Claroty



Attribute | Value
Publisher | Microsoft Corporation
Support Tier | Microsoft
Support Link | https://support.microsoft.com
Categories | domains
Version | 3.0.3
Author | Microsoft - support@microsoft.com
First Published | 2021-10-23
Last Updated | 2026-04-08
Solution Folder | Claroty
Marketplace | Azure Marketplace · Rating: ★★★★★ 5.0/5 (1 rating) · Popularity: 🔵 Medium (65%)
Pre-requisites | Common Event Format

The Claroty solution for Microsoft Sentinel enables ingestion of Claroty Continuous Threat Detection (CTD) and Secure Remote Access (SRA) events into Microsoft Sentinel.

This solution depends on the Common Event Format solution, which contains the CEF via AMA connector used to collect the logs. The CEF solution is installed as part of this solution's installation.

NOTE: Microsoft recommends installing the CEF via AMA connector. The solution-specific Claroty connectors (via Legacy Agent and via AMA) were deprecated on Aug 31, 2024.
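As an added example (not code from the Claroty solution, the ClarotyEvent parser or the CEF via AMA connector), the script below shows how a CEF record emitted by a Claroty sensor is split into the CommonSecurityLog columns that the solution's parser, analytic rules, hunting queries and workbook read, and then runs an illustrative failed-login count over the resulting rows. The header and extension escaping rules and the key-to-column mapping are the standard CEF ones as Sentinel's CommonSecurityLog applies them; the sample lines, their device version, event class IDs and the act/outcome encoding are constructed for this example and are not Claroty's documented event format.

```python
"""Added example: how a Claroty CEF record lands in Sentinel's CommonSecurityLog.

Illustrative code written for this page, not the Claroty solution's own parser or
the CEF via AMA connector. Sample lines below are constructed; their device
version, event class IDs and extension values are hypothetical.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|
#             Device Event Class ID|Name|Severity|[Extension]
# CommonSecurityLog stores Name as Activity and Severity as LogSeverity.
HEADER_COLUMNS = ["DeviceVendor", "DeviceProduct", "DeviceVersion",
                  "DeviceEventClassID", "Activity", "LogSeverity"]

# Subset of standard CEF extension keys and the CommonSecurityLog columns they
# populate. Keys not mapped here are kept in AdditionalExtensions.
EXTENSION_COLUMNS = {
    "src": "SourceIP", "spt": "SourcePort", "shost": "SourceHostName",
    "suser": "SourceUserName", "dst": "DestinationIP", "dpt": "DestinationPort",
    "dhost": "DestinationHostName", "duser": "DestinationUserName",
    "act": "DeviceAction", "msg": "Message", "cat": "DeviceEventCategory",
    "outcome": "EventOutcome", "proto": "Protocol", "dvc": "DeviceAddress",
    "dvchost": "DeviceName", "cnt": "EventCount", "rt": "ReceiptTime",
}
_CUSTOM_RE = re.compile(r"^(cs|cn)([1-6])(Label)?$")  # csN/cnN and their labels
_EXT_ESCAPES = {"n": "\n", "r": "\r"}                  # \= and \\ fall through


def _split_header(line: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields; a backslash escapes the
    next character (CEF uses it for '|' and '\\' inside header fields)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
            if len(fields) == 7:
                break
        else:
            buf.append(ch)
            i += 1
    if len(fields) == 6:  # record without extension and without trailing pipe
        fields.append("".join(buf))
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def _unescape_ext(value: str) -> str:
    """Undo extension-value escapes (\\= \\\\ \\n \\r)."""
    return re.sub(r"\\(.)", lambda m: _EXT_ESCAPES.get(m.group(1), m.group(1)), value)


def to_common_security_log(line: str) -> Dict[str, str]:
    """Map one CEF line onto CommonSecurityLog column names (values kept as strings)."""
    fields, extension = _split_header(line)
    row = dict(zip(HEADER_COLUMNS, fields[1:]))
    extras = []
    # Extension is 'key=value key=value'; values may contain spaces, so split
    # only before a token that looks like a new key. CEF requires a literal '='
    # inside a value to be escaped as '\=', which keeps this split unambiguous.
    for pair in re.split(r"\s+(?=[A-Za-z0-9_]+=)", extension.strip()):
        key, sep, raw = pair.partition("=")
        if not sep:
            continue
        value = _unescape_ext(raw)
        column = EXTENSION_COLUMNS.get(key)
        if column is None:
            m = _CUSTOM_RE.match(key)
            if m:
                kind = "DeviceCustomString" if m.group(1) == "cs" else "DeviceCustomNumber"
                column = f"{kind}{m.group(2)}{m.group(3) or ''}"
        if column is None:
            extras.append(f"{key}={value}")
        else:
            row[column] = value
    if extras:
        row["AdditionalExtensions"] = ";".join(extras)
    return row


def failed_logins_by_user(rows, threshold: int = 3) -> Dict[str, int]:
    """Users with at least `threshold` failed-login rows. An illustrative
    approximation of a 'multiple failed logins by user' detection; the
    solution's own KQL is not reproduced here, and the act/outcome encoding is
    the constructed sample's, not Claroty's documented one."""
    counts = Counter(
        r["SourceUserName"] for r in rows
        if "SourceUserName" in r
        and r.get("DeviceAction") == "login"
        and r.get("EventOutcome") == "failure"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample records (hypothetical version, class IDs and values).
SAMPLE_LINES = [
    "CEF:0|Claroty|CTD|4.0|login|Login failed|7|suser=eng_ops src=10.10.20.5 dst=10.10.30.11 dpt=502 act=login outcome=failure cs1Label=Site cs1=Plant A msg=Bad password\\=3",
    "CEF:0|Claroty|CTD|4.0|login|Login failed|7|suser=eng_ops src=10.10.20.5 dst=10.10.30.12 dpt=502 act=login outcome=failure zone=cell-7",
    "CEF:0|Claroty|CTD|4.0|login|Login failed|7|suser=eng_ops src=10.10.20.5 dst=10.10.30.13 dpt=502 act=login outcome=failure",
    "CEF:0|Claroty|CTD|4.0|login|Login failed|7|suser=maint src=10.10.20.9 dst=10.10.30.11 dpt=502 act=login outcome=failure",
    "CEF:0|Claroty|CTD|4.0|policy|Policy violation \\| write|9|src=10.10.20.5 dst=10.10.30.11 proto=modbus cs1Label=Site cs1=Plant A msg=Write outside baseline",
]

if __name__ == "__main__":
    rows = [to_common_security_log(line) for line in SAMPLE_LINES]
    for r in rows:
        print(r["DeviceEventClassID"], "|", r["Activity"], "|", r.get("SourceUserName", "-"))
    print("multiple failed logins:", failed_logins_by_user(rows))
```

When validating ingestion, the check that matters is that records arrive in CommonSecurityLog with the expected DeviceVendor and DeviceProduct values, because the ClarotyEvent parser and all of the content items read that one table; an extension key the CEF mapping does not recognise ends up in AdditionalExtensions rather than a typed column, which is where rules that filter on typed fields silently lose events.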


Pre-requisites

This solution depends on one other solution:

Common Event Format

Data Connectors

This solution has two discovered data connectors ⚠️ (present in the solution folder but not in the Solution definition):

[Deprecated] Claroty via AMA
[Deprecated] Claroty via Legacy Agent

Connectors from dependency solutions:

Common Event Format (CEF)
Common Event Format (CEF) via AMA

🔍 Discovered: an item found by scanning the solution folder but not listed in the Solution JSON file.

Tables Used

This solution uses one table:

Table | Used By Connectors | Used By Content
CommonSecurityLog | Common Event Format (CEF) (dependency); Common Event Format (CEF) via AMA (dependency); [Deprecated] Claroty via AMA; [Deprecated] Claroty via Legacy Agent | Analytics, Hunting, Workbooks

Content Items

This solution includes 22 content items:

Content Type | Count
Analytic Rules | 10
Hunting Queries | 10
Workbooks | 1
Parsers | 1

Analytic Rules

Name | Severity | Tactics | Tables Used
Claroty - Asset Down | High | Impact | CommonSecurityLog
Claroty - Critical baseline deviation | High | Impact | CommonSecurityLog
Claroty - Login to uncommon location | Medium | InitialAccess | CommonSecurityLog
Claroty - Multiple failed logins by user | High | InitialAccess | CommonSecurityLog
Claroty - Multiple failed logins to same destinations | High | InitialAccess | CommonSecurityLog
Claroty - New Asset | High | InitialAccess | CommonSecurityLog
Claroty - Policy violation | High | Discovery | CommonSecurityLog
Claroty - Suspicious activity | High | Discovery | CommonSecurityLog
Claroty - Suspicious file transfer | High | Discovery | CommonSecurityLog
Claroty - Threat detected | High | Discovery | CommonSecurityLog

Hunting Queries

Name | Tactics | Tables Used
Claroty - Baseline deviation | InitialAccess | CommonSecurityLog
Claroty - Conflict assets | InitialAccess | CommonSecurityLog
Claroty - Critical Events | InitialAccess | CommonSecurityLog
Claroty - Network scan sources | InitialAccess | CommonSecurityLog
Claroty - Network scan targets | InitialAccess | CommonSecurityLog
Claroty - PLC logins | InitialAccess | CommonSecurityLog
Claroty - Unapproved access | InitialAccess | CommonSecurityLog
Claroty - Unresolved alerts | InitialAccess | CommonSecurityLog
Claroty - User failed logins | InitialAccess | CommonSecurityLog
Claroty - Write and Execute operations | InitialAccess | CommonSecurityLog

Workbooks

Name | Tables Used
ClarotyOverview | CommonSecurityLog

Parsers

Name | Description | Tables Used
ClarotyEvent | - | CommonSecurityLog (read)

Release Notes

Version | Date Modified (DD-MM-YYYY) | Change History
3.0.4 | 03-04-2026 | Fixed typo in analytic rule
3.0.3 | 18-11-2024 | Removed deprecated data connectors
3.0.2 | 10-07-2024 | Deprecated data connector
3.0.1 | 11-09-2023 | Added new Claroty AMA data connector
3.0.0 | 27-07-2023 | Corrected the links in the solution
