October 2024

Claroty xDome is a cloud-based industrial cybersecurity platform designed to protect critical infrastructure and industrial environments. It provides comprehensive visibility, threat detection, and vulnerability management across operational technology (OT), Internet of Things (IoT), and IT networks.

The new integration includes:

• 6 supported logs -

  • Claroty xDome Devices

  • Claroty xDome Alerts

  • Claroty xDome Events

  • Claroty xDome Sites

  • Claroty xDome Device Alerts

  • Claroty xDome Device Vulnerabilities

• Ingestion of the data to the data lake

• Mapping the data to IOC Search

• 3rd party detection

Learn more here

Detector ID: claroty_xdome_threat_alerts

To support the new integration with Claroty xDome, we’ve created this new 3rd party detector that presents the alerts generated by xDome.

xDome generates a variety of alerts, including Posture-like alerts (e.g., Risk, OT Activity) which are repetitive and very noisy. Hence, the detector includes only alert_category of Threat as well as Custom (i.e., alerts created by the end users), which results in an estimated noise reduction of ~90%.

For some of the alerts, the source IP is not presented in a dedicated field. Hence, we extract it from the alert name and present it in a designated attribute.

Detector ID: edr_cmd_suspicious_silent_execution_patterns

The detector looks for the execution of cmd.exe (Command Prompt) with the “Echo Off” flag (“/Q”). This flag is known to be used as part of different tools, including tools of the Impacket Python collection, such as the well-known Wmiexec.

In addition, this detector might identify different attack tools’ usage and manual executions of cmd.exe that share the characteristic of silent execution (Echo Off) with Impacket tools.

In cases that WmiPrvSE.exe is the initiating process, investigating the content of its child processes’ executed command of all the child processes of the initiating “WmiPrvSE.exe” can be used to get a better understanding of the intent behind the suspicious execution. In addition, it is recommended to look for incoming traffic over port 135 toward the investigated host, to try and identify the source of suspicious execution in case of Wmiexec usage.

Detector ID: edr_suspicious_runkey_written

We've improved the "Suspicious registry run key was written" detector to reduce noise, enhance reliability, and streamline investigation.

• Noise reduction: Normalized the learning key and filtered out known legitimate executable behaviors, resulting in a 90% noise reduction.

• Reliability: The detector now only runs on EDRs from CrowdStrike, SentinelOne, and MDATP. It's disabled for PAN Cortex and Carbon Black, as these sources lack the necessary fields.

• Investigation: Two scoring models were added to improve scoring adjustment accuracy.

These updates improve accuracy and investigative efficiency for supported EDRs.

Detector ID: aws_console_login_from_machine_without_edr

We've updated the "Successful AWS console login from host without an EDR agent" detector to improve reliability and performance, and to reduce false positives.

Key changes:

• Noise reduction: The detector now looks back up to two days for EDR events from the login IP, reducing noise.

• Reliability: We're migrating to a new execution engine optimized for handling large data volumes, improving both reliability during traffic spikes and overall performance.

Detector ID:

cloudtrail_ssm_sendcommand_event

edr_macos_execution_from_tmp

The above-mentioned detectors will be disabled on 23.10.24.

Both detectors were found to be ineffective. The “SSM SendCommand” detector relies on an obfuscated field, rendering it obsolete. The “Execution from /tmp directory” detector generated excessive noise due to symbolic links, failing to meet our signal-to-noise standards.