Azure-Sentinel
/Solutions/Claroty/Parsers/ClarotyEvent.yaml does not parse out additional extensions when threats are sent to Sentinel
Describe the bug Claroty delivers technical data related to threats triggered via a SNORT or Yara rule, but this log is only partially parsed. The following are the Additional extensions that are delivered when a log is sent to Sentinel:
AdditionalExtensions
CtdSourceIp CtdDestinationIp CtdSourceMac CtdDestinationMac CtdSourceHost CtdDestinationHost CtdTimeGenerated CtdExternalId CtdDeviceExternalId CtdMessage CtdProtocol CtdCategory CtdSourceAssetType CtdDestinationAssetType CtdSourceZone CtdDestinationZone CtdAlertLink CtdAlertId CtdStoryId CtdEventTypeId CtdResolvedAs
https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Parsers/ClarotyEvent.yaml
To Reproduce Steps to reproduce the behavior: Review the parser and notice that the AdditionalExtensions are not configured to be parsed out.
Expected behavior The extensions should be able to be queried.
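For anyone hitting the same gap, the following is an added illustration of how the extensions listed above can be surfaced as queryable columns in KQL. It is not the repository's ClarotyEvent.yaml and not code from anyone in this thread. It assumes the events land in CommonSecurityLog with DeviceVendor "Claroty" and that AdditionalExtensions holds semicolon-separated key=value pairs, which is how the CEF connector stores extensions it has no dedicated column for; the two sample rows are constructed for the example.

```kusto
// Constructed sample rows standing in for CommonSecurityLog.
// In a workspace, replace the datatable with:
//   CommonSecurityLog | where DeviceVendor == "Claroty"
let ClarotySample = datatable(TimeGenerated:datetime, DeviceVendor:string, DeviceProduct:string, Activity:string, AdditionalExtensions:string)
[
    // Full set of extensions, as a SNORT-triggered alert would carry them (constructed values)
    datetime(2024-05-20T10:15:00Z), "Claroty", "CTD", "Signature Alert",
    "CtdSourceIp=10.10.1.25;CtdDestinationIp=10.10.2.40;CtdSourceMac=00:1a:2b:3c:4d:5e;CtdDestinationMac=00:aa:bb:cc:dd:ee;CtdSourceHost=plc-01;CtdDestinationHost=hmi-03;CtdTimeGenerated=2024-05-20T10:14:58Z;CtdExternalId=1001;CtdDeviceExternalId=55;CtdMessage=Snort rule matched;CtdProtocol=Modbus;CtdCategory=Threat;CtdSourceAssetType=PLC;CtdDestinationAssetType=HMI;CtdSourceZone=Cell-1;CtdDestinationZone=Supervisory;CtdAlertLink=https://ctd.example.invalid/alerts/1001;CtdAlertId=1001;CtdStoryId=77;CtdEventTypeId=12;CtdResolvedAs=Unresolved",
    // Partial set: a Yara-triggered alert missing some keys, to show that absent keys yield empty columns rather than a parse failure
    datetime(2024-05-20T10:20:00Z), "Claroty", "CTD", "Signature Alert",
    "CtdSourceIp=10.10.1.26;CtdDestinationIp=10.10.2.41;CtdMessage=Yara rule matched;CtdProtocol=S7;CtdCategory=Threat;CtdSourceZone=Cell-2;CtdDestinationZone=Supervisory;CtdAlertId=1002;CtdResolvedAs=Unresolved"
];
ClarotySample
| where DeviceVendor == "Claroty"
// parse-kv in specified-delimiter mode splits on ';' between pairs and on the first '=' within a pair,
// so values containing spaces or '/' are kept whole. Types are applied per column.
| parse-kv AdditionalExtensions as (
    CtdSourceIp:string,
    CtdDestinationIp:string,
    CtdSourceMac:string,
    CtdDestinationMac:string,
    CtdSourceHost:string,
    CtdDestinationHost:string,
    CtdTimeGenerated:datetime,
    CtdExternalId:string,
    CtdDeviceExternalId:string,
    CtdMessage:string,
    CtdProtocol:string,
    CtdCategory:string,
    CtdSourceAssetType:string,
    CtdDestinationAssetType:string,
    CtdSourceZone:string,
    CtdDestinationZone:string,
    CtdAlertLink:string,
    CtdAlertId:string,
    CtdStoryId:string,
    CtdEventTypeId:string,
    CtdResolvedAs:string
) with (pair_delimiter=';', kv_delimiter='=')
| project-away AdditionalExtensions
// With the fields as columns, the extensions become directly queryable, e.g. unresolved threats per zone pair
| where CtdCategory == "Threat" and CtdResolvedAs == "Unresolved"
| summarize Alerts = count(), Protocols = make_set(CtdProtocol) by CtdSourceZone, CtdDestinationZone
```

Run as-is, the query returns one row per zone pair (Cell-1 to Supervisory with Modbus, Cell-2 to Supervisory with S7), each with one alert. If a parser function is preferred, the `parse-kv` block is the part that would need to be added to the existing parser; the `where`/`summarize` tail is only there to show the columns being queried.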
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @thibMP , Thanks for flagging this issue, we will investigate this issue and get back to you with some updates by 06/02/2024. Thanks!
Hi @thibMP, could you please share sample data to the email id ([email protected]), so we can proceed with changes for additional extensions.
Hi @v-muuppugund thanks, I will get our SIEM engineering department to pull that info. Do you need raw data or is it ok if it is the info for what is in Sentinel today?
Hi @thibMP, please share both; we will do some data analysis so we have data points for updating the parser.
Hi @thibMP, gentle reminder: could you please share both? We will do some data analysis so we have data points for updating the parser.
Hi @thibMP, since we have not received a response in the last 5 days, we are closing your issue #9860 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.