Skip to main content

Claroty

Download With Dependencies

Use the Claroty CTD to manage assets and alerts.

Claroty Continuous Threat Detection (CTD)

Effective network security starts with an accurate asset database. The integration between Claroty Continuous Threat Detection (CTD) and Palo Alto Networks Cortex XSOAR enables comprehensive IT-OT asset coverage through discovery & enrichment, vulnerability management, and automated threat alerts. Integrating these tools provides coverage through a single-pane-of-glass while eliminating the need for OT-specific monitoring expertise & dedicated tools.

Supporting the broadest list of OT protocols in the industry and multiple asset discovery methodologies, Claroty’s integration with Cortex XSOAR allows organizations to:

  • Identify all OT assets and corresponding asset data to populate the CMDB
  • Automate vulnerability management with context-rich playbooks for event resolution
  • Threat detection engines identify and parse events to alert Cortex XSOAR for further ticketing and analysis

For more information:

Claroty Continuous Threat Detection (CTD)

Cortex XSIAM SIEM Content

This pack includes Cortex XSIAM SIEM content, which is supported directly by Palo Alto Networks.

The SIEM content contains parsing and modeling rules for ingesting and mapping events and alerts that are sent from Claroty CTD to Cortex XSIAM.

This section describes the configurations required on Claroty CTD for forwarding events and alerts to Cortex XSIAM and the configurations required on Cortex XSIAM for ingesting and mapping them.

Configuration on Claroty CTD

Follow these steps to configure Claroty CTD to forward Syslog messages to Cortex XSIAM.


  1. Login to your account on the Claroty CTD web management console.

  2. Go to Configuration and navigate to Log SettingsSyslog.

  3. Click + Add to add a new syslog configuration.

  4. Clear the Local checkbox and fill in the following settings:

    Parameter Value
    Message Contents Select the log type to forward to Cortex XSIAM.
    Message Format Select CEF.
    Server Enter the IP address of the target Cortex XSIAM Broker VM syslog server.
    Port Enter the port number which the target Cortex XSIAM Broker VM syslog server would be listening on for receiving syslog messages from Claroty CTD.
    Protocol Select the requested forwarding transport protocol (UDP, TCP or TLS).
  5. Click Save.

Remark

Since the syslog forwarding configuration is set for each log type individually,
repeat the steps above for each log type (Alerts, Events, etc.) to monitor on Cortex XSIAM.

Configuration on Cortex XSIAM

In order to use the collector for Claroty CTD, use the Broker VM option.

Broker VM

To create or configure the Broker VM, use the information described here.

You can configure the specific vendor and product for this instance.

  1. Navigate to SettingsConfigurationData BrokerBroker VMs.
  2. Go to the apps tab and add the Syslog app for the relevant broker instance. If the Syslog app already exists, hover over it and click Configure.
  3. Click Add New.
  4. When configuring the Syslog Collector, set the following parameters:
    | Parameter | Value
    | :--- | :---
    | Protocol | Select the forwarding transport protocol in correspondence to the protocol defined on Claroty CTD (UDP, TCP or Secure TCP for TLS).
    | Format | Select CEF.
    | Port | Enter the syslog service port number that this Cortex XSIAM Broker VM should listen on for receiving forwarded events from Claroty CTD.
    | Vendor | Enter Claroty.
    | Product | Enter CTD.

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

CertificationRead more
Supported ByPartner
CreatedSeptember 23, 2020
Last ReleaseDecember 4, 2024
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.