Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
Claroty CTD Events | ✅ | ✅ | | | claroty_ctd_events | CEF | S3
Claroty SRA Events | ✅ | ✅ | | | claroty_sra_logs | CEF | S3
Overview
Claroty is a cybersecurity company that specializes in industrial control systems (ICS) and operational technology (OT) security. It provides solutions to protect critical infrastructure and industrial networks from cyber threats. Claroty focuses on securing industrial control systems used in sectors such as energy, manufacturing, utilities, and transportation.
Supported data types
Claroty CTD Events
Table name: claroty_ctd_events
Claroty CTD Events are notifications or alerts generated by the Claroty CTD platform that indicate cybersecurity incidents, vulnerabilities, or other noteworthy activities detected within an OT network. These events are crucial for industrial operators and security teams to quickly respond to potential threats and ensure the safety, reliability, and continuity of industrial operations.
Learn more here.
Claroty SRA Events
Table name: claroty_sra_logs
Claroty SRA Events refer to the alerts and notifications generated by the Secure Remote Access system when it detects activities or attempts that fall outside of predefined security policies or represent potential security risks.
Learn more here.
Send data to Hunters
Hunters supports the integration of Claroty logs using an intermediary S3 bucket.
To send data to Hunters:
Contact Claroty support to learn how to route your Claroty logs to S3.
📘 Note
Each of the log types above should be shipped to a separate S3 prefix.
Once the export is configured and the logs are being collected in S3, follow the steps in this section.
Expected format
Logs are expected in CEF format.
Claroty CTD Sample
```
<14>Jul 20 2022 13:22:18 zmc CEF:0|Claroty|CTD|4.4.1|Event/Known Threat Event|Known Threat Event|10|src=10.54.36.129 dst=10.45.21.181 smac=aa:bb:cc:dd:ee:ff shost=<hostname> dmac=aa:bb:cc:dd:fe:fe dhost=<hostname> externalId=1234567 cat=Security/Known Threat Event start=Jul 20 2022 13:05:12 msg=OS-WINDOWS Microsoft Windows SMB remote code execution attempt (<ip:port> -> <ip:port>). Signature: content:""|FF|SMB|A0 12 EF 00 00|""; depth:9; offset:4; content:""|01 00 00 00 00|""; within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; deviceExternalId=<device-id> cs1Label=SourceAssetType cs1=Endpoint cs3Label=SourceZone cs3=Endpoint: Other - External cs4Label=DestZone cs4=HMI: <site> - External - External - External - External - External - External - External - External - External - External cs6Label=CTDlink cs6=<alert-link> cn1Label=IndicatorScore cn1=100 cn2Label=AlertID cn2=123445
```
Claroty SRA Sample
```
<15>Sep 27 2023 20:54:05 12-4-test CEF:0|Claroty|SRA|3.6.0.50281|1000|Login to SRA succeeded|6|cs1=APAC cs1Label=site_name cs2=koko@shoko cs2Label=user cn1=583125 cn1Label=message_id cn3=User Management cn3Label=category msg=b"User 'koko@shoko' type ' Active Directory' logged into the system on site 'APAC' using IP address '['1.2.3.4:4321', '192.168.321.123']'"
<15>Sep 28 2023 19:00:40 12-4-test CEF:0|Claroty|SRA|3.6.0.50281|4006|Disconnect from server|8|cs1=APAC cs1Label=site_name cs2=shoko@koko cs2Label=user cn1=584314 cn1Label=message_id cn3=Session Management cn3Label=category msg=b"User 'shoko@koko' disconnected the server 'IOS3' in site 'HRB' (ID: 90). Session ID: (ID: 12289)"
```
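As an added example (not Hunters' or Claroty's own code), the parser below handles the two quirks visible in the samples above: it splits the CEF header on unescaped pipes and stops after the seventh, so the pipes inside the CTD `msg=` Snort signature are kept, and it resolves the `cs1Label`/`cs1` and `cn1Label`/`cn1` pairs into named fields. The embedded sample lines are abridged copies of the page's samples, constructed for the test.

```python
import re

# Constructed samples, abridged from the two CEF lines shown on this page (assumed
# representative; not taken from a live Claroty export).
CTD_SAMPLE = (
    '<14>Jul 20 2022 13:22:18 zmc CEF:0|Claroty|CTD|4.4.1|Event/Known Threat Event|'
    'Known Threat Event|10|src=10.54.36.129 dst=10.45.21.181 externalId=1234567 '
    'msg=SMB remote code execution attempt. Signature: content:""|FF|SMB|A0 12|""; '
    'cs1Label=SourceAssetType cs1=Endpoint cs3Label=SourceZone cs3=Endpoint: Other - External '
    'cn1Label=IndicatorScore cn1=100 cn2Label=AlertID cn2=123445'
)
SRA_SAMPLE = (
    '<15>Sep 27 2023 20:54:05 12-4-test CEF:0|Claroty|SRA|3.6.0.50281|1000|Login to SRA '
    'succeeded|6|cs1=APAC cs1Label=site_name cs2=koko@shoko cs2Label=user cn1=583125 '
    'cn1Label=message_id cn3=User Management cn3Label=category '
    'msg=b"User \'koko@shoko\' logged into the system on site \'APAC\'"'
)

# An extension key is a run of word characters followed by '=' at the start or after
# whitespace; a value runs up to the next such key and may contain spaces, colons and pipes.
_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_]+)=')

def parse_cef(line: str) -> dict:
    """Parse one syslog-wrapped CEF line into header fields and labelled extensions."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF header in line')
    # Split only on unescaped pipes, and only 7 times: everything after the 7th pipe is
    # the extension, which may itself contain pipes (the CTD msg= Snort signature does).
    parts = re.split(r'(?<!\\)\|', line[start:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError('malformed CEF header')
    hdr = [p.replace('\\|', '|').replace('\\\\', '\\') for p in parts[:7]]
    raw, ext_text = {}, parts[7]
    keys = list(_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        value = ext_text[m.end():end].strip()
        value = value.replace('\\=', '=').replace('\\n', '\n').replace('\\\\', '\\')
        if value.startswith('b"') and value.endswith('"'):  # SRA ships msg as a bytes repr
            value = value[2:-1]
        raw[m.group(1)] = value
    # Resolve csNLabel/cnNLabel pairs: cs1Label=SourceAssetType cs1=Endpoint becomes
    # {'SourceAssetType': 'Endpoint'}; the raw cs1/cs1Label keys are dropped.
    ext = {raw.get(k + 'Label', k): v for k, v in raw.items() if not k.endswith('Label')}
    return {'syslog_prefix': line[:start].strip(), 'cef_version': hdr[0].split(':', 1)[1],
            'vendor': hdr[1], 'product': hdr[2], 'version': hdr[3],
            'signature_id': hdr[4], 'name': hdr[5],
            'severity': int(hdr[6]) if hdr[6].isdigit() else hdr[6], 'extensions': ext}
```

Feeding the full samples from the page through `parse_cef` gives the same field names (`SourceAssetType`, `IndicatorScore`, `site_name`, `message_id`) that a detection rule over `claroty_ctd_events` or `claroty_sra_logs` would key on.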