Claroty

Use the Claroty CTD integration to manage assets and alerts. This integration was integrated and tested with version 4.0.1 of Claroty

Claroty Playbook

Playbook 1: OT Asset Discovery Maintaining an accurate enterprise asset database is extremely difficult, but without it effective security is near impossible. This playbook automates the population and maintenance of the enterprise’s configuration management database (CMDB) with OT asset information. The rich contextual data provided for each asset makes it realistic to prioritize security processes and actions based on the CMDB. Proactive vulnerability management is a fundamental control because it hardens assets against the most common exploits seen in the wild. This playbook automates OT vulnerability management: it identifies high-severity vulnerabilities on OT assets, and creates context-rich tickets in the enterprise service manager for action. Crucially, it focuses on high-risk issues on truly important assets, so that non-critical issues do not overwhelm the vulnerability management process and obfuscate the issues that demand immediate attention.

Playbook 3: OT Threat Detection Alerts In order to scale, enterprises must centralize and automate the processing of alerts that are indicators of risk or compromise. This playbook automates the passing of OT threat detection alerts from the Claroty CTD system to the enterprise SIEM and ticketing system. CTD correlates the alert with asset and flow information observed in the OT environment and passes it upstream via the integration, allowing security analysts to quickly evaluate the alert and take corrective action if necessary.

Use Cases

Retrieve and resolve alerts related to OT devices (communicating outside of the network, policy violations such as active outside working hours, etc.)

Insights: get information about vulnerable assets in the network (retrieve vulnerabilities and CVEs per asset, divide according to CVE risk and mitigate accordingly (high will have different mitigation steps)

Configure Claroty on Demisto


  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Claroty.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
    • CTD Server URL (e.g. https://\<IP>:5000)
    • Username
    • Trust any certificate (not secure)
    • Use system proxy settings
    • Incident type
    • Fetch incidents
    • The initial time to fetch from
    • Minimal severity to fetch by
    • Site ID to fetch by
    • Fetch by alert type
  4. Click Test to validate the URLs, token, and connection.

Fetched Incidents Data


Commands


You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details. 1. claroty-get-assets 2. claroty-query-alerts 3. claroty-resolve-alert 4. claroty-get-single-alert

1. claroty-get-assets


Gets all assets from CTD. You can apply one or more filters.

Required Permissions

Admin user.

Base Command

claroty-get-assets

Input
Argument NameDescriptionRequired
fieldsAsset fields to return. The default value is "all".Optional
criticalityReturns assets with this criticality. Can be "Low", "Medium", or "High".Optional
insight_nameGet assets with that include the given insight nameOptional
should_enrich_assetsAdd aditional value for the asset CVEs.Optional
asset_limitMaximal value of assets to query at once.Optional
assets_last_seenGet all assets seen last from the given date. Format - YYYY-MM-DDThh:mm:ssZ. Example - 2020-02-02T01:02:03ZOptional
Context Output
PathTypeDescription
Claroty.Asset.AssetIDNumberThe ID of the asset.
Claroty.Asset.AssetTypeStringThe asset type.
Claroty.Asset.CVE.CVSSStringCVE Score.
Claroty.Asset.CVE.DescriptionStringCVE Description.
Claroty.Asset.CVE.IDStringCVE ID.
Claroty.Asset.CVE.ModifiedDateCVE modification date.
Claroty.Asset.CVE.PublishedDateCVE publish date.
CVE.CVSSStringCVE Score.
CVE.DescriptionStringCVE Description.
CVE.IDStringCVE ID.
CVE.ModifiedDateCVE modification date.
CVE.PublishedDateCVE publish date.
Claroty.Asset.ClassTypeStringThe OT/IT class type.
Claroty.Asset.CriticalityStringThe criticality of the asset, according to the Purdue model.
Claroty.Asset.FirmwareVersionStringThe FM version of the asset.
Claroty.Asset.HighestCVEScoreNumberHighest CVE Score for the Asset.
Claroty.Asset.IPStringThe IPv4 address of the asset.
Claroty.Asset.InsightNameStringThe asset insight names generated by CTD.
Claroty.Asset.LastSeenDateThe date the asset was last seen.
Claroty.Asset.MACStringThe MAC address of the asset.
Claroty.Asset.NameStringThe asset name.
Claroty.Asset.ResourceIDStringThe asset RID (AssetID-SiteID).
Claroty.Asset.RiskLevelNumberThe risk indicator.
Claroty.Asset.SiteIDNumberThe site ID of the asset.
Claroty.Asset.SiteNameStringThe site name of the asset.
Claroty.Asset.VendorStringThe vendor of the asset.
Claroty.Asset.VirtualZoneStringThe virtual zone of the asset.
Claroty.Asset.WasParsedStringWhether the project was parsed.
Command Example

