Claroty v1.0.0

About the connector

Claroty CTD is a robust solution that delivers comprehensive cybersecurity controls for industrial environments.

This document provides information about the Claroty connector, which facilitates automated interactions, with a Claroty server using FortiSOAR™ playbooks. Add the Claroty connector as a step in FortiSOAR™ playbooks and perform automated operations with Claroty such as retrieving details of a specific asset from Claroty, retrieving alerts from Claroty, etc.

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts and their associated events from Claroty. Currently, the "alerts and their associated events" ingested from Claroty are mapped to "alerts" in FortiSOAR™. For more information, see the Data Ingestion Support section.

Version information

Connector Version: 1.0.0

FortiSOAR™ Version Tested on: 7.2.2-1098

Claroty Version Tested on: CTD version 4.6.0.38099

Authored By: Fortinet

Certified: Yes

Installing the connector

Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.

You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-claroty

Prerequisites to configuring the connector

• You must have the URL of the Claroty server to which you will connect and perform automated operations and credentials (username-password pair) to access that server.
• The FortiSOAR™ server should have outbound connectivity to port 443 on the Claroty server.

Minimum Permissions Required

In Claroty, users are assigned to groups, and groups are granted permissions. The group that is assigned to users who will be performing connection operations must be granted "View" permission on the following sections:

• Risk and Vulnerabilities
• Threat Detection
• Visibility

Configuring the connector

For the procedure to configure a connector, click here.

Configuration parameters

In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Claroty connector card. On the connector popup, click the Configurations tab to enter the required configuration details:

Parameter	Description
Server URL	Server name or IP address of the Claroty server to which you will connect and perform the automated operations.
Username	Username to access the Claroty server to which you will connect and perform the automated operations.
Password	Password to access the Claroty server to which you will connect and perform the automated operations.
Verify SSL	Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True.

Important: To know more about passing parameters or filters to actions, use https://<clarotyserverip>/ranger/apidocs

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations:

Function	Description	Annotation and Category
Get Assets	Retrieves all assets or specific assets from Claroty based on the input parameters you have specified.	get_assets Investigation
Get Asset Details	Retrieves details of a specific asset from Claroty based on the asset's resource ID you have specified.	get_asset_details Investigation
Get Alerts	Retrieves all alerts or specific alerts from Claroty based on the input parameters you have specified.	get_alerts Investigation
Get Alert Details	Retrieves details of a specific alert from Claroty based on the alert's resource ID you have specified.	get_alert_details Investigation
Get Tasks	Retrieves all tasks or specific tasks and their associated information from Claroty based on the input parameters you have specified.	get_tasks Investigation
Get Queries	Retrieves all queries or specific queries and their associated information from Claroty based on the input parameters you have specified.	get_queries Investigation
Get Insights	Retrieves the summary of specific insights from Claroty based on the format, sort by fields, and other input parameters you have specified.	get_insights Investigation
Get Events	Retrieves all events (associated with alerts) or specific events from Claroty based on the input parameters you have specified.	get_events Investigation

operation: Get Assets

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, of assets, is returned.

