Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai Help Center and we shall get it updated.
Product | Samurai [Local] Collector | Samurai [Cloud] Collector
Claroty CTD | |
This guide describes the steps required to configure Claroty CTD to send logs to a Samurai Local Collector deployed on your network. Claroty CTD requires access to the Local Collector via syslog on port 514/TCP.
Prerequisites
This document supports Claroty CTD versions 3.x, and 4.x.
The following integration will configure Rules for Baseline, Event and Alert Logs. A user account is also created for read-only API access to gather additional telemetry.
To complete this Integration you will need to:
1) From the Claroty Web management user interface:
- Configure Save CAPs and Detect Known Threats
- Configure Rules for Baseline, Events and Alerts
- Create an account for API access
- Create a Group with permissions for the API access account
2) From the Samurai application:
- Complete the Claroty Continuous Threat Detection (CTD) Integration
Configure Save CAPs and Detect Known Threats
- Log in to Claroty's web configuration dashboard.
- Click the Configuration tab.
- In the Networks area:
- Select the checkbox to enable Save Caps
- Select the checkbox to enable Detect Known Threats
Configuration of Rules
If a field is not mentioned, please leave it unchanged.
Baseline Rule
- Log in to Claroty's web configuration dashboard.
- On the main menu on the left, click Configuration
- Select Integrations > SIEM Syslog
- Complete the following steps to add a rule to send baseline logs:
- In the SIEM Syslog screen click on the "+" button
- In the From list, click the relevant site(s)
- The Add new Syslog screen will appear
- Update the following fields:
- Uncheck the LOCAL checkbox
- From the MESSAGE CONTENTS list, click Baselines
- From the MESSAGE FORMAT list, click CEF
- Protocol - select all from the available list
- Communication Type - select all available options
- Access Type - select all available options
- Server - enter in the IP address of your Samurai Local Collector
- Port - enter 514
- Protocol - TCP
- Click Save
Events Rule
- Log in to Claroty's web configuration dashboard.
- On the main menu on the left, click Configuration
- Select Integrations > SIEM Syslog
- Complete the following steps to add a rule to send Events logs:
- In the SIEM Syslog screen click on the "+" button
- In the From list, click the relevant site(s)
- The Add new Syslog screen will appear
- Update the following fields:
- Uncheck the LOCAL checkbox
- From the MESSAGE CONTENTS list, click Events
- From the MESSAGE FORMAT list, click CEF
- Under Select Filters for the corresponding alerts, configure:
- Category - select all available selections
- Protocol - select all from the available list
- Server - enter in the IP address of your Samurai Local Collector
- Port - enter 514
- Protocol - TCP
- Click Save
Alert Rule
- Log in to Claroty's web configuration dashboard.
- On the main menu on the left, click Configuration
- Select Integrations > SIEM Syslog
- Complete the following steps to add a rule to send Alerts logs:
- In the SIEM Syslog screen click on the "+" button
- In the From list, click the relevant site(s)
- The Add new Syslog screen will appear
- Update the following fields:
- Uncheck the LOCAL checkbox
- From the MESSAGE CONTENTS list, click Alerts
- From the MESSAGE FORMAT list, click CEF
- Category - select all available selections
- Protocol - select all from the available list
- Server - enter in the IP address of your Samurai Local Collector
- Port - enter 514
- Protocol - TCP
- Click Save
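To confirm that the three rules above are delivering parseable CEF to the Local Collector, here is a small parser for CEF-over-syslog lines as an added example; it is not part of the original guide and is not Claroty's or NTT's tooling. The sample lines are constructed, not real Claroty CTD output, and their field values are assumptions.

```python
import re
from collections import Counter

# Constructed sample input (assumed values, not real Claroty CTD output): a syslog
# prefix followed by a CEF message, as the Baselines/Events/Alerts rules would send.
SAMPLE_LINES = [
    "<134>Jan  1 10:00:00 ctd CEF:0|Claroty|CTD|4.0|100|Baseline|3|src=10.0.0.5 dst=10.0.0.9 proto=Modbus",
    "<134>Jan  1 10:00:01 ctd CEF:0|Claroty|CTD|4.0|200|Event|5|src=10.0.0.5 msg=Value has \\= and \\\\ chars",
    "<132>Jan  1 10:00:02 ctd CEF:0|Claroty|CTD|4.0|300|Alert|8|src=10.0.0.7 cat=Known Threat act=detect",
]
HEADER_NAMES = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")

def parse_cef_line(line):
    """Parse one syslog line carrying CEF; returns a dict, or None if not valid CEF."""
    idx = line.find("CEF:")
    if idx < 0:
        return None
    cef, fields, cur, i = line[idx:], [], [], 0
    while i < len(cef) and len(fields) < 7:      # 7 pipe-delimited header fields
        if cef[i] == "\\" and i + 1 < len(cef):  # escaped char (\| or \\): keep it literally
            cur.append(cef[i + 1]); i += 2
        elif cef[i] == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(cef[i]); i += 1
    if len(fields) != 7:
        return None
    rec = dict(zip(HEADER_NAMES, fields))
    rec["version"] = rec["version"].split(":", 1)[1]   # "CEF:0" -> "0"
    rec["extensions"] = {}
    # Extension values may contain spaces, so split only before the next "key=" token.
    for tok in re.split(r"\s(?=[A-Za-z0-9_.]+=)", cef[i:].strip()):
        if "=" in tok:
            k, v = tok.split("=", 1)
            rec["extensions"][k] = re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)
    return rec

def summarize(lines):
    """Count messages by CEF name (one per rule in this guide) and unparseable lines."""
    counts, bad = Counter(), 0
    for line in lines:
        rec = parse_cef_line(line)
        if rec is None:
            bad += 1
        else:
            counts[rec["name"]] += 1
    return dict(counts), bad
```

Feed it the lines captured on the collector side (for example from a packet capture of 514/TCP) and check that all three rule types appear and the unparseable count is zero.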
Create an account for API access
- Log in to Claroty's web configuration dashboard.
- On the main menu select Configuration and Users
- In the User Management configuration screen, click Add new users
- Enter a Username
- Enter a Full Name
- Enter a Password
- Repeat the Password
- Click Add
You will need to provide these credentials to NTT during onboarding
If Security and Authentication > Password Expires is not set to 0 (0 = unlimited), you will need to update the password before it expires.
Create a Group with permissions for the API access account
If a field is not mentioned, please leave it unchanged.
- Log in to Claroty's web configuration dashboard.
- On the main menu select Configuration and Groups
- In the Group Management configuration screen, click Add new groups
- Enter a Group Name
- Select the user created in Create an account for API access from the Add User dropdown list
- In the Systems Permissions area, Click Add permission
- Select the specific sites to which the permissions apply, or All Sites
- From the All dropdown list, select the relevant option
- Set the appropriate permission level to Read
- Click Save
Complete the Claroty Continuous Threat Detection (CTD) Integration
- Log in to the Samurai MDR web application
- Click Integrations from the main menu
- Click Create
- Find and select Claroty Continuous Threat Detection (CTD)
- Select the relevant Local Collector and click Next
- You will be presented with the Local Collector IP Address on the left of the screen
- To configure Extended Telemetry Collection ensure it is enabled via the toggle
- Enter the following information:
- Name for the Integration - the name will appear in the Samurai application for you to easily reference
- Description - optional, but if completed it will appear in the Samurai application for you to easily reference
- Devicename - an arbitrary name to identify the Claroty CTD device
- IP Address - the IP address of Claroty CTD
- Username - enter the username you created in Create an account for API access
- Password - enter the password you created in Create an account for API access
- Port (Optional) - if you have changed the default port, enter the port number; if not, it defaults to 5000
- Click on Finish
For general information on Integrations refer to the Integrations article.