Claroty v1.0.34
Use the Claroty CTD to manage assets and alerts.
- Author:
- Claroty
- Support:
- partner
Classifiers (2)
Incident fields (7)
Incident types (2)
Integrations (1)
Layouts (2)
Modeling rules (1)
Playbooks (2)
README
Claroty Continuous Threat Detection (CTD)
<~XSOAR>
Effective network security starts with an accurate asset database. The integration between Claroty Continuous Threat Detection (CTD) and Palo Alto Networks Cortex XSOAR enables comprehensive IT-OT asset coverage through discovery & enrichment, vulnerability management, and automated threat alerts. Integrating these tools provides coverage through a single-pane-of-glass while eliminating the need for OT-specific monitoring expertise & dedicated tools.
Supporting the broadest list of OT protocols in the industry and multiple asset discovery methodologies, Claroty’s integration with Cortex XSOAR allows organizations to:
- Identify all OT assets and corresponding asset data to populate the CMDB
- Automate vulnerability management with context-rich playbooks for event resolution
- Threat detection engines identify and parse events to alert Cortex XSOAR for further ticketing and analysis
For more information:
</~XSOAR>
<~XSIAM>
Cortex XSIAM SIEM Content
This pack includes Cortex XSIAM SIEM content, which is supported directly by Palo Alto Networks.
The SIEM content contains parsing and modeling rules for ingesting and mapping events and alerts that are sent from Claroty CTD to Cortex XSIAM.
This section describes the configurations required on Claroty CTD for forwarding events and alerts to Cortex XSIAM and the configurations required on Cortex XSIAM for ingesting and mapping them.
Configuration on Claroty CTD
Follow these steps to configure Claroty CTD to forward Syslog messages to Cortex XSIAM.
- Login to your account on the Claroty CTD web management console.
- Go to Configuration and navigate to Log Settings → Syslog.
- Click + Add to add a new syslog configuration.
-
Clear the Local checkbox and fill in the following settings:
Parameter Value Message ContentsSelect the log type to forward to Cortex XSIAM. Message FormatSelect CEF. ServerEnter the IP address of the target Cortex XSIAM Broker VM syslog server. PortEnter the port number which the target Cortex XSIAM Broker VM syslog server would be listening on for receiving syslog messages from Claroty CTD. ProtocolSelect the requested forwarding transport protocol (UDP, TCP or TLS). - Click Save.
Remark
Since the syslog forwarding configuration is set for each log type individually,
repeat the steps above for each log type (Alerts, Events, etc.) to monitor on Cortex XSIAM.
Configuration on Cortex XSIAM
In order to use the collector for Claroty CTD, use the Broker VM option.
Broker VM
To create or configure the Broker VM, use the information described here.
You can configure the specific vendor and product for this instance.
- Navigate to Settings → Configuration → Data Broker → Broker VMs.
- Go to the apps tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
- Click Add New.
-
When configuring the Syslog Collector, set the following parameters:
Parameter Value ProtocolSelect the forwarding transport protocol in correspondence to the protocol defined on Claroty CTD (UDP, TCP or Secure TCP for TLS). FormatSelect CEF. PortEnter the syslog service port number that this Cortex XSIAM Broker VM should listen on for receiving forwarded events from Claroty CTD. VendorEnter Claroty. ProductEnter CTD.
</~XSIAM>