Claroty CTD – QRadar: Installation Guide
Version 7
05-Jan-2022
Confidential & Proprietary | Copyright © 2022 Claroty Ltd. All rights reserved

CTD - QRadar Installation Guide

1. Solution Overview

The Claroty Continuous Threat Detection (CTD) add-on for IBM's QRadar delivers comprehensive security, visibility, and alert management capabilities for operational technology (OT) environments. This integration enables QRadar to automatically ingest OT events, alerts and traffic baselines from Claroty CTD.

Users can monitor all assets and potential threats in their OT environment on a single pane of glass in real time, leading to more effective and efficient OT security monitoring and a stronger OT security posture. Benefits include:

• Continuous monitoring of ICS and industrial network assets - With a unified, real-time view into security threats targeting PLCs/RTs, embedded PCs, process control software and additional network assets, enterprises can identify threats early, before they can impact their business.
• Single view for IT SOC teams to identify threats across both IT and OT environments - enabling companies to have a true enterprise view of all threats and risks across the business.

05-Jan-2022 Version 7 Page 2 of 15


2. Setup and Configure

2.1. CTD Prerequisites

• CTD Version 4.2.4 or later

2.2. QRadar Prerequisites

• QRadar Version 7.3.3 or above

2.3. Setup Instructions

2.3.1. The DSM

• IBM® QRadar® uses Device Support Modules (DSMs) to log and correlate the data that is collected from external log sources, such as firewalls, switches, or routers. DSMs are regularly updated to ensure that QRadar can correctly interpret and parse security event information that is provided by external devices.
• DSMs can be updated both automatically from IBM's AppExchange and manually.
• This DSM integration supports both CTD's legacy CEF and the new CEF structure.
• See the FAQ (page 15) for the log types supported.

2.3.2. Installing the Claroty DSM in QRadar

1. Download the DSM .zip file from the IBM App Exchange, IBM X-Force Exchange.
2. In QRadar under the Admin tab go to Extensions Management:

3. Click Add.
4. Select the .zip file and select the Install immediately checkbox, then click Add:


5. If you get a message like the following, select Replace existing items:

6. Follow the wizard to complete the installation.

2.3.3. Updating the Claroty DSM Version

Either set all of your DSMs to be updated automatically, or manually update the DSM by downloading the new version from the IBM App Exchange and following the Installing the Claroty DSM in QRadar (page 4) instructions.

To update automatically:

1. In QRadar go to Admin > Auto Update:

2. Click on the Change Setting > Basic tab.


3. Under DSM > Scanner > Protocol Updates, select Auto install:

4. Select Save.


2.3.4. Setting up the Connection in QRadar

2.3.4.1. Using the QRadar Log Source Management App

1. On the main dashboard go to Admin -> QRadar Log Source Management:

2. Click on New Log Source:

3. Select Single Log Source.


4. Search for Claroty and click on Step 2:

5. Select Syslog and click on Step 3:

6. Give this source a name and click on Step 4:

7. Select ClarotyCustom_ext as the Extension:


8. Type your EMC IP address in the Log Source Identifier field and click on Finish:

9. Go back to the Admin page and click on Deploy Changes to deploy the new changes:

2.3.4.2. Using Log Sources

1. On the main dashboard go to Admin > Log Sources:

2. Click on Add:


3. Fill in the Edit a Log Source fields:

a. Log Source Name - A given name for this source


b. Log Source Type - Must be Claroty
c. Protocol Configuration - Set to Syslog
d. Log Source Identifier - Enter the IP address of the EMC machine
e. Log Source Extension - Select ClarotyCustom_ext
f. Click Save.
4. Go back to the Admin page and click Deploy Changes to apply your new changes:

2.3.5. Setting up the Connection in the CTD EMC

1. In the CTD EMC, click on the gear icon and then Integrations > SIEM Syslog.


2. Click on the Add icon.


3. Fill in the Add New Syslog details and click Save:


a. To - Unselect the Local checkbox


b. From - Select All or specify the sites from which data will be sent
c. Vendor Name - Select IBM QRadar
d. Message Content - Select the data type to be sent (one option only)
e. Server - The IP of the QRadar machine
f. Port - Enter 514
g. Protocol - Select TCP/UDP

IMPORTANT
TCP is the recommended protocol.

4. Click Save.

2.4. Displaying the Data


After you have installed or updated the Claroty DSM, created the two-way connection between QRadar and CTD, and deployed the changes, your data mapping is ready.


Go to Log Activity and create a new filter as follows:

1. Click on Add Filter:

2. Select Log Source [Index] as the Parameter:

3. Select the log source name that you defined in the Log Source Management app as the Log
Source.
4. Click on Add Filter again.
5. Select the relevant time interval for your search and you should see the mapped data:


3. Troubleshooting

3.1. Message Event Name is Unknown


If the message event name is unknown, as shown below:

• Make sure you correctly defined the connection between QRadar and your EMC:
• Claroty is selected as the Log Source Type
• The current identifier of your EMC is correct
• ClarotyCustom_ext is selected as the Log Source Extension
• Make sure you click on the Deploy Changes button after setting up the connection on your QRadar machine:

3.2. Syslog Message was Split into Parts


If the Syslog message was split into parts as follows:

• Make sure you select TCP rather than UDP as the Protocol when you define the connection in your EMC.
• You may need to increase the size of the TCP payload you allow on your QRadar machine:

1. In your QRadar machine, go to the Admin tab.


2. Click on the System Settings icon:


3. Click on the Advanced button:

4. Click on System Settings:

5. Look for Max TCP Syslog Payload Length and increase the length as needed:


4. FAQ & Reference

Q: What CTD data can be sent via Syslog?


A: The following entities are supported:

Log Type            CEF - Legacy    CEF - New
Alerts              Yes             Yes
Events              Yes             Yes
Baseline            Yes             No
Health Monitoring   Yes             No

Q: Which DSM Event QRadar Identifier (QIDs) are supported?


A: The following QIDs are supported:

Event                              QID
Protocol                           1002500003
Baseline Deviation                 1002500031
Firmware Download                  1002500033
Configuration Download             1002500028
Baseline (N/A)                     1002500035
Known Threat Alert                 1002500025
Configuration Upload Alert         1002500026
New Entity                         1002500023
Asset Information Change           1002500024
New Asset                          1002500019
New Conflict Asset                 1002500015
Entity Conflict                    1002500016
Known Threat Event                 1002500012
Health Check ("HealthCheck")       1002500013
Login Event                        1002500010
Alert Login                        1002500011
Sniffer Status                     1002500008
Alert Port Scan                    1002500027
Event Port Scan                    1002500029
Alert Host Scan                    1002500022
Event Host Scan                    1002500020
Site Status                        1002500021
Suspicious File Transfer Event     1002500017
Suspicious File Transfer Alert     1002500018
Policy Violation Event             1002500014
Policy Violation Alert             1002500014

NOTE
The Policy Violation Event and Policy Violation Alert both have the same ID.
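The following is an added example for checking CTD syslog messages before they reach QRadar; it is not Claroty's or IBM's code. It parses a CEF record, resolves the event name against a subset of the QID table above (flagging the shared Policy Violation QID, which a QRadar rule keyed on QID alone cannot disambiguate), and checks the encoded length against the Max TCP Syslog Payload Length from section 3.2. The sample message, the signature ID "PV-1" and the 1024-byte limit are constructed placeholders, not values from the guide.

```python
import re

# Subset of the QID table in the FAQ section of this guide (event name -> QID).
CTD_QIDS = {
    "Protocol": 1002500003,
    "Baseline Deviation": 1002500031,
    "Firmware Download": 1002500033,
    "Configuration Download": 1002500028,
    "Known Threat Alert": 1002500025,
    "New Asset": 1002500019,
    "Policy Violation Event": 1002500014,  # both Policy Violation entries share
    "Policy Violation Alert": 1002500014,  # one QID, as the FAQ NOTE states
    "Suspicious File Transfer Alert": 1002500018,
}

# Assumed limit (placeholder): the guide does not state QRadar's default
# Max TCP Syslog Payload Length; read yours from Admin > System Settings.
MAX_TCP_SYSLOG_PAYLOAD = 1024


def parse_cef(line):
    """Parse a syslog line carrying a CEF record into its header fields and
    extension key/value pairs. Header fields are split on unescaped pipes."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF record in line")
    fields = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(fields) != 8:
        raise ValueError("malformed CEF header (expected 7 pipes)")
    ext = dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", fields[7]))
    return {
        "vendor": fields[1], "product": fields[2], "device_version": fields[3],
        "signature_id": fields[4], "name": fields[5].replace("\\|", "|"),
        "severity": fields[6], "ext": ext,
    }


def lookup_qid(event_name):
    """Return (qid, ambiguous). ambiguous is True when another event name maps
    to the same QID, so a rule keyed on QID alone cannot tell them apart."""
    qid = CTD_QIDS.get(event_name)
    if qid is None:
        return None, False
    return qid, sum(1 for q in CTD_QIDS.values() if q == qid) > 1


def fits_tcp_payload(line, limit=MAX_TCP_SYSLOG_PAYLOAD):
    """True if the encoded line fits in one TCP syslog payload; longer
    messages are what produce the 'split into parts' symptom in section 3.2."""
    return len(line.encode("utf-8")) <= limit


# Constructed sample, not a real CTD message (all field values are invented).
SAMPLE = ("<13>Jan 05 10:00:00 emc-host CEF:0|Claroty|CTD|4.2.4|PV-1|"
          "Policy Violation Alert|7|src=10.0.0.5 dst=10.0.0.9 msg=Write to PLC coil")
```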
