What Changed
Fixed a critical typo in the Claroty threat detection Analytic Rule where “Treat” was incorrectly used instead of “Threat” in multiple locations, and bumped the rule version from 1.0.3 to 1.0.4.
Detection Logic
Primary data source: ClarotyEvent table
Core logic: Matches events where EventOriginalType or EventType has the term “Threat” (previously “Treat”), then projects TimeGenerated and DstIpAddr for IP entity mapping
Entity mapping: IP addresses from the DstIpAddr field
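As an added example (not code from the Claroty solution or this PR), a Python model of the rule's core logic run over constructed ClarotyEvent rows: `kql_has` is a simplified stand-in for the KQL `has` operator, and the sample rows and IP addresses are invented. It shows that the 1.0.3 term “Treat” can never match a “Threat” event, and that `has` is a whole-term match rather than a substring match.

```python
import re
from datetime import datetime, timezone

# Constructed sample rows standing in for the Sentinel ClarotyEvent table.
# Values are illustrative only, not real Claroty telemetry.
SAMPLE_EVENTS = [
    {"TimeGenerated": datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc),
     "EventOriginalType": "Threat Detected", "EventType": "Alert",
     "DstIpAddr": "10.10.20.5"},
    {"TimeGenerated": datetime(2024, 1, 1, 8, 5, tzinfo=timezone.utc),
     "EventOriginalType": "Baseline Deviation", "EventType": "threat",
     "DstIpAddr": "10.10.20.9"},
    {"TimeGenerated": datetime(2024, 1, 1, 8, 7, tzinfo=timezone.utc),
     "EventOriginalType": "Asset Discovery", "EventType": "Info",
     "DstIpAddr": "10.10.20.12"},
    # Constructed edge case: "Threats" is a different term from "Threat".
    {"TimeGenerated": datetime(2024, 1, 1, 8, 9, tzinfo=timezone.utc),
     "EventOriginalType": "Threats Summary", "EventType": "Info",
     "DstIpAddr": "10.10.20.13"},
]

_TERM_RE = re.compile(r"[A-Za-z0-9]+")

def kql_has(value, term):
    """Simplified model of the KQL `has` operator: a case-insensitive match on
    whole alphanumeric terms, so 'Threat Detected' has 'threat' but has neither
    'Treat' nor 'Threats'. Real KQL tokenisation has more rules; this is enough
    to show why the typo returned nothing."""
    wanted = term.lower()
    return any(tok.lower() == wanted for tok in _TERM_RE.findall(value or ""))

def run_rule(events, term="Threat"):
    """Model of the ClarotyThreat.yaml core logic:
    ClarotyEvent | where EventOriginalType has term or EventType has term
                 | project TimeGenerated, DstIpAddr"""
    return [
        {"TimeGenerated": e["TimeGenerated"], "DstIpAddr": e["DstIpAddr"]}
        for e in events
        if kql_has(e.get("EventOriginalType"), term) or kql_has(e.get("EventType"), term)
    ]

def ip_entities(results):
    """Entity mapping: distinct destination IPs the rule would hand to Sentinel."""
    return sorted({r["DstIpAddr"] for r in results})

if __name__ == "__main__":
    before = run_rule(SAMPLE_EVENTS, "Treat")   # rule version 1.0.3 behaviour
    after = run_rule(SAMPLE_EVENTS, "Threat")   # rule version 1.0.4 behaviour
    print(f"v1.0.3 ('Treat')  -> {len(before)} results")
    print(f"v1.0.4 ('Threat') -> {len(after)} results, IPs {ip_entities(after)}")
```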
Security Impact
This was a data fidelity gap affecting threat detection coverage. The original rule searched for EventOriginalType has 'Treat' or EventType has 'Treat'; because the KQL has operator matches whole terms, “Treat” never matches a “Threat” event, so the rule would have returned no results from legitimate Claroty threat events. SOC analysts using this rule would have missed critical threat indicators from the Claroty platform, creating a blind spot in OT/IoT threat detection.
MITRE Mapping
T1018 - System Network Discovery (from relevantTechniques field)
Affected Files
Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
(packaging artefacts: 3.0.4.zip, ReleaseNotes.md, Solution_Claroty.json, createUiDefinition.json, mainTemplate.json)