
External Systems Configuration Guide

Claroty Continuous Threat Detection

Claroty Continuous Threat Detection (CTD) Platform

What is Discovered and Monitored

Protocol   Information Discovered / Metrics Collected   Used For
Syslog     Claroty Alert, Baseline and Event logs       Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "ClarotyCTD" to see the event types associated with this device. In FortiSIEM 6.2.0, there are 20 event types defined.

Rules

There are no specific rules available for Claroty.

Reports

There are no specific reports available for Claroty. You can view all Claroty events by taking the following steps.

  1. From the ANALYTICS page, click in the Edit Filters and Time Range field.
  2. Under Filter, select Event Attribute.
  3. In the Attribute field, select/enter "Event Type".
  4. In the Operator field, select "CONTAIN".
  5. In the Value field, enter "ClarotyCTD".
  6. (Optional) Click Save to save the search parameters for future related searches.
  7. Click Apply & Run.

Configuration

Syslog

FortiSIEM processes events from this device via syslog. Configure Claroty CTD to forward its Alert, Baseline and Event logs as CEF over syslog to the FortiSIEM Supervisor or Collector on port 514, the standard syslog port. Plain syslog on port 514 is unauthenticated and unencrypted, so restrict the collector's port 514 to the CTD server's address at the firewall and make sure the CTD host is time-synchronized, since the syslog header timestamp carries no year or time zone.

Sample Syslog

Both samples are CEF records carried in a BSD syslog frame. The pipe-delimited CEF header is Vendor|Product|Version|Event class (Baseline or Alert)|Name|Severity; note that for Baseline records Claroty uses the Severity position for the approval state (Unapproved), not a numeric level. Claroty-specific fields follow in the extension as csN/csNLabel pairs (for example cs5Label=SrcZone cs5=Engineering Station: Rockwell), and values may contain spaces.

<12>Sep 12 15:31:33 localhost.localdomain CEF:0|Claroty|CTD|2.7.0|Baseline|None|Unapproved|cs1Label=Site cs1=Site cs2Label=Network cs2=Default cs3Label=Transmission cs3=TCP / 44818 cs4Label=SiteId cs4=1 cs5Label=SrcZone cs5=Engineering Station: Rockwell cs6Label=DstZone cs6=PLC: Rockwell cs7Label=Category cs7=Protocol cs8Label=CategoryAccess cs8=Read cs9Label=Frequency cs9=NotTimed cs10Label=FirstSeen cs10=Sep 12 2018 15:31:29 src=10.1.30.40 smac=00:50:56:b9:e2:ad shost=N/A dst=10.1.30.1 dmac=00:1d:9c:c0:04:9d dhost=N/A externalId=2365 cat=Create rt=Sep 12 2018 15:31:29 msg=CIP : Service Get Attribute All called on ExtendedDevice

<12>Sep 12 15:18:03 localhost.localdomain CEF:0|Claroty|CTD|2.7.0|Alert|Configuration Download|Critical|cs1Label=Site cs1=Site cs2Label=Network cs2=Default cs3Label=ResolvedAs cs3=Unresolved cs4Label=SiteId cs4=1 cs5Label=SrcZone cs5=Engineering Station: Rockwell cs6Label=DstZone cs6=PLC: Rockwell cs7Label=Category cs7=Integrity cs8Label=AlertUrl cs8=https://10.210.16.2:5000/alert/74-1 src=10.1.30.40 smac=00:50:56:b9:e2:ad shost=N/A dst=10.1.30.1 dmac=00:1d:9c:c0:04:9d dhost=N/A externalId=74 cat=Create rt=Sep 12 2018 15:18:01 msg=A configuration has been downloaded to controller Chemical_plant by 10.1.30.40
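As an added example (not part of this Fortinet page, and not Claroty or FortiSIEM code), the following Python parses these two records the way a collector-side parser would: it strips the BSD syslog frame, splits the CEF header on unescaped pipes, resolves the csN/csNLabel pairs into Claroty's own field names, and then applies a constructed triage rule that flags unresolved Critical/High alerts and unapproved baseline communications. The sample lines are copied from this page; the function names and the triage policy in needs_action() are assumptions made for the illustration.

```python
"""Parse Claroty CTD CEF-over-syslog records and pick out the ones a SOC would act on.

Added illustration, not FortiSIEM or Claroty code. The two sample lines are the
records shown on this page; function names and the triage policy are assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed test input: the two sample records from this page, verbatim.
SAMPLE_LINES = [
    "<12>Sep 12 15:31:33 localhost.localdomain CEF:0|Claroty|CTD|2.7.0|Baseline|None|Unapproved|cs1Label=Site cs1=Site cs2Label=Network cs2=Default cs3Label=Transmission cs3=TCP / 44818 cs4Label=SiteId cs4=1 cs5Label=SrcZone cs5=Engineering Station: Rockwell cs6Label=DstZone cs6=PLC: Rockwell cs7Label=Category cs7=Protocol cs8Label=CategoryAccess cs8=Read cs9Label=Frequency cs9=NotTimed cs10Label=FirstSeen cs10=Sep 12 2018 15:31:29 src=10.1.30.40 smac=00:50:56:b9:e2:ad shost=N/A dst=10.1.30.1 dmac=00:1d:9c:c0:04:9d dhost=N/A externalId=2365 cat=Create rt=Sep 12 2018 15:31:29 msg=CIP : Service Get Attribute All called on ExtendedDevice",
    "<12>Sep 12 15:18:03 localhost.localdomain CEF:0|Claroty|CTD|2.7.0|Alert|Configuration Download|Critical|cs1Label=Site cs1=Site cs2Label=Network cs2=Default cs3Label=ResolvedAs cs3=Unresolved cs4Label=SiteId cs4=1 cs5Label=SrcZone cs5=Engineering Station: Rockwell cs6Label=DstZone cs6=PLC: Rockwell cs7Label=Category cs7=Integrity cs8Label=AlertUrl cs8=https://10.210.16.2:5000/alert/74-1 src=10.1.30.40 smac=00:50:56:b9:e2:ad shost=N/A dst=10.1.30.1 dmac=00:1d:9c:c0:04:9d dhost=N/A externalId=74 cat=Create rt=Sep 12 2018 15:18:01 msg=A configuration has been downloaded to controller Chemical_plant by 10.1.30.40",
]

# BSD syslog framing: <PRI>MMM dd hh:mm:ss host <payload>. PRI = facility*8 + severity.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<cef>CEF:.*)$"
)


@dataclass
class CefEvent:
    facility: int
    syslog_severity: int
    host: str
    vendor: str
    product: str
    device_version: str
    signature_id: str   # Claroty uses this for the event class: Baseline or Alert
    name: str
    severity: str       # Critical/High/... for Alerts, approval state for Baseline
    ext: dict = field(default_factory=dict)


def split_cef_header(cef):
    """Split the seven header fields from the extension on unescaped '|' only."""
    parts = re.split(r"(?<!\\)\|", cef, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record")
    return [p.replace("\\|", "|") for p in parts]


def parse_extension(ext):
    """Turn 'k=v k=v ...' into a dict, resolving csN/csNLabel pairs to the label name."""
    # Values may contain spaces (cs5=Engineering Station: Rockwell), so split only
    # at a space that is immediately followed by another key= token.
    raw = {}
    for token in re.split(r" (?=[A-Za-z0-9_]+=)", ext.strip()):
        key, _, value = token.partition("=")
        raw[key] = value.replace("\\=", "=")
    resolved = {}
    for key, value in raw.items():
        if key.endswith("Label"):
            continue                       # consumed when its csN partner is seen
        resolved[raw.get(key + "Label", key)] = value
    return resolved


def parse_event(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a BSD syslog line")
    pri = int(m["pri"])
    hdr = split_cef_header(m["cef"])
    return CefEvent(facility=pri // 8, syslog_severity=pri % 8, host=m["host"],
                    vendor=hdr[1], product=hdr[2], device_version=hdr[3],
                    signature_id=hdr[4], name=hdr[5], severity=hdr[6],
                    ext=parse_extension(hdr[7]))


def needs_action(ev):
    """Assumed triage policy: unresolved Critical/High alerts, and any baseline
    communication CTD has not yet approved (a new, unvetted OT conversation)."""
    if (ev.vendor, ev.product) != ("Claroty", "CTD"):
        return False
    if ev.signature_id == "Alert":
        return ev.severity in ("Critical", "High") and ev.ext.get("ResolvedAs") == "Unresolved"
    if ev.signature_id == "Baseline":
        return ev.severity == "Unapproved"
    return False


def triage(lines):
    """Return a compact record for every line that needs_action() flags."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if needs_action(ev):
            out.append({"kind": ev.signature_id, "id": ev.ext.get("externalId"),
                        "severity": ev.severity, "src": ev.ext.get("src"),
                        "dst": ev.ext.get("dst"), "src_zone": ev.ext.get("SrcZone"),
                        "dst_zone": ev.ext.get("DstZone"), "msg": ev.ext.get("msg")})
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_LINES):
        print(hit)
```

The csN/csNLabel folding is the part worth keeping even if you drop the triage rule: FortiSIEM's own parser maps these pairs to its event attributes, and any side-channel consumer (a SOAR playbook, a ticketing hook) that reads the raw syslog needs the same folding or it will key on cs3 meaning Transmission in one record and ResolvedAs in the next.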