!claroty-get-assets asset_limit=1 criticality=High should_enrich_assets=True

Context Example
{
"CVE": [
[
{
"ID": "RA-470154-1",
"Published": "2012-01-19",
"CVSS": "8.8",
"Modified": "2018-01-11",
"Description": "Denial of Service by receiving valid CIP message"
},
{
"ID": "RA-470154-3",
"Published": "2012-01-19",
"CVSS": "8.8",
"Modified": "2018-01-11",
"Description": "Denial of Service (reset the product) by receiving valid CIP message"
},
{
"ID": "RA-470155-1",
"Published": "2012-01-19",
"CVSS": "8.8",
"Modified": "2018-01-11",
"Description": "Denial of Service by receiving malformed CIP packet"
}
]
],
"Claroty.Asset": [
{
"ResourceID": "9-1",
"AssetType": "PLC",
"Vendor": "Rockwell Automation",
"Name": "10.1.0.10",
"Criticality": "High",
"AssetID": 9,
"ClassType": "OT",
"SiteName": "site-1",
"InsightName": [
"Full Match CVEs",
"Open Ports"
],
"VirtualZone": "PLC: Rockwell",
"RiskLevel": 1,
"MAC": [
"E4:90:69:A7:70:0F"
],
"SiteID": 1,
"HighestCVEScore": 8.8,
"IP": [
"10.1.0.10"
],
"WasParsed": null,
"CVE": [
{
"ID": "RA-470154-1",
"Published": "2012-01-19",
"CVSS": "8.8",
"Modified": "2018-01-11",
"Description": "Denial of Service by receiving valid CIP message"
},
{
"ID": "RA-470154-3",
"Published": "2012-01-19",
"CVSS": "8.8",
"Modified": "2018-01-11",
"Description": "Denial of Service (reset the product) by receiving valid CIP message"
},
{
"ID": "RA-470155-1",
"Published": "2012-01-19",
"CVSS": "8.8",
"Modified": "2018-01-11",
"Description": "Denial of Service by receiving malformed CIP packet"
}
],
"FirmwareVersion": "V4.003",
"LastSeen": "2020-02-19T07:42:16+00:00"
}
]
}
Human Readable Output

Claroty Asset List

AssetIDAssetTypeCVEClassTypeCriticalityFirmwareVersionHighestCVEScoreIPInsightNameLastSeenMACNameResourceIDRiskLevelSiteIDSiteNameVendorVirtualZoneWasParsed
9PLC{'ID': 'RA-470154-1', 'CVSS': '8.8', 'Published': '2012-01-19', 'Modified': '2018-01-11', 'Description': 'Denial of Service by receiving valid CIP message'},
{'ID': 'RA-470154-3', 'CVSS': '8.8', 'Published': '2012-01-19', 'Modified': '2018-01-11', 'Description': 'Denial of Service (reset the product) by receiving valid CIP message'},
{'ID': 'RA-470155-1', 'CVSS': '8.8', 'Published': '2012-01-19', 'Modified': '2018-01-11', 'Description': 'Denial of Service by receiving malformed CIP packet'}
OTHighV4.0038.810.1.0.10Full Match CVEs,
Open Ports
2020-02-19T07:42:16+00:00E4:90:69:A7:70:0F10.1.0.109-111site-1Rockwell AutomationPLC: Rockwell

2. claroty-query-alerts


Gets alerts from CTD.

Required Permissions

Admin user.

Base Command

claroty-query-alerts

Input
Argument NameDescriptionRequired
fieldsAlert fields to return.Optional
sort_byThe field by which to sort the results. The default value is "timestamp".
Default sort order is ascending
Optional
typeReturns alerts that match this alert type.Optional
date_fromThe start date from which to get alerts. Format - YYYY-MM-DDThh:mm:ssZ. Example - 2020-02-02T01:02:03ZOptional
sort_orderThe sorting order of the alerts - descending or ascendingOptional
alert_limitThe maximum number of alerts to query.Optional
minimal_severitySet minimal severity to query by.Optional
Context Output
PathTypeDescription
Claroty.Alert.AlertTypeStringThe alert type.
Claroty.Alert.AlertTypeIDNumberThe alert type int value
Claroty.Alert.DescriptionStringThe alert description.
Claroty.Alert.IndicatorStringThe alert indicators.
Claroty.Alert.NetworkIDNumberThe network ID.
Claroty.Alert.RelatedAssetsStringAssets related to the alert.
Claroty.Alert.RelatedAssets.AssetIDNumberThe ID of the asset.
Claroty.Alert.RelatedAssets.AssetTypeStringThe asset type.
Claroty.Alert.RelatedAssets.ClassTypeStringThe OT/IT class type.
Claroty.Alert.RelatedAssets.CriticalityStringThe criticality of the asset, according to the Purdue model.
Claroty.Alert.RelatedAssets.FirmwareVersionStringThe FM version of the asset.
Claroty.Alert.RelatedAssets.IPStringThe IPv4 address of the asset.
Claroty.Alert.RelatedAssets.InsightNameStringThe asset insight names generated by CTD.
Claroty.Alert.RelatedAssets.LastSeenDateThe date the asset was last seen.
Claroty.Alert.RelatedAssets.MACStringThe MAC address of the asset.
Claroty.Alert.RelatedAssets.NameStringThe asset name.
Claroty.Alert.RelatedAssets.ResourceIDStringThe asset RID (AssetID-SiteID).
Claroty.Alert.RelatedAssets.RiskLevelNumberThe risk indicator.
Claroty.Alert.RelatedAssets.SiteIDNumberThe site ID of the asset.
Claroty.Alert.RelatedAssets.SiteNameStringThe site name of the asset.
Claroty.Alert.RelatedAssets.VendorStringThe vendor of the asset.
Claroty.Alert.RelatedAssets.VirtualZoneStringThe virtual zone of the asset.
Claroty.Alert.RelatedAssets.WasParsedStringWhether the project was parsed.
Claroty.Alert.ResolvedNumberThe resolve status of the alert.
Claroty.Alert.ResourceIDStringThe alert resource ID (AlertID-SiteID).
Claroty.Alert.SeverityStringThe alert severity.
Claroty.Alert.CategoryStringThe alert category.
Command Example

``!claroty-query-alerts alert_limit=1 type=Known Threat Alert````

Context Example
{
"Claroty.Alert": [
{
"Category": "Security",
"NetworkID": 1,
"Indicator": "Alert ID - 14\r\nDescription - Event occurred out of working hours\r\nPoints - 10\r\n\nAlert ID - 14\r\nDescription - First time over the past 30 days, this Threat Signature is seen in the network\r\nPoints - 100\r\n\n",
"AlertType": "KnownThreatAlert",
"Description": "Known Threat: Threat ET TROJAN Conficker.b Shellcode was detected from 192.168.0.121 to 192.168.0.100",
"ResourceID": "14-1",
"AlertTypeID": 23,
"RelatedAssets": [
{
"ResourceID": "15-1",
"AssetType": "Endpoint",
"Vendor": "Advantech Technology",
"Name": "GTWB",
"Criticality": null,
"AssetID": 15,
"IP": null,
"SiteName": null,
"VirtualZone": null,
"RiskLevel": null,
"MAC": [
"00:0B:AB:1A:DD:DD"
],
"SiteID": 1,
"InsightName": null,
"ClassType": null,
"WasParsed": null,
"FirmwareVersion": null,
"LastSeen": null
},
{
"ResourceID": "33-1",
"AssetType": "Endpoint",
"Vendor": "Advantech Technology",
"Name": "OISERVM",
"Criticality": null,
"AssetID": 33,
"IP": null,
"SiteName": null,
"VirtualZone": null,
"RiskLevel": null,
"MAC": [
"00:0B:AB:1A:DE:BE",
"00:0B:AB:1A:DE:BF"
],
"SiteID": 1,
"InsightName": null,
"ClassType": null,
"WasParsed": null,
"FirmwareVersion": null,
"LastSeen": null
},
{
"ResourceID": "19-1",
"AssetType": "Endpoint",
"Vendor": "Advantech Technology",
"Name": "GTWA",
"Criticality": null,
"AssetID": 19,
"IP": null,
"SiteName": null,
"VirtualZone": null,
"RiskLevel": null,
"MAC": [
"00:0B:AB:1A:DD:F8"
],
"SiteID": 1,
"InsightName": null,
"ClassType": null,
"WasParsed": null,
"FirmwareVersion": null,
"LastSeen": null
},
{
"ResourceID": "18-1",
"AssetType": "Endpoint",
"Vendor": "Advantech Technology",
"Name": "DRWSTN",
"Criticality": null,
"AssetID": 18,
"IP": null,
"SiteName": null,
"VirtualZone": null,
"RiskLevel": null,
"MAC": [
"00:0B:AB:1A:DE:BC"
],
"SiteID": 1,
"InsightName": null,
"ClassType": null,
"WasParsed": null,
"FirmwareVersion": null,
"LastSeen": null
},
{
"ResourceID": "17-1",
"AssetType": "Endpoint",
"Vendor": "Dell",
"Name": "OISERVR",
"Criticality": null,
"AssetID": 17,
"IP": null,
"SiteName": null,
"VirtualZone": null,
"RiskLevel": null,
"MAC": [
"F0:4D:A2:EF:FF:11"
],
"SiteID": 1,
"InsightName": null,
"ClassType": null,
"WasParsed": null,
"FirmwareVersion": null,
"LastSeen": null
}
],
"Resolved": true,
"Severity": "Critical"
}
]
}
Human Readable Output

