_analyticRulecontentProductId6')]",
- "id": "[variables('_analyticRulecontentProductId6')]",
- "version": "[variables('analyticRuleVersion6')]"
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Network scan sources",
+ "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
+ "id": "[variables('_huntingQuerycontentProductId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName7')]",
+ "name": "[variables('huntingQueryTemplateSpecName7')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyPolicyViolation_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyScantargets_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion7')]",
+ "contentVersion": "[variables('huntingQueryVersion7')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId7')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_7",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects policy violations.",
- "displayName": "Claroty - Policy violation",
- "enabled": false,
- "query": "ClarotyEvent\n| where EventOriginalType has 'Policy Violation' or EventType has 'Policy Violation'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "Claroty - Network scan targets",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType has_any ('Network Scan', 'TCP Scan', 'UDP Scan') or EventType has_any ('Network Scan', 'TCP Scan', 'UDP Scan')\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "Discovery"
- ],
- "techniques": [
- "T1018"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for targets of network scans."
+ },
{
- "fieldMappings": [
- {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -2296,13 +2755,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 7",
- "parentId": "[variables('analyticRuleId7')]",
- "contentId": "[variables('_analyticRulecontentId7')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion7')]",
+ "description": "Claroty Hunting Query 7",
+ "parentId": "[variables('huntingQueryId7')]",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion7')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -2327,72 +2786,53 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId7')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Policy violation",
- "contentProductId": "[variables('_analyticRulecontentProductId7')]",
- "id": "[variables('_analyticRulecontentProductId7')]",
- "version": "[variables('analyticRuleVersion7')]"
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Network scan targets",
+ "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
+ "id": "[variables('_huntingQuerycontentProductId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName8')]",
+ "name": "[variables('huntingQueryTemplateSpecName8')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotySuspiciousActivity_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyUnapprovedAccess_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion8')]",
+ "contentVersion": "[variables('huntingQueryVersion8')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId8')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_8",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects suspicious behavior that is generally indicative of malware.",
- "displayName": "Claroty - Suspicious activity",
- "enabled": false,
- "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious Activity' or EventType has 'Suspicious Activity'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "Claroty - Unapproved access",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventSeverity =~ 'Unapproved'\n| where isnotempty(CategoryAccess)\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "Discovery"
- ],
- "techniques": [
- "T1018"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for unapproved access events."
+ },
{
- "fieldMappings": [
- {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -2400,13 +2840,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId8'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 8",
- "parentId": "[variables('analyticRuleId8')]",
- "contentId": "[variables('_analyticRulecontentId8')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion8')]",
+ "description": "Claroty Hunting Query 8",
+ "parentId": "[variables('huntingQueryId8')]",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion8')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -2431,72 +2871,53 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId8')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Suspicious activity",
- "contentProductId": "[variables('_analyticRulecontentProductId8')]",
- "id": "[variables('_analyticRulecontentProductId8')]",
- "version": "[variables('analyticRuleVersion8')]"
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Unapproved access",
+ "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
+ "id": "[variables('_huntingQuerycontentProductId8')]",
+ "version": "[variables('huntingQueryVersion8')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName9')]",
+ "name": "[variables('huntingQueryTemplateSpecName9')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotySuspiciousFileTransfer_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyUnresolvedAlerts_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion9')]",
+ "contentVersion": "[variables('huntingQueryVersion9')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId9')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
- "location": "[parameters('workspace-location')]",
- "properties": {
- "description": "Detects suspicious file transfer activity.",
- "displayName": "Claroty - Suspicious file transfer",
- "enabled": false,
- "query": "ClarotyEvent\n| where EventOriginalType has 'Suspicious File Transfer' or EventType has 'Suspicious File Transfer'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_9",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Claroty - Unresolved alerts",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where EventOriginalType =~ 'Alert'\n| where ResolvedAs =~ 'Unresolved'\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "Discovery"
- ],
- "techniques": [
- "T1018"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for alerts with unresolved status."