Parameter	Description
Asset Type	Select one or more asset types using which you want to filter assets retrieved from Claroty. You can select from options such as Endpoint, OT, PLC, etc.
Protocol	Select one or more asset protocols using which you want to filter assets retrieved from Claroty. You can select from options such as ARP, CIP, DNS, etc.
Asset Criticality	Select one or more asset criticalities using which you want to filter assets retrieved from Claroty. You can select from High, Medium, or Low.
Start Time	Start time from when you want to retrieve assets from Claroty.
End Time	End time till when you want to retrieve assets from Claroty.
Other Filters	Enter JSON key values to filter the assets response, from Claroty, based on the specified parameters. For example, {"ipv4__exact": "1.1.1.1", "insight_status__exact": 1}. The list of fields that can be used as keys on the filters paramaters page are: ipv4__exact, ipv6__exact, mac__icontains, vlan__exact, address__exact, gateway__exact, asset_type__exact, host_name__exact, os__exact, model__icontains, vendor__icontains, state__exact, domain_names__exact, firmware__exact, serial__exact, generic__icontains, display_name__icontains, criticality__exact, old_ip__exact, protocol__exact, last_seen__exact, q__icontains, alert_id__exact, baseline__exact, arp_baselines__exact, insight_status__exact, insights_insight_name__exact, insight_timestamp__gte, insight_timestamp__lte, baseline_category__exact, baseline_access_type__exact, insight_name__exact, insight_row_key__exact, ghost__exact, tasks__exact, active_queries__exact, subnet_tag__exact, custom_attributes__exact, class_type__exact, domain_name__exact, involved_in_tags__exact, hosted_tags__icontains, id__exact, site_id__exact, timestamp__exact, approved__exact, valid__exact, parsed__exact, special_hint__exact, risk_level__exact, network_id__exact, virtual_zone_id__exact, subnet_id__exact, and purdue_level__exact Note: We can use the following filters in place of 'exact': exact, iexact (case-sensitive), contains, icontains (case-sensitive), in, neq (!=), gt (>), gte (>=), lt (<), lte (<=), startswith, relative_time
Limit	The maximum number of results, per page, that this operation should return. By default, this is set to 10.
Page	Page number from which you want to retrieve the response.
Format	Select the format of the response (list of fields) returned by the query. You can select from Asset List, Insight Assets, or Resource IDs. Note: If you do not select any option, then all the properties of the assets are returned, which could affect performance.

Output

The output contains the following populated JSON schema:

Output schema when you choose "Format" as "Asset List":
{
"objects": [
{
"id": "",
"os": "",
"mac": [],
"ipv4": [],
"name": "",
"vlan": [],
"ghost": "",
"state": "",
"valid": "",
"parsed": "",
"subnet": {
"name": ""
},
"vendor": "",
"edge_id": "",
"network": {
"id": "",
"name": "",
"site_id": "",
"resource_id": ""
},
"site_id": "",
"approved": "",
"hostname": "",
"os_build": "",
"protocol": [],
"last_seen": "",
"site_name": "",
"subnet_id": "",
"timestamp": "",
"asset_type": "",
"class_type": "",
"first_seen": "",
"network_id": "",
"risk_level": "",
"criticality": "",
"resource_id": "",
"subnet_type": "",
"asset_type__": "",
"display_name": "",
"purdue_level": "",
"special_hint": "",
"criticality__": "",
"edge_last_run": "",
"project_parsed": "",
"special_hint__": "",
"default_gateway": "",
"os_architecture": "",
"os_service_pack": "",
"virtual_zone_id": "",
"domain_workgroup": "",
"custom_attributes": [],
"virtual_zone_name": "",
"active_tasks_names": [],
"custom_informations": [],
"installed_antivirus": "",
"active_queries_names": []
}
],
"count_total": "",
"count_in_page": "",
"count_filtered": ""
}

Output schema when you choose "Format" as "Insight Assets":
{
"objects": [
{
"id": "",
"os": "",
"mac": [],
"ipv4": [],
"name": "",
"ghost": "",
"vendor": "",
"site_id": "",
"site_name": "",
"asset_type": "",
"network_id": "",
"risk_level": "",
"criticality": "",
"resource_id": "",
"asset_type__": "",
"criticality__": ""
}
],
"count_total": "",
"count_in_page": "",
"count_filtered": ""
}

Output schema when you choose "Format" as "Resource IDs":
{
"objects": [
{
"resource_id": ""
}
],
"count_total": "",
"count_in_page": "",
"count_filtered": ""
}