Claroty Alert List

AlertTypeAlertTypeIDCategoryDescriptionIndicatorNetworkIDRelatedAssetsResolvedResourceIDSeverity
KnownThreatAlert23SecurityKnown Threat: Threat ET TROJAN Conficker.b Shellcode was detected from 192.168.0.121 to 192.168.0.100Alert ID - 14
Description - Event occurred out of working hours
Points - 10

Alert ID - 14
Description - First time over the past 30 days, this Threat Signature is seen in the network
Points - 100

1{'AssetID': 15, 'Name': 'GTWB', 'InsightName': None, 'Vendor': 'Advantech Technology', 'Criticality': None, 'AssetType': 'Endpoint', 'LastSeen': None, 'IP': None, 'MAC': ['00:0B:AB:1A:DD:DD'], 'VirtualZone': None, 'ClassType': None, 'SiteName': None, 'SiteID': 1, 'WasParsed': None, 'RiskLevel': None, 'FirmwareVersion': None, 'ResourceID': '15-1'},
{'AssetID': 33, 'Name': 'OISERVM', 'InsightName': None, 'Vendor': 'Advantech Technology', 'Criticality': None, 'AssetType': 'Endpoint', 'LastSeen': None, 'IP': None, 'MAC': ['00:0B:AB:1A:DE:BE', '00:0B:AB:1A:DE:BF'], 'VirtualZone': None, 'ClassType': None, 'SiteName': None, 'SiteID': 1, 'WasParsed': None, 'RiskLevel': None, 'FirmwareVersion': None, 'ResourceID': '33-1'},
{'AssetID': 19, 'Name': 'GTWA', 'InsightName': None, 'Vendor': 'Advantech Technology', 'Criticality': None, 'AssetType': 'Endpoint', 'LastSeen': None, 'IP': None, 'MAC': ['00:0B:AB:1A:DD:F8'], 'VirtualZone': None, 'ClassType': None, 'SiteName': None, 'SiteID': 1, 'WasParsed': None, 'RiskLevel': None, 'FirmwareVersion': None, 'ResourceID': '19-1'},
{'AssetID': 18, 'Name': 'DRWSTN', 'InsightName': None, 'Vendor': 'Advantech Technology', 'Criticality': None, 'AssetType': 'Endpoint', 'LastSeen': None, 'IP': None, 'MAC': ['00:0B:AB:1A:DE:BC'], 'VirtualZone': None, 'ClassType': None, 'SiteName': None, 'SiteID': 1, 'WasParsed': None, 'RiskLevel': None, 'FirmwareVersion': None, 'ResourceID': '18-1'},
{'AssetID': 17, 'Name': 'OISERVR', 'InsightName': None, 'Vendor': 'Dell', 'Criticality': None, 'AssetType': 'Endpoint', 'LastSeen': None, 'IP': None, 'MAC': ['F0:4D:A2:EF:FF:11'], 'VirtualZone': None, 'ClassType': None, 'SiteName': None, 'SiteID': 1, 'WasParsed': None, 'RiskLevel': None, 'FirmwareVersion': None, 'ResourceID': '17-1'}
true14-1Critical

3. claroty-resolve-alert


Resolves alerts.

Required Permissions

Admin user.

Base Command

claroty-resolve-alert

Input
Argument NameDescriptionRequired
selected_alertsThe ResourceId of the Alerts to resolve (in <alert_id>-<site_id> format)Required
resolve_asHow to resolve the alert. Can be "archive" or "resolve". The default value is "resolve".Optional
resolve_commentA comment to add when resolving an alert.Optional
Context Output
PathTypeDescription
Claroty.Resolve_out.successStringSuccess output of alert resolving.
Command Example

!claroty-resolve-alert selected_alerts="75-1" resolve_as=archive resolve_comment="Claroty is much wow!"