+ },
{
- "fieldMappings": [
- {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -2504,13 +2925,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId9'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 9",
- "parentId": "[variables('analyticRuleId9')]",
- "contentId": "[variables('_analyticRulecontentId9')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion9')]",
+ "description": "Claroty Hunting Query 9",
+ "parentId": "[variables('huntingQueryId9')]",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion9')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -2535,72 +2956,53 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId9')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Suspicious file transfer",
- "contentProductId": "[variables('_analyticRulecontentProductId9')]",
- "id": "[variables('_analyticRulecontentProductId9')]",
- "version": "[variables('analyticRuleVersion9')]"
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Unresolved alerts",
+ "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
+ "id": "[variables('_huntingQuerycontentProductId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
"apiVersion": "2023-04-01-preview",
- "name": "[variables('analyticRuleTemplateSpecName10')]",
+ "name": "[variables('huntingQueryTemplateSpecName10')]",
"location": "[parameters('workspace-location')]",
"dependsOn": [
"[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "ClarotyTreat_AnalyticalRules Analytics Rule with template version 3.0.0",
+ "description": "ClarotyWriteExecuteOperations_HuntingQueries Hunting Query with template version 3.0.1",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('analyticRuleVersion10')]",
+ "contentVersion": "[variables('huntingQueryVersion10')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('analyticRulecontentId10')]",
- "apiVersion": "2022-04-01-preview",
- "kind": "Scheduled",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "Claroty_Hunting_Query_10",
"location": "[parameters('workspace-location')]",
"properties": {
- "description": "Detects Collection of known malware commands and control servers.",
- "displayName": "Claroty - Treat detected",
- "enabled": false,
- "query": "ClarotyEvent\n| where EventOriginalType has 'Treat' or EventType has 'Treat'\n| project TimeGenerated, DstIpAddr\n| extend IPCustomEntity = DstIpAddr\n",
- "queryFrequency": "PT1H",
- "queryPeriod": "PT1H",
- "severity": "High",
- "suppressionDuration": "PT1H",
- "suppressionEnabled": false,
- "triggerOperator": "GreaterThan",
- "triggerThreshold": 0,
- "status": "Available",
- "requiredDataConnectors": [
+ "eTag": "*",
+ "displayName": "Claroty - Write and Execute operations",
+ "category": "Hunting Queries",
+ "query": "ClarotyEvent\n| where TimeGenerated > ago(24h)\n| where isnotempty(CategoryAccess)\n| where CategoryAccess != 'Read'\n| extend IPCustomEntity = DstIpAddr\n",
+ "version": 2,
+ "tags": [
{
- "connectorId": "Claroty",
- "dataTypes": [
- "ClarotyEvent"
- ]
- }
- ],
- "tactics": [
- "Discovery"
- ],
- "techniques": [
- "T1018"
- ],
- "entityMappings": [
+ "name": "description",
+ "value": "Query searches for operations with Write and Execute accesses."
+ },
{
- "fieldMappings": [
- {
- "columnName": "IPCustomEntity",
- "identifier": "Address"
- }
- ],
- "entityType": "IP"
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1190"
}
]
}
@@ -2608,13 +3010,13 @@
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId10'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
"properties": {
- "description": "Claroty Analytics Rule 10",
- "parentId": "[variables('analyticRuleId10')]",
- "contentId": "[variables('_analyticRulecontentId10')]",
- "kind": "AnalyticsRule",
- "version": "[variables('analyticRuleVersion10')]",
+ "description": "Claroty Hunting Query 10",
+ "parentId": "[variables('huntingQueryId10')]",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion10')]",
"source": {
"kind": "Solution",
"name": "Claroty",
@@ -2639,12 +3041,12 @@
"packageName": "[variables('_solutionName')]",
"packageId": "[variables('_solutionId')]",
"contentSchemaVersion": "3.0.0",
- "contentId": "[variables('_analyticRulecontentId10')]",
- "contentKind": "AnalyticsRule",
- "displayName": "Claroty - Treat detected",
- "contentProductId": "[variables('_analyticRulecontentProductId10')]",
- "id": "[variables('_analyticRulecontentProductId10')]",
- "version": "[variables('analyticRuleVersion10')]"
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Claroty - Write and Execute operations",
+ "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
+ "id": "[variables('_huntingQuerycontentProductId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
}
},
{
@@ -2652,12 +3054,12 @@
"apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "3.0.0",
+ "version": "3.0.1",
"kind": "Solution",
"contentSchemaVersion": "3.0.0",
"displayName": "Claroty",
"publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
- "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Claroty solution for Microsoft Sentinel enables ingestion of Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\n\nData Connectors: 1, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Claroty solution for Microsoft Sentinel enables ingestion of Continuous Threat Detection and Secure Remote Access events into Microsoft Sentinel.
