Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Claroty Continuous Threat Detection (CTD) Integration Guide

integrations OT claroty

Claroty Continuous Threat Detection (CTD) is an agentless and passive security solution designed to keep Industrial Control Systems (ICSs) operational. It provides real time visibility over assets and networks and uses both anomaly-based and behavior-based profiling to identify operational and security threats, including network failures, malicious attacks and operator errors.

The following instructions are for configuring CTD to facilitate log ingestion into Taegis™ XDR.

Logs can be sent from individual CTD Servers or the Enterprise Management Console (EMC).


Adding this integration to your Taegis XDR tenant requires Taegis™ XDR for OT. Contact your account manager or CSM to acquire the required license.

Connectivity Requirements

Source Destination Port/Protocol
CTD Server or EMC Taegis™ XDR Collector (mgmt IP) TCP/601

Data Provided from Integration

The following CTD event types are supported by Taegis™ XDR.


CTD event types not listed above are normalized to the generic schema.

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Claroty CTD                   D     V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections


Taegis™ XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Continous Threat Defense Platform

Follow the instructions in the Claroty CTD Administration Guide to configure Syslog forwarding.

Syslog Configuration

Syslog Configuration

Enter the following information:

Parameter Value
MESSAGE CONTENT Alerts (all Alert Categories and Types)
SEND FROM (when sending from the EMC) Select applicable CTD Servers
SYSTEM URL (when sending from the EMC) Read-Only Value
SEND TO External Syslog server
SYSLOG SERVER IP Taegis™ XDR Collector (mgmt IP)
PORT 601

Advanced Search using the Query Language

Claroty Advanced Search

Claroty Advanced Search

Example Query Language Searches

To search for thirdparty events from the last 24 hours:

FROM thirdparty WHERE sensor_type = 'Claroty' and EARLIEST=-24h

To search for netflow events:

FROM netflow WHERE sensor_type = 'Claroty'

To search for events that were classified by Claroty as "Critical":

WHERE sensor_type = 'Claroty' AND vendor_severity =  'Critical'

To search for thirdparty events from a specific CTD Server or EMC:

FROM thirdparty WHERE sensor_type = 'Claroty' AND sensor_id = ''

Event Details

CTD Event Details

CTD Event Details

Sample Logs

CTD Alerts

CEF:0|Claroty|CTD|4.2.3|Alert|Known Threat Alert|5| cn1Label=SiteId cn1=1 cs1Label=Site cs1=Default cs2Label=Network cs2=Default cs3Label=Resolve-dAs cs3=Unresolved cs5Label=Src Zone cs5=Default Zone cs6Label=Dst Zone cs6=Default Zone cs7Label=Category cs7=Security cs8Label=AlertUrl cs8=http://<IP.Address>/alert/1-1 outcome=Unresolved request=http://<IP.Address>/alert/1-1 cn2Label=Alert Score cn2=100 cs10Label=PrimaryAssetIP cs10= cs11Label=PrimaryAssetType cs11=Endpoint cs12Label=PrimaryAssetHostname cs12=N/A cs13Label=PrimaryAssetMAC cs13=00:00:00:00:00:00 cs14Label=PrimaryAssetOS cs14=Windows 7/Server 2008 R2 cs15Label=PrimaryAssetVendor cs15=Hewlett Packard cs16Label=NonPrimaryAssetIP cs16= cs17Label=NonPrimaryAssetType cs17=Endpoint cs18Label=NonPrimaryAssetHostname cs18=N/A cs19Label=NonPrimaryAssetMAC cs19=00:00:00:00:00:f1 cs20Label=NonPrimaryAssetOS cs20=N/A cs21Label=NonPrimaryAssetVendor cs21=Netgear cn3Label=StoryId cn3=1 src= smac=00:08:00:00:00:00 shost=N/A dst= dmac=00:00:00:00:00:00 dhost=N/A externalId=1 cat=Create rt=Nov 17 10:18:55 start=Oct 12 2020 17:28:33 msg=Out of working hours Known Threat: Threat Claroty Rule: GranCrab Ransomware - C2 Certificate was detected from to


On this page: