Claroty CTD v4.8.0 Reference Guide 20230329
Confidential & Proprietary | Copyright © 2023 Claroty Ltd. All rights reserved
29-Mar-2023
CTD Reference Guide
TABLE OF CONTENTS
1. Introduction ...................................................................................................................... 7
2. Threat Detection ............................................................................................................... 8
2.1. Detection Engines .................................................................................................. 8
2.1.1. Behavior Anomalies Detector ..................................................................... 8
2.1.2. Signature Based Detector ........................................................................... 9
2.1.3. Security Behavioural Pattern Detector ......................................................... 9
2.1.4. Operational Behavioural Pattern Detector ................................................... 9
2.1.5. Rule-Based Threat Detector ........................................................................ 9
2.2. Events, Alerts, and Stories ...................................................................................... 9
2.3. Alerts Table .......................................................................................................... 10
2.4. Alert Resolution Options ...................................................................................... 12
2.4.1. Approve .................................................................................................... 13
2.4.2. Archive ...................................................................................................... 13
2.4.3. Ignore ....................................................................................................... 13
2.4.4. Approve Selected ...................................................................................... 13
2.4.5. Approve All ................................................................................................ 13
2.4.6. Acknowledge ............................................................................................. 13
2.4.7. Approve & Update Policy ........................................................................... 13
2.5. Managing Integrity Alerts ..................................................................................... 14
2.5.1. Asset Information Change ......................................................................... 14
2.5.2. Baseline Rule ............................................................................................. 15
2.5.3. Configuration Download ............................................................................ 16
2.5.4. Configuration Upload ................................................................................ 17
2.5.5. Firmware Download .................................................................................. 18
2.5.6. Mode Change ............................................................................................ 19
2.5.7. Monitor / Debug Mode .............................................................................. 21
2.5.8. New Asset ................................................................................................. 22
2.5.9. New Conflict Asset ..................................................................................... 23
2.5.10. Online Edit .............................................................................................. 24
2.5.11. Policy Rule Match .................................................................................... 25
2.5.12. Policy Violation ........................................................................................ 25
2.5.13. Settings Change ....................................................................................... 27
2.6. Managing Security Alerts ...................................................................................... 27
2.6.1. DCS Configuration Change Alert ................................................................ 28
2.6.2. Denial of Service ........................................................................................ 29
2.6.3. Failed Login ............................................................................................... 30
2.6.4. File System Change ................................................................................... 31
2.6.5. Host Scan .................................................................................................. 32
2.6.6. Known Threat Alerts .................................................................................. 33
2.6.7. Man-in-the-Middle Attack .......................................................................... 33
2.6.8. Memory Reset ........................................................................................... 34
2.6.9. Port Scan ................................................................................................... 35
2.6.10. Suspicious Activity ................................................................................... 36
2.6.11. Suspicious File Transfer ........................................................................... 37
3. Insights ........................................................................................................................... 38
3.1. Risk Management ................................................................................................ 38
3.1.1. Assets Accessed SMB Shares ..................................................................... 38
3.1.2. Assets Accessing SMB Pipes ....................................................................... 38
3.1.3. Assets with partial connection to the internet ............................................ 38
3.1.4. Clients Remotely Managed ........................................................................ 38
3.1.5. DHCP Clients ............................................................................................. 38
3.1.6. Data Acquisition Write (Operated PLCs) ..................................................... 39
3.1.7. End of Life (EoL) Assets .............................................................................. 39
3.1.8. Files Downloaded (clients) ......................................................................... 40
3.1.9. Highly Connected Assets ........................................................................... 41
3.1.10. Managed PLCs (by Rockwell users) .......................................................... 41
3.1.11. Multiple Interfaces ................................................................................... 41
3.1.12. Open Ports .............................................................................................. 41
3.1.13. PLCs exposed to program changes .......................................................... 41
3.1.14. PLCs exposed to Triton ............................................................................ 41
3.1.15. PLCs Talking IT Protocol ........................................................................... 42
3.1.16. Privileged Operations (Operated PLCs) .................................................... 42
3.1.17. Remote Desktop Application ................................................................... 42
3.1.18. SMBv1 Negotiate ..................................................................................... 42
3.1.19. SNMP Querying Assets ............................................................................ 42
3.1.20. Talking with External IPs .......................................................................... 42
3.1.21. Talking with Ghost Assets ........................................................................ 42
3.1.22. Top Risky Assets ...................................................................................... 42
3.1.23. Unsecured Protocols ............................................................................... 42
3.1.24. Unsupported OS ...................................................................................... 43
3.1.25. USB Devices Connected to Assets ............................................................ 43
3.1.26. Using Unencrypted & Weak Passwords .................................................... 43
3.1.27. Web Servers ............................................................................................ 43
3.2. Vulnerability Management ................................................................................... 43
3.2.1. Full Match CVEs ......................................................................................... 44
3.2.2. Model Match CVEs ..................................................................................... 44
3.2.3. Program Match CVEs ................................................................................. 44
3.2.4. Vendor Match CVEs ................................................................................... 45
3.2.5. Windows CVEs ........................................................................................... 45
3.2.6. Windows CVEs Full Match .......................................................................... 46
3.3. Updating Insight Statuses ..................................................................................... 46
3.4. Supported Vendor List for CVE Matching .............................................................. 47
4. Discovery Methods ......................................................................................................... 48
4.1. Active Detection ................................................................................................... 48
4.1.1. Changes in Alerting from Passive Behavior ................................................ 48
4.1.2. Baselines Generated from Active Detection ............................................... 48
4.1.3. Profiles ...................................................................................................... 48
4.1.4. Queries ..................................................................................................... 58
4.1.5. Discovery Tasks ....................................................................................... 114
4.2. IoT Asset Management and Monitoring .............................................................. 133
1. Introduction
This document provides reference material for Claroty’s Continuous Threat Detection (CTD) V4.8.0
and supplements the CTD User Guide.
2. Threat Detection
Threat detection in CTD provides alerts that indicate a potential threat in the environment and
tools for managing those threats. There are two categories of alerts:
• Integrity Alerts – a process integrity alert is not necessarily malicious but has an impact on the
control of the process and should be investigated. These are events that regularly happen as a
part of approved engineering and maintenance tasks, but if they happen outside of this, require
attention. The Process Integrity Alerts generally appear while in Operational Mode.
• Security Alerts – security alerts represent malicious behavior and are not generally supposed to
occur within the OT environment and should always be evaluated at the highest priority.
Claroty CTD has five detection engines that detect various threats or anomalies based on their
role:
Generated alerts focus the operator’s attention on: network changes, vulnerabilities, threats,
zero-day exploits, malware, attacks in the ciphered traffic, resource misuse or misconfigurations.
This detector is designed to identify OT-targeted attacks and sophisticated payloads, by flagging
OT operations that occur within the network over any proprietary OT protocol. By identifying and
reporting such activities, operators can make an informed decision and determine the next steps
based on their Management of Change process.
• Events are the foundation of the CTD’s threat detection module. They are conversations or
activities logged by various engines in CTD, which are then categorized as either risky (Alert or
OT Alert) or non-risky (Non-Risky Change or an OT Operation) events.
• Events quantified and qualified as risky result in an Alert, which can be viewed in the Alert
screen.
Alerts
• Qualified and quantified event or chain of events which are based on various risk factors.
• Further categorized as either Security Alerts or Integrity Alerts depending on the nature of the
alert.
• Alerts are scored on a scale of 0 through 100. The raw score, which is the sum of the individual
indicator scores, can exceed 100, but the alert score is capped at a maximum of 100.
Stories
This table summarizes all the alerts currently available in CTD, including their meaning, type, and
resolution options in Training Mode and Operational Mode.
• Mitre Info - Whether the alert is mapped to MITRE ATT&CK® for ICS Tactics and Techniques
• Capsaver - Whether a PCAP file is saved for the alert
• Retention Period - How long the alert is saved in the system
Asset Information Change (page 14)
  Description: This alert detects changes to asset-related information (such as Firmware, OS,
  Hostname, and Slot Cards)
  Type: Integrity
  Training Mode: Automatically approved by CTD
  Operational Mode: Approve All; Approve Selected; Archive
  Mitre Info: Yes; Capsaver: No; Retention Period: Forever

Denial of Service (page 29)
  Description: This alert detects DoS attacks
  Type: Security
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 12 months

File System Change (page 31)
  Description: This alert detects events related to changes to the File System
  Type: Integrity
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 12 months

Host Scan (page 32)
  Description: This alert detects Host Scan events, in which an asset sends TCP SYN or UDP
  requests to multiple hosts on the same port
  Type: Security
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 3 months

Memory Reset (page 34)
  Description: This alert detects Memory Reset events
  Type: Security
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 12 months

Mode Change (page 19)
  Description: This alert detects events related to changes to the device Mode (Run, Stop,
  Program)
  Type: Integrity
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 12 months

New Asset (page 22)
  Description: This alert detects new assets in the environment
  Type: Integrity
  Training Mode: Automatically approved by CTD
  Operational Mode: Approve and Update Policy; Ignore; Acknowledge
  Mitre Info: Yes; Capsaver: No; Retention Period: Forever

New Conflict Asset (page 23)
  Description: This alert detects conflicts between assets having identical information (IP,
  MAC)
  Type: Integrity
  Training Mode: Automatically approved by CTD
  Operational Mode: Approve and Update Policy; Ignore; Acknowledge
  Mitre Info: Yes; Capsaver: No; Retention Period: Forever

Port Scan (page 35)
  Description: This alert detects Port Scan events, in which an asset sends TCP SYN or UDP
  requests to different server ports on a host to see which ports it answers on
  Type: Security
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 12 months

Suspicious Activity (page 36)
  Description: This alert detects suspicious events based on OT protocol anomalies
  Type: Security
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 3 months

Suspicious File Transfer (page 37)
  Description: This alert detects suspicious events based on Yara Rule matching
  Type: Security
  Training Mode: Approve; Archive
  Operational Mode: Approve; Archive
  Mitre Info: Yes; Capsaver: Yes; Retention Period: 12 months
NOTE
When the system is in training mode, repetitive alerts are auto-approved unless
there is a rejection from the user.
The following alert indicator is added when this action takes place: “this alert has
been repeated several times in the last 14 days with no rejection from the user while
the system is in training mode.”
2.4.1. APPROVE
Use “Approve” when the cause is acceptable and/or the communication/activity is legitimate network
communication. This action adds all of the new policies associated with the alert as valid, which
ensures that an alert with the same policies is not triggered in the future.
2.4.2. ARCHIVE
Use "Archive" when the changed information is not acceptable or is not legitimate network
communication/activity. This action archives all of the information; the changed information is
not added to the asset. The alert will be marked as resolved with the status of "Alert Archived."
2.4.3. IGNORE
Use “Ignore” when the event reported by the alert was expected or accepted as a one-time event,
and you would like to be notified of similar activity in the future. This action will result in new asset
information and associated baselines being rejected. The alert will be marked as resolved with the
status "Ignored."
2.4.6. ACKNOWLEDGE
Use “Acknowledge” in case an alert is identified as a valid or true positive security event. This
ensures future alerts are triggered for the same events. This action doesn't impact or change the
policies. It is the same as "Ignore" and the only difference is how it is logged to help with auditing.
This will result in an alert being resolved with the status of "Acknowledged."
2.4.7. APPROVE & UPDATE POLICY
This action adds all of the new policies and asset information as valid, which ensures that an
alert with the same policies is not triggered in the future. The user has the option to modify
certain attributes of the asset, such as Zone and Criticality, before approving the alert.
The system also provides the option to choose which zone rules (policies) to approve. The system
provides the list of suggested policy rule(s) for approval; once approved, these rule(s) are added
to the policy.
NOTE
Ensure that policy rules are reviewed and validated before approving them. In case
of doubt, approve only the asset by unchecking the policy rules.
1. Firmware
2. OS
3. Hostname
4. Slot Cards
• Inspect the Asset Information Changes section to find the information that has changed for the
asset.
• Understand whether this information change was expected or planned.
• Understand the purpose of the change (such as Firmware, OS, Hostname, and Slot Cards), and
determine if anyone has been notified about an upcoming modification.
• Look into changes and whether they can affect the operation or safety of the process.
• Check the Event Details section for the events that led to change in the information.
NOTE
Events will not be present if the change is detected by Active Query or AppDB.
• If changes seem suspicious, look into the asset that initiated the changes. Check if it is an
internal or external asset.
• Check if these changes appear as human error or malicious activity.
• In case of any doubt check with the respective asset owner, plant engineer, or IT for validation.
• Approve All
• Approve Selected
• Archive
Alert Example:
Baseline “E/IP: Get Network Request” has been inactive for more than xxx seconds/hours
• Understand the baseline rule that triggered the alert (inactive for / upon appearance). Of note,
after an alert is generated, all future events or triggers will be added to the same alert, until it’s
approved or archived.
• Review the original baseline and understand the activity that is being monitored.
• Contact the asset owner and notify them of the event.
• Ask the asset owner if this is due to a planned activity, maintenance, or an emergency activity.
• If not part of the planned activity, maintenance or an emergency activity, ask the asset owner to
verify the operations based on priority.
• Approve
• Archive
NOTE
The Configuration Change section, on the Alert page, includes the new configuration
files only for the 5 most recent alerts.
Alert Example:
In another scenario, the configuration or program could be altered in such a way that it can result
in incorrect process execution or alarm suppressions. All of these effects can result in unexpected
production outcomes, safety incidents, and loss of production.
• If it was a scheduled/planned activity, verify that the actual change that was done is the change
that was planned.
• Identify the system from which this activity is performed and, if possible, the user who
performed this activity; validate that they are authorized to perform such an activity.
• In the Root Cause Analysis section, check past instances of similar activity being performed
between the same devices or on other controllers from the same system and/or zone.
• In case of doubt or suspicion, work with process and/or OT engineers: provide them with the code
changes and understand the impact that the change can have on the process or on OT
operations.
• Approve
• Archive
NOTE
The Configuration Change section, on the Alert page, includes the new configuration
files only for the 5 most recent alerts.
Alert Example:
• Approve
• Archive
Alert Example:
• Delayed Attack - The adversary might stage an attack in advance and choose when to launch it,
such as at a particularly damaging time.
• Brick the Ethernet Card - Malicious firmware might be programmed to result in an Ethernet
card failure, requiring a factory return.
• "Random" Attack or Failure - The adversary might load malicious firmware onto multiple field
devices. Execution of an attack and the time it occurs is generated by a pseudo-random number
generator.
• A Field Device Worm - The adversary may choose to identify all field devices of the same model,
with the end goal of performing a device-wide compromise.
• Attack Other Cards on the Field Device - Although it is not the most important module in a
field device, the Ethernet card is most accessible to the adversary and malware. Compromise of
the Ethernet card may provide a more direct route to compromising other modules, such as the
CPU module.
• Approve
• Archive
• Program - This mode must be enabled before changes can be made to a device’s program. This
allows program uploads and downloads between the device and an engineering workstation.
Often the PLC’s logic is halted, and all outputs may be forced off.
• Run - Execution of the device’s program occurs in this mode. Input and output (values, points,
tags, and elements) are monitored and used according to the program’s logic. Program Upload
and Program Download are disabled while in this mode.
• Remote - Allows for remote changes to a PLC’s operation mode.
• Stop - The PLC and its program are stopped; while in this mode, outputs are forced off.
• Reset - Conditions on the PLC are reset to their original states. Warm resets may retain some
memory while cold resets will reset all I/O and data registers.
• Test / Monitor mode - Similar to run mode, I/O is processed, although this mode allows for
monitoring, force set, resets, and more general tuning or debugging of the system. Often
monitor mode may be used as a trial for initialization.
Alert Example:
Mode Change operation was performed for the first time by 192.168.152.153 on 192.168.45.129
• Review the Event Details section, which contains the details of the PLC’s mode that was changed,
and other associated events before or after the mode change if applicable.
• Confirm if this could be related to any ongoing, planned, or emergency maintenance,
deployment project or activity.
• Identify the system and, if possible, the user who usually performs this activity; validate that
they are authorized to perform such activity.
• Look into the asset that was changed, the asset's criticality, and whether a mode change can
cause immediate damage to the process.
• If the activity was not planned, look at what kind of asset it is and whether it's external or
internal.
• In case of doubt or suspicion, work with process and/or OT engineers, provide them with code
changes and understand the impact that the change can have on process or OT operations.
• Approve
• Archive
NOTE
This alert does not occur for every controller model, and should rarely occur during
normal operation.
Alert Example:
• Approve
• Archive
Although the asset is new, its communication could be familiar because it was seen within the
same Virtual Zone. Therefore, it is possible the policy already contains rules that address this
communication. Virtual Zone criticality and asset type significantly contribute to the triggering of
the alert. For instance:
• If a new asset with type endpoint (low criticality type) is detected in a Virtual Zone with low
criticality and that asset is not communicating with any critical assets or critical virtual zones,
then no alert will be generated.
• If a new asset with type endpoint (low criticality type) is detected in a Virtual Zone with low
criticality and that asset is communicating with any critical assets or critical virtual zones, then
an alert will be generated.
• If a new asset with type endpoint (low criticality type) is detected in an External Virtual Zone and
that asset is communicating with an internal asset, then an alert will be generated.
• If a new PLC asset (high criticality type) is detected in a Virtual Zone with low criticality, then an
alert will be generated.
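The four New Asset cases above, modelled as a decision function. This is an added example and not Claroty's code: the Zone/Asset classes, the sample environment, and the "alert by default" fallback for combinations the text does not list are all constructed assumptions.

```python
# Added example, not Claroty's code: models the four New Asset cases listed above.
# Zone/Asset classes, sample assets and the default for unlisted cases are assumptions.
from dataclasses import dataclass, field
from typing import List, Tuple

HIGH_CRITICALITY_TYPES = {"PLC"}       # "high criticality type" in the text
LOW_CRITICALITY_TYPES = {"endpoint"}   # "low criticality type" in the text


@dataclass
class Zone:
    name: str
    criticality: str          # "low" or "high"
    external: bool = False    # True for the External Virtual Zone


@dataclass
class Asset:
    name: str
    asset_type: str           # e.g. "endpoint" or "PLC"
    zone: Zone
    critical: bool = False    # asset-level criticality flag


@dataclass
class NewAssetEvent:
    asset: Asset
    peers: List[Asset] = field(default_factory=list)   # assets it was seen talking to


def should_alert(event: NewAssetEvent) -> Tuple[bool, str]:
    """Return (alert?, reason) for a newly discovered asset."""
    a = event.asset
    # Case 4: a high-criticality asset type appearing in a low-criticality zone.
    if a.asset_type in HIGH_CRITICALITY_TYPES and a.zone.criticality == "low":
        return True, "high-criticality asset type in a low-criticality zone"
    # Case 3: an asset in the External Virtual Zone talking to an internal asset.
    if a.zone.external and any(not p.zone.external for p in event.peers):
        return True, "external asset communicating with an internal asset"
    # Cases 1 and 2: a low-criticality asset in a low-criticality zone alerts only
    # when it communicates with a critical asset or a critical virtual zone.
    talks_to_critical = any(p.critical or p.zone.criticality == "high" for p in event.peers)
    if a.asset_type in LOW_CRITICALITY_TYPES and a.zone.criticality == "low":
        if talks_to_critical:
            return True, "low-criticality asset communicating with a critical asset or zone"
        return False, "low-criticality asset with no critical communication"
    # Combinations the text does not enumerate: alert by default (assumption), so an
    # unclassified asset is never silently accepted.
    return True, "unclassified combination, alerting by default"


# Constructed sample environment (assumption, not product data).
OFFICE = Zone("Office", "low")
PROCESS = Zone("Process Control", "high")
EXTERNAL = Zone("External", "low", external=True)
PLC_1 = Asset("PLC-1", "PLC", PROCESS, critical=True)
PRINTER = Asset("Printer", "endpoint", OFFICE)


def demo() -> List[Tuple[str, bool]]:
    """Run one event per case in the text and return (label, alert?) pairs."""
    events = [
        ("laptop-office-only", NewAssetEvent(Asset("Laptop", "endpoint", OFFICE), [PRINTER])),
        ("laptop-talks-to-plc", NewAssetEvent(Asset("Laptop", "endpoint", OFFICE), [PLC_1])),
        ("external-to-internal", NewAssetEvent(Asset("Unknown", "endpoint", EXTERNAL), [PRINTER])),
        ("plc-in-office-zone", NewAssetEvent(Asset("PLC-2", "PLC", OFFICE))),
    ]
    return [(label, should_alert(ev)[0]) for label, ev in events]
```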
Alert Example:
New asset detected: A new RTU was detected in OT operations permitted zone: "RTU: IEC104",
performing data acquisition operation communication: 172.20.65.25
Some of these changes can result in increased threat exposure and unknown risk, while some are
a direct indication of an attack in progress.
• View the Asset Communication section, which shows if the communication is addressed by
existing policy rules.
• View the Baselines section, which shows baselines associated with the alert.
• Understand the zone in which the asset was identified and whether the asset belongs in that
zone.
• Confirm if the new asset detected is part of any ongoing, planned, or emergency maintenance,
deployment project, or activity.
• In case of any doubt, check with the respective asset owner, plant engineer or IT for validation.
• If permitted, try to connect to the asset to obtain more details.
Alert Example:
A new asset has been detected AssetID1 and is conflicting with AssetID2.
For example, a change in your asset details may be done by attackers to perform authentication
based on an IP address. A common attack is to impersonate a highly privileged IP address, such as
an engineering station, and use it to run changes on critical equipment.
• Check the Assets to Merge section, which shows the asset information, the conflicting
information highlighted in RED, and allows selection of which assets to keep or merge.
• Check the Asset Information Changes section to view changes in asset information.
• Review attributes of the assets that have conflicting values. Verify whether this information
change was expected and understand what has led to the conflict.
• Review notifications of an upcoming change and information about the change.
• Check for MAC modifications. They are uncommon and might be suspicious.
• Review the Asset Communication section which shows if the communication is addressed by
existing policy rules.
• In case of any doubt, validate with the respective asset owner, plant engineer or IT.
Alert Example:
• Adversaries can use the online edit to modify or add a program on a controller to affect how it
interacts with the physical process, peripheral devices, and other hosts on the network.
• Adversaries may perform a program download to transfer a user program to a controller or
might modify the task of a controller to allow for the execution of their own programs using the
online edit mode.
• Check the Events Details section, to see the actions performed in online edit mode.
• Review the Configuration change to see code changes, where applicable.
• Confirm that detected communication was actually an Online Edit Operation.
• Confirm if this could be related to any ongoing, planned or emergency maintenance,
deployment project or activity. If it was a scheduled/planned activity, verify that the actual
change that was done is the change that was planned.
• Identify changes performed as part of this activity.
• Identify the system where this activity is performed and, if possible, the user who performed
this activity; validate that they are authorized to perform such activity.
• In the Root Cause Analysis section, check past instances of similar activity being performed
between the same devices or on other controllers from the same system and/or zone.
• In case of doubt or suspicion, work with process and/or OT engineers, provide them with code
changes and understand the impact that the change can have on process or OT operations.
• Approve
• Archive
Alert Example:
Communication matching policy rule ID 182 was detected from 10.234.125.254 to 10.121.70.151
• Ignore
• Acknowledge
Alert Example:
Policy Violation: New authentication operation communication parameters were detected from
10.234.125.254 to 10.121.70.151
Alert Example:
• Approve
• Archive
NOTE
After an alert is approved, future alerts with similar characteristics (source,
destination, protocol, ports, and signature as applicable to the type of alert) will be
auto-approved. This auto-approval of the alert takes place if the alert has been approved in
the last 30 days.
In certain cases, the alert might still be generated if the alert score is still above the
configured threshold.
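The auto-approval rule in the note above, written out as a small model. This is an added example and not Claroty's code: the alert dictionary fields, the `ApprovalHistory` class and the score threshold are assumptions; the 30-day window and the compared characteristics are the ones the note states.

```python
# Added example, not Claroty's code: models the 30-day auto-approval rule above.
# The alert field names, ApprovalHistory and the score threshold are assumptions.
from datetime import datetime, timedelta
from typing import Dict, Tuple

AUTO_APPROVE_WINDOW = timedelta(days=30)   # window stated in the note


def similarity_key(alert: dict) -> Tuple:
    """Characteristics the note names: source, destination, protocol, ports and
    signature (signature is None for alert types that carry none)."""
    return (alert["type"], alert["src"], alert["dst"], alert["proto"],
            alert.get("dport"), alert.get("signature"))


class ApprovalHistory:
    def __init__(self, score_threshold: int):
        self.score_threshold = score_threshold
        self._approved_at: Dict[Tuple, datetime] = {}   # key -> last manual approval time

    def record_approval(self, alert: dict, when: datetime) -> None:
        self._approved_at[similarity_key(alert)] = when

    def disposition(self, alert: dict, now: datetime) -> str:
        """Return 'auto-approved' or 'open' for a newly generated alert."""
        last = self._approved_at.get(similarity_key(alert))
        if last is None or now - last > AUTO_APPROVE_WINDOW:
            return "open"            # no approval of a similar alert in the window
        if alert["score"] >= self.score_threshold:
            return "open"            # still generated: score above configured threshold
        return "auto-approved"


# Constructed sample alert using the IPs from the Mode Change example in this guide;
# protocol, port and score values are assumptions.
SAMPLE_ALERT = {"type": "Mode Change", "src": "192.168.152.153", "dst": "192.168.45.129",
                "proto": "ENIP", "dport": 44818, "signature": None, "score": 40}
```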
For example:
Alert Example:
For example, a command such as a 'stop' to a DCS could cause significant damage.
2.6.1.2. Analysis
You can use the Alerts page to find the necessary information when analyzing the alert.
• In the Root Cause Analysis section, check past instances of similar activity being performed
between the same devices or on other controllers from the same system and/or zone.
• In case of doubt or suspicion, work with process and/or OT engineers. Providing them with the
changes will help to understand the impact that the change could have on the process or on OT
operations.
• Approve
• Archive
In a SYN flood attack, the attacker sends repeated SYN packets to every port on the targeted
server, often using a fake IP address. The server, unaware of the attack, receives multiple,
apparently legitimate requests to establish communication. It responds to each attempt with a
SYN-ACK packet from each open port.
The malicious client either does not send the expected ACK, or—if the IP address is spoofed—
never receives the SYN-ACK in the first place. Either way, the server under attack will wait for
acknowledgement of its SYN-ACK packet for some time.
During this time, the server cannot close down the connection by sending an RST packet, and the
connection stays open. Before the connection can time out, another SYN packet will arrive. This
leaves an increasingly large number of connections half-open, which is why SYN flood attacks are
also referred to as “half-open” attacks. Eventually, as the server’s connection overflow tables fill,
service to legitimate clients will be denied, and the server may even malfunction or crash.
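The half-open behaviour described above, as detection logic over a constructed packet trace. This is an added example and not Claroty's detection engine: the trace, the half-open timeout and the alert threshold are assumptions chosen to make the mechanism visible.

```python
# Added example, not Claroty's code: tracks half-open TCP connections per server port
# over a constructed packet trace. Timeout and threshold values are assumptions.
from collections import defaultdict
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int, str, int, str]   # (time_s, src, sport, dst, dport, tcp_flags)

# Constructed trace: one legitimate client completes its handshake, then SYNs arrive
# from spoofed sources (198.51.100.0/24, documentation range) that never ACK.
PACKETS: List[Packet] = [
    (0.0, "10.0.0.5", 40001, "10.0.0.20", 502, "S"),
    (0.1, "10.0.0.5", 40001, "10.0.0.20", 502, "A"),
] + [(1.0 + 0.1 * i, f"198.51.100.{i}", 5000 + i, "10.0.0.20", 502, "S") for i in range(1, 9)]

HALF_OPEN_TIMEOUT_S = 5.0       # assumed time the server waits before dropping a half-open entry
HALF_OPEN_ALERT_THRESHOLD = 5   # assumed number of simultaneous half-open connections to alert on


def peak_half_open(packets: List[Packet], timeout_s: float = HALF_OPEN_TIMEOUT_S) -> Dict[Tuple[str, int], int]:
    """Replay the trace and return, per (server, port), the highest number of
    connections that were half-open (SYN seen, no ACK or RST yet) at any moment."""
    pending: Dict[Tuple[str, int, str, int], float] = {}   # 4-tuple -> time SYN was seen
    peak: Dict[Tuple[str, int], int] = defaultdict(int)
    for t, src, sport, dst, dport, flags in sorted(packets):
        # Expire entries the server would have given up on by now.
        for key in [k for k, t0 in pending.items() if t - t0 > timeout_s]:
            del pending[key]
        key = (src, sport, dst, dport)
        if flags == "S":
            pending[key] = t              # new half-open connection
        elif flags in ("A", "R"):
            pending.pop(key, None)        # handshake completed (ACK) or torn down (RST)
        current = sum(1 for k in pending if k[2:] == (dst, dport))
        peak[(dst, dport)] = max(peak[(dst, dport)], current)
    return dict(peak)


def syn_flood_alerts(packets: List[Packet], threshold: int = HALF_OPEN_ALERT_THRESHOLD) -> List[Tuple[str, int, int]]:
    """Return (server, port, peak_half_open) for every server port over the threshold."""
    return sorted((dst, dport, n) for (dst, dport), n in peak_half_open(packets).items()
                  if n >= threshold)
```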
Alert Example:
• Review the device from which the SYN Flood is originating. Note that this information may or
may not be trustworthy: in such attacks fake IP addresses are usually used, since the attacker
has no interest in completing the handshake.
• Use other tools or solutions such as NetFlow logs to identify where the communication is
actually originating from, which switch the traffic is coming from, which asset is connected to the
switch port from which this traffic is originating.
• Understand the asset that is being attacked, and the services that are provided by that asset.
• Approve
• Archive
Alert Example:
Failed Login: SMB Failed Login attempts were made to asset 141.122.111.218 from 10.77.106.12
For the most part these are common occurrences, however in some cases where it relates to an
adversary, these alerts could be an indicator of something malicious taking place. In fact, this alert
could represent an attacker attempting to gain access to an asset through a brute force attack or
use of valid accounts.
• Review the username that appears in the alert Description (where available).
• Review the multiple indicators to help understand the context and help with decision making.
• Evaluate the details of the failed login attempts to determine if it is a user inputting incorrect
credentials, or if it is a malicious attempt. This can normally be determined by the source and
frequency of the authentication attempts:
  • If the source of the authentication attempts is not a normal access point for a PLC (for
  example, an engineering workstation or HMI), this may indicate malicious traffic.
  • If the frequency of failed login attempts is significantly faster than a normal user would
  attempt, this would also indicate malicious behavior.
• Check the Root Cause Analysis section, which shows other similar events and if multiple assets
are involved.
• Approve
• Archive
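The two triage heuristics above (is the source a normal access point for the target, and is the failure rate faster than a human would type), together with the multi-asset check from Root Cause Analysis, as an added example over constructed log lines; the log format, the allow-list and the rate threshold are assumptions, not a CTD export.

```python
"""Triage of SMB failed-login alerts. Added example, not Claroty's code."""
import re
from collections import defaultdict

# Constructed log format (not a CTD export):
#   "<epoch> FAILED_LOGIN proto=<p> src=<ip> dst=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+) FAILED_LOGIN proto=(?P<proto>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) user=(?P<user>\S+)$"
)

# Constructed allow-list: the engineering workstations / HMIs that
# legitimately authenticate to each OT asset.
KNOWN_ACCESS_POINTS = {
    "141.122.111.218": {"10.77.106.12"},
}


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = int(ev["ts"])
    return ev


def max_failures_per_window(timestamps, window_s=60):
    """Largest number of failures that fall inside any window_s-wide window."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def triage(lines, max_per_minute=6):
    """Group failed logins by (src, dst) and return a verdict per pair.

    reasons may contain:
      unexpected-source  src is not a known access point for dst
      high-rate          more than max_per_minute failures inside 60 s
      multiple-targets   the same src fails against several assets
    """
    events = [ev for ev in map(parse_line, lines) if ev]
    pairs = defaultdict(list)
    for ev in events:
        pairs[(ev["src"], ev["dst"])].append(ev)
    targets_per_src = defaultdict(set)
    for src, dst in pairs:
        targets_per_src[src].add(dst)

    verdicts = {}
    for (src, dst), evs in pairs.items():
        reasons = []
        if src not in KNOWN_ACCESS_POINTS.get(dst, set()):
            reasons.append("unexpected-source")
        if max_failures_per_window([ev["ts"] for ev in evs]) > max_per_minute:
            reasons.append("high-rate")
        if len(targets_per_src[src]) > 1:
            reasons.append("multiple-targets")
        verdicts[(src, dst)] = {
            "attempts": len(evs),
            "users": sorted({ev["user"] for ev in evs}),
            "reasons": reasons,
            "verdict": "likely-malicious" if reasons else "likely-user-error",
        }
    return verdicts


def build_sample_log():
    """Constructed sample: an operator mistyping a password three times, and a
    second host cycling through account names once per second against two
    assets."""
    lines = [
        "1700000000 FAILED_LOGIN proto=smb src=10.77.106.12 dst=141.122.111.218 user=operator",
        "1700000020 FAILED_LOGIN proto=smb src=10.77.106.12 dst=141.122.111.218 user=operator",
        "1700000045 FAILED_LOGIN proto=smb src=10.77.106.12 dst=141.122.111.218 user=operator",
    ]
    names = ["admin", "administrator", "root", "guest"]
    for i in range(8):
        lines.append("%d FAILED_LOGIN proto=smb src=10.77.106.99 dst=141.122.111.218 user=%s"
                     % (1700000100 + i, names[i % 4]))
    lines.append("1700000110 FAILED_LOGIN proto=smb src=10.77.106.99 dst=141.122.111.219 user=admin")
    return lines


if __name__ == "__main__":
    for (src, dst), v in triage(build_sample_log()).items():
        print(src, "->", dst, v["verdict"], v["reasons"], v["users"])
```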
Alert Example:
• Approve
• Archive
• Scan Time Frame – The time window within which the threshold must be reached in order to
create a network scan alert.
• Min Requests – The minimum number of requests required to trigger a scan alert.
Alert Example:
TCP Host scan: Asset 192.168.1.26 sent packets to different IP destinations on the same port: 80
• Review the source of the host scan, and the affected assets including the port which was
scanned on those assets.
• Check indicators that show:
• Whether similar scans were previously approved
• Whether the scan was performed on a common or uncommon port
• Whether the scan was within or across subnets
• Whether the source asset was previously involved in network scans
• When a host scan occurs within the network, evaluate the asset that performed this scan,
notably:
• The pathway the attacker used, and the affected machine, to ensure they are not vulnerable to
remote network attacks.
• Inspect the asset's last activities in the network, and whether this asset seems malicious.
• Inspect the assets that were scanned, notably:
• What services do they provide?
• Are the assets critical to any process or do other services depend on them?
• Inspect the port that was scanned on those hosts. Are there any vulnerabilities known in these
ports?
• Approve
• Archive
Alert Example:
Known Threat: Threat ET TROJAN Approx. Form Submission to C&C was detected from 10.0.0.130
to 216.150.79.226
• Review the Indicators section which shows whether this signature was triggered in the
environment in the last 30 days and whether this alert is related to another alert.
• Check the Event Details section to view what is matched. Look at the individual events and
understand the signature that has resulted in this alert.
• Understand the nature of the threat that is linked to the Network Rule, such as whether the
malware referenced in the rule is ransomware or something else, and which vulnerabilities it
uses.
• Review both the source and destination asset involved in this communication, and whether they
are actually exposed to the vulnerability that is exploited by this threat vector. Check whether
this threat has been seen on other devices with which these assets are communicating.
• Consider scanning the assets involved in communication via AV software, to ensure that they are
not compromised.
• Approve
• Archive
Alert Example:
Depending on the action being performed, the effect could be from minor process disruption
to total loss of control. For example, if a program is erased, then no program remains in the
controller memory and the controller doesn’t control the production line and its equipment any
more.
• Approve
• Archive
• Scan Time Frame – The time window within which the threshold must be reached in order to
create a network scan alert.
• Min Requests – The minimum number of requests required to trigger a scan alert.
• Relevant Ports – Ports above this value are not counted as part of the port count.
Alert Example:
TCP Port Scan: Asset 193.26.166.166 sent probe packets to 10.9.158.196 IP address on different
ports.
• When a port scan occurs within the network, evaluate the machine that performed this scan,
the pathway the attacker used, and the affected machine to ensure they are not vulnerable to
remote network attacks.
• Look into the asset that was scanning and its last activities in the network: whether this asset or
its activities seem malicious.
• Look into the ports that were scanned: are there any known vulnerabilities in these ports?
• Look into the assets that were scanned: is there anything common to these assets? Are they all
in the same subnet? Are they all of the same kind? Are they critical to the process?
• Check Indicators showing, for instance:
• Whether a similar scan was approved previously.
• Whether the scan was performed on a common or uncommon port.
• Whether the scan was within or across subnets.
• Whether the source asset was previously involved in network scans.
• Approve
• Archive
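One way to implement the TCP Host scan and TCP Port scan alerts with the Scan Time Frame, Min Requests and Relevant Ports parameters listed above, as an added example over constructed packet records (not Claroty's detector; the default thresholds are assumptions):

```python
"""Host-scan and port-scan detection driven by the Scan Time Frame,
Min Requests and Relevant Ports parameters. Added example with constructed
packet records; not Claroty's detector, and the defaults are assumptions."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    ts: float      # seconds (constructed)
    src: str
    dst: str
    dport: int


def max_distinct_in_window(items, time_frame_s, key):
    """Largest number of distinct key(item) values that fall inside any
    time_frame_s-wide window. `items` must be sorted by ts."""
    best = 0
    for i in range(len(items)):
        seen = set()
        for j in range(i, len(items)):
            if items[j].ts - items[i].ts > time_frame_s:
                break
            seen.add(key(items[j]))
        best = max(best, len(seen))
    return best


def detect_host_scans(probes, scan_time_frame_s=60.0, min_requests=10):
    """TCP Host scan: one source sends packets to many different IP
    destinations on the same port within the time frame."""
    groups = defaultdict(list)
    for p in probes:
        groups[(p.src, p.dport)].append(p)
    alerts = []
    for (src, dport), items in groups.items():
        items.sort(key=lambda p: p.ts)
        n = max_distinct_in_window(items, scan_time_frame_s, lambda p: p.dst)
        if n >= min_requests:
            alerts.append({"type": "host_scan", "src": src,
                           "port": dport, "targets": n})
    return alerts


def detect_port_scans(probes, scan_time_frame_s=60.0, min_requests=10,
                      relevant_ports=1024):
    """TCP Port scan: one source probes many different ports on one
    destination. Ports above relevant_ports are not counted, which is what
    the Relevant Ports parameter does (it keeps ephemeral-port chatter from
    inflating the count)."""
    groups = defaultdict(list)
    for p in probes:
        if p.dport <= relevant_ports:
            groups[(p.src, p.dst)].append(p)
    alerts = []
    for (src, dst), items in groups.items():
        items.sort(key=lambda p: p.ts)
        n = max_distinct_in_window(items, scan_time_frame_s, lambda p: p.dport)
        if n >= min_requests:
            alerts.append({"type": "port_scan", "src": src,
                           "dst": dst, "ports": n})
    return alerts


def build_sample():
    """Constructed traffic: a host scan on port 80, a port scan that also
    touches 20 high ports, and an HMI polling a PLC on 502 (benign)."""
    probes = []
    for i in range(12):
        probes.append(Probe(100.0 + i, "192.168.1.26", "192.168.1.%d" % (100 + i), 80))
    for i in range(15):
        probes.append(Probe(200.0 + i, "193.26.166.166", "10.9.158.196", 20 + i))
    for i in range(20):
        probes.append(Probe(200.0 + i, "193.26.166.166", "10.9.158.196", 40000 + i))
    for i in range(30):
        probes.append(Probe(300.0 + i, "10.9.158.10", "10.9.158.196", 502))
    return probes


if __name__ == "__main__":
    sample = build_sample()
    for alert in detect_host_scans(sample) + detect_port_scans(sample):
        print(alert)
```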
• Malformed Packets
• Operational Error
• Invalid Sessions
• Unknown Object
• Protocol DDoS
• Review the Event Details section of the alert, which contains the details of the suspicious or
malicious activity that was detected.
• Identify the assets that exhibit the suspicious activity and determine whether this activity is the
result of a misconfiguration, or if it is potentially malicious.
• In case of doubt or suspicion, work with process and/or OT engineers to get access to the
affected assets and further investigate.
• Understand the impact on process or OT operations and develop a suitable response plan.
• Approve
• Archive
Alert Example:
Suspicious file transfer found! File 'unknown_file_name' was transferred via 'http' and matched
the following Yara rules: ['RANSOM_Kraken.yar/kraken_cryptor_ransomware'], Transferred from
10.243.188.213
• Review the alert Title, which provides the malicious file name. The title also includes the detail of
the Yara rule that led to this detection.
• Inspect the Event Details section, to review the signature that was matched in this alert.
• Understand the nature of the threat that is linked to the Yara rule, such as whether the malware
referenced in the rule is ransomware or something else, and which vulnerabilities it uses.
• Review both the source and destination asset involved in this communication, and whether they
have the vulnerability that is exploited by this threat. Is this threat seen on other devices with
which these assets are communicating?
• Consider scanning the assets involved in communication with AV software, to ensure that they
are not compromised.
• Approve
• Archive
3. Insights
The CTD system identifies assets affected by potential security risks, based on a variety of out-of-
the-box use cases, and groups them together into insights. The purpose of the insights is to
provide knowledge regarding these security risks and indicate mitigation measures, which will
improve the overall security posture of the organization.
This chapter divides the available insights into two major categories: risk management use cases
(for example, network segmentation, remote access, password hygiene) and vulnerability
management use cases. See the following sections for more information on a particular insight.
To identify assets that have reached End of Life (EOL) status, use the EOL Insight, which lists assets
belonging to a model series that is no longer supported by the vendor. These assets might pose a
security risk, since the vendor is no longer issuing security updates for them.
The following table describes in detail the vendors and types of devices supported by CTD and
links to further information on each vendor's website.
NOTE
New EoL vendors and models are added to CTD on a regular basis and made
available via Threat Bundle Updates.
Additionally, security best practices advise that ports should be opened only on an “as-needed”
basis, dictated by the Internet communication needs of applications and services that run on the
servers.
NOTE
Shows open ports for the top 50 ports of the asset. If the port is above 30,000 it
will not be displayed. Open ports can be viewed in the Asset Page, under the Risk &
Vulnerabilities tab.
remote device. It is considered best practice to avoid setting the device in remote programmable
mode.
3.1.24. UNSUPPORTED OS
Unsupported operating systems no longer receive technical support or security updates from their
developers, which places assets with such operating systems at risk.
Claroty customers can receive regular Threat Definition Updates with the latest threats discovered
by Claroty’s Research team. The Threat Definition Updates include new CVEs, as well as network
traffic signatures and Yara signatures, and allow the users to stay up-to-date without a full
upgrade of the entire CTD software. For more information see Threat Definition Updates in the
CTD User Guide.
• Full match – This category represents the most accurate level of CVE matching. Insights
belonging to this category match CVE details against the following asset information:
• Vendor, Model, and Firmware version (Full Match CVEs)
• Windows OS version, Build and installed Security Patches (Windows CVEs Full Match).
• Installed Program versions (Program Match CVEs).
NOTE
It is possible that specific asset configurations actually solve some of the detected
vulnerabilities.
• Model match – This category matches CVE details against assets’ vendor name and model
only, since the system was unable to determine the firmware version. Therefore, it is possible
that non-vulnerable assets will still appear as vulnerable within this insight, due to the inherent
limitations of this type of matching. If this is the case, we recommend applying the “Mark as
Completed” action for those assets.
• Vendor match – This category matches CVE details against assets’ vendor name only. Therefore,
it is possible that non-vulnerable assets will still appear as vulnerable within this insight, due to
the inherent limitations of this type of matching. If this is the case, we recommend applying the
“Mark as Completed” action for those assets.
• Windows match – This category matches Windows CVE details against assets’ Windows OS
version. Since installed Service Pack versions or Security Updates are not typically factored, it
is possible that non-vulnerable assets will still appear as vulnerable within this insight, due to
the inherent limitations of this type of matching. If this is the case, we recommend applying the
“Mark as Completed” action for those assets.
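The four match categories above, implemented as a tiered matcher over constructed assets and placeholder CVE records. This is an added example, not Claroty's matching logic; the field names, the version rules and the sample data are assumptions.

```python
"""Tiered CVE matching (Full / Model / Vendor / Windows match).
Added example; not Claroty's code. CVE ids below are placeholders."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    vendor: str
    model: Optional[str] = None        # None: model not determined passively
    firmware: Optional[str] = None     # None: firmware version unknown
    os_version: Optional[str] = None   # Windows hosts only (constructed strings)
    os_build: Optional[str] = None     # None: build / patch level unknown
    patches: FrozenSet[str] = frozenset()   # installed update ids (constructed)


@dataclass(frozen=True)
class Cve:
    cve_id: str                        # placeholder ids in the sample, not real CVEs
    vendor: str
    model: Optional[str] = None
    affected_firmware: Tuple[str, ...] = ()
    os_version: Optional[str] = None   # set for Windows CVEs
    fixing_patches: FrozenSet[str] = frozenset()


def match_tier(asset: Asset, cve: Cve) -> Optional[str]:
    """Return the match category for this asset/CVE pair, or None when it does
    not apply. The category reflects how much of the asset's identity could
    be confirmed, so a lower tier carries a higher false-positive likelihood
    and is the one to review before using "Mark as Completed"."""
    if asset.vendor.lower() != cve.vendor.lower():
        return None
    if cve.os_version is not None:                 # Windows CVE
        if asset.os_version != cve.os_version:
            return None
        if asset.os_build is None:                 # SP / security updates unknown
            return "Windows match"
        if asset.patches & cve.fixing_patches:     # a fixing update is installed
            return None
        return "Full match"                        # Windows CVEs Full Match
    if asset.model is None or cve.model is None:   # only the vendor name usable
        return "Vendor match"
    if asset.model.lower() != cve.model.lower():
        return None
    if asset.firmware is None:                     # model known, firmware not
        return "Model match"
    if asset.firmware in cve.affected_firmware:
        return "Full match"
    return None


def match_all(assets, cves):
    """Return [(asset name, cve id, tier)] for every applicable pair."""
    out = []
    for a in assets:
        for c in cves:
            tier = match_tier(a, c)
            if tier:
                out.append((a.name, c.cve_id, tier))
    return out


# Constructed records; the CVE ids are placeholders, not real identifiers.
SAMPLE_CVES = [
    Cve("CVE-0000-0001", "Siemens", model="S7-1200",
        affected_firmware=("4.2.0", "4.2.1")),
    Cve("CVE-0000-0002", "Microsoft", os_version="Windows 10 1809",
        fixing_patches=frozenset({"KB-PLACEHOLDER-1"})),
]

SAMPLE_ASSETS = [
    Asset("plc-a", "Siemens", "S7-1200", "4.2.0"),     # vendor+model+firmware
    Asset("plc-b", "Siemens", "S7-1200", None),        # firmware unknown
    Asset("plc-c", "Siemens"),                         # model unknown
    Asset("plc-d", "Siemens", "S7-1500", "2.8"),       # different model
    Asset("ws-a", "Microsoft", os_version="Windows 10 1809"),
    Asset("ws-b", "Microsoft", os_version="Windows 10 1809", os_build="17763",
          patches=frozenset({"KB-PLACEHOLDER-1"})),
    Asset("ws-c", "Microsoft", os_version="Windows 10 1809", os_build="17763"),
]


if __name__ == "__main__":
    for name, cve_id, tier in match_all(SAMPLE_ASSETS, SAMPLE_CVES):
        print("%-6s %s  %s" % (name, cve_id, tier))
```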
Of note, due to inherent limitations in the Passive discovery method, this insight might not factor
in potential patches installed on the listed assets. Therefore, it is possible that assets will still
appear vulnerable, despite having already implemented security patches that resolve the
vulnerability.
Of note, due to inherent limitations in the Passive discovery method, this insight might not factor
in potential Service Pack versions or Security Updates (patches) installed on the listed assets.
Therefore, it is possible that assets will still appear vulnerable, despite having already
implemented security patches that resolve the vulnerability.
Comments can be applied to Insights, so that the handling of each Insight can be managed as
needed. For instance, this allows the user to keep track of the open vulnerabilities and their
remediation process.
OPEN
• OPEN is the default status and insights with this status will appear on the Insights page.
• OPEN means the insight still needs to be addressed, and as long as it is open it negatively
affects the Hygiene Score.
HIDDEN
• After the user changes the insight status to HIDDEN, the insight will no longer be visible on the
Insights page. All hidden insights can be seen by applying the Insights Status > Hidden filter.
• Changing the insight status to HIDDEN will not improve the overall Hygiene Score or the Risk
Score of the involved assets.
COMPLETED
• After the user changes the insight status to COMPLETED, the insight will no longer be visible on
the Insights page. All completed insights can be seen by applying the Insight Status > Completed
filter.
• Changing the insight status to COMPLETED will improve the overall Hygiene Score or the Risk
Score of the involved assets.
4. Discovery Methods
All other information changes will not trigger any alerts in either Training or Operational Mode.
1. SNMP Queries
a. TCP connections (current)
b. ARP connections (historical)
c. CDP connections (historical)
2. TCP Queries
a. UDP/TCP
4.1.3. PROFILES
Table 2. Summary Profiles Table
B&R Profile (page 53): Uses proprietary B&R SNMP OIDs to collect information on B&R PLCs
Siprotec 5 Profile (page 56): Basic HTTPS: Uses the Digsi5 HTTPS Protocol; Advanced HTTPS: Uses the Digsi5 HTTPS protocol to collect advanced information
B&R Profile
Task Name: 31
Description: Uses proprietary B&R SNMP OIDs to collect information on B&R PLCs
Port: -
Sub Query: V3
Parameters:
  Port: Format number; Default 161; Example 1234

Cisco Profile
Task ID: 25
Sub Query Description: Use the SNMP protocol to query Cisco devices
Parameters:

IoT Query
Task ID: 36
Description: Uses the IoT matchers configured in the system to discover IoT devices
Sub Query Description: Uses all IoT directed queries - banner, WSD, HTTP, HTTPS, SNMP

Hirschmann Profile
Task ID: 21
Custom Info Fields: See SNMP (page 98), Telnet (page 114)
Sub Queries:
  Parameters: See SNMP, Telnet
  Parameters: See SNMP, Telnet

Mitsubishi Profile
Task ID: 45
Parameters:
  IP: Meaning IP; Format ips; Default -; Example 10.1.39.1
  Ports: Meaning ports; Example 5005
  plc_side: Format dropdown
  network number: Format number; Default 1; Example 4
  pc station number: Meaning station number representing the engineering station (an internal Mitsubishi parameter); Format number; Default 1; Example 3
  Meaning station number representing the PLC (an internal Mitsubishi parameter); Format number; Default 0; Example 1
  target system: Format number; Default 0; Example 1

Rockwell Profile
Task ID: 24
Custom Info Fields: See EtherNet/IP (page 71), CIP (page 65)
Sub Queries:
Parameters:

Siemens Profile
Task ID: 23
Port: See S7
Sub Queries:
  Sub Query Description: Uses the S7Comm Basic Query (page 95)
  Sub Query Description: Uses the S7Comm Advanced Query (page 95)
  Sub Query Description: Uses the S7Comm Advanced Query (page 95) as well as SNMP (page 98) (to also collect communication information)
Parameters:

Siprotec 5 Profile
Task ID: 33
  Sub Query Description: Uses the Siprotec 5 SNMP Query (page 100)
  Sub Query Description: Uses the Basic HTTPS Digsi5 (i.e. Siprotec5) Query (page 105)
  Sub Query Description: Uses the Advanced HTTPS Digsi5 (i.e. Siprotec5) Query (page 105)
Parameters:

Windows Profile
Task ID: 22
Custom Info Fields: See Net Bios (page 87), WMI (page 109)
Sub Queries:
  Sub Query Description: Uses the Net Bios (page 87) Query
  Sub Query Description: Uses the WMI (page 109) Basic Query
  Sub Query Description: Uses the WMI (page 109) Advanced Query
Parameters:
4.1.4. QUERIES
Queries interrogate individual devices using specific protocols and require a specific IP or IP range.
Atlas Copco Open Protocol Query (page 61): Atlas Copco Open Protocol Query. (The protocol needs to be enabled for this query.)
BACnet Query (page 63): Query a device using the BACnet protocol
Beckhoff Query (page 64): Query using the Beckhoff AMS protocol
B&R HTTP Query (page 61): Use the B&R Automation SDM web interface to get information about the PLC
B&R Query (page 61): Uses proprietary B&R SNMP OIDs to collect information on B&R PLCs
CIP Query (page 65): Uses CIP to query PLCs for information and scan for nested devices
Cognex Query (page 67): Uses the Cognex Discovery protocol to find basic information about Cognex devices (usually cameras)
CrowdStrike Query (page 67): Retrieves data about a device running CrowdStrike Sensor and uses AppDB to parse OT projects existing on it
CTI Query (page 66): Uses the CTI proprietary protocol to query CTI2500 PLCs
DNP3 (page 70): Reads the Identity object from the RTU using the DNP3 protocol
ENIP Query (page 71): Uses the EtherNet/IP List Identity message to identify PLCs in the network
Exi 3000 Query (page 72): Exi 3000 Query over TCP
GE SRTP (page 73): Uses TCP GE-SRTP (TCP port 18245) to get GE PLC information
GE Station Manager Query (page 74): Uses UDP Unicast GE Station Manager to get GE rx3i/rx7i device information
HTTP Query (page 75): Uses HTTP to get the home page of a device and extract information
Indraworks Query (page 77): Uses UDP in unicast to query Bosch IndraDrive devices
Lantronix Unicast Query (page 77): Uses the Lantronix Discovery Protocol (LDP) in unicast to query Lantronix devices
mDNS Query (page 78): Uses the mDNS protocol to query devices. Uses mDNS matchers.
Mitsubishi GOT Query (page 82): Establishes a GOT connection to query Mitsubishi GOT 1000 and 2000 HMIs
Mitsubishi Melsoft Query (page 83): Uses the proprietary Mitsubishi Melsoft protocol to connect to Mitsubishi PLCs
MMS Query (page 78): Uses the IEC 61850 MMS protocol over TCP to query ABB and other MMS-supporting devices
Modbus Information Object (page 85): Uses the Modbus protocol Get Information command to query PLCs
Moxa Broadcast Scan (page 85): Uses Moxa broadcast search to find Moxa devices, sent in multicast
Moxa Unicast Scan (page 86): Uses Moxa broadcast search to find Moxa devices, sent in unicast
MS SQL (page 80): Uses TDS and SQL browser protocols to find MS SQL installations
Net Bios (page 87): Uses the Windows NetBIOS service to learn the hostname and OS version. Also uses SMBv1
Omron FINS Query (page 87): Omron FINS protocol query over UDP/TCP
Opto22 Query (page 89): Uses the Opto22 protocol to query Opto PAC PLCs
PCCC Query (page 89): Query to extract code sections and slots from Rockwell SLC5 devices
P+F DCP Query (page 89): Collects information about wireless gateways by Pepperl+Fuchs
Profinet-DCP Query (page 91): Uses the Profinet-DCP broadcast message to detect devices
RAFT Gateway Query (page 93): Welding Technology Corp. (WTC) RAFT Gateway query over HTTP
Reverse DNS (page 93): Reverse DNS resolution is the DNS querying technique that determines the domain name associated with an IP address using PTR records.
S7CommPlus Query (page 96): S7CommPlus is a Siemens proprietary protocol that runs between programmable logic controllers of the Siemens S7-1200/1500 family.
S7Comm Query (page 95): Uses Siemens S7Comm to query PLCs for information and nested devices
Schneider TSX Query (page 102): Uses the PL7 software proprietary protocol to query Schneider TSX devices
Schneider Unity Query (page 103): Uses the Schneider Unity Modbus function code 90 to query PLCs
Sinumerik Query (page 104): Queries the Sinumerik series of Siemens CNC control systems
Siprotec Query (page 105): Uses the Siprotec protocol to query RTUs
SNMP Network Layout Query (page 97): Using SNMP and a starting IP, the query recursively gets information about network switches and devices, and gets the entities connected to their interfaces
SNMP Query (page 98): Uses the SNMP protocol to query devices for information
SNMP Siprotec 5 (page 100): Uses SNMP to query the Siprotec5 proprietary OIDs
SSH Discovery (page 101): Uses SSH to remotely connect and collect data from SSH-supporting servers
Telnet (page 114): Performs telnet banner grabbing. Extracts info from Scalance and Hirschmann switches
Tridium Fox Query (page 106): Uses the Tridium Fox protocol to query Tridium stations
Ubiquiti Query (page 107): Uses the Ubiquiti discovery protocol to query Ubiquiti devices
Unitronics Query (page 108): Uses the PCOM-TCP protocol to query Unitronics PLCs
WAGO Query (page 108): Uses the IOCHECKD protocol to get basic information on a specific WAGO device
WinRM Query (page 111): Uses the WinRM protocol to query information about Windows computers, using WMI and the registry. Uses SOAP over HTTP and must be configured
WMI Query (page 109): Uses WMI to query Windows hosts for information
WSD Query (page 110): Uses WSD and ONVIF to find network devices, based on the WSD IoT Matchers
Task Name 87
Description Atlas Copco Open Protocol Query. (Protocol needs to be enabled for this query.)
Sub Query Description Atlas Copco Open Protocol Query. (Protocol needs to be enabled for this query.)
Parameters
Port
Format Number
Default 4545
Example 1234
Task ID 63
Description Use the B&R Automation SDM web interface to get information about the PLC
Port 80 (TCP)
Intrusive Level
Sub Query Description Use the B&R Automation SDM web interface to get information about the PLC
Task ID 30
Description Uses proprietary B&R SNMP OIDs to collect information on B&R PLCs
Ports -
Sub Query V3
Parameters
Port
Format number
Default 161
Example 1234
Task ID 28
Port 47808
Sub Query Description Uses BACnet requests to collect information about devices
Potential Information Collected Firmware, Model, Application version, Object Name, hostname, Location, Object ID, Vendor, IP, Description
Parameters
IP
Format IP
Default -
Example 10.0.0.1
Meaning Should use the BACnet Object ID as the hostname of the target
Format Checkbox
Default TRUE
Example FALSE
Task ID 26
Sub Query Description Uses the Beckhoff AMS protocol to collect information on Beckhoff devices
Potential Information Collected IP, hostname, OS, firmware, model, vendor, serial, installed programs, patches
Parameters
IP
Format IP
Default -
Example 10.0.0.1
Task ID 10
Description Uses CIP to query PLCs for information and scan for nested devices
Port 44818
Sub Queries TCP CIP, TCP CIP CONFIGURATION (page 65), TCP CIP HYBRID (page 65)
Sub Query Description Queries the controller for basic information using the CIP Identity request
Sub Query Description Queries the controller for information. Also scans for nested devices
Potential Information Collected IP, model, vendor, serial, slots, Mac, code sections, nested devices, firmware
Sub Query Description Performs Configuration Upload from the controller. Allows gathering information,
nested devices, and code sections.
Potential Information Collected IP, model, vendor, serial, slots, Mac, code sections, nested devices, firmware
Sub Query Description Combines both CIP Configuration upload and CIP Deep sub queries methodology. The
sub query first retrieves the queried device configuration and extract all of the slots
and nested devices. After retrieval it will initiate a scan of only these devices and get
the current information from the devices. This methodology reduces the need to scan
wide address ranges to detect slots and nested devices.
Potential Information Collected IP, model, vendor, serial, slots, Mac, code sections, nested devices, firmware
Parameters
IP
Format IP
Default -
Example 10.0.0.1
Port
Format Number
Default 44818
Example 1234
Format Number
Default 4
Example 3
Scanning Timeout
Default 5
Example 10
Specific Address
Default -
Format Bool
Default TRUE
Example FALSE
Example 10.0.0.0/24
Task ID 46
Port 1069
Sub Query Description Uses the CTI Proprietary protocol to query CTI2500 PLCs
Potential Information Collected IP, Vendor, Family, Model, Firmware, Rack Firmware
Parameters
Port
Format number
Default 1505
Example 1000
Task Name 38
Description Uses Cognex Discovery protocol to find basic information about Cognex devices (usually cameras)
Port 1069
Sub Queries
Sub Query Description Uses the Cognex Discovery protocol to identify and collect information from Cognex
devices
Potential Information Collected IP, hostname, Mac, serial, model, firmware, description
Parameters
Port
Format number
Default 1069
Example 51069
Task ID 54
Description Retrieves data about a device running CrowdStrike Sensor and uses AppDB to parse
OT projects existing on it.
Sub Queries
Sub Query Description Retrieves data about a device running CrowdStrike Sensor
Parameters
Client ID
Default -
Example f3bac176a05c544492e83aba9cba08fe
Client Secret
Default -
Example F5sd3J8f3wer67Plk
Cloud
Format dropdown
Default US
Example US-2
Sub Query Description Retrieves data about a device running CrowdStrike Sensor and uses AppDB to parse
OT projects existing on it.
On Devices from AppDB Files: IP, Mac, Hostname, Model, Firmware, Slots
Parameters
Client ID
Default -
Example f3bac176a05c544492e83aba9cba08fe
Client Secret
Default -
Example F5sd3J8f3wer67Plk
Cloud
Format dropdown
Default US
Example US-2
Default 20
Example 15
Meaning Should Use Windows Recently Opened Files (or only from AppDB locations)
Format checkbox
Default FALSE
Example TRUE
Meaning Should Get Project Files From Remote Paths like \\server-pc\files\my_file.acd
Format checkbox
Default FALSE
Example TRUE
Task ID 52
Intrusive Level -
Parameters
MSSQL
Format Checkbox
Default True
Example False
MySQL
Format Checkbox
Default True
Example False
Task ID 54
Description Reads the Identity object from the RTU using the DNP3 protocol
Port 20000
Target Devices Devices that implement the Identity object within DNP (PLCs, RTUs, IEDs)
Sub Query Description Use the DNP3 Information Object to query devices with this function implemented
Potential Information Collected Serial, hostname, model, vendor, HW version, SW version, location
Parameters
IP
Format IP address
Default -
Example 10.0.0.1
Port
Format Number
Default 20000
Example 20000
Protocol
Default TCP
Example UDP
Unit ID
Format Number
Default 0
Example 1
Task ID 11
Description Uses EtherNet/IP List Identity message to identify PLCs in the network
Port 44818
Sub Query Description Use the EtherNet/IP Identity Request command to collect basic information on EtherNet/IP compatible devices
Parameters
IP
Format IP
Default -
Example 10.0.0.1
Task ID 95
Description Uses the Siemens S7comm to query PLCs for information and nested devices
Port 3000
Sub Queries
Sub Query Description UDP Unicast to get model and hostname, gets device Information over TCP
Potential Information Collected IP, Entity Type, Vendor, Model, Hostname over UDP, Serial, Firmware, Slots
Sub Query Description Runs Basic query and gets extra interfaces and hostname
Potential Information Collected Information from Basic + all interfaces, hostname over TCP
Parameters
Port
Format Number
Default 3000
Example 1234
IP
Meaning IP
Format String
Default -
Example 1.1.1.1
Task Name 88
Potential Information Collected IP, Series, Model, Firmware, Mode, Serial, Order Number (MLFB), Vendor, Entity Type
Parameters
IP
Meaning IP
Format String
Default -
Example 1.1.1.1
Port
Format Number
Default 8193
Example 1234
4.1.4.15. GE SRTP
Task ID 61
Description Uses TCP GE-SRTP (TCP port 18245) to get GE PLC information
Intrusive Level
Potential Information Collected vendor, model, firmware, serial, type, mac address, slots
Parameters
IP
Meaning IP
Format String
Default -
Example 1.1.1.1
Task ID 58
Description Uses UDP Unicast GE Station Manager to get GE rx3i/rx7i device information
Intrusive Level
Sub Query Description Uses UDP Unicast GE Station Manager to get GE rx3i/rx7i device information
Potential Information Collected vendor, model, firmware, serial, type, mac address
Parameters
port
Format number
Default 18245
Example 18245
IP
Meaning IP
Format String
Default -
Example 1.1.1.1
Task ID 34
Description Uses HTTP to get the home page of a device and extract information
Sub Queries
Parameters
Port
Format number
Default 161
Example 1234
Task ID 8
Port -
Sub Query Description Use the Hirschmann HiDiscovery protocol to query Hirschmann devices (2nd layer)
Parameters
Interface name
Meaning Network interface on the machine from which the packets are sent
Format String
Default -
Example en192
MAC address
Default -
Example 112233445566
Task ID 92
Sub Queries
Potential Information Collected IP, Vendor, Firmware, Family, Default Gateway, Serial Number, Entity Type, Model,
Type Code, Series
Potential Information Collected IP, Vendor, Firmware, Family, Default Gateway, Serial Number, Entity Type, Model,
Type Code, Series
Parameters
IP
Meaning IP
Format string
Default -
Example 1.1.1.1
Port
Format number
Default 35021
Example 1234
Task ID 72
Description Uses the Lantronix Discovery Protocol (LDP) in unicast to query Lantronix devices
Port 30718(UDP)
Intrusive Level
Parameters
IP
Meaning IP
Format string
Default
Example 1.1.1.1
Task ID 62
Description Uses the mDNS protocol to query devices. Uses mDNS matchers.
Intrusive Level
Sub Query Description mDNS Query - Uses the mDNS protocol in unicast to query devices.
Potential Information Collected hostname, entity type, everything supported by IoT matchers
Parameters
Extended services
Meaning whether to use all known services (more network load), or just the main ones
Format Checkbox
Default FALSE
Example TRUE
Task ID 74
Description Uses the IEC 61850 MMS Protocol over TCP to query ABB and other MMS-supporting
devices
Potential Information Collected IP, model, vendor, firmware (ABB Devices). For other devices, depends on the matcher
Parameters
IP
Meaning IP
Format string
Default
Example 1.1.1.1
Port
Format Number
Default 102
Example 1234
4.1.4.23. MS SQL
Task ID 52
Description Uses TDS and SQL browser protocols to find MS SQL installations
Sub Query Description Uses TDS and SQL browser protocols to find MS SQL installations
Task ID 85
6000 (TCP)
5900 (TCP)
23 (TCP)
Parameters
IP
Meaning IP
Format String
Default -
Example -
Format Number
Default 6001
Example 1234
Transfer Port
Format Number
Default 6000
Example 1234
Meaning Whether to use a mechanism to extract information that requires changing the device
mode
Format Checkbox
Default FALSE
Example FALSE
Task ID 84
Description Establishes a GOT connection to query Mitsubishi GOT 1000 and 2000 HMIs
Parameters
IP
Meaning IP
Format string
Default -
Example 10.1.39.1
Format Number
Default 5014
Example 1234
Format Number
Default 5015
Example 1234
Task ID 44
Sub Query Description Requires only parameters and only detects whether the PLC is a Mitsubishi PLC
Sub Query Description Requires most parameters and should extract most relevant data.
Sub Query Description Requires very few parameters and makes assumptions about common default configuration for Mitsubishi devices to gather the most information. This will not work for advanced configuration of certain devices.
Sub Query Description Adds target system as well, which is relevant for multi-CPU PLCs.
Parameters
IP
Meaning IP
Format ips
Default -
Example 10.1.39.1
plc_side
Meaning type of connection in the side of the PLC (ethernet module/cpu/auto select)
Format dropdown
Format dropdown
network number
Format number
Default 1
Example 4
pc station number
Meaning station number representing the engineering station - this is an internal Mitsubishi
parameter
Format number
Default 1
Example 3
Meaning station number representing the PLC - this is an internal Mitsubishi parameter
Format number
Default 1
Example 2
target system
Format number
Default 0
Example 1
Task ID 15
Description Uses the Modbus protocol Get Information command to query PLCs
Port 502
Sub Query Description Use the Modbus Information Object to query devices with this function implemented
Parameters
IP
Format IP address
Default -
Example 10.0.0.1
Port
Format Number
Default 502
Example 1234
Unit ID
Default 0
Example 0-10,15
Is a gateway
Meaning Determine whether querying a gateway and the PLCs are nested
Format Boolean
Default FALSE
Example TRUE
Task ID 69
Description Uses Moxa broadcast search to find Moxa devices, sent in multicast
Intrusive Level
Sub Query Description Uses the Moxa Discovery protocol to discover Moxa devices
Task ID 70
Description Uses Moxa broadcast search to find Moxa devices, sent in unicast
Intrusive Level
Sub Query Description Uses the Moxa Discovery protocol to query Moxa devices
Parameters
IP
Meaning IP
Format string
Default
Example 1.1.1.1
Task ID 4
Description Uses the Windows NetBIOS service to learn the hostname and OS version. Also uses
SMBv1
Sub Query Description Use the NetBios Protocol to interrogate Windows devices using this basic discovery
protocol
Parameters
IP
Format IP address
Default -
Example 10.0.0.1
Port
Format Number
Default 139
Example 445
Task ID 75
Potential Information Collected IP, Vendor, Firmware, Serial, Hostname, Slots, Mode, Entity type
Parameters
Port
Format Number
Default 9600
Example 1234
Task ID 48
Sub Queries
Sub Query Description Uses the protocol to also upload the strategy archive from the device, if exists
Parameters
Port
Format number
Default 22001
Example 1234
Task ID 64
Intrusive Level
Potential Information Collected IP, MAC, Vendor, Model, Firmware, Firmware Revision, Family
Task ID 57
Description Query to extract code sections and slots from Rockwell SLC5 devices
Intrusive Level
Sub Query Description Query to extract code sections and slots from Rockwell SLC5 devices
Parameters
IP
Meaning IP
Format string
Default -
Example 1.1.1.1
Task ID 13
Port -
Sub Query Description Use the Profinet-DCP information collection packet to discover (layer 2) relevant network devices
Parameters
Interface name
Meaning Network interface on the machine from which the packets are sent
Format String
Default -
Example en192
MAC address
Default -
Example 112233445566
VLAN
Format 300,599,601
Default -
Task ID 14
Port -
Sub Query Description Use the Profinet-DCP information collection broadcast packet to discover (layer 2)
relevant network devices
Parameters
Interface name
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example en192
Custom Label
Format string
Default -
VLAN
Format 300,599,601
Default -
Task ID 89
Description Welding Technology Corp. (WTC) RAFT Gateway query over HTTP
Sub Queries
Potential Information Collected IP, Vendor, Family, Model, Hostname, Serial, Order Number (MLFB)
Parameters
Port
Format number
Default 8080
Example 1234
IP
Meaning IP
Format string
Default -
Example 1.1.1.1
Task ID 55
Description Reverse DNS resolution is the querying technique of DNS to determine the domain
name associated with an IP address using PTR records.
Port 53
Target Devices
Intrusive Level
Parameters
DNS Server
Format ip address
Default
Example 192.168.1.13
Domain
Meaning Optional domain name to trim from the resolved fully qualified domain name
Format string
Example claroty.com
Task ID 17
Description Uses the Siemens S7comm to query PLCs for information and nested devices
Port 102
Sub Queries
Sub Query Description S7Comm reads device information from the controller
Potential Information Collected Hostname, vendor, model, firmware, IP, serial, MLFB, mode, slots
Sub Query Description S7Comm reads configuration from the controller - extracts nested devices and code
sections
Potential Information Collected Hostname, vendor, model, firmware, IP, serial, MLFB, mode, slots, code sections,
nested devices
Parameters
IP
Format IP
Default -
Example 10.0.0.1
Password
Default -
Example Password
CPU slot
Format Number
Default 0
Example 2
Task ID 51
Siemens S71200
Siemens ET-200
Potential Information Collected Model, Firmware, MLFB, Mac, IP, Project Information, Slots
Parameters
Password
Meaning -
Format text
Default -
Example -
Task ID 40
Description Using SNMP and a starting IP, the query recursively gets information about network switches
and devices, and gets the entities connected to their interfaces
Port 161
Sub Queries
Parameters
SNMP Parameters
Meaning Maximum recursion depth to reach while querying switches and their neighbors.
Format number
Default 2
Example 3
Meaning Maximum Number of switches to get their CAM tables and neighbors.
Format number
Default 15
Example 10
Task ID 1
Port 161
Sub Queries
Sub Query V1
Sub Query Description Uses SNMP Version 1 to query devices based on the configured SNMP Matchers
Sub Query Description Uses SNMP Version 2 to query devices based on the configured SNMP Matchers
Sub Query V3
Sub Query Description Uses SNMP Version 3 to query devices based on the configured SNMP Matchers
Parameters
Sub query
Default -
IP
Format IP
Default -
Example 10.0.0.1
Format string
Default -
Example public
Format string
Default -
Example administrator
auth proto
Default Md5
Example sha224
priv_proto
Default des
Example aes128
auth_key
Format String
Default -
Example password
priv_key
Default -
Example
get_arp
Format Bool
Default FALSE
Example TRUE
get_cam
Format Bool
Default FALSE
Example TRUE
get_comms
Meaning Should generate baselines in the system for CDP, TCP connections
Format Bool
Default TRUE
Example FALSE
Task Name 32
Description Uses SNMP to query the Siprotec5 proprietary OIDs via SNMP
Sub Queries V3
Parameters
Port
Format number
Default 161
Example 1234
get_arp
Format Boolean
Default FALSE
Example TRUE
get_cam
Format Boolean
Default FALSE
Example TRUE
Task Name 43
Description Uses SSH to remotely connect and collect data from SSH supporting servers.
Port 22
Sub Query Description Uses the SSH protocol to connect to relevant hosts and run several commands to
attempt to collect information
Potential Information Collected OS, kernel version, hostname, vendor, serial model
Parameters
username
Meaning username
Format text
Default -
Example myuser
password
Meaning password
Format text
Default -
Example mypassword
port
Meaning port
Format number
Default 22
Example 22
Task Name 47
Description Uses the PL7 software proprietary protocol to query Schneider TSX devices
Sub Query Description Uses the PL7 software proprietary protocol to query Schneider TSX devices
Potential Information Collected IP, Vendor, Family, Model, Firmware, Project name
Parameters
Port
Format number
Default 502
Example 2000
Network ID
Format number
Default 0
Example 1
Station IDs
Default -
Example 0-1
Task Name 29
Description Uses the Schneider Unity Modbus function code 90 to query PLCs
Sub Query Description Uses basic Unity functions to learn information about the PLC
Potential Information Collected Model, Family, Firmware, Hardware ID, vendor, Project, Mode, Project path, Last Stop
Time (M221)
Sub Query Description Uses basic Unity functions as well as default FTP credentials to learn information
about the PLC
Potential Information Collected Model, Family, Firmware, Hardware ID, Vendor, Project, Mode, Mac, Project path, Last
Stop Time (M221)
Sub Query Description Uses advanced Unity functions to learn information and configuration about the PLC
Potential Information Collected Model, Family, Firmware, Hardware ID, Vendor, Project, Mode, Mac, Code sections,
Project path, Last Stop Time (M221)
Parameters
Modbus Port
Format Number
Default 502
Example 502
FTP Port
Format number
Default 21
Example 21
Unit ID
Format number
Default 0
Example 0
Task ID 91
Port 22 (TCP)
Sub Query Description Uses SCP or SFTP over SSH to collect information about Siemens Sinumerik CNCs.
Potential Information Collected IP, Vendor, Family, Model, Firmware, Serial, EntityType, Order Number (MLFB), Slot
Parameters
Port
Format Number
Default 2
Example 1234
Username
Format Text
Default -
Example myuser
Password
Format Text
Default -
Example mypassword
Password
Meaning Which file-transfer protocol to use for retrieving files - SCP or SFTP.
Default SCP
Example SCP
Task Name 6
Port 443
Sub Query Description Uses the DIGSI protocol version 5 to query the controller for basic information
Sub Query Description Uses the DIGSI protocol version 5 to query the controller for advanced information
Potential Information Collected IP, serial, slots, firmware, configuration version, mac, code sections
Parameters
IP
Format IP
Default -
Example 10.0.0.1
Task ID 79
Parameters
Username
Format Dropdown
Default User
Example User
Password
Meaning Password
Format String
Default --
Example 0000
Task ID 68
Intrusive Level
Sub Query Description Uses the Tridium Fox Protocol to query Tridium stations
Potential Information Collected hostname, entity type, os version, firmware version, model, vendor
Parameters
Port
Format number
Default 1911
Example 1912
Task Name 50
Sub Query Description Login with default credentials to provide basic info
Parameters
Port
Format number
Default 502
Example 501
Task ID 80
Table 74.
Task ID 49
Sub Query Description Uses the PCOM protocol to query Unitronics devices
Parameters
Port
Format number
Default 20256
Example 2000
Task ID 71
Description Uses IOCHECKD protocol to get basic information on a specific WAGO device
Port 6626(TCP)
Intrusive Level
Potential Information Collected Vendor, entity_type, ip, model, serial, version, hostname
Parameters
IP
Meaning IP
Format string
Default
Example
Task ID 19
Port 135
Sub Queries
Sub Query Description Use WMI to collect basic information about the host
Potential Information Collected IP, hostname, OS, Windows serial, Windows edition, model, serial, Mac, installed programs
Sub Query Description Uses WMI to collect information about the host, including installed software and
security patches
Potential Information Collected IP, hostname, OS, Windows serial, Windows edition, model, serial, Mac, installed programs, patches, USB connected devices
Parameters
IP
Format IP
Default -
Example 10.0.0.1
Username
Format String
Default -
Example Administrator
Password
Format String
Default -
Example Password1
Domain
Format String
Default -
Example domain01
Task Name 35
Description Uses WSD and ONVIF to query network devices, based on the WSD IoT Matchers
Port 3702
Sub Queries
Sub Query Description Uses the Web Services for Devices (WSD) generic discovery protocol to identify IoT
devices
Parameters
Port
Format number
Default 3702
Example 1234
Task ID 39
Description Uses WinRM protocol to query information about Windows computers, using WMI
and registry. Uses SOAP over HTTP and must be configured
Port 5985(HTTP)/5986(HTTPS)
Sub Queries
Sub Query Description Uses WinRM to collect basic information about the host
Potential Information Collected IP, hostname, OS, Windows serial, Windows edition, model, serial, Mac, installed programs
Sub Query Description Uses WMI to collect information about the host, including installed software and
security patches
Potential Information Collected IP, hostname, OS, Windows serial, Windows edition, model, serial, Mac, installed programs, patches, USB connected devices
Parameters
Username
Meaning username
Format string
Default -
Example myuser
Password
Meaning password
Format string
Default -
Example mypassword
Domain
Format string
Example mydomain
Service
Default HTTP
Example HTTP
Task ID 4
Description Uses the Windows NetBIOS service to learn the hostname and OS version. Also uses
SMBv1
Sub Query Description Use the NetBios Protocol to interrogate Windows devices using this basic discovery
protocol
Parameters
IP
Format IP address
Default -
Example 10.0.0.1
Port
Format Number
Default 139
Example 445
Task Name 20
Port -
Sub Query Description Uses TCP to attempt connection to all specified ports to detect whether those ports
are in "listen" mode
Parameters
IP
Format IP address
Default -
Example 10.0.0.1
Tcp_ports
Default 22,23,80,102,139,445,502,2222,44818
Example 123456678
4.1.4.60. Telnet
Task ID 3
Description Performs a telnet banner grabbing. Extracts info from Scalance, Hirschmann switches
Port 23
Sub Query Description Use the Telnet protocol to perform "banner grabbing" by connecting to the Telnet
service and identifying the returned banner
Parameters
IP
Format IP
Default -
Example 10.0.0.1
BACnet Discovery (page 115) Finds BACnet Devices using a broadcast request
CodesysV3 Discovery (page 116) Uses Codesysv3 protocol discovery to identify codesys devices
CrowdStrike Discovery (page 116) Discovers devices running CrowdStrike Sensors using CrowdStrike’s remote API
ENIP Scan (page 117) Uses EtherNet/IP broadcast List Identity message to identify PLCs in the network
Exi 3000 Discovery (page 118) Exi 3000 Discovery over UDP
GE Station Manager Discovery (page 119) Uses broadcast GE Station Manager to discover GE rx3i/rx7i devices
Hirschmann Discovery Scan (page 119) Queries Hirschmann switches using the HiDiscovery protocol. Transmits broadcast level 2 messages
Lantronix Broadcast Discovery (page 120) Uses the lantronix discovery protocol (LDP) to discover Lantronix devices
LS Discovery (page 121) Uses the XG5000 discovery protocol to query LS devices
mDNS Discovery (page 121) Uses the mDNS protocol to discover devices. Uses mDNS matchers.
Mitsubishi GOT Discovery (page 123) Discovery for Mitsubishi GOT 1000 and 2000 HMIs
Mitsubishi Melsoft Discovery (page 122) Uses proprietary Mitsubishi Melsoft protocol to discover Mitsubishi PLCs
Ping Sweep (page 124) Performs a ping sweep across all IPs specified to detect existing assets
RAFT Gateway Discovery (page 126) WTC RaftGateway Discovery Query over UDP
Schneider Modicon Discovery (page 128) Uses the netmanage protocol to discover Modicon PLCs
SNMP Scan (page 126) Uses SNMP to read the ARP cache of devices to generate new assets
Speedwire Discovery Query (page 129) SMA Speedwire discovery query over UDP
SSDP Discovery (page 127) Uses broadcast SSDP to find UPNP devices in the network
TCP Port Discovery (page 129) Scans IPs based on the specified ports. Will detect all IPs where the specified ports are open
VMware ESX Discovery (page 131) Using VMWare Public API to discover VMs running on the specified ESX
WSD Discovery (page 132) Uses WSD and ONVIF to find network devices, based on the WSD IoT Matchers
Task ID 27
Port 47808
Sub Query Description Uses BACnet broadcast requests to collect information about devices
Potential Information Collected Firmware, model, application version, object Name, hostname, location, object ID,
vendor, IP, description
Parameters
Interface name
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example en192
Subnet
Default -
Example 192.168.1.0/24
Meaning Should use the BACnet Object ID as the hostname of the target
Format Checkbox
Default TRUE
Example FALSE
Format Checkbox
Default TRUE
Example FALSE
Task ID 66
Intrusive Level -
Parameters
InterfaceName
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example -
Task ID 53
Description Retrieves data about a device running CrowdStrike Sensor and uses AppDB to parse
OT projects existing on it.
Sub Queries
Sub Query Description Retrieves data about a device running CrowdStrike Sensor and uses AppDB to parse
OT projects existing on it.
Parameters
Client ID
Default -
Example f3bac176a05c544492e83aba9cba08fe
Client Secret
Default -
Example F5sd3J8f3wer67Plk
Cloud
Format dropdown
Default US
Example US-2
IP Range
Format IP range
Example 192.168.1.0/24
IP Range Exclude
Format IP range
Example 192.168.1.13
Sensor Tags
Example Claroty,SensorGroupingTags/Siemens
Task ID 12
Description Uses EtherNet/IP broadcast List Identity message to identify PLCs in the network
Port 44818
Sub Query Description Use the ENIP Identity Request command to collect basic information on ENIP compatible devices
Parameters
Interface Name
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example en192
Subnet
Default -
Example 192.168.1.0/24
Custom Label
Format string
Default -
Task ID 94
Parameters
Port
Format Number
Default 5680
Example 1234
Interface Name
Format String
Default -
Example en0
check_only_exi3000
Format Checkbox
Example True
Task ID 59
Intrusive Level -
Sub Query Description Uses broadcast GE Station Manager to discover GE rx3i/rx7i devices
Potential Information Collected vendor, model, firmware, serial, type, mac address
Parameters
Port
Format number
Default 18245
Example 18245
Interface name
Meaning Network interface on the machine from which the packets are sent
Format String
Default -
Example en192
Task ID 9
Description Queries Hirschmann switches using the HiDiscovery protocol. Transmits broadcast
level 2 messages
Port -
Sub Query Description Use the Hirschmann HiDiscovery protocol to query Hirschmann devices (2nd layer)
Parameters
Interface name
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example en192
Custom label
Format string
Default -
Task ID 92
Potential Information Collected IP, Vendor, Firmware, Family, Default Gateway, Serial Number, EntityType, Model,
Type Code, Series
Parameters
Port
Format Number
Default 35021
Example 1234
Task ID 73
Description Uses the lantronix discovery protocol (LDP) to discover Lantronix devices
Port 30718(UDP)
Intrusive Level -
Parameters
InterfaceName
Format string
Default -
Example en0
4.1.5.10. LS Discovery
Task ID 78
Parameters
InterfaceName
Format string
Default -
Example en0
Task ID 60
Description Uses the mDNS protocol to discover devices. Uses mDNS matchers.
Intrusive Level -
Sub Query Description mDNS Discovery - Uses the Multicast DNS protocol to discover IOT devices.
Potential Information Collected hostname, entity type, everything supported by IoT matchers
Parameters
Interface name
Format string
Example en0
Extended services
Meaning whether to use all known services (more network load), or just the main ones
Format Checkbox
Default True
Example False
Task ID 65
Intrusive Level -
Potential Information Collected Vendor, entity_type, ip, model, serial, version, hostname
Parameters
IP
Meaning IP
Format string
Default -
Example -
Task ID 83
Port 49153
Parameters
Interface
Format string
Default -
Example en0
Task ID 76
Parameters
Port
Format Number
Default 9600
Example 1234
Interface
Format String
Default -
Example en0
Task ID 7
Description Performs a ping sweep across all IPs specified to detect existing assets
Port -
Target Devices All devices that respond to ping (endpoints, PLCs, networking)
Sub Query Description Send Ping requests to all listed IPs, and determine their existence in the network
based on the response
Parameters
IP Range
comma separated
Default -
Example work,192.168.1.0/24
IP Range exclude
comma separated
Default -
Concurrent scans
Format number
Default 50
Example 50
Retransmissions
Format number
Default 2
Example 2
Custom Label
Default -
Sub Query Description Performs a ping as well as a reverse DNS query on the found IPs, to collect hostnames
as well
Parameters
DNS Server
Meaning The IP of the DNS Server to query. If empty will use the default server configured to
CTD
Format IP address
Default -
Example 8.8.8.8
Domain Name
Format string
Default -
Example company.co
Task ID 14
Port -
Sub Query Description Use the Profinet-DCP information collection broadcast packet to discover (layer 2)
relevant network devices
Parameters
Interface name
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example en192
Custom Label
Format string
Default -
VLAN
Format 300,599,601
Default -
Task ID 90
Broadcast
Parameters
Interface Name
Format String
Default -
Example en0
Port
Format Number
Default 50804
Example 1234
Task ID 16
Description Uses SNMP to read the ARP cache of devices to generate new assets
Port 161
Sub Query Description Uses SNMP to collect the ARP table from a network device, to discover all devices
connected to it
Parameters
Custom Label
Default -
Task ID 56
Intrusive Level -
Sub Query Description Uses SSDP to find devices in the network, not adding any information on them
Parameters
port
Format number
Default 1900
Example 1234
Interface name
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example en192
Sub Query Description Uses SSDP to find devices in the network, and using the "location" field to get more
information
Parameters
Port
Format number
Default 1900
Example 1234
Interface name
Meaning Network interface on the machine from which the packets are sent
Format string
Default -
Example en192
Task ID 67
Intrusive Level -
Parameters
Interface Name
Meaning Network interface on the machine from which the packets are sent
Format String
Default -
Example -
Task ID 86
Potential Information Collected IP, Entity Type, Vendor, Family, Model, Hardware ID, Serial
Parameters
InterfaceName
Format String
Default --
Example en0
InterfaceName
Format String
Default 1594
Example 1234
Task ID 80
Parameters
IP
Meaning IP address
Format String
Default --
Example 1.1.1.1
Interface
Format String
Default -
Example en0
Task ID 41
Description Scans IPs based on the specified ports. Will detect all IPs where the specified ports are
open
Port 22,23,80,102,139,445,502,2222,44818
Sub Query Description Discovers assets in the network using the Port Knocking technique on the specified
ports
Parameters
IP range
Format IP range
Default -
Example 192.168.1.0/24
ip_range_exclude
Format IPs
Example 192.168.1.13
tcp_ports
Default 22,23,80,102,139,445,502,2222,44818
Example 1234
concurrent_ports
Format number
Default 1
Example 10
concurrent_ips
Format number
Default 50
Example 3
Task ID 79
Parameters
InterfaceName
Format string
Default -
Example en0
Task ID 42
Description Using VMWare Public API to discover VMs running on the specified ESX
Port 443
Sub Query Description Uses the VMWare API protocol to identify the ESX/VSphere server as well as all VMs
running on top of it
Potential Information Collected For Host: IP, OS For Guests: OS, UUID, hostname, vendor
Parameters
IP range
Format IP range
Default -
Example 192.168.1.0/24
port
Meaning port
Format number
Default 443
Example 443
username
Meaning username
Format text
Default -
Example root
password
Meaning password
Format text(number)
Default -
Example toor
Task ID 37
Description Uses WSD and ONVIF to find network devices, based on the WSD IoT Matchers
Port 3702
Sub Query Description Uses the Web Services for Devices (WSD) generic discovery protocol to identify IoT
devices
Parameters
Format number
Default 3702
Example 1234
IoT matchers are code sections, written in JSON format, that describe how to address IoT devices
using HTTP or Telnet communication protocols. They also describe how the response received
from the device should be interpreted to understand what the device is and what its attributes
are. These IoT matchers work with passive collection as well.
These predefined matchers, unlike user defined custom matchers, cannot be edited or deleted.
They can only be disabled. Custom matchers' rules can also be disabled to stop their activity and
enabled later if needed.
1. Navigate to the IoT Matchers configuration tab under Configuration > Data Sources >
IoT Matchers.
The file, which can be uploaded to CTD or edited within the console, contains parameters
used for the collection of information, such as:
• The ports, if they differ from the default (such as http:80)
• A “verify” statement, to make sure the accessed page is the one requested, and for which
the parsers can actually work, for example, looking for a vendor’s name like “Rockwell
Automation” in the HTTP page header.
A set of parsers are used to grab asset information from the device to be able to classify the IoT
device, such as:
IMPORTANT
Claroty recommends that Admins review the existing, predefined system IoT matchers to understand how the parsers are defined, before trying to create your own.
• module/model → Model
• firmware → Firmware version
• hostname → Hostname
• serial → Serial number
• vendor → Vendor
• type → Asset type (needs to be the asset type as appears in CTD, with “e” before - “ePLC”,
“eCamera”, “eEngineeringStation” etc.)
• family → Family
• description → Description
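The evaluation order described above (a verify statement that gates the parsers, then one parser per asset attribute), as an added example that is not CTD's own code or matcher schema: the JSON layout, the field names, the regexes and both HTTP responses are constructed assumptions, since the page does not show the real matcher file format.

```python
import json
import re

# Asset types must be given as they appear in CTD, prefixed with "e" (stated on the page).
KNOWN_TYPES = {"ePLC", "eCamera", "eEngineeringStation"}
# Ports are only listed in a matcher when they differ from the protocol default.
DEFAULT_PORTS = {"http": 80, "telnet": 23}

# Constructed matcher in a hypothetical JSON layout (CTD's real schema is not on the page).
MATCHER_JSON = r"""
{
  "name": "example-rockwell-http",
  "protocol": "http",
  "verify":  {"field": "headers.Server", "contains": "Rockwell Automation"},
  "parsers": {
    "vendor":   {"field": "headers.Server", "regex": "^(Rockwell Automation)"},
    "model":    {"field": "body", "regex": "Product Name:\\s*([^<]+)"},
    "firmware": {"field": "body", "regex": "Revision:\\s*([0-9.]+)"},
    "serial":   {"field": "body", "regex": "Serial Number:\\s*([0-9A-F]+)"},
    "hostname": {"field": "body", "regex": "Device Name:\\s*([^<]+)"},
    "type":     {"const": "ePLC"}
  }
}
"""

# Constructed HTTP responses, not real device output.
ROCKWELL_RESPONSE = {
    "headers": {"Server": "Rockwell Automation/1.0"},
    "body": ("<html>Product Name: 1756-L71/B LOGIX5571<br>Revision: 30.011<br>"
             "Serial Number: 00A1B2C3<br>Device Name: line1-plc</html>"),
}
OTHER_RESPONSE = {"headers": {"Server": "Apache/2.4"}, "body": "<html>Welcome</html>"}


def load_matcher(text):
    """Parse the matcher JSON and check for the keys the evaluator relies on."""
    matcher = json.loads(text)
    for key in ("protocol", "verify", "parsers"):
        if key not in matcher:
            raise ValueError(f"matcher missing required key {key!r}")
    return matcher


def target_port(matcher):
    """Port to contact: the matcher's own value, else the protocol default."""
    return matcher.get("port", DEFAULT_PORTS[matcher["protocol"]])


def _lookup(response, field):
    """Resolve a dotted path such as 'headers.Server' inside the captured response."""
    value = response
    for part in field.split("."):
        if not isinstance(value, dict) or part not in value:
            return ""
        value = value[part]
    return value if isinstance(value, str) else ""


def verify(matcher, response):
    """The verify statement: only parse a page we can confirm is the requested one."""
    rule = matcher["verify"]
    return rule["contains"] in _lookup(response, rule["field"])


def apply_matcher(matcher, response):
    """Return the parsed asset attributes, or None when the verify statement fails."""
    if not verify(matcher, response):
        return None
    attrs = {}
    for attr, parser in matcher["parsers"].items():
        if "const" in parser:
            value = parser["const"]
        else:
            match = re.search(parser["regex"], _lookup(response, parser["field"]))
            if not match:
                continue  # attribute simply stays unknown for this device
            value = match.group(1).strip()
        if attr == "type" and value not in KNOWN_TYPES:
            raise ValueError(f"{value!r} is not a CTD asset type (expected e.g. 'ePLC')")
        attrs[attr] = value
    return attrs


if __name__ == "__main__":
    m = load_matcher(MATCHER_JSON)
    print("port:", target_port(m))
    print(apply_matcher(m, ROCKWELL_RESPONSE))  # all six attributes
    print(apply_matcher(m, OTHER_RESPONSE))     # None: verify failed, nothing parsed
```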
4.2.1.2. Links
https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers
https://www.softpedia.com/get/Network-Tools/Misc-Networking-Tools/SnmpWalk.shtml
JSON
SNMP
HTTP
Banner
WSD
1. Navigate to the Active Detection query configuration tab under Configuration > Data
Sources > Active Detection > Queries tab.
3. Provide a name for the query, and in Type dropdown menu, select “IoT Query”
4. Choose a Sub-Type
5. Enable the Recurring Task toggle button.
6. Choose the Start and Expire date.
7. Choose Run Every (hour, day, or week).
8. Choose the Time Frame (From and the To time).
9. Click Create.
1. Navigate to the Active Detection query configuration tab under Settings > Extended Discovery > Active Detection > Tasks
2. Click Add New Task to open the New Task popup:
3. Provide a name for the task and select your desired Task Type in the dropdown menu.
4. Choose the Network from the dropdown menu.
5. Enable the Recurring Task toggle button.
6. Choose the Start and Expire date.
7. Choose Run Every (hour, day, or week).
8. Choose the Time Frame (From and the To time).
9. Click Create.
using Active Task and Query, or passively by listening to traffic sent from/to the IoT asset that
discloses the required asset information.
To configure IoT Matchers using Active Task and Query, follow these steps:
In the following example, a Vending Machine was classified, and its Virtual Zone, Risk Level, Type,
Criticality, and Class were obtained:
2. From the dropdown, ‘Assign learned assets to network’, select the network:
3. Click Choose file to browse the relevant files; repeat this step as needed:
• The system displays the filename/s of the uploaded files, including their sizes.
4. Click Start Parsing.
5. The system displays the status of the files on the bottom of the One-time parsing area:
6. Navigate to the Visibility > Assets. Then show the Parsed Assets column in the table by
clicking the More menu in the tool bar, selecting Select Columns, and selecting the
Parsed Asset item from the Select Columns list.
Figure 21. Selecting the Parsed Assets column for the Assets View
1. Navigate to the Recurring Parsing area of Settings > Data Sources > App DB.
2. Provide the Configuration Projects path. After you type a valid path, the Test button
becomes enabled.
This input is mandatory. This can be either a local path on the CTD Server or a Share on a
remote Windows machine. Use the Fully Qualified Domain Name (FQDN) format to specify the
share (for example \\1.1.1.1\share).
For the local path:
• You must provide permissions for the lkpo user for this path/folder.
• The folder should be above and outside of the "root" folder, and the folder's ownership
should be given to user 'lkpo'.
• The commands needed to create a usable folder are as follows:
cd /
mkdir <local folder name>
sudo chown -R lkpo /<local folder name>/
3. Username – If the share is protected with an account, enter the username.
4. Password – If the share is protected with an account, enter the password.
5. Provide the Interval (in hours). The Read files from path every (hours) determines how
often the system checks for new configuration projects. This input is mandatory. The default is
1 hour.
• The set interval enables users to control the overhead on the system and balance it with the
speed at which it parses the configuration projects. As soon as these assets are parsed, the
system onboards the assets and logs the activity.
6. Select the Network from Assign learned assets to network in which the onboarded assets
will be assigned. This input is mandatory. It defaults to the default network.
7. Retain Old Files (in MB). Set the limit in MB for the maximum space for retaining old files.
After the parsing process is done and all relevant data has been extracted from the configuration file, the file is moved automatically to an Old folder.
8. Click the Test button to check that the Configuration Projects path you provided (in Step 2) points to a valid folder on the machine and that both read and write permissions were given.
ABB AC800M ABB AC 800M Compact Control Builder Directory with *.con and *.hwu files
CodeSys V3 ZIP/PROJECT
Generic
GP-4000
SP-5000
LT-3000
LT-4000
4.4.1. PREREQUISITES
• Only users with admin rights working on a Site can use the Import Asset feature.
• Select a site. If you are working in the EMC, select a target site before proceeding:
4.4.1.1. Recommendations
• Instead of building the CSV file from scratch, download your existing asset list, from the Assets
Page, to minimize input errors. Then, modify the CSV file.
Figure 26. CSV File with Default Columns highlighted in Red; system added columns 'Asset ID', 'Site ID', 'Is Ghost' in Blue
3. Choose the TestFile button to check the validity of your CSV file.
4. Check the Test Summary output to determine the success of the Import Assets operation.
• This response tells you how many assets will be imported successfully; how many are
expected to fail; and the reasons for any failures.
IMPORTANT
Claroty recommends that users use the Test feature to determine the success of their CSV file. The Import operation displays the results in the same manner as the 'Test' feature.
5. If necessary, modify your CSV input file according to the Summary output and repeat the Test
step.
6. After you are satisfied with the test summary results, press the Import button to implement
your changes.
For more details on the Summary Results, see Summary Results (page 156).
NOTE
If the system is in Operational mode when the CSV file is imported, it is possible that
New Asset alerts or Information Change alerts will be displayed.
The alerts raised will need to be approved; until these approvals are done, the
system will not honor the new values.
4.4.3. TABLE & GUIDELINES FOR STRUCTURING THE CSV IMPORT FILE
Table 110. CSV Import Table: Parameters whose Values can be Modified
Display Name
Meaning The display name for the asset
Format Text
Example 10.91.6.91
High
Custom Attributes
Meaning Any user defined custom attributes. See notes: Custom Attributes (page 155)
Format List
Values As configured by Admin and defined by user
Example LOB
OS
Meaning The Operating System for this asset
Format List
Example See notes: Supported Operating Systems - Passive (page 165)
Virtual Zone
Meaning The name of the assigned virtual zone. See notes: Custom Attributes (page 155)
Format Text
Example PLC: Rockwell
Additional values can be added for these properties (except for VLAN)
NOTE
No additional values for VLAN are possible.
DEFAULT PARAMETERS
These parameters can be modified, but preference is given to the information obtained from sniffing/active query/
etc.
WARNING
Any changes to these parameters will be ignored
Active Queries Queries used to actively monitor the system and discover assets Not supported
Class Whether the asset is a security (IT) or an ICS (IOT) type device or an Internet of Things (IoT) device Not supported
First Seen The first date and time this asset was seen in the communication in the network Not supported
Last Seen The last date and time this asset was seen in the communication in the network Not supported
Old IPs List of previous identified IPs for this asset Not supported
Parsed Asset Whether this asset was identified by sniffing the network or from parsing a configuration file (Yes/No) Not supported
Protocols The list of protocols that the asset uses for communication Not supported
Risk Level The risk level assigned to this asset; How often the asset generates alerts, and the severity of these alerts Not supported
NOTE
The asset can only be overridden by the Admin.
• However, on free text fields, the UI will display the exact parameter names and capitalization.
• Empty fields will be ignored by the system, whether they are any of the following:
• Blank
• A dash (-)
• ‘N/A’
• Max Length of text fields – 256 characters
• Changing these values in the imported CSV file will have the same effect as changing these fields
from the UI. The new value will be kept unless you change it again.
• Type – The specific type of asset; includes IoT types in addition to IT and OT ones. The system
derives the Class based on the Asset Type.
• The system gives preference to the information it can obtain from the sniffing or from an active
query. The system will only take the information from the imported CSV file for these default
values when it cannot get the information from any other source.
• If an asset’s Firmware is changed through the Import CSV, when the system sniffs this asset
again in Operational mode, if it conflicts with the data supplied via the CSV, it will raise an Asset
Information Change alert.
• Network
• Network is always a mandatory column
• Note there may be only one network.
• When only the Default network exists, the network column should be present, and labelled
‘Default’.
• An entry without a network value will result in an error.
• When a new network is added, the Administrator must associate assets to it.
• When parsing an asset from one network to another, the system will duplicate it and not
move it between the networks.
• Key Parameters - Asset ID and Site ID:
• Asset ID and Site ID are used to uniquely identify the asset for the CSV.
• Rack Slots and Nested Devices use these keys to correlate information.
NOTE
The tool is not intended for editing multiple IPs and MACs simultaneously. A
common consequence of this is merging assets unintentionally.
• Adding new assets with multiple IP and MAC addresses simultaneously is supported as follows:
• Multiple IPs work with a single MAC
• A single IP with Multiple MACs works
• A combination of a new asset with both. It will only consider the newly added IPs
• Editing assets with multiple IP and MAC addresses simultaneously is supported as follows:
• All the information should be added only to the first IP address
• The first MAC address is taken when no IP address previously exists
• When there is no MAC address, it gets added to the asset by its Asset ID
• If a user makes a mistake in the Import CSV, delete the specific asset/s via the UI and import
it/them again.
• If a virtual zone already exists for an asset being imported via CSV, the zone is editable.
• New assets can be added to the existing zones.
• Assets can be moved between zones.
• You cannot create a virtual zone via the CSV.
• There should not be a Virtual Zone column in the CSV when importing assets for a new site or
when you want to import new assets without assigning them to pre-existing zones.
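As an added example, not Claroty code, the following Python pre-flight check applies the import guidelines above (mandatory Network column and value, ignored blank/dash/N/A cells, 256-character text limit, no Virtual Zone column for a new site, Asset ID and Site ID as the row key, and the non-importable default parameters plus Hostname) to a CSV file before it is uploaded. The column names are assumed to match the parameter names in this guide, and the sample file is constructed.

```python
"""Pre-flight check for a CTD asset CSV import file.

Added example, not Claroty code. It applies the guidelines stated in the
guide before a file is uploaded: the Network column is mandatory and every
row needs a value; blank, '-' and 'N/A' cells are ignored; text fields are
limited to 256 characters; a Virtual Zone column must not be present when
importing to a new site; Asset ID and Site ID identify the asset; and the
default parameters (First Seen, Risk Level, ...) plus Hostname cannot be
changed by import. Column names are assumed to match the parameter names.
"""
import csv
import io

EMPTY_MARKERS = {"", "-", "N/A"}                 # cells the system ignores
MAX_TEXT_LEN = 256                               # max length of text fields
TEXT_FIELDS = ("Display Name", "Virtual Zone")   # assumed text columns
KEY_FIELDS = ("Asset ID", "Site ID")             # row key used by the import
# Columns listed as "Not supported" under Default Parameters, plus Hostname
READ_ONLY_FIELDS = ("Active Queries", "Class", "First Seen", "Last Seen",
                    "Old IPs", "Parsed Asset", "Protocols", "Risk Level",
                    "Hostname")


def is_empty(value):
    """True when CTD would ignore the cell (blank, dash or N/A)."""
    return value is None or value.strip() in EMPTY_MARKERS


def parse_rows(text):
    """Read the CSV text into a list of row dicts keyed by header name."""
    return list(csv.DictReader(io.StringIO(text)))


def check_import_csv(text, new_site=False):
    """Validate CSV text; returns (errors, warnings) as lists of strings.

    errors   -> conditions the guide says cause an import error
    warnings -> edits the guide says will be silently ignored
    """
    errors, warnings = [], []
    reader = csv.DictReader(io.StringIO(text))
    header = reader.fieldnames or []

    if "Network" not in header:
        errors.append("missing mandatory 'Network' column")
    if new_site and "Virtual Zone" in header:
        errors.append("'Virtual Zone' column must be absent when importing "
                      "assets to a new site")
    for col in KEY_FIELDS:
        if col not in header:
            warnings.append(f"missing key column '{col}'; rows cannot be "
                            "matched to existing assets")
    for col in READ_ONLY_FIELDS:
        if col in header:
            warnings.append(f"column '{col}' is not importable; its values "
                            "will be ignored")

    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        if "Network" in header and is_empty(row.get("Network")):
            errors.append(f"line {lineno}: empty Network value")
        for col in TEXT_FIELDS:
            value = row.get(col)
            if col in header and not is_empty(value) and len(value) > MAX_TEXT_LEN:
                errors.append(f"line {lineno}: '{col}' exceeds "
                              f"{MAX_TEXT_LEN} characters")
    return errors, warnings


def effective_changes(row):
    """Return only the cells of one row that the import would actually apply."""
    return {k: v for k, v in row.items()
            if k is not None and not is_empty(v)}


# Constructed sample file; values are placeholders, not from the guide.
SAMPLE_CSV = (
    "Asset ID,Site ID,Network,Display Name,Hostname,Risk Level\n"
    "1,1,Default,PLC-01,plc01,High\n"
    "2,1,,HMI-02,,\n"
    "3,1,Default,-,hmi03,N/A\n"
)

if __name__ == "__main__":
    errs, warns = check_import_csv(SAMPLE_CSV)
    print("errors:", errs)
    print("warnings:", warns)
```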
4.4.4.9. Model
If an asset’s Model number is changed through the Import CSV, when the system sniffs this
asset again in Operational mode, if it conflicts with the data from the CSV, it will raise an Asset
Information Change alert.
4.4.4.10. Hostname
The Hostname is not editable, even if it is from a new asset.
NOTE
‘Success’ means the system added these assets to the queue for processing.
The Summary Results pop-up displays the number of assets successfully onboarded and the number of assets that failed, with the relevant failure message.
NOTE
CTD can import an asset that has no data other than its network. In this case, it is imported as ‘Asset# ‘.
Message | Meaning/Resolution/Notes
Network <network name> does not exist and cannot be used | The network name in the CSV file is not configured in the CTD as a valid network
Network <network name> does not exist | The selected CSV file is empty
Invalid CSV structure | Please use the same structure as the asset CSV report; see Guidelines for Structuring the CSV Import File (page 133)
Internal errors while processing asset details | Check that the CSV file meets the guidelines for structuring the file.
Figure 31. Setting up the Assets View Page with the Relevant Parameters
2. Press More > Download to export your existing assets from the Assets Page.
• Choose the CSV format.
• Only choose the Rack Slots and/or Nested Devices options when you intend to modify
them.
NOTE
If you choose Nested Devices, ensure you include the Address parameter in
the Assets Page display before downloading (it is not a default parameter).
• The resulting file will contain your current assets inside a file with the valid CSV structure.
• Pressing Download will download selected assets or filtered assets. If you select assets, it
shows only the selection from the partial filtered list.
If you don’t select assets, it downloads all the assets in the specific applied filter.
3. Open and modify the exported CSV file while retaining the existing structure.
• Be careful to only modify the parameters that you need to change
• Beware that a change you make in the CSV file will only be applied if the input conditions
are met as per Parameter Details.
In versions 4.3.2 and previous of CTD, user groups were assigned access on a site-by-site basis to
an entire site or to groups of assets on a site. The permission also specified Admin, Write, or Read
access to the site or assets.
In version 4.4.0 and above of CTD, user groups can not only be assigned access to specific sites
and groups of assets, they can also be restricted to the areas of CTD that they can access and what
they are permitted to do in those areas.
When upgrading from version 4.3.2 and below to version 4.4.0 and above, permissions are as-
signed as follows:
Visibility | Manage
Investigation | Manage
Settings | Denied
For further information about permissions in version 4.4.0 and above, see Assigning Role-based
Permissions (RBAC) to Groups in the Administration Guide.
Source | Destination | Port / Service | Purpose | Direction
Customer Network | EMC | HTTPS (443) | Access to the EMC web interface | Inbound
Customer Network | EMC | SSH (22) | Access to the EMC CLI | Inbound
EMC | Multiple Services | Multiple Services | SRA, DNS, LDAP, NTP, SMTP, etc | Outbound
CTD | EMC | SSH (22) (Default) | Reverse SSH Tunnel between the Site and the EMC | Inbound (EMC)
CTD | EMC | SSL (443) (If configured) | Reverse SSH Tunnel between the Site and the EMC | Outbound (Site)
CTD Site
Customer Network | CTD | HTTPS (443) | Access to the CTD web interface | Inbound
CTD | Multiple Services | Multiple Services | SRA, DNS, LDAP, NTP, SMTP, etc | Outbound
CTD | EMC | SSH (22) (Default) | Reverse SSH Tunnel between the Site and the EMC | Inbound (EMC)
CTD | EMC | SSL (443) (If configured) | Reverse SSH Tunnel between the Site and the EMC | Outbound (Site)
Sensor | CTD | SSH (22) (Default) | Reverse SSH Tunnel between the Sensor and the CTD | Inbound (CTD)
Sensor | CTD | SSL (443) (If configured) | Reverse SSH Tunnel between the Sensor and the CTD | Outbound (Sensor)
Sensor
Customer Network | Sensor | SSH (22) | Access to the Sensor CLI | Inbound
Sensor | CTD | SSH (22) (Default) | Reverse SSH Tunnel between the Sensor and the CTD | Inbound (CTD)
Sensor | CTD | SSL (443) (If configured) | Reverse SSH Tunnel between the Sensor and the CTD | Outbound (Sensor)
Edge
CTD | Edge Host | SSL (443) | Sending processed Edge file to CTD | Inbound
NOTE
Edge can be run offline and saved to a file, which does not require the above connectivity.
7. System Boundaries
The system boundaries show the data collection boundaries status, baselines retention, and the
number of sensors you can use.
NOTE
The red status occurs only in uncommon situations.
NOTE
The limits are configurable via the CLI.
NOTE
CTD is optimized for display resolutions of 1680 X 1050 and higher.
Baselines | Baselines not active in the system are removed after one month. This affects all the system components such as Insights and Assets.
NOTE
If you need to save inactive Baselines for more than a month, contact Claroty Support for
assistance with configuration via the CLI.
Assets Inactive Assets are deleted from the system if last seen under the following conditions:
• IT and IoT Assets - If last seen more than 12 months ago on an internal subnet, or more than 6 months ago
on an external or out-of-scope subnet
• OT Assets - Retained regardless of date last seen
• Ghost Assets - If last seen more than 3 months ago
NOTE
This limit does not cover Sensor Lite integrations, which are limited by the accumulated bandwidth aggregated by all Sensor Lites.
If an adjustment is required to these settings, contact your Claroty Support representative for
assistance.
CTD passively detects traffic from all devices in the network, and can identify many device operat-
ing systems from passive traffic only.
For other devices, further information can be captured through other means, such as Active
Detection, AppDB, or Edge.
The following passive protocols are supported by CTD. Not all of them are configured by default.
For information on configuring the protocols, see Configuring Passive Protocols in CTD User Guide.
NOTE
In most cases, when CTD intercepts OS from passive protocols, the information in
the packet will just be the version number (such as, 5.0, 6.1). CTD then translates it
to the OS name (6.1 --> Windows 7/Server 2008 R2).
You can see the mapping of the version number and OS name in the following link:
https://docs.microsoft.com/en-us/windows/win32/sysinfo/operating-system-version
Protocol Vendor
B32 Enedis
BACNET -
Bailey ABB
BSAP Bristol
CAPWAP -
CIP Rockwell
Citect HMI -
Codesys V2 Codesys
CodesysV3 Codesys
CoLa-A SICK
Cotp -
Cspv4 -
DACP Willowglen
DeltaV Emerson
DHCP -
Digsi5 Siemens
DLMS COSEM -
DNP3 -
E-Terra Alstom
E-Terra Workstation -
ENIP Rockwell
EtherCAT Beckhoff
Ethernet POWERLINK -
ETHERNET/IP -
FINS Omron
FactoryTalk RNA -
GE PAC8000 (AXE) GE
GE QuickPanel (TRAPI+HTTP) GE
GE SDI (MarkVie) GE
GE SRTP GE
GE-ALM GE
GE-EGD GE
GE-EGD-CMP GE
GE-iFix GE
HART-IP -
HiDiscovery Hirschmann
HP Switch HP
HTTP -
IEC101 -
IEC103 -
IEC104 -
IQ3 Trend
Knapp Knapp
Kongsberg Kongsberg
LLDP -
Melsec Mitsubishi
Melsoft Mitsubishi
Microsoft RDP -
Microsoft SAMR -
MMS (IEC-61850/ICCP/TASE.2) -
MNDP Mikrotik
Modbus -
Modbus Execload -
Modbus GE Enervista GE
Modbus Xinje
MQTT -
NASNavigator Buffalo
NDP Nortel
NMEA-0183 NMEA
Odeq Yokogawa
OPC-DA -
OPC-UA
OPTO OPTO
Ovation Emerson
OvationRPC Emerson
P2 Siemens
PCCC Rockwell
PCWin Toyoda
PI1 OSISoft
PI3 OSISoft
POP3 -
Portwell Portwell
Profinet DCP -
Profinet I/O -
Profinet Real-Time -
Prosoft Discovery -
PRP -
PTP -
Radius -
RCDP Ruggedcomm
RNRP ABB
RTCP -
S7Comm Siemens
Sattbus -
SBUS SAIAS
SECSGEM -
SIP -
SNMP -
Spirit ABB
SSH -
Synchrophasor -
TDS Microsoft
TFTP -
Totalflow ABB
Tridium Niagara
UDLD Cisco
VNC -
WAGO WAGO
X-Pact Data -
The following are common questions asked about data encryption and password management in
CTD.
Are there any hard-coded passwords (encrypted or not) in the product code? If so, how can
they be changed during installation?
• Admin user and password - Configured during installation. Stored in the DB, encrypted with RSA
algorithm
• Bootstrap password - Set by the user during installation
• DBs passwords - Can be configured in the lkpo.conf file
What is the encryption level (or technology) used to store any password within the CTD per
application/module?
• Passwords are stored in the DB and encrypted with the best practice RSA encryption algorithm.
What is the encryption level (or technology/protocol) used when credential passwords are
sent over the network?
Does CTD transfer any type of password in cleartext over the network using insecure proto-
cols such as HTTP, LDAP, FTP, or Telnet?
• CTD does not transfer any data under any circumstances using cleartext.
Activity Types
Active Baseline
Alert Acknowledged
Alert Assign
Alert Enrichment
Alert Ignored
Alert New
Alert Non-Relevant
Alert Resolved
Alerts Resolved
Asset Changed IP
Comment Add
Communication Down
Communication Up
Message
Policy Invalidated
Policy Updated
Policy Validated
Rule Added
Site Down
Site Up
Training Mode On
13.1. Introduction
CTD can be configured to send Syslog messages to external tools such as SIEM solutions, analytic
tools, and log collectors. Syslog messages can be configured to be sent automatically for:
• Alerts
• Events (of which an alert is composed)
• Insights
• System health monitoring information.
NOTE
Since Syslog is essentially a real-time solution, there might be mismatches between
Syslog logs and data that was subsequently updated in CTD.
The system can send the above configured messages to Syslog, allowing users to connect CTD
data into 3rd party systems such as SIEMs and System Management Tools.
NOTE
Currently TLS 1.2 is supported through Syslog.
SYSLOG CONFIGURATION
For information on Syslog configuration, see Configuring Syslog Integration in the CTD Admin Guide.
IMPORTANT
Prior to CTD 4.3.0, the CEF format did not fully align with the CEF Specification
and as a result created parsing errors. As part of the 4.3.0 release, we rebuilt the
CEF format to align with the industry specification. The previous CEF format was
renamed "CEF (Legacy)" and is being retained to minimize any integration disruption
during upgrades. We recommend that all customers reconfigure their syslog logging
to use the new CEF format going forward. The CEF Legacy format is not being
supported going forward and will be removed altogether in a later release.
Each CEF message consists of 3 parts: the Syslog prefix, the CEF Header, and the CEF Extensions. For
example:
1 CEF CEF
• Event/Baseline Deviation
• Event/Host Scan
For Insights:
• Insight Name
8 | Severity (between 0 - 10) | CTD uses these default severity values to map Alerts, Events and Insights:
• 2 = Low
• 5 = Medium
• 7 = High
• 10 = Critical
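As an added example, not Claroty code, the following Python parser splits a message with this three-part layout into the syslog prefix, the seven CEF header fields and the extension, unescapes them per the CEF specification, pairs each csNlabel/cnNlabel with its value, and maps the severity to the default scale above. The sample line, its vendor/product/version header values and the addresses in it are constructed.

```python
"""Parse a CTD CEF syslog message into prefix, header and extension.

Added example, not Claroty code. The three-part layout, the extension keys
(src, dst, smac, dpt, cs1label/cs1, cn2label/cn2, cs6, msg) and the default
severity scale 2/5/7/10 come from the guide; the escaping rules (\\| in the
header, \\= and \\\\ in extension values) are those of the CEF specification.
The sample line and its vendor/product/version values are constructed.
"""
import re

# Default severity values CTD uses for Alerts, Events and Insights (guide)
SEVERITY_NAMES = {2: "Low", 5: "Medium", 7: "High", 10: "Critical"}
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature", "name", "severity")

_PIPE = re.compile(r"(?<!\\)\|")           # unescaped header separator
_KEY_START = re.compile(r"\s+(?=\w+=)")    # whitespace right before "key="


def _unescape(value):
    """Drop the backslash from any escaped character (\\|, \\=, \\\\)."""
    return re.sub(r"\\(.)", r"\1", value)


def severity_name(level):
    """Map a CTD severity integer to its name; unknown levels are reported."""
    return SEVERITY_NAMES.get(level, f"Unknown({level})")


def parse_cef(line):
    """Return a dict with prefix, header, extension and label-resolved fields."""
    marker = line.find("CEF:")
    if marker < 0:
        raise ValueError("not a CEF message")
    prefix = line[:marker].rstrip()                 # syslog prefix, may be empty
    parts = _PIPE.split(line[marker + 4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    try:
        header["severity"] = int(header["severity"])
    except ValueError:
        pass                                        # keep the raw text

    # Extension: "key=value" pairs separated by whitespace; values may
    # contain spaces, and a literal "=" inside a value is escaped as "\=".
    extension = {}
    for token in _KEY_START.split(parts[7].strip()):
        key, _, value = token.partition("=")
        extension[key] = _unescape(value)

    # cs1label=SourceAssetType + cs1=PLC  ->  labeled["SourceAssetType"] = "PLC"
    labeled = {}
    for key, label in extension.items():
        if key.endswith("label") and key[:-5] in extension:
            labeled[label] = extension[key[:-5]]

    return {"prefix": prefix, "header": header, "extension": extension,
            "labeled": labeled,
            "severity_name": severity_name(header["severity"])}


# Constructed sample message; addresses, IDs and URL are placeholders.
SAMPLE = ("Mar 29 10:18:55 ctd-site1 CEF:0|Claroty|CTD|4.8.0|"
          "Alert/Known Threat|Known Threat Alert|7|"
          "src=10.0.0.5 smac=00:11:22:33:44:55 dst=10.0.0.9 dpt=445 "
          "cs1label=SourceAssetType cs1=Engineering Station "
          "cs2label=DestAssetType cs2=PLC cn2label=AlertID cn2=60 "
          "cs6=https://ctd.example/alert/60-1 msg=matched rule\\=hatman")

if __name__ == "__main__":
    parsed = parse_cef(SAMPLE)
    print(parsed["header"]["name"], parsed["severity_name"], parsed["labeled"])
```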
Examples:
IMPORTANT
Only use keys that are explicitly listed in the table.
NOTE
These alerts are not sent by default because they can cause performance issues.
If your organization needs these alerts to be sent, contact Claroty Support for
assistance.
Key | Description | Example
src | The IPv4 address of the primary asset involved in the event. | src=123.45.56.78
c6a2=SourceIPv6 Address | The IP address of the primary (source) asset involved in the insight (if IPv6) | c6a2=SourceIPv6 Address c6a2=[addr]
smac | The MAC address of the primary asset involved in the event |
dst | The IPv4 address of the secondary asset involved in the event. If multiple destinations exist for the alert, do not include them | dst=123.45.56.78
c6a3=Destination IPv6 Address | The IP address of the destination asset involved in the event (if IPv6) | c6a3=Destination IPv6 Address c6a3=[addr]
cs1label=SourceAssetType | The asset type of the primary asset, e.g. Engineering Station | cs1label=SourceAssetType
cs2label=DestAssetType | The asset type of the secondary asset, e.g. Engineering Station | cs2label=DestAssetType
cs3=Manufacturing
cs6=https://[insert ctd url to alert]
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Alert/Test
Name | The type of event. | Test Alert
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 0
• 2 = Low
• 5 = Medium
• 7 = High
• 10 = Critical
start | The alert creation timestamp | May 12 2021 17:28:33
Key | Description | Example
src | The IPv4 address of the primary asset involved in the event. | src=123.45.56.78
c6a2=SourceIPv6 Address | The IP address of the primary (source) asset involved in the insight (if IPv6) | c6a2=SourceIPv6 Address c6a2=[addr]
smac | The MAC address of the primary asset involved in the event |
dst | The IPv4 address of the secondary asset involved in the event. If multiple destinations exist, do not include them | dst=123.45.56.78
c6a3=Destination IPv6 Address | The IP address of the destination asset involved in the event (if IPv6) | c6a3=Destination IPv6 Address c6a3=[addr]
dpt | Destination Port; if multiple destination ports exist this key will not be logged | dpt=443
cs1label=SourceAssetType | The asset type of the primary asset, e.g. Engineering Station | cs1label=SourceAssetType
cs2label=DestAssetType | The asset type of the secondary asset, e.g. Engineering Station | cs2label=DestAssetType cs2=[Asset Type]
cs3=Manufacturing
cs4=Manufacturing
cn2label=AlertID | Alert reference for any events that map to an alert | cn2label=AlertID cn2=Alert#
cn2=AlertID
cs6=https://[insert ctd url to related alert]
filepath | The filepath for the suspicious file transfer | filepath = filename
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Event/Test
Name | The type of event. | Test Event
Severity | The degree of impact of the event, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 0
• 0 = Test purposes
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
start | The alert creation timestamp | May 12 2021 17:28:33
Key | Description | Example
c6a2=SourceIPv6 Address | The IP address of the primary (source) asset involved in the insight (if IPv6) | c6a2=SourceIPv6 Address c6a2=[addr]
c6a3=Destination IPv6 Address | The IP address of the destination asset involved in the insight (if IPv6) | c6a3=Destination IPv6 Address c6a3=[addr]
cs#=CVE-2017-3803
cfp1=4.7
Software Login
Enhancements Login
cs1label=SourceAssetType | The asset type of the primary asset, e.g. Engineering Station | cs1label=SourceAssetType cs1 = [Asset Type]
cs2label=DestAssetType | The asset type of the secondary asset, e.g. Engineering Station | cs2label=DestAssetType cs2=[Asset Type]
cs3=Manufacturing
cs4=Manufacturing
IMPORTANT
The CEF (Legacy) formatted messages do not comply with the CEF specification and
will not be fully parsed by SIEMs. Customers can leverage them on an "as is" basis
and should expect these formats to be removed from the product at a later date.
NOTE
In Syslog CEF legacy, the maximum number of assets supported per alert is 10.
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Alert
Name | The type of event. | Known Threat Alert
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 5 (An alert is considered critical if its calculated score is in the highest 20% of the section above the threshold)
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
SiteID | The ID of the site | 1
Parameters: The format of the list of parameters is:
where:
• Resolved or Unresolved
Src Zone | The source zone | Default Zone
Dst Zone | The destination zone | Default Zone
Category | The type of event: Integrity or Security | Security
AlertURL | The URL for this alert | http://<IP.Address>/alert/1-1 outcome=Unresolved request=http://<IP.Address>/alert/1-1
Alert Score | The score for this alert | 100
NOTE
The Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
NOTE
The Non-Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Alert
Name | The type of event. | Login
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 5 (An alert is considered critical if its calculated score is in the highest 20% of the section above the threshold)
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
SiteID | The ID of the site | 1
where:
Site | The Site from which the message is being sent. | site-1
• Resolved or Unresolved
Src Zone | The source zone | Endpoint: Other
Dst Zone | The destination zone | Endpoint: Other
Category | The type of event: Integrity or Security | Security
AlertURL | The URL for this alert | https://10.91.2.188/alert/14-1 outcome=Unresolved request=https://10.91.2.188/alert/14-1
Alert Score | The score for this alert | 100
NOTE
The Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as: ip1, ip2, ip3 …
NOTE
The Non-Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as: asset1_ip1, asset1_ip2, asset1_ip3, …; asset2_ip1, asset2_ip2, asset2_ip3, …;
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Alert
Name | The type of event. | Configuration Download
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 5 (An alert is considered critical if its calculated score is in the highest 20% of the section above the threshold)
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
Timestamp | The timestamp of the alert | rt=Nov 01 2020 11:04:44
SiteID | The ID of the site | 1
where:
Site | The Site from which the message is being sent. | site-1
• Resolved or Unresolved
Src Zone | The source zone | Engineering Station: Rockwell
Dst Zone | The destination zone | Rockwell
Category | The type of event: Integrity or Security | Integrity
AlertURL | The URL for this alert | https://10.91.2.188/alert/40-1 outcome=Unresolved request=https://10.91.2.188/alert/40-1
Alert Score | The score for this alert | 100
NOTE
The Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
NOTE
The Non-Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Alert
Name | The type of event. | Host Scan
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 5 (An alert is considered critical if its calculated score is in the highest 20% of the section above the threshold)
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
SiteID | The ID of the site | 7
Parameters: The format of the list of parameters is:
where:
• Resolved or Unresolved
Src Zone | The source zone | 10.77.109.0/24 -Endpoint: Other
Dst Zone | The destination zone | 10.77.119.0/24 -Endpoint: Other
Category | The type of event: Integrity or Security | Security
AlertURL | The URL for this alert | https://claroty/alert/286659-71 outcome=Unresolved request=https://claroty/alert/286659-71
Alert Score | The score for this alert | 100
NOTE
The Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as: 84:a9:3e:8c:6d:86, c8:d3:ff:bc:46:0c
PrimaryAssetOS | The OS of the primary asset | Windows 10/Server 2016
PrimaryAssetVendor | The vendor of the primary asset | Hewlett Packard
NOTE
The Non-Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
NOTE
In scan alert types, the dst asset data is “multiple assets” to avoid spam and to comply with the CEF format.
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Alert
Name | The type of event. | Suspicious File Transfer
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 5 (An alert is considered critical if its calculated score is in the highest 20% of the section above the threshold)
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
SiteID | The ID of the site | 1
where:
Site | The Site from which the message is being sent. | Default
• Resolved or Unresolved
Src Zone | The source zone | Endpoint: Other
Dst Zone | The destination zone | Endpoint: Other
Category | The type of event: Integrity or Security | Security
AlertURL | The URL for this alert | http://<IP.Address>/alert/60-1 outcome=Unresolved request=http://<IP.Address>/alert/60-1
Alert Score | The score for this alert | 100
NOTE
The Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
NOTE
The Non-Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
known_threats/yara_exported_files/matched_yara_files/1/smb/1597600276270606_0.bin
Key | Description | Example
src | The IP address of the primary asset involved in the event | 10.20.6.205
smac | The MAC address of the primary asset involved in the event | f0:18:98:66:5a:0c
shost | The host name of the primary asset involved in the event | N/A
dst | The IP address of the secondary asset involved in the event | 10.10.10.10
dmac | The MAC address of the secondary asset involved in the event | N/A
dhost | The host address of the secondary asset involved in the event | N/A
externalId | The ID of the alert which this event is part of. | 60
cat | The type of notification, depending on whether this event is a new event in the system (Create) or an existing event being updated (Update) | Create
rt | The timestamp of the current time (not of the alert) | Nov 17 10:18:55
start | The alert creation timestamp | Oct 12 2020 17:28:33
msg | The message containing the description of the event | Suspicious file transfer found! File '/Teams/QA/all/imain.bin' was transferred via 'smb' and matched the following Yara rules: ['ics_cert_hatman.yara/hatman_payload', 'ics_cert_hatman.yara/hatman'], Transferred from 10.20.6.205
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Alert
Name | The type of alert. There are several types of alerts (e.g. ‘baseline deviation’, ‘new asset’, ‘configuration downloaded to PLC’, ‘known attack signature detected’, etc.). See Common Alerts. | New Asset
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 5 (An alert is considered critical if its calculated score is in the highest 20% of the section above the threshold)
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
SiteID | The ID of the site | 1
Parameters: The format of the list of parameters is:
where:
• Resolved or Unresolved
SiteID | The ID of the site | 1
Src Zone | The source zone | Endpoint: Other
Dst Zone | The destination zone | Endpoint: Other
Category | The type of event: Integrity or Security | Integrity
AlertURL | The URL for this alert | https://10.91.1.20/alert.105-1
Alert Score | The score for this alert | 80
NOTE
The Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
NOTE
The Non-Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as: asset1_ip1, asset1_ip2, asset1_ip3, …; asset2_ip1, asset2_ip2, asset2_ip3, …;
NOTICE
An event with externalId 7 is associated with an alert with externalId 7.
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Event
Name | The type of event. | Protocol
Severity | The degree of impact of the alert, represented as an integer ranging from 2 to 5 where the Severity scale is as follows: | 5 (An alert is considered critical if its calculated score is in the highest 20% of the section above the threshold)
• 2 = Low severity
• 3 = Medium severity
• 4 = High severity
• 5 = Critical severity
Timestamp | The timestamp of the alert | rt=Nov 01 2020 11:04:44
SiteID | The ID of the site | 1
Parameters: The format of the list of parameters is:
where:
• Resolved or Unresolved
SiteID | The ID of the site | 2
Src Zone | The source zone | Engineering Station: Rockwell
Dst Zone | The destination zone | PLC: Rockwell
Category | The type of event: Integrity or Security | Integrity
AlertURL | The URL for this alert | https://10.91.1.186:5000/alert/25-2
Alert Score | The score for this alert | 100
NOTE
The Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
NOTE
The Non-Primary IP, hostname and MAC parameters support multiple values, with the full list of asset addresses output as:
Field | Description | Example
Signature | The category of the underlying object that the syslog refers to: Alert/Event/Baseline/Status Check/HealthCheck | Baseline
Name | The type of baseline | None
Approved | Whether this baseline is approved or not, represented as an integer of 0 or 1 where 0 = Baseline Approved, 1 = Baseline Unapproved | 1
SiteID | The ID of the site | 1
Parameters: The format of the list of parameters is:
where:
• Integrity/Security/Network/Other
Otherwise: NotTimed
FirstSeen | Timestamp of when the baseline was first detected | Aug 16 2020 17:50:52
src | The IP address of the primary asset involved in the event | N/A
smac | The MAC address of the primary asset involved in the event | 00:80:f4:12:8b:10
shost | The host name of the primary asset involved in the event | N/A
dst | The IP address of the secondary asset involved in the event | N/A
dmac | The MAC address of the secondary asset involved in the event | ff:ff:ff:ff:ff:ff
dhost | The host address of the secondary asset involved in the event | N/A
externalId | The ID of the alert which this event is part of. | 41
cat | The type of notification, depending on whether this event is a new event in the system (Create) or an existing event being updated (Update) | Create
rt | The timestamp of the current time (not of the baseline) | Nov 17 10:18:55
msg | The message containing the description of the event | msg=ARP : Gratuitous ARP for ipv4 address 84.18.139.16 with mac address 00:80:f4:12:8b:10
• Alert/Event/Baseline/Status Check/HealthCheck
Name | The name of the message | Sniffer Status
Severity | The severity of the status message. For a Sniffer Status alert, the Severity is always 3. | 3
• Site Down = 8
• Site up = 0
Timestamp | The timestamp of the event | rt=Nov 01 2020 11:04:44
SiteID | The ID of the site | 1
Parameters: The format of the list of parameters is:
where:
• Up or Down
rt | The timestamp of the status check | Jul 15 2020 09:04:53
msg | The message containing the description of the sniffer status check | interface ens224 is currently not receiving any packets
NOTE
The labeling in the values in this example changes according to the user’s running
environment.
where:
Disk Utilization
How frequently the particular disk partition is in use (as a percentage between 0 and 1)
busy_sda 0.84
busy_sda1 0.0
busy_sda2 0.84
busy_sr0 0.0
busy_dm-0 0.93
busy_sdb 0.19
busy_sdb1 0.19
The number of packets that are dropped when using this network interface
drop_ens192 0
drop_lo 0
Services Running
Queue Purges
Event Handling
The number of events that have not been handled by the system
unhandled_events 0
Conclusion Time
The number of events that have not been handled by the system
conclude_time 0
Logs Exceptions
Dropped Entities
The number of entities dropped by the system due to reaching the limit of number of entities
dropped_entities 0
Worker Info
The number of events that have not been handled by the system and status of specific workers
workers | The total number of workers (processes) in the system | 26
workers_stop | The total number of stopped workers | 0
workers_restart | The total number of workers restarted | 0
workers_info_mitre | Availability and last restart info for the Mitre worker | 'Not Available', 'last_restart': '5 min, 41 sec'
workers_info_sensor | Availability and last restart info for the Sensor worker | 'Available', 'last_restart': '5 min, 42 sec'
workers_info_web | Availability and last restart info for the Web worker | 'Available', 'last_restart': '5 min, 34 sec'
msg | The message containing the description of the health check monitoring test | Successfully ran health monitoring
This information is configured via the CLI only, and can be enabled by contacting Claroty Support.
• active_executor
• sensor
• authentication
• mailer
• mitre
• notifications (Syslog DB pollers, mail notifications)
• processor
• export_data
• export_data_puller
• cloud_agent
• cloud_client
• scheduler
• known_threats
• cacher
• insights
• active
• enricher
• indicators
• indicators_api
• concluder
• preprocessor
• leecher
• sync_manager
• bridge
• web
• configurator
• capsaver
• baseline_tracker
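The status-check and health-check messages described above are CEF syslog lines whose extension carries key=value pairs (rt=, msg=, and the busy_*, drop_*, workers_* metrics). The following Python is an added example, not code from the Claroty guide or the CTD product: it parses such a line into its header and extension, then applies a few operator-side checks (busy partitions, dropped packets, stopped or unavailable workers, sniffer problems, site up/down). The three sample lines are constructed; the CEF header columns, the siteId key, the way the health metrics are carried as extension keys, the "Status Check" message name and the 90% busy threshold are assumptions. The severity values for Sniffer Status (3), Site Down (8) and Site up (0) are the ones stated in the tables.

```python
import re

# Constructed sample lines, not captured output. Header columns, the siteId key
# and the metric-as-extension-key layout are assumptions for this example.
SAMPLE_SNIFFER_STATUS = (
    "CEF:0|Claroty|CTD|4.8.0|1001|Sniffer Status|3|"
    "rt=Jul 15 2020 09:04:53 siteId=1 "
    "msg=interface ens224 is currently not receiving any packets"
)
SAMPLE_SITE_STATUS = (
    "CEF:0|Claroty|CTD|4.8.0|1002|Status Check|8|"
    "rt=Nov 01 2020 11:04:44 siteId=1 msg=Site 1 is Down"
)
SAMPLE_HEALTH_CHECK = (
    "CEF:0|Claroty|CTD|4.8.0|1003|HealthCheck|0|"
    "rt=Jul 15 2020 09:05:00 siteId=1 "
    "busy_sda=0.84 busy_sda1=0.0 busy_dm-0=0.93 drop_ens192=0 drop_lo=0 "
    "unhandled_events=0 conclude_time=0 dropped_entities=0 "
    "workers=26 workers_stop=0 workers_restart=0 "
    "workers_info_mitre='Not Available', 'last_restart': '5 min, 41 sec' "
    "workers_info_sensor='Available', 'last_restart': '5 min, 42 sec' "
    "workers_info_web='Available', 'last_restart': '5 min, 34 sec' "
    "msg=Successfully ran health monitoring"
)

HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
SITE_STATUS_SEVERITY = {8: "site down", 0: "site up"}  # from the guide
BUSY_THRESHOLD = 0.9  # assumption: flag partitions at or above 90% busy


def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    # Header fields are pipe-separated; a literal pipe inside a field is escaped as \|
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-separated fields")
    event = dict(zip(HEADER_KEYS, (p.replace("\\|", "|") for p in parts[:7])))
    event["severity"] = int(event["severity"])
    # The extension is "key=value key=value ..."; values may contain spaces,
    # so split only where whitespace is followed by another key and '='.
    ext = {}
    for pair in re.split(r"\s+(?=[\w-]+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = value.replace("\\=", "=")
    event["ext"] = ext
    return event


def _num(value):
    """float() that returns None instead of raising on non-numeric text."""
    try:
        return float(value)
    except (TypeError, ValueError):
        return None


def health_findings(event, busy_threshold=BUSY_THRESHOLD):
    """Return the health-check metrics that deserve an operator's attention."""
    findings = []
    ext = event["ext"]
    for key, value in ext.items():
        number = _num(value)
        if key.startswith("busy_") and number is not None and number >= busy_threshold:
            findings.append(f"{key} busy {number:.0%}")
        elif key.startswith("drop_") and number is not None and number > 0:
            findings.append(f"{key} dropped {value} packets")
        elif key.startswith("workers_info_") and "'Not Available'" in value:
            findings.append(f"{key[len('workers_info_'):]} worker not available")
    # Counters that should stay at zero on a healthy appliance
    for key in ("workers_stop", "workers_restart", "unhandled_events", "dropped_entities"):
        count = _num(ext.get(key, "0"))
        if count is not None and count > 0:
            findings.append(f"{key}={ext[key]}")
    return findings


def triage(line):
    """Classify one status/health line; returns (name, severity, findings)."""
    event = parse_cef(line)
    name, severity = event["name"], event["severity"]
    if name == "Sniffer Status":
        # Severity is always 3 here; the msg text carries the actual problem.
        return name, severity, [event["ext"].get("msg", "")]
    if name == "HealthCheck":
        return name, severity, health_findings(event)
    if name == "Status Check":  # assumed name for the site up/down message
        return name, severity, [SITE_STATUS_SEVERITY.get(severity, "unknown")]
    return name, severity, []


if __name__ == "__main__":
    for sample in (SAMPLE_SNIFFER_STATUS, SAMPLE_SITE_STATUS, SAMPLE_HEALTH_CHECK):
        print(triage(sample))
```

The extension splitter relies on every key being followed directly by "=", which is why the worker-info values with their embedded commas and quotes survive intact; a receiver that tokenizes on whitespace alone would break them apart.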
CTD Inactive assets from the last week: Report with unicast assets that didn't communicate in the last week.
CTD Resolved alerts from the last week: Activities report for alerts that were resolved in the last week.
CTD Site connectivity from the last week: Site connectivity status from the last week (site up or down).
CTD New Alerts from the last week: Critical and High alerts that were created in the last week and their status.
CTD Alerts Ignored/Acknowledged from the last week: Activities of alerts that were marked as ignored or acknowledged in the last week.
CTD Top Risky Assets: This is a report for the top risky assets.
CTD Assets that talk with external IP: Unicast and remote assets that are talking with external assets. External IPs coupled with respective network interfaces expose the asset to users outside of the company's perimeter, enabling attackers to enter the OT network.
CTD Assets discovered in the last week: All assets discovered in the last week.
CTD Assets with unsecured protocols: All assets that are using unsecured protocols. Assets with unsecured protocols contain security weaknesses that attackers can leverage to compromise the network's security.
CTD Assets from the Industrial Security Zone: Assets in the industrial security zone (level 3).
CTD Assets with unpatched CVEs: All assets with unpatched vulnerabilities that have Full Match CVEs. These assets run software versions that are vulnerable and can be leveraged by attackers for various malicious purposes such as remote code execution, DDoS, etc.
CTD Assets performed Data Acquisition Write (Operated PLCs): All assets that performed data acquisition write. These assets should be considered as potential assets that can change the process by changing values.
CTD Assets using remote connections: All assets using remote connections.
CTD Assets from the Enterprise Security Zone: CTD assets from the Enterprise Security Zone and assets from the enterprise network (level 4 and level 5).
CTD Assets Changed IP in the last month: Activities about assets that changed their IP in the last month.
CTD Parsed Assets: All assets discovered as parsed assets via App DB.
CTD Insights Report: All open Insights (severity: High, Medium, Low)
Asset Types
Asset Type / Level
Autonomous Vehicle 0
Remote IO 0
Robot 0
UPS 0
Access Control 1
Controller 1
GPS Device 1
IED 1
Infusion Pump 1
Medical Device 1
Microscope 1
PLC 1
RTU 1
Smart Light 1
Vision Sensor 1
Firewall 1.5
Gateway 1.5
Networking 1.5
Router 1.5
Switch 1.5
Engineering Station 2
HMI 2
OPC Server 2
OT 2
SCADA Client 2
SCADA Master 2
SCADA Server 2
Vision Camera 2
Barcode Reader 2
Vision Controller 2
Broadcast 2.5
Cleaning Device 3
Data Logger 3
Endpoint 3
Home Assistant 3
Media Server 3
NTP Server 3
Proxy Server 3
Streamer 3
Syslog Server 3
User Console 3
User Workstation 3
Video Recorder 3
DNS Server 3
AAA Server 4
AD Server 4
AV Server 4
Barcode Scanner 4
Bluetooth Device 4
Camera 4
DB Server 4
Domain Controller 4
File Server 4
GPS Clock 4
Historian 4
Modem 4
Printer 4
Smart Phone 4
Smart Watch 4
Storage Array 4
Terminal Server 4
TV Screen 4
Vending Machine 4
Virtualization Server 4
VOIP Phone 4
VOIP Server 4
Web Server 4
Vulnerability Scanner 4
SNMP Server/Scanner 4
Biometric Scanner 4
Asset Type / Category
AAA Server IT
Access Point IT
AD Server IT
Autonomous Vehicle OT
AV Server IT
Barcode Reader OT
Broadcast IT
Camera IoT
Controller OT
Data Logger IT
DB Server IT
DNS Server IT
Domain Controller IT
Endpoint IT
Engineering Station OT
File Server IT
Firewall IT
Gateway OT
GPS Device IT
Historian OT
HMI OT
IED OT
Media Server IT
Microscope IoT
Modem UT
Networking IT
NTP Server IT
OPC Server OT
OT OT
PLC OT
Printer IT
Proxy Server IT
Remote IO OT
Robot OT
Router IoT
RTU OT
SCADA Client OT
SCADA Master OT
SCADA Server OT
SNMP Server/Scanner IT
Storage Array IT
Streamer IoT
Switch IoT
Syslog Server IT
Terminal Server IT
TV Screen IoT
UPS IoT
User Console IT
User Workstation IT
Virtualization Server IT
Vision Camera OT
Vision Controller OT
Vision Sensor OT
Vulnerability Scanner IT
Web Server IT
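The first table above places each asset type on a numbered level (field devices such as Robot and Remote IO at 0, PLCs and RTUs at 1, HMIs and SCADA systems at 2, site servers such as Syslog and NTP at 3, enterprise servers at 4, with the x.5 tiers holding networking equipment), and the report list uses the same numbering for the Industrial Security Zone (level 3) and the Enterprise Security Zone (levels 4 and 5). The second table assigns each type to IT, OT or IoT. One defensive use of both tables is to review conversations that jump across more than one level, especially when the source is also performing data acquisition writes, which the "Assets performed Data Acquisition Write" report singles out as able to change the process. The following Python is an added example, not CTD code: ASSET_LEVEL and ASSET_CLASS are copied in part from the two tables, the conversation records are constructed, and the rule that a span of more than one level deserves review (with x.5 networking tiers exempt) is an assumption for this example.

```python
# Level per asset type, copied (in part) from the asset-type table above.
ASSET_LEVEL = {
    "Remote IO": 0, "Robot": 0, "UPS": 0,
    "Controller": 1, "PLC": 1, "RTU": 1, "IED": 1,
    "Firewall": 1.5, "Router": 1.5, "Switch": 1.5,
    "Engineering Station": 2, "HMI": 2, "OPC Server": 2, "SCADA Server": 2,
    "Broadcast": 2.5,
    "DNS Server": 3, "NTP Server": 3, "Syslog Server": 3, "User Workstation": 3,
    "AD Server": 4, "DB Server": 4, "File Server": 4, "Historian": 4,
    "Smart Phone": 4, "Web Server": 4,
}

# IT/OT/IoT category per asset type, copied (in part) from the second table.
ASSET_CLASS = {
    "Remote IO": "OT", "Robot": "OT", "Controller": "OT", "PLC": "OT", "RTU": "OT",
    "IED": "OT", "Engineering Station": "OT", "HMI": "OT", "OPC Server": "OT",
    "SCADA Server": "OT", "Historian": "OT",
    "Firewall": "IT", "Broadcast": "IT", "DNS Server": "IT", "NTP Server": "IT",
    "Syslog Server": "IT", "User Workstation": "IT", "AD Server": "IT",
    "DB Server": "IT", "File Server": "IT", "Web Server": "IT",
    "UPS": "IoT", "Router": "IoT", "Switch": "IoT",
}

MAX_LEVEL_SPAN = 1  # assumption: adjacent levels talk to each other legitimately

# Constructed conversations: (source type, destination type, performed a
# data acquisition write). Not captured from a real system.
CONSTRUCTED_CONVERSATIONS = [
    ("AD Server", "PLC", True),
    ("HMI", "PLC", True),
    ("User Workstation", "PLC", False),
    ("Switch", "Syslog Server", False),
    ("Historian", "HMI", False),
    ("Smart Phone", "Robot", False),
    ("Engineering Station", "PLC", True),
]


def review_conversation(src_type, dst_type, writes=False):
    """Return (verdict, reason) for one source -> destination conversation."""
    src, dst = ASSET_LEVEL.get(src_type), ASSET_LEVEL.get(dst_type)
    if src is None or dst is None:
        return "unknown", "asset type not in the level table"
    # The x.5 tiers hold network infrastructure (switches, routers, firewalls,
    # broadcast) that legitimately touches every level, so they are exempt.
    if src % 1 or dst % 1:
        return "ok", "network infrastructure tier"
    span = abs(src - dst)
    if span <= MAX_LEVEL_SPAN:
        return "ok", f"adjacent levels ({src:.0f} -> {dst:.0f})"
    direction = f"{ASSET_CLASS.get(src_type, '?')}->{ASSET_CLASS.get(dst_type, '?')}"
    reason = f"level {src:.0f} -> level {dst:.0f} ({direction})"
    if writes:
        # A cross-level source that also writes can change process values.
        return "high", reason + ", data acquisition write"
    return "medium", reason


def review_all(conversations):
    """Return the flagged conversations, most severe first (stable order otherwise)."""
    rank = {"high": 0, "medium": 1}
    flagged = []
    for src_type, dst_type, writes in conversations:
        verdict, reason = review_conversation(src_type, dst_type, writes)
        if verdict in rank:
            flagged.append((verdict, src_type, dst_type, reason))
    flagged.sort(key=lambda item: rank[item[0]])
    return flagged


if __name__ == "__main__":
    for verdict, src, dst, reason in review_all(CONSTRUCTED_CONVERSATIONS):
        print(f"{verdict:6} {src} -> {dst}: {reason}")
```

Note that the table puts Historian at level 4 and the networking types on the 1.5 tier, so a historian polling an HMI is flagged while a switch forwarding to a syslog server is not; tune MAX_LEVEL_SPAN and the exempt tiers to the site's actual zone design rather than treating the defaults here as a standard.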
16. Terminology
Term: Meaning
AD: Active Directory
Alert: An event that may cause a threat or a risk to the security of the network and requires attention and investigation.
Alert Indicator: A predefined characteristic of an alert that affects the alert score.
Alert Score: A number representing the overall alert importance, resulting from the collection of observed indicators and network activities.
ARP: Address Resolution Protocol. A communication protocol used for discovering the link layer address associated with a given IPv4 address, a critical function in the Internet protocol suite. Used for mapping a network address, such as an IPv4 address, to a physical address, such as a MAC address.
Attack Vector: A path or means by which a hacker can gain access to a computer or network server to deliver a payload or a malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities.
Baseline: The CTD collection of valid network behaviors. An individual baseline represents a command or an instance of communication between two assets.
Baseline Deviation: During training mode, the system learns the existing asset communication and defines a baseline for how a normal asset (or group of assets) behaves on the network in terms of its communication patterns. A baseline deviation occurs when a communication occurs that has not been defined yet. During operational mode, baselines can be changed or further defined by auto-generated virtual zones and user-approved alerts.
BPF: Berkeley Packet Filter. A mechanism to write/read packets to/from the network interface.
CAM: Content Addressable Memory table. Used to record a station's MAC address and its corresponding switch port location. Common in Layer 2 switching.
Cloud Reputation: Indications about the common rates of policy zone rules among different sites. This feature shows how common a specific rule is among sites around the world.
CDP: Cisco Discovery Protocol. A proprietary Data Link Layer protocol developed by Cisco Systems. Used to share information about other directly connected Cisco equipment, such as the operating system version and IP address.
CEF: Common Event Format. A proprietary syslog-based event format that can be used by other vendors.
Chain of Events: A series of alerts/events that are correlated with each other, generated an alert, and require investigation as a group.
CIDR: Classless Inter-Domain Routing. IP address syntax that uses IPv4 address space and prefix aggregation, known as route summarization or supernetting.
CIP: Common Industrial Protocol. Industrial protocol for industrial automation applications.
ClarotyOS: A hardened, purpose-built Linux OS, ready for use for CTD out of the box. Every Claroty Appliance is delivered pre-installed with ClarotyOS for quick deployment.
CMDB: Configuration Management Database. A data repository that acts as a data warehouse or inventory for information technology (IT) installations. It holds data relating to a collection of IT assets and the relationships between assets, and enables understanding the composition of critical assets such as information systems. Also helps organizations track the configuration of components in the system.
Community: Group of CTD devices that are interconnected with the same EMC.
CQL: CTD Query Language. Provided for users to build swift SQL-like query statements for filtering data in the system.
CSV: Comma-separated values. A delimited text file that uses a comma to separate values. A CSV file stores tabular data (numbers and text) in plain text. Each line of the file is a data record. Each record consists of one or more fields, separated by commas. The use of the comma as a field separator is the source of the name for this file format.
CTD: Continuous Threat Detection. The anomaly detection product within the Claroty Platform for ICS networks, providing rapid and concrete situational awareness through real-time alerting. Constantly monitors ICS network traffic and generates alerts for anomalous network behavior that indicates a malicious presence and for changes that have the potential for disrupting the industrial processes.
CTI: Claroty Threat Intelligence. A highly curated, multi-source and tailored feed that enriches Claroty's RCA with proprietary research and analysis of OT zero-day vulnerabilities and ICS-specific Indicators of compromise (IoC) linked to adversary tactics, techniques and procedures (TTP). CTI's YARA rules, for example, run on OT asset configuration changes and code sections, not just IT artifacts. CTI equips threat hunters and incident responders with the relevant context needed to detect and prevent targeted attacks early in the kill chain and mitigate the consequences of malware infections.
CVE: Common Vulnerabilities and Exposures. A catalog of known security threats. The threats are classified as vulnerabilities or exposures. The CVEs originate in software or firmware, and are identified, standardized and cataloged into a free "dictionary" for organizations to improve their security.
CVSS: Common Vulnerability Scoring System. A standardized method to indicate how critical a specific CVE is.
DCP: Discovery and Basic Configuration Protocol. A protocol definition within the PROFINET context. A link layer-based protocol to configure station names and IP addresses. It is restricted to one subnet and mainly used in small and medium applications without an installed DHCP server.
DDoS: Distributed Denial-of-Service. An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. In this type of attack, multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource.
DHCP: Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers configured for a given network.
DNP: Distributed Network Protocol. A set of communication protocols used between components in process automation systems.
DNS: Domain Name System. A hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network.
DPI: Deep Packet Inspection. A form of computer network packet filtering that examines the header and data part of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria. This method is used for identifying specific assets in the ICS network, lines of asset communication, communication timing, protocol communication between assets, types of commands and registers used, and the values of valid responses.
EMC: Enterprise Management Console, i.e. the Central Appliance at operation headquarters.
Event: A single network event that CTD has collected using Deep Packet Inspection (DPI). Some of the events will be classified as alerts, e.g. when they pose a risk or threat to the network. See also Master Event.
EWS: Engineering WorkStation. A high-end, very reliable computing platform designed for configuration, maintenance and diagnostics of control system applications and other control system equipment.
FW: Firewall
GDPR: General Data Protection Regulation. A European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally identifiable information. Aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
HMI: Human-Machine Interface. A software application that presents information to an operator about the state of a process and accepts and implements the operator's control instructions.
HTTP: Hypertext Transfer Protocol. An application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation for data communication on the web.
Hygiene Score: CTD widget displaying the current cumulative risk level posed to the system by the insights. This score comprises the critical security insights, CVEs and anomalies that were detected, as well as how many critical assets were identified. A low hygiene score indicates that the system is highly vulnerable to attacks.
ICMP: Internet Control Message Protocol. A supporting protocol in the Internet protocol suite used by network devices.
ICS: Industrial Control Systems. Control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems.
IdP: Identity Provider. A system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network.
Incident: An instance of invalid network activity (network failure, malicious attack, user error, etc.)
Indicator:
• Static Indicator – Static information that can potentially affect the score of an alert. For example: the asset type, subnet, and virtual zone group.
• Event Indicator – An observed related network activity that can potentially affect the score of an alert and provides context to the given alert. For example: whether an asset has performed write operations, or whether an asset has communicated using SMBv1.
Insight: Knowledge mined from CTD about the system or about one of the entities in the system.
IoT: Internet of Things. A system of interrelated computing devices, machines or objects that transfer data over a network. CTD's proprietary framework swiftly incorporates and processes these devices and provides micro-segmentation in the same manner as it does for IT and OT assets, with unified visibility, security monitoring and risk assessment. By automatically discovering and classifying IoT devices in the network, CTD correlates them with known vulnerabilities and continuously monitors them.
IoT Matcher: Simple code section in JSON format describing the retrieval of information from an IoT device. These Active HTTP and Telnet queries made to the assets obtain important device information (such as vendor, model, type, OS version, role).
IP: Internet Protocol. A numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. It provides identification of the host or network interface and the device's location address.
IT: Information Technology
JSON: A lightweight format for storing and transporting data, usually used when data is sent from a server to a web page. It is "self-describing" and easy to understand.
Known Threats: CTD uses a sophisticated signature-based database to enhance its capability for identifying known attacks.
KPI: Key Process Indicator. A quantifiable measure used to evaluate the success of an organization, employee, etc., in meeting performance objectives.
MAC: Media Access Control address. This device address is a unique identifier assigned to a network interface for communication at the data link layer of a network segment.
Master Event: An event that occurs whose sensitivity value determines that it is not interesting or relevant enough to be classified as an alert.
MitM: Man-in-the-Middle. Type of attack in which the attacker secretly relays and possibly alters the communication between two parties who believe they are communicating with each other directly.
ML: Machine Learning. CTD's ML alert algorithm delivers fast response without the distracting noise of unnecessary alerts.
NetFlow: Source of asset data and network anomaly detection whose summarized data flows through the network. Enhances CTD's statistical data for network analytics.
Operational mode: System mode in which the system raises alerts about new assets, baselines, and abnormal communication, having already learned the necessary information about the network communications in the site from Training mode.
OS: Operating System
OT: Operational Technology. Hardware and software that detect or cause a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
PCAP: Packet Capture. By using PCAPs to record events, CTD can display which information was changed during a particular action/activity.
Ping Sweep: AKA an Internet Control Message Protocol (ICMP) sweep. A supporting protocol in the Internet protocol suite used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. Whereas a single ping will tell you whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts; if a given address is live, it will return an ICMP ECHO reply.
PLC: Programmable Logic Controller. An industrial digital computer that has been ruggedized and adapted for the control of manufacturing processes.
Policy Rule: An expression that differentiates between communication that is considered a corporate policy violation and that which is allowed.
Policy Violation: Type of alert triggered when the detected communication did not match any explicit 'Allow' or 'Alert' policy rule.
PsExec: A lightweight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
RCA: Root Cause Analytics. This CTD feature provides visibility into the chain of events leading up to every single alert, which is particularly important for OT security alerts. RCA enables fast and easy triage of alerts, as well as proactive threat hunting. By providing the context surrounding the associated threat and risk, RCA helps users hunt for threats and resolve security events.
RTU: Remote Terminal Unit. A multipurpose device used for remote monitoring and control of various devices and systems for automation. It is typically deployed in an industrial environment and serves a similar purpose to PLCs but to a higher degree.
SAML: Security Assertion Markup Language. An open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider (IdP) and a service provider (SP). SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
S7Comm: Siemens proprietary protocol that runs between PLCs of the Siemens S7-300/400 family.
Sensitivity: Entity that controls the level to be used when correlating between associated alerts. For example, high sensitivity is in effect when the user trusts the communication between zones.
SMB: Server Message Block. SMB operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. It also provides an authenticated inter-process communication mechanism.
SMTP: Simple Mail Transfer Protocol. An Internet standard for electronic mail (email) transmission.
SOC: Security Operations Center. A centralized unit dealing with security issues on an organizational and technical level.
SP: Service Provider. A system entity that receives and accepts authentication assertions.
SPAN: Switched Port Analyzer. Used to monitor network traffic. With port mirroring enabled, the SPAN switch sends a copy of all network packets seen on one port (or an entire VLAN) to another port, where the packets can be analyzed.
SSH: Secure Shell. Cryptographic network protocol for operating network services securely over an unsecured network. Provides administrators with a secure way to access a remote computer. This encryption and protocol technology is used to connect two computers and lock out eavesdroppers by encrypting the connection and scrambling the transmitted data so it is meaningless to anyone outside of the two computers.
SSL: Secure Sockets Layer. Standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remains private and integral.
SYN: A type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.
Training mode: Learning mode in which CTD dynamically profiles the site's normal process behavior, assembling a baseline by observing all network traffic and registering it as valid. Alerts are triggered for critical changes and security risks, and newly discovered assets and communication patterns are recorded in the baseline as shown on the System Management page.
UEFI: Unified Extensible Firmware Interface. A specification for a software program that connects a computer's firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on.
UI: User Interface
Virtual Zones: Capability for grouping related assets in a logical view. Virtual Zones allow definition of a Baseline Deviation alert policy for each Virtual Zone or communication between Virtual Zones.
VM: Virtual Machine
WMI: Windows Management Instrumentation. The infrastructure for management data and operations on Windows-based operating systems.