\nClaroty via AMA - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\nClaroty via Legacy Agent - This data connector helps in ingesting Claroty logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\nNOTE: Microsoft recommends installation of Claroty via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 10, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2683,9 +3085,14 @@ "operator": "AND", "criteria": [ { - "kind": "Workbook", - "contentId": "[variables('_workbookContentId1')]", - "version": "[variables('workbookVersion1')]" + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId1')]", + "version": "[variables('dataConnectorVersion1')]" + }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" }, { "kind": "Parser", @@ -2693,59 +3100,9 @@ "version": "[variables('parserVersion1')]" }, { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId1')]", - "version": "[variables('huntingQueryVersion1')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId2')]", - "version": "[variables('huntingQueryVersion2')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId3')]", - "version": "[variables('huntingQueryVersion3')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId4')]", - "version": "[variables('huntingQueryVersion4')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId5')]", - "version": "[variables('huntingQueryVersion5')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId6')]", - "version": "[variables('huntingQueryVersion6')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId7')]", - "version": "[variables('huntingQueryVersion7')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId8')]", - "version": "[variables('huntingQueryVersion8')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId9')]", - "version": "[variables('huntingQueryVersion9')]" - }, - { - "kind": "HuntingQuery", - "contentId": "[variables('_huntingQuerycontentId10')]", - "version": "[variables('huntingQueryVersion10')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" + "kind": "Workbook", + "contentId": "[variables('_workbookContentId1')]", + "version": "[variables('workbookVersion1')]" }, { "kind": "AnalyticsRule", @@ -2796,6 +3153,56 @@ "kind": "AnalyticsRule", "contentId": "[variables('analyticRulecontentId10')]", "version": "[variables('analyticRuleVersion10')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId1')]", + "version": "[variables('huntingQueryVersion1')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId2')]", + "version": "[variables('huntingQueryVersion2')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId3')]", + "version": "[variables('huntingQueryVersion3')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId4')]", + "version": "[variables('huntingQueryVersion4')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId5')]", + "version": "[variables('huntingQueryVersion5')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId6')]", + "version": "[variables('huntingQueryVersion6')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId7')]", + "version": "[variables('huntingQueryVersion7')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId8')]", + "version": "[variables('huntingQueryVersion8')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId9')]", + "version": "[variables('huntingQueryVersion9')]" + }, + { + "kind": "HuntingQuery", + "contentId": "[variables('_huntingQuerycontentId10')]", + "version": "[variables('huntingQueryVersion10')]" } ] }, diff --git a/Solutions/Claroty/ReleaseNotes.md b/Solutions/Claroty/ReleaseNotes.md index fe42770159c..6c976c5c573 100644 --- a/Solutions/Claroty/ReleaseNotes.md +++ b/Solutions/Claroty/ReleaseNotes.md @@ -1,3 +1,4 @@ -| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | -|-------------|--------------------------------|-------------------------------------| -| 3.0.0 | 27-07-2023 | Corrected the links in the solution.| +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|------------------------------------------------| +| 3.0.1 | 11-09-2023 | Addition of new Claroty AMA **Data Connector** | +| 3.0.0 | 27-07-2023 | Corrected the links in the solution. | diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index e0153c21a03..11c1148e0f8 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -2857,7 +2857,8 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "Claroty" + "Claroty", + "ClarotyAma" ], "previewImagesFileNames": [ "ClarotyBlack.png",