Skip to main content

Claroty Continuous Threat Detection (CTD)

  • Updated

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.

Product

Samurai [Local] Collector

Samurai [Cloud] Collector
Claroty CTD

Picture1.svg

  
 

 

This guide describes the steps required to configure Claroty CTD to send logs to a Samurai XDR Local Collector deployed on your network.  Claroty CTD requires access to the Local Collector via syslog on port 514/TCP.

 

Prerequisites

mceclip0.png This document supports Claroty CTD versions 3.x, and 4.x.

The following integration will configure Rules for Baseline, Event and Alert Logs. A user account is also created for read-only API access to gather additional telemetry.

 

To complete this Integration you will need to:

1) From the Claroty Web management user interface

2) From the Samurai XDR application

 

Configure Save CAPs and Detect Known Threats

  1. Log in to Claroty's web configuration dashboard.
  2. Click the Configuration tab.
  3. In the Networks area:
    • Select the checkbox to enable Save Caps 
    • Select the checkbox to enable Detect Known Threats

 

Configuration of Rules

mceclip0.png If a field is not mentioned, please leave it unchanged

Baseline Rule

  1. Log in to Claroty's web configuration dashboard.
  2. On the main menu on the left, click Configuration 
  3. Select Integrations > SIEM Syslog
  4. Complete the following steps to add a rule to send baseline logs:
  5. In the SIEM Syslog screen click on the "+" button
  6. In the From list, click the relevant site(s)
  7. The Add new Syslog screen will appear
  8. Update the following fields:
    • Uncheck the LOCAL checkbox
    • From the MESSAGE CONTENTS list, click Baselines
    • From the MESSAGE FORMAT list, click CEF 
    • Protocol - select all from the available list
    • Communication Type - select all available options
    • Access Type - select all available options
    • Server - enter in the IP address of your Samurai XDR Local Collector
    • Port - enter 514
    • Protocol - TCP
  9. Click Save

 

Events Rule

  1. Log in to Claroty's web configuration dashboard.
  2. On the main menu on the left, click Configuration 
  3. Select Integrations > SIEM Syslog
  4. Complete the following steps to add a rule to send Events logs:
  5. In the SIEM Syslog screen click on the "+" button
  6. In the From list, click the relevant site(s)
  7. The Add new Syslog screen will appear
  8. Update the following fields:
    • Uncheck the LOCAL checkbox
    • From the MESSAGE CONTENTS list, click Events
    • From the MESSAGE FORMAT list, click CEF
    • Below Select Filters for the corresponding alerts configure:
    • Category - select all available selections
    • Protocol - select all from the available list
    • Server - enter in the IP address of your Samurai XDR Local Collector
    • Port - enter 514
    • Protocol - TCP
  9. Click Save

 

Alert Rule

  1. Log in to Claroty's web configuration dashboard.
  2. On the main menu on the left, click Configuration 
  3. Select Integrations > SIEM Syslog
  4. Complete the following steps to add a rule to send Alerts logs:
  5. In the SIEM Syslog screen click on the "+" button
  6. In the From list, click the relevant site(s)
  7. The Add new Syslog screen will appear
  8. Update the following fields:
    • Uncheck the LOCAL checkbox
    • From the MESSAGE CONTENTS list, click Alerts
    • From the MESSAGE FORMAT list, click CEF
    • Category - select all available selections
    • Protocol - select all from the available list
    • Server - enter in the IP address of your Samurai XDR Local Collector
    • Port - enter 514
    • Protocol - TCP
  9. Click Save

 

Create an account for API access

  1. Log in to Claroty's web configuration dashboard.
  2. On the main menu select Configuration and Users
  3. In the User Management configuration screen, Click Add new users
  4. Enter a Username
  5. Enter a Full Name
  6. Enter a Password
  7. Repeat the Password
  8. Click Add

mceclip0.png You will need to provide these credentials to NTT during onboarding

mceclip0.png If your Security and Authentication > Password Expires are not set to 0 (0=unlimited) you will need to ensure you update the password before it expires.

 

Create a Group with permissions for the API access account

mceclip0.png If a field is not mentioned, please leave it unchanged

  1. Log in to Claroty's web configuration dashboard.
  2. On the main menu select Configuration and Groups
  3. In the Group Management configuration screen, Click Add new groups
  4. Enter a Group Name
  5. Select the user created in Create an account for API access from the Add User dropdown list
  6. In the Systems Permissions area, Click Add permission
  7. Select specific sites to which the permissions applies, or All Sites
  8. From the All dropdown list, select relevant option
  9. Set the appropriate permission level to Read
  10. Click Save

 

Complete the Claroty Continuous Threat Detection (CTD) Integration

  1. Login to your Samurai XDR application tenant
  2. Click Telemetry > Integrations from the main menu
  3. Click Create
  4. Find and select Claroty Continuous Threat Detection (CTD)
  5. Select the relevant Local Collector and click Next
  6. You will be presented with the Local Collector IP Address on the left of the screen
  7. To configure Extended Telemetry Collection ensure it is enabled via the toggle
  8. Enter the following information:
    • Name for the Integration - the name will appear in the XDR application for you to easily reference
    • Description - optional but if completed will appear in the XDR application for you to easily reference)
    • Devicename - an arbitrary name to identify the Claroty CTD device
    • IP Address - the IP address of Claroty CTD
    • Username - enter the username you created in Create an account for API access
    • Password - enter the password you created in Create an account for API access
    • Port (Optional)- if you have changed the default port enter the port number, if not, we default to 5000
  9. Click on Finish

mceclip0.png For general information on Integrations refer to the Integrations article.

Was this article helpful?
0 out of 0 found this helpful
Return to top

Related articles

Comments

0 comments

Article is closed for comments.