This is the default output schema:
{
"objects": [
{
"id": "",
"os": "",
"mac": [],
"ipv4": [],
"name": "",
"vlan": [],
"ghost": "",
"state": "",
"valid": "",
"parsed": "",
"subnet": {
"name": ""
},
"vendor": "",
"edge_id": "",
"network": {
"id": "",
"name": "",
"site_id": "",
"resource_id": ""
},
"site_id": "",
"approved": "",
"hostname": "",
"os_build": "",
"protocol": [],
"last_seen": "",
"site_name": "",
"subnet_id": "",
"timestamp": "",
"asset_type": "",
"class_type": "",
"first_seen": "",
"network_id": "",
"risk_level": "",
"criticality": "",
"resource_id": "",
"subnet_type": "",
"asset_type__": "",
"display_name": "",
"purdue_level": "",
"special_hint": "",
"criticality__": "",
"edge_last_run": "",
"project_parsed": "",
"special_hint__": "",
"default_gateway": "",
"os_architecture": "",
"os_service_pack": "",
"virtual_zone_id": "",
"domain_workgroup": "",
"custom_attributes": [],
"virtual_zone_name": "",
"active_tasks_names": [],
"custom_informations": [],
"installed_antivirus": "",
"active_queries_names": []
}
],
"count_total": "",
"count_in_page": "",
"count_filtered": ""
}

operation: Get Asset Details

Input parameters

Parameter	Description
Resource ID	Specify the resource ID of the asset for which you want to retrieve details from Claroty. The resource ID should be specified in the format <asset-id>-<site-id>.

Output

The output contains the following populated JSON schema:
{
"id": "",
"os": "",
"mac": [],
"ipv4": [],
"name": "",
"vlan": [],
"ghost": "",
"state": "",
"valid": "",
"parsed": "",
"subnet": {
"name": ""
},
"vendor": "",
"edge_id": "",
"network": {
"id": "",
"name": "",
"site_id": "",
"resource_id": ""
},
"site_id": "",
"approved": "",
"children": [],
"hostname": "",
"os_build": "",
"protocol": [],
"last_seen": "",
"site_name": "",
"subnet_id": "",
"timestamp": "",
"asset_type": "",
"class_type": "",
"first_seen": "",
"network_id": "",
"num_alerts": "",
"risk_level": "",
"risk_score": "",
"criticality": "",
"patch_count": "",
"resource_id": "",
"subnet_type": "",
"asset_type__": "",
"display_name": "",
"purdue_level": "",
"special_hint": "",
"code_sections": [],
"criticality__": "",
"edge_last_run": "",
"insight_names": [],
"has_interfaces": "",
"project_parsed": "",
"special_hint__": "",
"default_gateway": "",
"os_architecture": "",
"os_service_pack": "",
"virtual_zone_id": "",
"domain_workgroup": "",
"custom_attributes": [],
"usb_devices_count": "",
"virtual_zone_name": "",
"active_tasks_names": [],
"custom_informations": [],
"installed_antivirus": "",
"active_queries_names": [],
"installed_programs_count": ""
}

operation: Get Alerts

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, of alerts, is returned.

Parameter	Description
Status	Select one or more alert statuses using which you want to filter alerts retrieved from Claroty. You can select Resolved Unresolved, or select both to retrieve both resolved and unresolved alerts from Claroty.
Category	Select one or more alert categories using which you want to filter alerts retrieved from Claroty. You can select Security Integrity, or select both to retrieve both categories of alerts from Claroty.
Alert Severity	Select one or more alert severities using which you want to filter alerts retrieved from Claroty. You can select from Critical High, Medium, or Low.
Start Time	Start time from when you want to retrieve alerts from Claroty.
End Time	End time till when you want to retrieve alerts from Claroty.
Other Filters	Enter JSON key values to filter the alert response, from Claroty, based on the specified parameters. For example, {"asset_id__exact": "122", "severity__exact": 4} The list of fields that can be used as keys on the filters paramaters page are: per_page, asset_id__exact, asset__exact, for_asset__exact, q__exact, primary_asset__exact, non_primary_assets__exact, virtual_zone__exact, alert_id__exact, ot_alerts__exact, family__exact, story_severity__exact, id__exact, site_id__exact, data__exact, description__exact, type__exact, category__exact, severity__exact, timestamp__exact, relevant__exact, resolved__exact, resolution__exact, protocol__exact, score__exact, is_qualified__exact, network_id__exact, resolved_id__exact, assigned_id__exact, story_id__exact, or sort
Limit	The maximum number of results, per page, that this operation should return.
Page	Page number from which you want to retrieve the response.

