Claroty Continuous Threat Detection (CTD)


This guide describes the steps required to configure Claroty CTD to send logs to a Samurai Local Collector deployed on your network. Claroty CTD requires access to the Local Collector via syslog on port 514/TCP.

Prerequisites

This document supports Claroty CTD versions 3.x and 4.x.

The following integration configures SIEM Syslog rules for Baseline, Event and Alert logs. A user account is also created for read-only API access so that additional telemetry can be gathered.

To complete this integration you will need to:

1) Complete the Claroty-side configuration (syslog rules, API user and group) from the Claroty web management user interface

2) Complete the integration from the Samurai MDR portal

Configure Save CAPs and Detect Known Threats

  1. Log in to Claroty’s web configuration dashboard.
  2. Click the Configuration tab.
  3. In the Networks area:
    • Select the checkbox to enable Save Caps
    • Select the checkbox to enable Detect Known Threats

Configuration of Rules

If a field is not mentioned, please leave it unchanged.

Baseline Rule

  1. Log in to Claroty’s web configuration dashboard.

  2. On the main menu on the left, click Configuration

  3. Select Integrations > SIEM Syslog

  4. Complete the following steps to add a rule to send baseline logs:

  5. In the SIEM Syslog screen click on the “+” button

  6. In the From list, click the relevant site(s)

  7. The Add new Syslog screen will appear

  8. Update the following fields:

    • Uncheck the LOCAL checkbox
    • From the MESSAGE CONTENTS list, click Baselines
    • From the MESSAGE FORMAT list, click CEF
    • Protocol - select all from the available list
    • Communication Type - select all available options
    • Access Type - select all available options
    • Server - enter the IP address of your Samurai Local Collector
    • Port - enter 514
    • Protocol (syslog transport) - TCP
  9. Click Save

Events Rule

  1. Log in to Claroty’s web configuration dashboard.

  2. On the main menu on the left, click Configuration

  3. Select Integrations > SIEM Syslog

  4. Complete the following steps to add a rule to send Events logs:

  5. In the SIEM Syslog screen click on the “+” button

  6. In the From list, click the relevant site(s)

  7. The Add new Syslog screen will appear

  8. Update the following fields:

    • Uncheck the LOCAL checkbox
    • From the MESSAGE CONTENTS list, click Events
    • From the MESSAGE FORMAT list, click CEF
    • Under Select Filters, configure the following for the corresponding alerts:
    • Category - select all available options
    • Protocol - select all from the available list
    • Server - enter the IP address of your Samurai Local Collector
    • Port - enter 514
    • Protocol (syslog transport) - TCP
  9. Click Save

Alert Rule

  1. Log in to Claroty’s web configuration dashboard.

  2. On the main menu on the left, click Configuration

  3. Select Integrations > SIEM Syslog

  4. Complete the following steps to add a rule to send Alerts logs:

  5. In the SIEM Syslog screen click on the “+” button

  6. In the From list, click the relevant site(s)

  7. The Add new Syslog screen will appear

  8. Update the following fields:

    • Uncheck the LOCAL checkbox
    • From the MESSAGE CONTENTS list, click Alerts
    • From the MESSAGE FORMAT list, click CEF
    • Category - select all available options
    • Protocol - select all from the available list
    • Server - enter the IP address of your Samurai Local Collector
    • Port - enter 514
    • Protocol (syslog transport) - TCP
  9. Click Save
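The three rules above all emit CEF over syslog to the collector on 514/TCP. As an added example (not part of Claroty's or NTT's documentation), the Python below parses CEF lines, handling the escaped `|` and `=` characters the format allows, and counts how many Baseline, Event and Alert records were seen so a rule that never fires is obvious. The sample lines, vendor/product strings, signature IDs and extension keys are constructed; the real values Claroty CTD emits are not documented on this page, so the rule-type check matches on the constructed `name` header field.

```python
"""Parse CEF syslog records and check that all three CTD rule types arrive."""
import re

# Constructed sample records (not real Claroty CTD output) with a syslog prefix.
SAMPLE_LINES = [
    "<134>Jan 10 12:00:01 ctd-host CEF:0|Claroty|CTD|4.0|100|Baseline|2|src=10.0.0.5 dst=10.0.0.9 proto=modbus",
    "<134>Jan 10 12:00:02 ctd-host CEF:0|Claroty|CTD|4.0|200|Event|5|src=10.0.0.5 msg=Write to register\\=40001",
    "<134>Jan 10 12:00:03 ctd-host CEF:0|Claroty|CTD|4.0|300|Alert\\|Security|9|src=10.0.0.5 act=blocked",
]
RULE_TYPES = ("Baseline", "Event", "Alert")  # assumed name prefixes per rule type
_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # an unescaped key= starts a pair


def _split_header(cef: str) -> list:
    """Split the 7 CEF header fields on unescaped '|'; the remainder is the extension."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):      # '\|' or '\\' inside a header field
            cur.append(cef[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    return fields + ["".join(cur) + cef[i:]]


def _parse_extension(ext: str) -> dict:
    """Extension is 'key=value key=value'; values may contain spaces and '\\='."""
    keys = list(_KEY_RE.finditer(ext))
    out = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = ext[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_cef(line: str) -> dict:
    """Return header fields and extension dict; raises ValueError on malformed input."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF message")
    fields = _split_header(line[start + len("CEF:"):])
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, sig_id, name, severity, ext = fields
    return {"version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": int(severity), "extension": _parse_extension(ext.strip())}


def rule_coverage(lines) -> dict:
    """Count records per rule type; a zero means that SIEM Syslog rule is not delivering."""
    seen = {t: 0 for t in RULE_TYPES}
    for line in lines:
        name = parse_cef(line)["name"]
        for t in RULE_TYPES:
            if name.startswith(t):
                seen[t] += 1
    return seen
```

Feed it the lines captured at the collector; a rule type that stays at zero points back to the corresponding rule's filters, server or port settings.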

Create an account for API access

  1. Log in to Claroty’s web configuration dashboard.
  2. On the main menu select Configuration and Users
  3. In the User Management configuration screen, Click Add new users
  4. Enter a Username
  5. Enter a Full Name
  6. Enter a Password
  7. Repeat the Password
  8. Click Add

You will need to provide these credentials to NTT during onboarding.

If Security and Authentication > Password Expires is not set to 0 (0 = unlimited), you will need to update the password before it expires.

Create a Group with permissions for the API access account

If a field is not mentioned, please leave it unchanged.

  1. Log in to Claroty’s web configuration dashboard.
  2. On the main menu select Configuration and Groups
  3. In the Group Management configuration screen, Click Add new groups
  4. Enter a Group Name
  5. Select the user created in Create an account for API access from the Add User dropdown list
  6. In the Systems Permissions area, Click Add permission
  7. Select the specific sites to which the permissions apply, or All Sites
  8. From the All dropdown list, select the relevant option
  9. Set the appropriate permission level to Read
  10. Click Save

Complete the Claroty Continuous Threat Detection (CTD) Integration

  1. Log in to the Samurai MDR portal

  2. Click Telemetry and select Integrations from the main menu

  3. Click Create

  4. Find and select Claroty Continuous Threat Detection (CTD)

  5. Select the relevant Local Collector and click Next

  6. You will be presented with the Local Collector IP Address on the left of the screen

  7. To configure Extended Telemetry Collection, ensure it is enabled via the toggle

  8. Enter the following information:

    • Name for the Integration - the name will appear in the Samurai MDR portal for you to easily reference
    • Description - optional, but if completed it will appear in the Samurai MDR portal for you to easily reference
    • Devicename - an arbitrary name to identify the Claroty CTD device
    • IP Address - the IP address of Claroty CTD
    • Username - enter the username you created in Create an account for API access
    • Password - enter the password you created in Create an account for API access
    • Port (Optional) - if you have changed the default port, enter the port number; if not, we default to 5000
  9. Click on Finish

For general information on Integrations refer to the Integrations article.

Our Integration guide was accurate at the time of writing but vendors change things frequently! If you find errors or anything is outdated, let us know by raising a request in the Samurai MDR application and we shall get it updated.