Overview

This page explains how to integrate your Claroty data source with Hunters.

This data source is used in the Hunters Pipeline for detection and investigation of the logged activity in the organization's network.

Supported Data Types

  • Claroty CTD Events - This table holds information about asset discovery, risk, and vulnerability management.

Sending Data to Hunters

In order to integrate your Claroty logs into Hunters, the logs need to be collected from your network (follow this guide for more details) into a storage service (e.g. an S3 bucket or Azure Blob Storage) shared with Hunters.

Expected formats

Data should be pushed in CEF format.

Claroty CTD Event Example
<14>Jul 20 2022 13:22:18 zmc CEF:0|Claroty|CTD|4.4.1|Event/Known Threat Event|Known Threat Event|10|src=10.54.36.129 dst=10.45.21.181 smac=aa:bb:cc:dd:ee:ff shost=<hostname> dmac=aa:bb:cc:dd:fe:fe dhost=<hostname> externalId=1234567 cat=Security/Known Threat Event start=Jul 20 2022 13:05:12 msg=OS-WINDOWS Microsoft Windows SMB remote code execution attempt (<ip:port> -> <ip:port>). Signature:   content:""|FF|SMB|A0 12 EF 00 00|""; depth:9; offset:4; content:""|01 00 00 00 00|""; within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; deviceExternalId=<device-id> cs1Label=SourceAssetType cs1=Endpoint cs3Label=SourceZone cs3=Endpoint: Other - External cs4Label=DestZone cs4=HMI: <site> - External - External - External - External - External - External - External - External - External - External cs6Label=CTDlink cs6=<alert-link> cn1Label=IndicatorScore cn1=100 cn2Label=AlertID cn2=123445
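The example above is a single syslog line carrying a CEF record: a syslog prefix, seven pipe-delimited CEF header fields, and an extension of key=value pairs in which values (notably msg) contain spaces and unescaped pipes, and in which custom fields are only meaningful once each csN/cnN is joined to its csNLabel/cnNLabel. The following added example (not Hunters' or Claroty's own code) parses such a record into the header, extension and label-resolved custom fields, flattens it into a record of the kind a detection table would hold, and applies an assumed triage rule. The sample line is constructed from the page's example, with the repeated "- External" suffix of cs4 abridged; the field names, the normalize() layout and the should_escalate() rule are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample based on the Claroty CTD event example on this page
# (placeholders such as <hostname> kept; the long cs4 zone suffix abridged).
SAMPLE_EVENT = (
    "<14>Jul 20 2022 13:22:18 zmc CEF:0|Claroty|CTD|4.4.1|Event/Known Threat Event|Known Threat Event|10|"
    "src=10.54.36.129 dst=10.45.21.181 smac=aa:bb:cc:dd:ee:ff shost=<hostname> dmac=aa:bb:cc:dd:fe:fe "
    "dhost=<hostname> externalId=1234567 cat=Security/Known Threat Event start=Jul 20 2022 13:05:12 "
    "msg=OS-WINDOWS Microsoft Windows SMB remote code execution attempt (<ip:port> -> <ip:port>). "
    'Signature:   content:""|FF|SMB|A0 12 EF 00 00|""; depth:9; offset:4; content:""|01 00 00 00 00|""; '
    "within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; deviceExternalId=<device-id> "
    "cs1Label=SourceAssetType cs1=Endpoint cs3Label=SourceZone cs3=Endpoint: Other - External "
    "cs4Label=DestZone cs4=HMI: <site> - External cs6Label=CTDlink cs6=<alert-link> "
    "cn1Label=IndicatorScore cn1=100 cn2Label=AlertID cn2=123445"
)

# The seven CEF header fields, in order, after the "CEF:" marker.
HEADER_FIELDS = ("version", "device_vendor", "device_product", "device_version",
                 "signature_id", "name", "severity")


@dataclass
class CefEvent:
    syslog_prefix: str   # everything before "CEF:" (priority, timestamp, host)
    header: dict         # the seven header fields, severity as int
    extension: dict      # raw extension key=value pairs
    custom: dict         # csN/cnN values keyed by their *Label names


def split_extension(ext: str) -> dict:
    # Extension values may contain spaces and '|' (see msg), so split only on
    # whitespace that is followed by something shaped like the next key=.
    # A literal '=' inside a value is escaped as '\=' in CEF and is unescaped here.
    out = {}
    for part in re.split(r"\s+(?=[A-Za-z0-9_.]+=)", ext.strip()):
        key, _, value = part.partition("=")
        out[key] = value.strip().replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> CefEvent:
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("not a CEF record")
    prefix = line[:idx].strip()
    body = line[idx + len("CEF:"):]
    # Header pipes may be escaped as '\|'; the 8th piece (extension) stays unsplit.
    fields = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(HEADER_FIELDS, fields[:7])}
    header["severity"] = int(header["severity"])
    extension = split_extension(fields[7])
    # Resolve cs1Label=SourceAssetType cs1=Endpoint into custom["SourceAssetType"] = "Endpoint".
    custom = {}
    for key, label in extension.items():
        if key.endswith("Label") and key[:-5] in extension:
            custom[label] = extension[key[:-5]]
    return CefEvent(prefix, header, extension, custom)


def _to_int(value):
    return int(value) if value is not None and value.isdigit() else None


def normalize(ev: CefEvent) -> dict:
    # Assumed flat layout for a detection table; column names are illustrative.
    ext, custom = ev.extension, ev.custom
    return {
        "vendor": ev.header["device_vendor"],
        "product": ev.header["device_product"],
        "event_name": ev.header["name"],
        "severity": ev.header["severity"],
        "category": ext.get("cat"),
        "src_ip": ext.get("src"), "dst_ip": ext.get("dst"),
        "src_host": ext.get("shost"), "dst_host": ext.get("dhost"),
        "alert_id": _to_int(custom.get("AlertID")),
        "indicator_score": _to_int(custom.get("IndicatorScore")),
        "source_zone": custom.get("SourceZone"), "dest_zone": custom.get("DestZone"),
        "ctd_link": custom.get("CTDlink"),
        "message": ext.get("msg"),
    }


def should_escalate(ev: CefEvent, min_severity: int = 7) -> bool:
    # Assumed triage rule (not Hunters' detection logic): security-category
    # events at or above the severity threshold are worth an analyst's look.
    return ev.header["severity"] >= min_severity and ev.extension.get("cat", "").startswith("Security/")


if __name__ == "__main__":
    event = parse_cef(SAMPLE_EVENT)
    for k, v in normalize(event).items():
        print(f"{k}: {v}")
    print("escalate:", should_escalate(event))
```

Two details matter when ingesting these records: the extension must be split on key boundaries rather than on every space or pipe, otherwise the msg field (which here carries an IDS signature with embedded pipes) is shredded into bogus keys; and the csN/cnN slots carry no meaning until paired with their labels, since Claroty uses them for SourceZone, DestZone, AlertID and IndicatorScore.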