Output

The output contains the following populated JSON schema:
{
"objects": [
{
"id": "",
"type": "",
"score": "",
"story": "",
"type__": "",
"network": {
"id": "",
"name": "",
"site_id": "",
"resource_id": ""
},
"site_id": "",
"category": "",
"protocol": "",
"relevant": "",
"resolved": "",
"severity": "",
"story_id": "",
"timestamp": "",
"category__": "",
"network_id": "",
"resolution": "",
"severity__": "",
"description": "",
"resource_id": "",
"threat_type": "",
"is_qualified": "",
"resolution__": "",
"actionable_caps": [
{
"id": "",
"cap": {
"id": "",
"deleted": "",
"site_id": "",
"file_name": "",
"resource_id": ""
},
"role": "",
"role__": "",
"site_id": "",
"resource_id": "",
"actionable_id": ""
}
],
"actionable_diffs": [],
"alert_indicators": [
{
"id": "",
"site_id": "",
"alert_id": "",
"resource_id": "",
"indicator_id": "",
"indicator_info": {
"id": "",
"type": "",
"points": "",
"site_id": "",
"description": "",
"resource_id": ""
},
"indicator_result": "",
"parent_indicator_id": ""
}
],
"mitre_techniques": [],
"story_group_name": [
"Host Scan (1 alert)"
],
"actionable_assets": [
{
"id": "",
"role": "",
"asset": {
"id": "",
"os": "",
"mac": [],
"ipv4": [],
"name": "",
"vendor": "",
"site_id": "",
"hostname": "",
"asset_type": "",
"network_id": "",
"resource_id": "",
"asset_type__": ""
},
"role__": "",
"site_id": "",
"resource_id": "",
"actionable_id": ""
}
],
"actionable_policies": [],
"actionable_information": [],
"significant_indicators": [
{
"id": "",
"icon": "",
"site_id": "",
"alert_id": "",
"resource_id": "",
"indicator_id": "",
"indicator_info": {
"id": "",
"type": "",
"points": "",
"site_id": "",
"description": "",
"resource_id": ""
},
"indicator_result": "",
"parent_indicator_id": ""
}
],
"actionable_suspicious_files": [],
"actionable_virtual_zones_names": [
"Endpoint: Other - External"
]
}
],
"count_total": "",
"count_in_page": "",
"count_filtered": ""
}

operation: Get Alert Details

Input parameters

Parameter	Description
Resource ID	Specify the resource ID of the alert for which you want to retrieve details from Claroty. The resource ID should be specified in the format <asset-id>-<site-id>