Context Example
{
"Claroty.Resolve_out": {
"success": true
}
}
Human Readable Output

Alert was resolved successfully

4. claroty-get-single-alert


Get a single alert from CTD.

Required Permissions

Admin user.

Base Command

claroty-get-single-alert

Input
Argument NameDescriptionRequired
fieldsAsset fields to return. The default value is "all".Optional
alert_ridResource ID of the desired alert. Expected value - <alert_id>-<site_id>Required
Context Output
PathTypeDescription
Claroty.Alert.AlertTypeStringThe alert type.
Claroty.Alert.AlertTypeIDNumberThe alert type int value
Claroty.Alert.DescriptionStringThe alert description.
Claroty.Alert.IndicatorStringThe alert indicators.
Claroty.Alert.NetworkIDNumberThe network ID.
Claroty.Alert.RelatedAssetsStringAssets related to the alert.
Claroty.Alert.ResolvedNumberThe resolve status of the alert.
Claroty.Alert.ResourceIDStringThe alert resource ID (AlertID-SiteID).
Claroty.Alert.SeverityStringThe alert severity.
Command Example

!claroty-get-single-alert alert_rid="75-1"

Context Example
{
"Claroty.Alert": {
"Category": "Integrity",
"NetworkID": 1,
"Indicator": "Alert ID - 75\r\nDescription - This Event does not currently support Alert Indicators\r\nPoints - 100\r\n\n",
"AlertType": "PortScan",
"Description": "UDP Port scan: Asset 192.168.1.10 sent probe packets to 192.168.1.25 IP address on different ports",
"ResourceID": "75-1",
"AlertTypeID": 28,
"RelatedAssets": [
{
"ResourceID": "47-1",
"AssetType": "Endpoint",
"Vendor": "Hewlett Packard",
"Name": "192.168.1.10",
"Criticality": "Low",
"AssetID": 47,
"IP": null,
"SiteName": "site-1",
"VirtualZone": "Endpoint: Other",
"RiskLevel": 0,
"MAC": [
"00:1A:4B:6A:CE:FE"
],
"SiteID": 1,
"InsightName": null,
"ClassType": "IT",
"WasParsed": null,
"FirmwareVersion": null,
"LastSeen": null
},
{
"ResourceID": "48-1",
"AssetType": "Endpoint",
"Vendor": "VMware",
"Name": "192.168.1.25",
"Criticality": "Low",
"AssetID": 48,
"IP": null,
"SiteName": "site-1",
"VirtualZone": "Endpoint: Other",
"RiskLevel": 0,
"MAC": [
"00:0C:29:86:C8:36"
],
"SiteID": 1,
"InsightName": null,
"ClassType": "IT",
"WasParsed": null,
"FirmwareVersion": null,
"LastSeen": null
}
],
"Resolved": false,
"Severity": "Critical"
}
}
Human Readable Output

Claroty Alert List

AlertTypeAlertTypeIDCategoryDescriptionIndicatorNetworkIDRelatedAssetsResolvedResourceIDSeverity
PortScan28IntegrityUDP Port scan: Asset 192.168.1.10 sent probe packets to 192.168.1.25 IP address on different portsAlert ID - 75
Description - This Event does not currently support Alert Indicators
Points - 100

1{'AssetID': 47, 'Name': '192.168.1.10', 'InsightName': None, 'Vendor': 'Hewlett Packard', 'Criticality': 'Low', 'AssetType': 'Endpoint', 'LastSeen': None, 'IP': None, 'MAC': ['00:1A:4B:6A:CE:FE'], 'VirtualZone': 'Endpoint: Other', 'ClassType': 'IT', 'SiteName': 'site-1', 'SiteID': 1, 'WasParsed': None, 'RiskLevel': 0, 'FirmwareVersion': None, 'ResourceID': '47-1'},
{'AssetID': 48, 'Name': '192.168.1.25', 'InsightName': None, 'Vendor': 'VMware', 'Criticality': 'Low', 'AssetType': 'Endpoint', 'LastSeen': None, 'IP': None, 'MAC': ['00:0C:29:86:C8:36'], 'VirtualZone': 'Endpoint: Other', 'ClassType': 'IT', 'SiteName': 'site-1', 'SiteID': 1, 'WasParsed': None, 'RiskLevel': 0, 'FirmwareVersion': None, 'ResourceID': '48-1'}
false75-1Critical