Accenture MxDR Quick Start Guide for Claroty Continuous Threat Detection
- Dinesh Murugaiyan
This quick start guide will help Accenture MxDR customers configure Claroty Continuous Threat Detection to send logs to the Log collection Platform (LCP).
This document includes the following topics:
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx) which can be found in Accenture MDR Portal.
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Claroty | LCP | 514 (UDP) or 601 (TCP) | Default port
|
Configuring CTD
If the user is connected to a CTD Server and configures the Syslog from within that site, the syslog message will be sent from that site and there will not be an option from that site to select the other sites.
If the user is connected to the EMC and defines a new syslog, the message will be forwarded from the EMC Server (and not from the site/s).
To configure Syslog from Claroty Site :
Navigate to Settings -> Integrations -> SIEM Syslog
Uncheck Local as we are sending logs to another target.
Below points are mapped exactly as per the reference screenshot:
From (Site) – Select one or multiple sites (i.e. CTD Servers) from the dropdown
Message Contents – select which level to log: Alerts, Baselines, Events. Make category selected is "ALL".
Message Format – Select CEF
Server – Host/IP of the LCP
Port – 514 or 601 or 6514 (based on the protocol used)
Protocol – UDP or TCP or TLS
System URL – Automatically shows the source URL; this field is not editable
Save – Choose to commit your entries
To configure Syslog from EMC Server :
Login to EMC (need user with admin access)
Navigate to Settings > Integrations > SIEM Syslog
Click the “+” to Create New.
4. Enter Configuration
a.To: Uncheck “LOCAL” because we are sending logs to a remote server
b.From: Select one or multiple CTD sites or ALL from which your want to send syslog for
c.Vendor name: Select vendor as “Other”
d.Select Alerts, Baselines, Events from Message Contents drop-down and select ALL from Category drop-down.
e.Message Format – Select CEF
f.Type – This dropdown enables you to select one, several or all Alert Types
g.Server – Host/IP of the LCP
h.Port – 514 or 601 or 6514 (based on the protocol used)
i.Protocol – UDP or TCP or TLS
j.System URL – Automatically shows the source URL; this field is not editable and does not need to be configured
k.Save – Choose to commit your entries.
LCP Configuration Parameters
Table 1-2: The Claroty Continuous Threat Detection event collector (Syslog -3949) properties to be configured by Accenture are given in the table.
Property | Default Value | Description |
|---|---|---|
Time Offset | +00:00 | Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer |
Signatures | |Claroty|CTD| |
|
Protocol | UDP | UDP or TCP or TLS |
Port Number | 514 | Default port number for UDP. For TCP preferred port is 601, for TLS please use 6514. |
Host Names / IP Addresses | * |
|
Enable Signatures | TRUE | Let you enable or disable the signature filtering. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.