Output

The output contains the following populated JSON schema:
{
"id": "",
"type": "",
"score": "",
"story": {
"id": "",
"score": "",
"alerts": [
{
"id": "",
"type": "",
"type__": "",
"resolved": "",
"severity": "",
"timestamp": "",
"severity__": "",
"description": ""
}
],
"site_id": "",
"timestamp": "",
"description": "",
"total_alert_count": "",
"baseline_activities": [
{
"id": "",
"site_id": "",
"story_id": "",
"timestamp": "",
"baseline_id": "",
"resource_id": "",
"baseline_description": ""
}
]
},
"type__": "",
"network": {
"id": "",
"name": "",
"site_id": "",
"resource_id": ""
},
"site_id": "",
"category": "",
"protocol": "",
"relevant": "",
"resolved": "",
"severity": "",
"story_id": "",
"timestamp": "",
"category__": "",
"network_id": "",
"resolution": "",
"severity__": "",
"description": "",
"resource_id": "",
"threat_type": "",
"is_qualified": "",
"resolution__": "",
"actionable_caps": [
{
"id": "",
"cap": {
"id": "",
"deleted": "",
"site_id": "",
"file_name": "",
"resource_id": ""
},
"role": "",
"role__": "",
"site_id": "",
"resource_id": "",
"actionable_id": ""
}
],
"actionable_diffs": [],
"alert_indicators": [
{
"id": "",
"site_id": "",
"alert_id": "",
"resource_id": "",
"indicator_id": "",
"indicator_info": {
"id": "",
"type": "",
"points": "",
"site_id": "",
"description": "",
"resource_id": ""
},
"indicator_result": "",
"parent_indicator_id": ""
}
],
"mitre_techniques": [],
"actionable_assets": [
{
"id": "",
"role": "",
"asset": {
"id": "",
"os": "",
"mac": [],
"ipv4": [],
"name": "",
"parsed": "",
"vendor": "",
"network": {
"id": "",
"name": "",
"site_id": "",
"resource_id": ""
},
"site_id": "",
"hostname": "",
"site_name": "",
"asset_type": "",
"class_type": "",
"network_id": "",
"risk_level": "",
"criticality": "",
"resource_id": "",
"asset_type__": "",
"purdue_level": "",
"criticality__": "",
"project_parsed": "",
"virtual_zone_name": ""
},
"role__": "",
"site_id": "",
"resource_id": "",
"actionable_id": ""
}
],
"actionable_policies": [],
"actionable_information": [],
"significant_indicators": [
{
"id": "",
"icon": "",
"site_id": "",
"alert_id": "",
"resource_id": "",
"indicator_id": "",
"indicator_info": {
"id": "",
"type": "",
"points": "",
"site_id": "",
"description": "",
"resource_id": ""
},
"indicator_result": "",
"parent_indicator_id": ""
}
],
"actionable_suspicious_files": [],
"actionable_virtual_zones_names": [
"Endpoint: Other - External"
]
}

operation: Get Tasks

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, of tasks, is returned.

Parameter	Description
Name Contains (Case-Sensitive)	Name using which you want to filter tasks retrieved from Claroty to those tasks whose name contains the specified input string.
Site ID	The ID of the site using which you want to filter tasks retrieved from Claroty.
Limit	The maximum number of results, per page, that this operation should return.
Page	Page number from which you want to retrieve the response.
Sort By	Select the parameter using which you want to sort the response retrieved from Claroty. You can choose from the following options: "name","status","enabled","interval","start_time","end_time","allowed_run_time_start","allowed_run_time_end", or "last_run_results"
Sort Order	Select the order in which you want to sort the response retrieved from Claroty. You can choose between Ascending or Descending.

Output

The output contains the following populated JSON schema:
{
"count_filtered": "",
"count_total": "",
"count_in_page": "",
"objects": [
{
"allowed_days": "",
"allowed_run_time_end": "",
"allowed_run_time_start": "",
"type": "",
"end_time": "",
"interval": "",
"is_recurring": "",
"name": "",
"resource_id": "",
"site_id": "",
"status": "",
"valid": "",
"start_time": "",
"assets_count": "",
"extra_params": {
"Query_Discovered_Devices": "",
"port": "",
"sub_query": ""
},
"enabled": "",
"id": "",
"last_start_run_time": "",
"network_id": "",
"active_type": ""
}
]
}

operation: Get Queries

Input parameters

Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, of tasks, is returned.

Parameter	Description
Name Contains(case-sensitive)	Name using which you want to filter queries retrieved from Claroty to those queries whose name contains the specified input string.
Site ID	The ID of the site using which you want to filter queries retrieved from Claroty.
Sort By	Select the parameter using which you want to sort the response retrieved from Claroty. You can choose from the following options: "name","status","enabled","interval","start_time","end_time","allowed_run_time_start","allowed_run_time_end", or "last_run_results"
Sort Order	Select the order in which you want to sort the response retrieved from Claroty. You can choose between Ascending or Descending.
Limit	The maximum number of results, per page, that this operation should return.
Page	Page number from which you want to retrieve the response.

