Claroty

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Supported data types   3rd party detection / Hunters detection / IOC search / Search   Table name           Log format   Collection method
Claroty CTD Events     ✅ ✅                                                            claroty_ctd_events   CEF          S3
Claroty SRA Events     ✅ ✅                                                            claroty_sra_logs     CEF          S3

(The four capability columns are shown combined: the source table ticks two of them for each data type.)


Overview

Claroty is a cybersecurity company that specializes in industrial control systems (ICS) and operational technology (OT) security. It provides solutions to protect critical infrastructure and industrial networks from cyber threats. Claroty focuses on securing industrial control systems used in sectors such as energy, manufacturing, utilities, and transportation.

Supported data types

Claroty CTD Events

Table name: claroty_ctd_events

Claroty CTD Events are notifications or alerts generated by the Claroty CTD platform that indicate cybersecurity incidents, vulnerabilities, or other noteworthy activities detected within an OT network. These events are crucial for industrial operators and security teams to quickly respond to potential threats and ensure the safety, reliability, and continuity of industrial operations.

Learn more here.

Claroty SRA Events

Table name: claroty_sra_logs

Claroty SRA Events refer to the alerts and notifications generated by the Secure Remote Access system when it detects activities or attempts that fall outside of predefined security policies or represent potential security risks.

Learn more here.

Send data to Hunters

Hunters supports the integration of Claroty logs using an intermediary S3 bucket.

To send data to Hunters:

  1. Contact Claroty support to learn how to route your Claroty logs to S3.

    📘 Note

    Each of the log types above must be shipped to its own S3 prefix, so that CTD events and SRA events can be mapped to their separate Hunters tables (claroty_ctd_events and claroty_sra_logs). Do not mix the two products under one prefix.

  2. Once the export is completed and the logs are collected to S3, follow the steps in this section.

Expected format

Logs are expected in CEF format. As the samples below show, each line carries a syslog prefix (priority in angle brackets, a timestamp with year, and the sending host) ahead of the CEF:0 header, and the seven pipe-separated header fields are followed by the key=value extension. Values in the extension may contain spaces, colons and pipes (for example the Snort signature text in the CTD msg field), so the header must be split on exactly the first seven pipes and the extension parsed on key= boundaries rather than on whitespace.

Claroty CTD Sample

<14>Jul 20 2022 13:22:18 zmc CEF:0|Claroty|CTD|4.4.1|Event/Known Threat Event|Known Threat Event|10|src=10.54.36.129 dst=10.45.21.181 smac=aa:bb:cc:dd:ee:ff shost=<hostname> dmac=aa:bb:cc:dd:fe:fe dhost=<hostname> externalId=1234567 cat=Security/Known Threat Event start=Jul 20 2022 13:05:12 msg=OS-WINDOWS Microsoft Windows SMB remote code execution attempt (<ip:port> -> <ip:port>). Signature:   content:""|FF|SMB|A0 12 EF 00 00|""; depth:9; offset:4; content:""|01 00 00 00 00|""; within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; deviceExternalId=<device-id> cs1Label=SourceAssetType cs1=Endpoint cs3Label=SourceZone cs3=Endpoint: Other - External cs4Label=DestZone cs4=HMI: <site> - External - External - External - External - External - External - External - External - External - External cs6Label=CTDlink cs6=<alert-link> cn1Label=IndicatorScore cn1=100 cn2Label=AlertID cn2=123445

Claroty SRA Sample

<15>Sep 27 2023 20:54:05 12-4-test CEF:0|Claroty|SRA|3.6.0.50281|1000|Login to SRA succeeded|6|cs1=APAC cs1Label=site_name cs2=koko@shoko cs2Label=user cn1=583125 cn1Label=message_id cn3=User Management cn3Label=category msg=b"User 'koko@shoko' type ' Active Directory' logged into the system on site 'APAC' using IP address '['1.2.3.4:4321', '192.168.321.123']'"
<15>Sep 28 2023 19:00:40 12-4-test CEF:0|Claroty|SRA|3.6.0.50281|4006|Disconnect from server|8|cs1=APAC cs1Label=site_name cs2=shoko@koko cs2Label=user cn1=584314 cn1Label=message_id cn3=Session Management cn3Label=category msg=b"User 'shoko@koko' disconnected the server 'IOS3' in site 'HRB' (ID: 90). Session ID: (ID: 12289)"
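The parser below is an added example, not code from the page or from Hunters or Claroty. It takes the two sample lines above (reproduced here as constructed input, with the long CTD destination-zone value shortened), splits the syslog prefix and the seven CEF header fields, parses the extension on key= boundaries so that spaces, colons and pipes inside values survive, resolves the csNLabel/cnNLabel pairs into named fields, and strips the b"..." bytes-repr wrapper visible in the SRA msg field. The s3_prefix_for helper and the two prefix names it returns are an assumption (one prefix per Hunters table) that illustrates the "separate prefix per log type" requirement; the page itself does not name the prefixes.

```python
import re
from datetime import datetime
from typing import Any, Dict

# Constructed test input: the two sample lines from this page. Placeholders
# such as <hostname> are kept as printed; the CTD cs4 value is shortened.
CTD_SAMPLE = (
    "<14>Jul 20 2022 13:22:18 zmc CEF:0|Claroty|CTD|4.4.1|Event/Known Threat Event"
    "|Known Threat Event|10|src=10.54.36.129 dst=10.45.21.181 smac=aa:bb:cc:dd:ee:ff "
    "shost=<hostname> dmac=aa:bb:cc:dd:fe:fe dhost=<hostname> externalId=1234567 "
    "cat=Security/Known Threat Event start=Jul 20 2022 13:05:12 msg=OS-WINDOWS Microsoft "
    "Windows SMB remote code execution attempt (<ip:port> -> <ip:port>). Signature:   "
    'content:""|FF|SMB|A0 12 EF 00 00|""; depth:9; offset:4; content:""|01 00 00 00 00|""; '
    "within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; "
    "deviceExternalId=<device-id> cs1Label=SourceAssetType cs1=Endpoint "
    "cs3Label=SourceZone cs3=Endpoint: Other - External cs4Label=DestZone "
    "cs4=HMI: <site> - External cs6Label=CTDlink cs6=<alert-link> "
    "cn1Label=IndicatorScore cn1=100 cn2Label=AlertID cn2=123445"
)
SRA_SAMPLE = (
    "<15>Sep 27 2023 20:54:05 12-4-test CEF:0|Claroty|SRA|3.6.0.50281|1000"
    "|Login to SRA succeeded|6|cs1=APAC cs1Label=site_name cs2=koko@shoko cs2Label=user "
    "cn1=583125 cn1Label=message_id cn3=User Management cn3Label=category "
    "msg=b\"User 'koko@shoko' type ' Active Directory' logged into the system on site "
    "'APAC' using IP address '['1.2.3.4:4321', '192.168.321.123']'\""
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
# <PRI>, timestamp (may contain spaces), host, then the CEF record.
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(.*?)\s+(\S+)\s+(CEF:.*)$", re.S)
# An extension key is a token immediately before '=' at start or after whitespace.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
BYTES_REPR_RE = re.compile(r'^b(["\'])(.*)\1$', re.S)
# Assumption: one S3 prefix per Hunters table, keyed on the CEF product field.
PREFIX_BY_PRODUCT = {"CTD": "claroty_ctd_events/", "SRA": "claroty_sra_logs/"}


def _unescape_header(s: str) -> str:
    """CEF header fields escape '|' and '\\' with a backslash."""
    return s.replace(r"\|", "|").replace(r"\\", "\\")


def _unescape_ext(s: str) -> str:
    """CEF extension values escape '=', '\\', newline and carriage return."""
    table = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}
    return re.sub(r"\\([=\\nr])", lambda m: table[m.group(1)], s)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split on key= boundaries so spaces, ':' and '|' inside values survive."""
    keys = list(EXT_KEY_RE.finditer(ext))
    out: Dict[str, str] = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape_ext(ext[m.end():end].strip())
    return out


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Replace cs1/cn1/... with the name given by the matching cs1Label/cn1Label."""
    labels = {k[:-5]: v for k, v in ext.items() if k.endswith("Label")}
    return {labels.get(k, k): v for k, v in ext.items() if not k.endswith("Label")}


def strip_bytes_repr(value: str) -> str:
    """SRA emits msg as a Python bytes repr (b\"...\"); return the inner text."""
    m = BYTES_REPR_RE.match(value)
    return m.group(2) if m else value


def parse_cef_line(line: str) -> Dict[str, Any]:
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog-framed CEF line")
    pri, ts, host, cef = m.groups()
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)  # header = first 7 pipes only
    if len(parts) < 7 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = {f: _unescape_header(p) for f, p in zip(HEADER_FIELDS, parts[:7])}
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    header["severity"] = int(header["severity"])
    fields = resolve_labels(parse_extension(parts[7])) if len(parts) == 8 else {}
    if "msg" in fields:
        fields["msg"] = strip_bytes_repr(fields["msg"])
    return {
        "syslog": {"facility": int(pri) // 8, "severity": int(pri) % 8,
                   "timestamp": datetime.strptime(ts, "%b %d %Y %H:%M:%S").isoformat(),
                   "host": host},
        **header,
        "fields": fields,
    }


def s3_prefix_for(event: Dict[str, Any]) -> str:
    """Route a parsed event to the (assumed) prefix for its product."""
    product = event["device_product"]
    if product not in PREFIX_BY_PRODUCT:
        raise ValueError(f"unknown Claroty product {product!r}")
    return PREFIX_BY_PRODUCT[product]


if __name__ == "__main__":
    for sample in (CTD_SAMPLE, SRA_SAMPLE):
        ev = parse_cef_line(sample)
        print(s3_prefix_for(ev), ev["name"], ev["severity"], ev["fields"])
```

Two checks worth keeping from this: the CTD msg value contains literal pipes from the Snort signature, so a naive split on every pipe breaks the record, and the SRA msg arrives wrapped as b"...", which a downstream parser should strip before matching on user or site names.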