Output

The output contains the following populated JSON schema:
{
"count_filtered": "",
"count_total": "",
"count_in_page": "",
"objects": [
{
"allowed_days": "",
"allowed_run_time_end": "",
"allowed_run_time_start": "",
"type": "",
"end_time": "",
"interval": "",
"is_recurring": "",
"name": "",
"resource_id": "",
"site_id": "",
"status": "",
"valid": "",
"start_time": "",
"assets_count": "",
"extra_params": {
"Query_Discovered_Devices": "",
"port": "",
"sub_query": ""
},
"enabled": "",
"id": "",
"last_start_run_time": "",
"network_id": "",
"active_type": ""
}
]
}

operation: Get Insights

Input parameters

Parameter	Description
Format	Specify the format of the insights whose summaries you want to retrieve from Claroty. For example, insight_page
Sort By	Specify the parameter using which you want to sort the response retrieved from Claroty.
Sort Order	Select the order in which you want to sort the response retrieved from Claroty. You can choose between Ascending or Descending.
Host Exact	Select this option if you want to filter the response data retrieved from Claroty to that which exactly matches the host specified in the input string.
Special Hint Exact	Select the special hint using which you want to filter the response retrieved from Claroty. You can choose from the following options: 0, 1, 2, 3, or 4.
Insight Status Exact	Select the insight status using which you want to filter the response retrieved from Claroty. You can choose from the following options: 0, 1, or 2.
Site ID	The ID of the site using which you want to filter insights retrieved from Claroty.
Limit	The maximum number of results, per page, that this operation should return.
Page	Page number from which you want to retrieve the response.

Output

The output contains the following populated JSON schema:
{
"name": "",
"headers": [
{
"name": "",
"type": "",
"hidden": "",
"sortable": "",
"header_num": ""
}
],
"severity": "",
"description": "",
"default_sort": "",
"other_side_name": "",
"other_side_headers": [],
"aggregated_description": "",
"other_side_default_sort": ""
}

operation: Get Events

Input parameters

Parameter	Description
Site ID	The ID of the site using which you want to filter events retrieved from Claroty
ID	Specify the resource ID of the event whose details you want to retrieve from Claroty. The resource ID should be specified in the format <event-id>-<site-id>.
Alert Resource ID	Specify the resource ID of the alert whose associated event details you want to retrieve from Claroty. The resource ID should be specified in the format <alert-id>-<site-id>.
Start Time	Start time from when you want to retrieve alerts (and associated events) from Claroty.
End Time	End time till when you want to retrieve alerts (and associated events) from Claroty.
Description	The description using which you want to filter events data retrieved from Claroty.
Description (case-sensitive)	The description (case-sensitive) using which you want to filter events data retrieved from Claroty.
Type	Select one or more alert types using which you want to filter events retrieved from Claroty. You can select from options such as 3 - Threat, 10 - FTP Data, etc.
Status	Select the alert status using which you want to filter events retrieved from Claroty. You can choose from the following options: OT Alert, OT Operation, Alert, or Not Risky Change.
Sort By	Select the parameter using which you want to sort the response retrieved from Claroty. You can select from options such as id, -site-id, type, etc.
Sort Order	Select the order in which you want to sort the response retrieved from Claroty. You can choose between Ascending or Descending.
Limit	The maximum number of results, per page, that this operation should return.
Page	Page number from which you want to retrieve the response.

Output

The output contains the following populated JSON schema:
{
"objects": [
{
"id": "",
"type": "",
"status": "",
"type__": "",
"site_id": "",
"alert_id": "",
"timestamp": "",
"description": "",
"resource_id": ""
}
],
"count_total": "",
"count_in_page": "",
"count_filtered": ""
}

Included playbooks

The Sample - Claroty - 1.0.0 playbook collection comes bundled with the Claroty connector. These playbooks contain steps using which you can perform all supported actions. You can see bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Claroty connector.

• > Claroty > Fetch
• >> Claroty > Fetch Associated Events for Alerts
• Claroty > Ingest
• Get Alert Details
• Get Alerts
• Get Asset Details
• Get Assets
• Get Events
• Get Insights
• Get Queries
• Get Tasks

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during the connector upgrade and delete.

Data Ingestion Support

Use the Data Ingestion Wizard to easily ingest data into FortiSOAR™ by pulling alerts and their associated events from Claroty. Currently, alerts and their associated events ingested from Claroty are mapped to "alerts" in FortiSOAR™. For more information on the Data Ingestion Wizard, see the "Connectors Guide" in the FortiSOAR™ product documentation.

Configure Data Ingestion

You can configure data ingestion using the “Data Ingestion Wizard” to seamlessly map the incoming Claroty alerts and their associated events to FortiSOAR™ "Alerts".

The Data Ingestion Wizard enables you to configure the scheduled pulling of data from Claroty into FortiSOAR™. It also lets you pull some sample data from Claroty using which you can define the mapping of data between Claroty and FortiSOAR™. The mapping of common fields is generally already done by the Data Ingestion Wizard; users are mostly required to only map any custom fields that are added to alerts and their associated events from Claroty.

1. To begin configuring data ingestion, click Configure Data Ingestion on the Claroty connector’s "Configurations" page.
   Click Let’s Start by fetching some data, to open the “Fetch Sample Data” screen.
   
   Sample data is required to create a field mapping between the Claroty alerts and their associated events data and FortiSOAR™. The sample data is pulled from connector actions or ingestion playbooks.
2. On the Fetch Data screen, provide the configurations required to fetch alerts and their associated events data from Claroty.
   Specify the time in minutes in the Pull Alerts Created in Last X Mins field to specify the time from when you want to pull alerts and their associated events from Claroty. You can also filter the alerts fetched from Claroty based on the alert status, category, or severity. You can also specify JSON key values in the Other Filters field to filter the alerts pulled from Claroty, based on the specified input parameters. You can also specify the maximum number of alerts to be returned in the response in the Limit field, the default is set to 1000, and the maximum number of events to be pulled per alert in the Event Count to Pull Per Alert field, the default is set to 5:
   
   The fetched data is used to create a mapping between the alerts and their associated events retrieved from Claroty and FortiSOAR™ alerts.
   Once you have completed specifying the configurations, click Fetch Data.

3. On the Field Mapping screen, map the fields of alerts and their associated events ingested from Claroty to the fields of an alert present in FortiSOAR™.
   To map a field, click the key in the sample data to add the “jinja” value of the field. For example, to map the type-- parameter of an alert and their associated events ingested from Claroty to the Source Type parameter of a FortiSOAR™ alert, click the Source Type field and then click the type-- field to populate its keys:
   
   For more information on field mapping, see the Data Ingestion chapter in the "Connectors Guide" in the FortiSOAR™ product documentation. Once you have completed the mapping of fields, click Save Mapping & Continue.

4. Use the Scheduling screen to configure schedule-based ingestion, i.e., specify the polling frequency to Claroty, so that the content gets pulled from the Claroty integration into FortiSOAR™.
   On the Scheduling screen, from the Do you want to schedule the ingestion? drop-down list, select Yes.
   In the “Configure Schedule Settings” section, specify the Cron expression For example, if you want to pull data from Claroty every morning at 5 am, click Daily, and in the hour box enter 5, and in the minute box enter 0:
   
   Once you have completed scheduling, click Save Settings & Continue.

5. The Summary screen displays a summary of the mapping done, and it also contains links to the Ingestion playbooks. Click Done to complete the data ingestion and exit the Data Ingestion Wizard.