Claroty+CTD+v5 1 0+User+Guide+19Dec2024

The Continuous Threat Detection (CTD) User Guide provides comprehensive information on the CTD 5.1.0 system, including its architecture, interface, visibility features, risk and vulnerability management, and threat detection capabilities. It outlines key benefits, system components, and detailed instructions for navigating the interface and utilizing various functionalities. The guide serves as a resource for users to effectively monitor and manage industrial cybersecurity threats.

Industrial

Continuous Threat Detection (CTD) User Guide

CTD 5.1.0

December 2024
www.claroty.com | © 2024 Claroty Ltd. All rights reserved
Table of Contents
1. About CTD ..................................................................................................................... 13
1.1. Key Benefits ........................................................................................................ 13
1.1.1. Visibility with Active and Passive Methods .............................................. 13
1.1.2. Root Cause Analytics and ML Algorithm ................................................. 14
1.2. Architecture ......................................................................................................... 15
1.3. Scalability ............................................................................................................ 16
1.4. CTD Server ......................................................................................................... 16
1.4.1. DPI Processing ........................................................................................ 16
1.4.2. Distributed Configuration ......................................................................... 17
1.5. Enterprise Management Console (EMC) ............................................................ 17
1.6. CTD Sensor ........................................................................................................ 18
1.7. CTD Sensor Lite ................................................................................................. 19
1.8. Claroty Edge ....................................................................................................... 19

2. CTD Interface ................................................................................................................ 21
2.1. CTD Interface ..................................................................................................... 21
2.2. Login ................................................................................................................... 21
2.3. Dashboard .......................................................................................................... 23
2.4. Enterprise Overview ........................................................................................... 26
2.4.1. Site Statistics ........................................................................................... 26
2.4.2. Filter By .................................................................................................... 27
2.4.3. Site Information ........................................................................................ 27
2.4.4. Changing the Site Graphic ....................................................................... 28
2.5. Time and Date Display ........................................................................................ 29

3. Navigating the Interface ................................................................................................. 30
3.1. Navigating the Interface ...................................................................................... 30
3.2. Main CTD Menu .................................................................................................. 30
3.3. Search in Menu ................................................................................................... 31
3.3.1. Search Keyboard Shortcut ....................................................................... 32
3.4. Activity Bar .......................................................................................................... 32
3.4.1. Activity Bar ............................................................................................... 32
3.4.2. Site Selector and Search ......................................................................... 33

Continuous Threat Detection (CTD) User Guide CTD 5.1.0 Page 2

3.4.3. Logged-in User Menu .............................................................. 34
3.4.4. Changing the Time Zone ......................................................................... 38
3.5. Browser Back Navigation .................................................................................... 39

4. Visibility .......................................................................................................................... 40
4.1. Visibility Overview ............................................................................................... 40
4.1.1. Visibility Overview .................................................................................... 40
4.1.2. Site Visibility Overview ............................................................................. 40
4.1.2.1. Site Visibility Widgets .................................................................... 42
4.1.3. EMC Visibility Overview ........................................................................... 43
4.1.3.1. EMC Visibility Widgets .................................................................. 45
4.2. About Assets and Views ..................................................................................... 46
4.2.1. Assets ...................................................................................................... 46
4.2.2. List View ................................................................................................... 46
4.2.3. Layered Topology View ............................................................................ 49
4.2.4. Network Topology View ............................................................................ 50
4.2.5. Asset Classes .......................................................................................... 50
4.2.6. Asset Types ............................................................................................. 51
4.2.7. Auto-Calculation of Subnets .................................................................... 53
4.3. Detailed Asset Page ........................................................................................... 54
4.3.1. Detailed Asset Page ................................................................................ 54
4.3.2. Physical Connections ............................................................................... 59
4.3.3. Changing Purdue Model Levels ............................................................... 60
4.3.4. Risk Score Widgets .................................................................................. 61
4.3.5. Network Communication Map .................................................................. 62
4.3.6. Cross Site Correlations ............................................................................ 63
4.4. Asset Actions ...................................................................................................... 64
4.4.1. Group By .................................................................................................. 64
4.4.2. Asset Color By ......................................................................................... 65
4.4.3. Showing Asset Neighbors ........................................................................ 66
4.4.4. Changing Asset Mode Manually .............................................................. 68
4.4.5. Merging Assets in the Assets Page ......................................................... 70
4.4.5.1. Asset Merge Principles ................................................................. 71
4.4.5.2. Merging Assets ............................................................................. 72
4.4.6. Showing Asset Related Items .................................................................. 74
4.4.7. Editing Assets .......................................................................................... 76
4.4.7.1. Editing Individual Assets ............................................................... 76
4.4.7.2. Editing Assets in Bulk ................................................................... 78
4.5. Using Asset Filters .............................................................................................. 80
4.5.1. Using Basic Filters ................................................................................... 80
4.5.1.1. Searching for an Asset .................................................................. 81
4.5.2. Using Advanced Filters ............................................................................ 81
4.5.2.1. Creating Predefined Filters (Presets) ............................................ 82
4.5.3. Advanced Graph Filter Options ................................................................ 83
4.6. Custom Attributes ............................................................................................... 84
4.6.1. Displaying Custom Attributes in the Assets Page .................................... 85
4.6.2. Applying Custom Attributes in the Detailed Asset Page .......................... 86
4.6.3. Applying Custom Attributes to Multiple Assets ........................................ 87
4.6.4. Removing Custom Attributes from Multiple Assets .................................. 88
4.6.5. Setting Up Custom Attributes ................................................................... 89
4.6.5.1. Adding Custom Attributes to a Site ............................................... 90
4.6.5.2. Adding Custom Attributes to Multiple Sites from the EMC ............ 91
4.6.5.3. Applying a Custom Attribute Created on One Site to Another Site via the EMC ........................................................................................ 93
4.6.6. Creating Site Custom Attributes ............................................................... 94
4.6.6.1. Displaying Site Custom Attributes ................................................. 95
4.6.6.2. Applying Site Custom Attributes ................................................... 96
4.6.6.3. Using Site Custom Attributes to Filter Assets and Insights ........... 98
4.6.7. Exporting Assets with Custom Attributes ............................................... 100
4.6.8. CSV Imports with Custom Attributes ...................................................... 100
4.7. Zones ................................................................................................................ 100
4.7.1. Zone Behavior ........................................................................................ 100
4.7.2. Automatic Zone Creation ....................................................................... 101
4.7.3. Zone Graph Views ................................................................................. 101
4.7.3.1. Zones – Network Topology View ................................................. 103
4.7.3.2. Zones – Layered Topology View ................................................. 103
4.7.4. Zone List ................................................................................................ 106
4.7.5. Editing Zones ......................................................................................... 107
4.7.5.1. Adding a Zone ............................................................................. 107
4.7.5.2. Renaming a Zone ....................................................................... 108
4.7.5.3. Deleting a Zone ........................................................................... 109
4.7.6. Customized Auto-Grouping of Zones ..................................................... 109
4.7.7. Zone View Page ..................................................................................... 110

5. Risk & Vulnerabilities ................................................................................................... 112
5.1. About Risk & Vulnerabilities .............................................................................. 112
5.1.1. Risk & Vulnerabilities ............................................................................. 112
5.1.1.1. Risk & Vulnerabilities Overview .................................................. 112
5.1.1.2. Insights ........................................................................................ 112
5.1.1.3. Vulnerability Management ........................................................... 113
5.1.1.4. Threat Intelligence Updates ........................................................ 113
5.1.1.5. Attack Vectors ............................................................................. 113
5.2. Risk & Vulnerabilities Overview ........................................................................ 114
5.2.1. Risk & Vulnerabilities Overview ............................................................. 114
5.2.2. EMC Risk & Vulnerabilities Overview .................................................... 116
5.3. About Risk Calculation ...................................................................................... 118
5.3.1. Risk Calculation ..................................................................................... 118
5.3.2. Asset Risk Score Calculation ................................................................. 119
5.3.3. Zone Risk Score Calculation .................................................................. 120
5.3.4. Hygiene Score Calculation ..................................................................... 121
5.3.5. Improving the Hygiene Score ................................................................. 122
5.4. Insights ............................................................................................................. 122
5.4.1. Insights for a Specific Asset ................................................................... 123
5.4.2. Updating Insight Statuses ...................................................................... 124
5.4.3. Threat Intelligence Updates ................................................................... 126
5.4.4. Showing Insight Related Items .............................................................. 126
5.4.5. Exporting Insights .................................................................................. 128
5.5. Vulnerabilities .................................................................................................... 128
5.5.1. Vulnerabilities Page ............................................................................... 128
5.5.1.1. Opening the Vulnerabilities Page ................................................ 129
5.5.1.2. Vulnerability Details ..................................................................... 129
5.5.1.3. Filtering, Searching, and Sorting the Vulnerabilities List ............. 131
5.5.1.4. Searching for CVEs .................................................................... 132
5.5.2. Vulnerability View Page ......................................................................... 132
5.5.2.1. Opening the Vulnerability View Page .......................................... 134
5.5.2.2. Vulnerability Page Widgets ......................................................... 134
5.5.3. Affected Assets ...................................................................................... 136
5.5.3.1. Affected Asset Details ................................................................. 136
5.5.3.2. Filtering, Searching, and Sorting Affected Assets ....................... 138
5.5.3.3. Changing the Status of Affected Assets ...................................... 138
5.5.3.4. Adding a Comment to Affected Assets ....................................... 139
5.5.3.5. Assigning Affected Assets to a User ........................................... 140
5.5.4. Asset Vulnerabilities ............................................................................... 141
5.5.4.1. Vulnerability Details ..................................................................... 142
5.5.4.2. Filtering, Searching, and Sorting an Asset's Vulnerabilities ........ 143
5.5.4.3. Changing the Status of an Asset's Vulnerabilities ....................... 144
5.5.4.4. Adding a Comment to a Vulnerability .......................................... 145
5.5.4.5. Assigning Vulnerabilities to a User .............................................. 145
5.5.5. Migration Notes ...................................................................................... 146
5.5.5.1. Status .......................................................................................... 146
5.5.5.2. Comments in Asset-Vulnerability Pairs ....................................... 147
5.5.5.3. Vulnerability Relevance ............................................................... 147
5.6. Attack Vectors ................................................................................................... 148
5.6.1. Attack Vectors ........................................................................................ 148
5.6.2. Using Attack Vectors .............................................................................. 149

6. Threat Detection .......................................................................................................... 151
6.1. Threat Detection ............................................................................................... 151
6.2. Threat Detection Overview ............................................................................... 151
6.2.1. Threat Detection Overview .................................................................... 151
6.2.1.1. Threat Detection Widgets ........................................................... 153
6.2.2. EMC Threat Detection Overview ........................................................... 154
6.2.2.1. Threat Detection Widgets ........................................................... 156
6.3. Alerts ................................................................................................................. 157
6.3.1. Alert Types ............................................................................................. 157
6.3.2. Alerts Page ............................................................................................ 157
6.3.2.1. Alert Title ..................................................................................... 161
6.3.2.2. Alert PCAP .................................................................................. 161
6.3.2.3. Alert Indicators ............................................................................ 162
6.3.2.4. Root Cause Analysis ................................................................... 166
6.3.2.5. Alert Story ................................................................................... 167
6.3.3. Alerts Table ............................................................................................ 168
6.3.3.1. ..................................................................................................... 168
6.3.4. MITRE ATT&CK for ICS ......................................................................... 172
6.3.4.1. MITRE ATT&CK® for ICS ........................................................... 172
6.3.4.2. MITRE ATT&CK® Technique Page ............................................ 174
6.3.5. Alert View Page ..................................................................................... 177
6.3.6. Alert Scoring .......................................................................................... 179
6.3.6.1. Alert Scoring ............................................................................... 179
6.3.6.2. Sensitivity .................................................................................... 179
6.3.6.3. Alert Scoring Formula ................................................................. 179
6.3.6.4. Alert Score Values ....................................................................... 180
6.3.7. Alert Workflow ........................................................................................ 180
6.3.7.1. Resolving Alerts: Assign/Approve All/Approve Selected/Archive 180
6.3.7.2. Mitigating Alerts .......................................................................... 183
6.3.7.3. Viewing All Events in an Alert ..................................................... 183
6.3.7.4. Searching for an Event in the Event Details dialog ..................... 185
6.3.7.5. Exporting Alerts ........................................................................... 185
6.3.7.6. Downloading Capture - Raw Alert Data ...................................... 187
6.3.7.7. Viewing Resolved Alerts ............................................................. 188
6.3.8. Showing Alert Related Items .................................................................. 189
6.4. Events ............................................................................................................... 191
6.4.1. Events Page ........................................................................................... 191
6.4.2. Master Event View ................................................................................. 193
6.5. Alert Rules ........................................................................................................ 196
6.5.1. Zone Rules ............................................................................................. 197
6.5.1.1. Zone Rules Page ........................................................................ 197
6.5.1.2. Zone Rule Behavior .................................................................... 198
6.5.1.3. Policy Alert Types ....................................................................... 199
6.5.1.4. Zone Rules Columns .................................................................. 199
6.5.1.5. Creating a New Zone Rule .......................................................... 201
6.5.1.6. Editing an Existing Rule .............................................................. 204
6.5.1.7. Reviewing and Validating New Zone Rules ................................ 205
6.5.2. Baseline Rules ....................................................................................... 206
6.5.2.1. Editing a Baseline Rule ............................................................... 207
6.5.2.2. Creating a Baseline Rule ............................................................ 208
6.5.2.3. Baseline Rules Using Baseline Values ....................................... 211
6.5.3. Before Working with Network Signatures and Yara Rules ..................... 215
6.5.4. About Network Signatures ..................................................................... 216
6.5.4.1. Network Signatures in the Alert View Page ................................ 217
6.5.4.2. Managing Network Signatures .................................................... 217
6.5.4.3. Adding a Network Signature ....................................................... 220
6.5.5. Yara Rules ............................................................................................. 222
6.5.5.1. Working with Yara Rules ............................................................. 222
6.5.5.2. Adding a New Yara Rule ............................................................. 224
6.5.5.3. Deleting a Yara Rule ................................................................... 225
6.5.5.4. Yara Rule Example: Suspicious File Transfer Alert .................... 225
6.5.6. Auto Resolve .......................................................................................... 226
6.5.6.1. Resolving Alerts .......................................................................... 226
6.5.6.2. Viewing Automatically Resolved Alerts ....................................... 227
6.5.6.3. Centralized Management of Auto Resolve Rules ....................... 227
6.5.6.4. Creating an Auto Resolve Rule From the EMC .......................... 228
6.5.6.5. Creating an Auto Resolve Rule From a Site ............................... 233
6.5.6.6. Editing and Deleting Auto Resolve Rules ................................... 239
6.5.6.7. Understanding an Auto Resolve Rule's Effectiveness ................ 241
6.5.6.8. Auto Resolve Rule Migration ...................................................... 244

7. Investigation ................................................................................................................ 247
7.1. DNS .................................................................................................................. 247
7.1.1. DNS Widgets ......................................................................................... 248
7.2. Baselines .......................................................................................................... 249
7.2.1. Baseline List Filters ................................................................................ 250
7.2.2. Baseline Filters in Advanced Options .................................................... 251
7.2.2.1. Baseline Profiles of Virtual Zones ............................................... 252
7.2.3. Working with Baseline Values ................................................................ 252
7.2.3.1. Displaying Time-Aggregated Baseline Values ............................ 253
7.2.3.2. Displaying Detailed Baseline Values ........................................... 254
7.3. OT Audit ............................................................................................................ 258
7.4. Process Values ................................................................................................. 260
7.4.1. Prerequisites and Protocol Details ......................................................... 260
7.4.2. Display According to Access Types ....................................................... 261
7.4.3. Viewing Process Values ......................................................................... 261
7.4.3.1. Tags That Have No Tracking .................................................... 263
7.4.4. Tracking Configuration ........................................................................... 264
7.4.4.1. Tracking Modes ........................................................................... 264
7.4.4.2. Access Types (only for Detailed Tracking) .................................. 266
7.4.5. Process Value Graph ............................................................................. 267
7.4.6. Summary Tracking Mode ....................................................................... 268
7.4.6.1. General Information .................................................................... 270
7.4.6.2. Tag Information ........................................................................... 270
7.4.6.3. Statistics Information ................................................................... 270
7.4.6.4. Source Assets ............................................................................. 271
7.4.7. Detailed Tracking Mode ......................................................................... 271
7.4.7.1. Value Information ........................................................................ 271
7.4.8. Resetting Statistics ................................................................................ 273
7.5. Network Sessions ............................................................................................. 274
7.6. Protocol Summary ............................................................................................ 275

8. Management Tools ...................................................................................................... 277
8.1. Customizing Overviews .................................................................................... 277
8.1.1. Editing an Overview ............................................................................... 277
8.1.2. Creating a Private Custom Overview ..................................................... 278
8.1.3. Working with Widgets ............................................................................ 279
8.1.4. Adding a Predefined Widget .................................................................. 280
8.1.5. Creating a Custom Widget ..................................................................... 281
8.1.5.1. CTD Query Language (CQL) ...................................................... 286
8.1.6. Deleting a Custom Widget ..................................................................... 287
8.1.7. Example - Creating an “OT Assets by Vendor” Widget and Adding it to an Overview ..................................................................................................... 289
8.1.7.1. Create the Widget ....................................................................... 289
8.1.7.2. Add the Widget to the Visibility Overview .................................... 291
8.2. Setting the Homepage ...................................................................................... 293
8.3. Activity Log ....................................................................................................... 294
8.3.1. Opening the Activity Log ........................................................................ 294
8.3.2. Activity Log Details ................................................................................. 295
8.3.3. Filtering, Searching, and Sorting the Activity Log .................................. 295
8.3.4. Activity Log Retention Period ................................................................. 296
8.3.5. Supported Activities - Categories and Actions ....................................... 296
8.3.6. Details of Activity Logging ...................................................................... 301
8.3.6.1. Failed Logins in the Activity Log ................................................. 301
8.3.6.2. Custom Attributes in the Activity Log .......................................... 301

9. Reports ........................................................................................................................ 302
9.1. About Reports ................................................................................................... 302
9.1.1. Reports in EMC-Managed and Standalone Sites .................................. 302
9.2. Prerequisite for Sharing Reports ...................................................................... 303
9.3. About Role-Based Access for Reports ............................................................. 303
9.4. Creating Table Reports ..................................................................................... 304
9.4.1. Download the Report Immediately ......................................................... 304
9.4.2. Schedule a Report ................................................................................. 305
9.5. About the Reports Editor .................................................................................. 308
9.5.1. Opening the Reports Editor ................................................................... 308
9.5.2. Parts of the Reports Editor ..................................................................... 308
9.5.3. Creating a Widget Report ...................................................................... 309
9.5.3.1. Adding Widgets to a Report ........................................................ 313
9.5.4. Editing a Widget Report ......................................................................... 314
9.5.4.1. About Global and Local Filtering of Widget Data ........................ 316
9.5.4.2. Copying a Widget ........................................................................ 317
9.5.4.3. Editing a Widget .......................................................................... 318
9.5.5. Predefined Widget Catalog .................................................................... 318
9.6. About the Reports Library ................................................................................. 320
9.6.1. Reports Library - Widget Reports .......................................................... 320
9.6.1.1. Opening the Reports Library ....................................................... 320
9.6.1.2. About Predefined Widget Reports .............................................. 321
9.6.1.3. Report Library Details - Widget Reports ..................................... 322
9.6.1.4. Filtering, Searching, and Sorting the Report Library ................... 323
9.6.1.5. Changing the Scheduling Settings for a Report .......................... 323
9.6.1.6. Making a Copy of a Report ......................................................... 324


9.6.1.7. Editing a Widget Report .............................................................. 325
9.6.1.8. Deleting a Custom Report ........................................................... 325
9.6.1.9. Risk Assessment Report ............................................................. 325
9.6.2. Reports Library - Table Reports ............................................................. 326
9.6.2.1. Opening the Reports Library ....................................................... 326
9.6.2.2. About Predefined Table Reports ................................................. 327
9.6.2.3. Filtering, Searching, and Sorting the Report Library ................... 328
9.6.2.4. Report Library Details - Table Reports ........................................ 329
9.6.2.5. Making a Copy of a Report ......................................................... 329
9.6.2.6. Deleting a Custom Report ........................................................... 329
9.6.2.7. Changing the Scheduling Settings for a Report .......................... 330
9.7. About Scheduled Reports ................................................................................. 331
9.7.1. Opening the Scheduled Reports Page .................................................. 331
9.7.2. Scheduled Report Details ...................................................................... 331
9.7.3. Filtering, Searching, and Sorting the Scheduled Reports List ............... 332
9.7.4. Changing the Scheduling Settings for a Report ..................................... 332

10. Terminology ............................................................................................................... 334
10.1. Terminology .................................................................................................... 334


To view the most updated version of this document, visit docs.claroty.com


1. About CTD

1.1. Key Benefits


Customers can quickly detect industrial operations risk, enhance cyber resiliency, and minimize
unplanned downtime. CTD prevents damage to physical processes and industrial equipment, and
prevents injury or death. It reduces management costs because it can be quickly deployed and
scaled across multiple sites.

CTD has built-in integration with:

• SIEM systems
• Log management systems
• Asset management systems
• Ticketing systems.

The integration of CTD with existing security tools provides Security Operations Center (SOC)
teams with real-time alerts and threat hunting capabilities. Its visibility features improve network
segmentation. Security Operators monitor the industrial network and can identify network
vulnerabilities. This saves time and improves cyber resiliency.

1.1.1. Visibility with Active and Passive Methods


With both active and passive methods, CTD offers visibility of assets within minutes. It passively
reads network communications without interfering with operations or industrial processes, and it
can also actively query devices directly for additional visibility details. CTD displays the assets
and asset architecture on the web interface dashboard.

In the active mode, CTD uses active querying for asset information. CTD scans and performs
queries of the assets. CTD’s Active solution is detailed in the CTD Reference Guide: Active
Detection.

When passively sniffing the network, mapping it, and gathering information, CTD identifies
and exposes security threats. CTD establishes a baseline of normal network behavior (a “baseline”)
by examining network communication through a Switched Port Analyzer (SPAN) port, and uses
that baseline to separate valid communication from security threats.


With Deep Packet Inspection (DPI), CTD identifies:

• The specific assets on the network


• The lines of asset communication
• Communication timing
• Protocols between assets
• The types of commands and registers used
• The values of valid responses.

Baselines may be changed if required.

CTD closely inspects every network communication and collects all events to identify a possible
threat. All related events go into a single alert that notifies you of a possible threat to the process,
such as an operational anomaly or a security attack. One alert per threat rather than one alert
per event avoids alert overload.

You can then assign, address, and handle the alert.
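As an added illustration of the baseline-and-deviation idea described above (example code written for this guide's reader, not Claroty's implementation; the traffic records, field names and the three deviation categories are constructed assumptions), the following Python builds a baseline from training-mode traffic, flags operational-mode flows that deviate from it, and folds related events into one alert so that a multi-register write is reported once rather than once per packet:

```python
"""
Added illustration (not Claroty code): build a communication baseline from
passively observed OT traffic, flag deviations, and fold related deviations
into a single alert.  All traffic records are constructed sample data; the
field names and deviation categories are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One observed request, as a protocol dissector might summarise it."""
    src: str
    dst: str
    protocol: str
    command: str    # e.g. a Modbus function name
    register: int   # register or tag address touched by the command


@dataclass
class Alert:
    """One alert covering every related event between the same two assets."""
    kind: str
    src: str
    dst: str
    events: list = field(default_factory=list)


# Constructed training-mode traffic: an HMI (10.0.1.10) polls a PLC
# (10.0.1.20) over Modbus and an engineering station (10.0.1.30)
# reads a diagnostics register.  Addresses are placeholders.
TRAINING = [
    Flow("10.0.1.10", "10.0.1.20", "modbus", "read_holding_registers", 100),
    Flow("10.0.1.10", "10.0.1.20", "modbus", "read_holding_registers", 101),
    Flow("10.0.1.30", "10.0.1.20", "modbus", "read_holding_registers", 500),
]

# Constructed operational-mode traffic with three kinds of deviation.
OPERATIONAL = [
    Flow("10.0.1.10", "10.0.1.20", "modbus", "read_holding_registers", 100),  # in baseline
    Flow("10.0.1.30", "10.0.1.20", "modbus", "write_single_register", 100),   # new command
    Flow("10.0.1.30", "10.0.1.20", "modbus", "write_single_register", 101),   # same threat
    Flow("10.0.1.99", "10.0.1.20", "modbus", "read_holding_registers", 100),  # unknown asset
    Flow("10.0.1.10", "10.0.1.20", "s7comm", "read_var", 1),                  # new protocol
]


def learn_baseline(flows):
    """Return the set of (src, dst, protocol, command, register) tuples seen
    during training, plus the set of assets that took part in them."""
    baseline = set()
    assets = set()
    for f in flows:
        baseline.add((f.src, f.dst, f.protocol, f.command, f.register))
        assets.update((f.src, f.dst))
    return baseline, assets


def classify(flow, baseline, assets):
    """Name the deviation a flow represents, or None if it is in the baseline.
    Checks run from the coarsest (unknown asset) to the finest (new command)."""
    if (flow.src, flow.dst, flow.protocol, flow.command, flow.register) in baseline:
        return None
    if flow.src not in assets or flow.dst not in assets:
        return "new_asset"
    known_protocols = {b[2] for b in baseline if (b[0], b[1]) == (flow.src, flow.dst)}
    if flow.protocol not in known_protocols:
        return "new_protocol"
    return "new_command"


def detect(flows, baseline, assets):
    """Classify every flow and group all events of one kind between the same
    pair of assets into a single Alert, so a multi-register write surfaces
    once rather than once per packet."""
    grouped = {}
    for f in flows:
        kind = classify(f, baseline, assets)
        if kind is None:
            continue
        key = (kind, f.src, f.dst)
        grouped.setdefault(key, Alert(kind, f.src, f.dst)).events.append(f)
    return list(grouped.values())


def run_example():
    """Return {alert kind: number of events folded into it} for the sample data."""
    baseline, assets = learn_baseline(TRAINING)
    return {a.kind: len(a.events) for a in detect(OPERATIONAL, baseline, assets)}


if __name__ == "__main__":
    baseline, assets = learn_baseline(TRAINING)
    for alert in detect(OPERATIONAL, baseline, assets):
        print(f"{alert.kind}: {alert.src} -> {alert.dst} ({len(alert.events)} events)")
```

The grouping key in detect() is the part worth noticing: five operational flows produce three alerts, because the two write events from the same engineering station to the same PLC are one threat, not two. A real deployment would add timing and value checks to the baseline tuple, which the same structure accommodates.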

1.1.2. Root Cause Analytics and ML Algorithm


Root cause analytics (RCA) examines each alert based on:

• Claroty’s machine learning (ML) algorithms


• Indicators
• User preferences.

RCA reduces noise and presents the user with relevant data as alerts.

The ML algorithm distinguishes legitimate minor events from alerts that are a risk to the
environment. Every change is logged in the system and classified as an event, but only
the highest alerts are shown to the end-user. These alerts are enriched by Claroty’s Threat
Intelligence (CTI). Risk-based indicators and a proprietary scoring index prioritize these ML-
generated alerts within an end-user’s queue. Alerting sensitivity is customizable to suit
different organizations’ risk acceptance criteria.


1.2. Architecture
CTD’s scalable architecture supports a variety of hierarchies and use cases:

Figure 1. CTD Architecture

CTD can be configured as a simple standalone server or in a distributed model where lower
components are connected to an Enterprise Management Console (EMC). It can accommodate
widely geographically dispersed environments with a sizable number of assets across multiple
remote sites. It can also be configured to support installations in extreme environments across
isolated sites that have low network bandwidth or satellite connectivity.

The CTD solution is made up of several components. A CTD Server is located at each site and
performs sniffing and Deep Packet Inspection (DPI). The CTD Server is connected through a
SPAN port to sniff the network. Additionally, for isolated network segments, one or more CTD
Sensors may be used to collect and process network traffic and send it to the CTD Server
for incorporation into its database. Information from all CTD Servers is sent to the Enterprise
Management Console. The EMC gathers all the relevant information and displays the security
posture of all sites.


1.3. Scalability
CTD is designed with scalable architecture to support deployments in environments across
multiple remote sites – often in extreme environmental conditions.

CTD can be configured with

• sensors with limited computing power


• a smaller physical footprint
• virtual environments
• specific scenarios requiring communication over low bandwidth networks.

CTD supports deployments in refineries, power generation, electric transmission grids, oil and
gas pipelines, and manufacturing. This unique architecture can be deployed at large, distributed
installations, monitoring thousands of devices.

1.4. CTD Server


The CTD Server, also called the CTD Site, is a physical or virtual server that provides real-time
cybersecurity and visibility of industrial control networks within distributed network environments
and architectures. It exists at each location and is the only mandatory component. Other
components are required depending on the use case and type of implementation.

1.4.1. DPI Processing


The CTD Server performs the DPI processing as follows:

Figure 2. Processes in the CTD Server

The CTD Server performs:


• Sniffing
• Dissection
• Processing
• Correlation
• Visualization

CTD collects all the data in the network and builds the asset inventory. Based on what the
system learned, it creates security and integrity alerts, such as policy deviations.

It creates a risk assessment report with all the risks and analysis of the network, including:

• Unsecure protocols
• Unpatched vulnerabilities
• Open alerts
• Protocol distribution

1.4.2. Distributed Configuration


Alternatively, it is possible to split the work done by the CTD Server into distributed
components (including CTD Sensor and CTD Sensor Lite), each located in different areas
but all communicating to a CTD Server. The CTD server performs correlation and visualization
functions.

The distributed configuration is useful for assets not accessible to a CTD Server, or to balance
the load on a single CTD Server.

1.5. Enterprise Management Console (EMC)


The Enterprise Management Console (EMC) is CTD’s central appliance, usually located at the
Security Operations Center (SOC) or in the corporate site. It displays information collected from
all CTD sites on its web interface.

It displays the:

• network diagram
• statistics


• alerts for each site.

The EMC interface provides a global dashboard that consolidates data from multiple sites,
showing their:

• Assets
• Activities
• Alerts
• Access requests

The EMC also manages the CTD Servers, like upgrading the CTD application on the CTD
Servers and if present, their attached CTD Sensors.

The EMC is versatile and integrates with:

• SIEM solutions
• Firewalls
• Active Directory
• SMTP servers

1.6. CTD Sensor

A CTD Sensor component performs sniffing, dissection, and part of the processing. To lower the
bandwidth required to the CTD server, the CTD sensor sends only anomalies, new assets, and
other types of metadata to the CTD server.

The CTD Sensor operates as a remote extension of the CTD Server. It is used in sites
with limited physical connectivity or across multiple remote sites with limited out-of-band
aggregation.

In addition to passive data monitoring, the CTD Sensor is also capable of performing all of the
active queries available in CTD through the normal connection between sensor and site. This
allows for active queries deeper in the environment, without needing complicated firewall or
routing rules between the site and sensor.


Figure 3. Processes in the CTD Sensor

1.7. CTD Sensor Lite


The CTD Sensor Lite performs only sniffing and initial compression (typically 50% compression)
of the sniffed packets. It does not create alerts or build the asset inventory. It sends the sniffed
information to the CTD Server for dissection and processing. CTD Sensor Lite is designed
primarily for use cases in which a minimal hardware footprint is required.

Figure 4. Processes in the CTD Sensor Lite

1.8. Claroty Edge


The Claroty Edge program is a Windows-based executable that is designed to identify, query,
and dissect data for local IT, OT, and IoT assets. It performs queries and dissection on local
Windows data and nearby network devices, and then sends the output of this to the CTD server
for processing, correlation, and visualization.

Figure 5. Processes in Claroty Edge

These capabilities extend even to networks that are fully air-gapped, remote, composed of
outsourced infrastructure, operated by third-parties, and/or have other characteristics that have
rendered them incompatible with traditional industrial cybersecurity solutions.


2. CTD Interface

2.1. CTD Interface


CTD provides

• extreme visibility
• continuous threat and vulnerability monitoring
• deep insights into ICS networks.

It was designed to ensure safe, secure, and reliable operations in large, complex industrial
networks – ensuring zero impact to the operational processes and improved cyber resiliency.

CTD:

• extracts precise details about each asset on the industrial network


• profiles all communications and protocols
• generates a behavioral baseline of legitimate traffic.

It alerts you to

• network changes
• vulnerabilities
• threats.

The alerts the system generates provide the context you need to investigate and respond
quickly.

2.2. Login
You can log into CTD using either a username and password or SAML Authentication.

1. Enter the username and password provided by your Administrator, and click Log In:


Figure 6. CTD Login Screen

2. If your Administrator enabled a SAML login for you, click the SAML AUTHENTICATION
button.

Figure 7. SAML Login

The Dashboard appears:


Figure 8. CTD Dashboard

2.3. Dashboard

The CTD Dashboard provides an at-a-glance assessment of key information for the entire
enterprise or for an individual site. (When selecting a specific site from the EMC, the Dashboard
displayed is the same as when viewed from the CTD Site directly.)

The Dashboard appears by default when logging into the system, unless configured differently
in your environment. It can be accessed at any time by clicking Dashboard in the Main Menu.


Figure 9. CTD Dashboard

The Dashboard consists of 7 widgets that emphasize real-time characteristics for the entire
enterprise or an individual site for the last day, week, month, year, or selected date range.

Note
The Year option is not available for high-scale installations of 50 or more Sites.


Table 1. Dashboard Widgets

Widget: Hygiene Score
Description: Shows the current cumulative risk level posed to the system. This score comprises
the critical security insights, CVEs, and anomalies that were detected, as well as how many
critical assets were identified. A low score indicates that the system is highly vulnerable to
attacks. To improve the Hygiene Score, see Improving the Hygiene Score.
Action: Click the "Improve your score with Insights" link to open the Insights page.

Widget: Hygiene Score Trend
Description: Shows the Hygiene Score of the system as a trend over time. It is displayed as a
line graph and a percentage of change. Use the time selector to choose the time period.
Action: Hover over any point on the graph to view the Hygiene Score on that day.

Widget: Alerts by Severity
Description: Bar graph that shows the number and severity of alerts for a selected time period.
The colors in a bar indicate the severity of the alerts: Critical - red, High - orange, Medium -
yellow, Low - grey. Use the time selector to choose the time period.
Action: Hover over a bar to view a breakdown of the alerts it represents by count and severity.
Click a bar to open the Alerts page sorted for the time period the bar represents.

Widget: Asset Counts
Description: Shows counts of the enterprise/site's Total, IT, OT, and IoT assets.
Action: Click a count to view the Assets list filtered for the asset type.

Widget: Top Vulnerable Sites by Severity (EMC Only)
Description: Shows the volume of top enterprise vulnerable assets, sorted per Site and per
Severity level (High, Medium, and Low).
Action: Hover over each Site's bar to view the Severity breakdown. Click the bar to open the
Site's Insights page.

Widget: Asset Insights by Severity (Site Only)
Description: Shows the volume of top vulnerable assets per site, sorted per Severity level.
Action: Hover over a severity level bar to view the number of Insights of that severity. Click the
bar to open the Insights page filtered for that severity.

Widget: Top Insights
Description: Derived from your entire security posture and producing a holistic picture and risk
assessment, this widget lists the top 20 Insights. The colored symbol to the left of the Insight
indicates its criticality: High - red, Medium - yellow, Low - grey.
Action: Hover over an Insight for more details. Click the Insight to open the Insights page and
drill down further to the information contained in the Insight.

Widget: Recent High & Critical Alerts
Description: Lists up to 25 of the most recent High and Critical alerts. The colored symbol to
the left of the alert indicates its alert score and severity: Critical - red, High - orange.
Action: Hover over an alert for more details. Click the alert to open its Alert Details page.

2.4. Enterprise Overview

The EMC Enterprise Overview offers overview information for each Site in the enterprise and
enables you to quickly dig deeper as needed. You can view enterprise-wide and site-specific
information, and search and filter for specific sites.

To access the Enterprise Overview, select Enterprise Overview in the main menu.

Figure 10. Enterprise Overview

2.4.1. Site Statistics


The top bar provides statistics aggregated from all the Sites in the enterprise, including the
number of:

• Disconnected sites


• Sites that need to be updated


• Total number of Assets in the enterprise
• System-wide process integrity alerts
• System-wide security event alerts

2.4.2. Filter By
To show information for specific sites, the following options are available:

• Search - To search for a specific site in the enterprise, type part or all of the site name and
press <Enter>.
• Status - To filter the list for disconnected or connected sites, select Disconnected or
Connected in the drop-down list.

2.4.3. Site Information


Each window displays the following data for its site:

Figure 11. Enterprise Overview - Site Information


1. Site name - Click the link to open the site's Assets list.
2. Site IP address
3. CTD version number - Indicates the current version number of the Site and whether or not
it is aligned with the EMC.
• Aligned with the EMC -
• Not aligned with the EMC -
4. Training Mode indicator (does not appear when in Operational Mode)
5. Connection status - Indicates whether the Site is Connected or Disconnected from the
network.
6. Process Integrity - Total number of process integrity alerts. Click to open the site's Alerts
page, filtered for process integrity alerts.
7. Security Events - Total number of security alerts. Click to open the site's Alerts page,
filtered for security alerts.
8. Assets - Total number of assets. Click the link to open the site's Assets list.
9. Site Graphic - Each site in the Enterprise can be represented by a different graphic image.
To change this image, see Changing the Site Graphic.

2.4.4. Changing the Site Graphic


You can customize the graphic displayed for each Site in the Enterprise Overview. This can help
you quickly identify individual sites or groups of sites.

For example, you might want each site in a manufacturing line or in a certain time zone to have
the same image. Or you might want each site to have a unique image.

Note
The change is made per Site.

To change the Site graphic, do the following:

1. In the EMC, navigate to Settings > Management > Site Management.


The Site Management page opens.


Figure 12. Site Management

2. If needed, use the Site Name box to search for the Site whose graphic you want to change.
3. In the Site's Actions column, click the camera icon.
4. Browse to the location of the graphic file and upload it.
A success message is displayed and the graphic appears in the Enterprise Overview.

2.5. Time and Date Display


Throughout CTD, dates and times are displayed as follows:

• Dates are displayed in the format DD MMM YYYY; for example, 10 Dec 2020.
• Time is displayed in the 24-hour format; for example: 03:00, 15:00.


3. Navigating the Interface

3.1. Navigating the Interface

CTD is based on a hierarchical navigation system that supports finding and navigating to
specific information or configurations down to a desired page. Instead of needing to recall the
exact hierarchy of a page in the system, you can simply search for it.

This is especially helpful if your role and responsibilities require you to use different parts of
CTD at different times.

This navigation system, from which all CTD pages can be accessed, includes:

• A hierarchical menu, structured according to the core CTD focus areas: Threat Detection,
Risk and Vulnerability, Investigation, Visibility, and System Settings
• Quick page search and navigation
• A Navigation Path for clear indication of your location
• The option to show or hide the menu to save screen space for the main content

Note
When a new version of CTD becomes available, a banner appears at the top of the page
with a brief description of a new feature and the option to learn more by clicking a link.
Click the X on the banner to close it.

To disable this feature, contact Claroty Support.

3.2. Main CTD Menu

Click the three-line menu icon on the top left corner of the interface to hide the Main Menu
for the CTD Platform. Click again to show it.


Enterprise Overview – A high-level overview for all multi-site deployments.
Relevant only for Admins. Available on the EMC only. See Enterprise Overview.
Dashboard – Provides an overview of the network with dynamic graphs and metrics;
see Dashboard.
Visibility – Gives comprehensive visibility of assets and their exposures.
Risk & Vulnerabilities – Identifies which aspects of the network can be fortified to
achieve a more robust network architecture and enhance protection of the system.
Threat Detection – Used to identify threats early in their process. Relying on
its in-depth knowledge of protocols, configuration, and communication flows, the
system identifies known threat attacks and zero-day attacks as well as ones with
sophisticated OT payloads.
Investigation – Used to investigate alerts or events in the network. Gives deeper
visibility and tools for understanding the network and its behavior.
Reports – Enables you to create rich graphical and textual reports that meet the
needs of multiple stakeholders in your enterprise. It also contains a large collection
of Claroty-created reports that can be used as-is or copied and then modified for
various needs. See About Reports.

(Settings) – Primarily used for Admins to set up and customize CTD features as
needed.

3.3. Search in Menu


The search window in the top left corner of the screen makes navigating CTD easy. Type the
name of any CTD page, or part of it, and as you type, any matched results are highlighted and
clickable as shown below.


Figure 13. Searching in the Menu

3.3.1. Search Keyboard Shortcut


You can open the search window from anywhere in CTD by pressing Ctrl+/.

3.4. Activity Bar

3.4.1. Activity Bar


After you log in, the Activity Bar appears at the top of your screen:

The Activity Bar consists of the following parts:

1. Hide/Show Main Menu – Click to hide or show the Main Menu and search window.
2. Site Selector – For sites connected to an EMC, enables you to view and perform CTD
functions on an individual site or on all sites collectively.
3. Navigation Path – Indicates where in the CTD navigational hierarchy you are. Underlined
items in the path indicate a table.


(In the example, you are currently viewing the details of Event #1. Clicking Alerts in the
path brings you one level up to the entire Alerts list).
4. Site Syncing - When the site is syncing with the EMC, the Site Syncing indicator displays
on both the site and the EMC.
While the sync is occurring, you might notice temporary discrepancies between the site and
EMC data.
5. System Mode – (Site only) When the system is in Training Mode, the Training indicator
displays.
6. Logged-in User Menu – Opens a menu for viewing and performing functions related to the
logged-in user.

3.4.2. Site Selector and Search

Note
This drop-down menu and search are only available when connected to an EMC.

Figure 14. Site Selector and Site Search

• Depending on your configuration, expand the site selector dropdown to select:
  • The EMC, showing data for all sites in one display
  • An individual site
• For organizations with many sites, use the Site Name search to find a specific site.


3.4.3. Logged-in User Menu


Clicking your Username opens this menu, displaying the details of your login history and other
options, including:


Figure 15. Login, Time Zone, Password, and Sign-Out Controls


• CTD Version – Currently-installed version and update of CTD


• Last Login - Displays your last login date and time
• Failed Logins - The number of failed logins
• Last Failed Login - The date and time of the last failed login
• Change Language - Shows the current display language of the CTD menu. To change the
display language, click Change Language and select the desired language.

Figure 16. Change Language Dialog

Supported languages: English, French, German, Italian, Japanese, Korean, Portuguese,
Spanish
• API Explorer (Admin user only) – Click API Explorer to open the API documentation.
• Change Time Zone – For managing Sites in a time zone different from where you are
physically located. See Changing the Time Zone.


Figure 17. Change Time Zone Dialog

• Change Password – Reset your password. The Change Password popup opens, and you
need to provide your correct current password and your new password:


Figure 18. Change Password Dialog

• Sign Out – Click to exit your session.

3.4.4. Changing the Time Zone


Enterprises often manage Sites across multiple time zones and need to view the time locally for
each Site.

You can set the time zone for the Site either according to the country/city in which it is located,
or by its GMT+offset. (GMT+offset is not affected by daylight saving time definitions).

This setting affects only the time zone you see in your browser. Each user can set a different
time zone, while the browser time zone is the Default.

To change the time zone:

1. In the Logged-in User Menu, click Change Time Zone.


The Change Time Zone dialog opens.


Figure 19. Selecting the Site Time Zone by Country/City

2. Select the Time Zone Method.


3. Select the time zone from the Time Zone By drop-down list.
4. Click Save.

Note
After changing the time zone, refresh your browser window to see the updated time.

3.5. Browser Back Navigation


You can use the browser’s back button to navigate to the previous page.

Note
Internal page changes are not considered for back navigation.


4. Visibility

4.1. Visibility Overview

4.1.1. Visibility Overview


The Visibility Overview displays CTD’s comprehensive visibility of assets and exposures. It
allows users to create customized widgets as needed, presenting extreme visibility into your
network. CTD manages the assets by monitoring traffic and collecting data passively, actively,
through the CTD Edge component, and via the Project Files parser. The Visibility tools reveal
the entire OT, IT, and IoT inventories in the environment, throughout all layers of the network.
They enable deep visibility into the ICS assets, including down to the card/rack slot data where
applicable.

The Visibility widgets present the network topology showing the assets and the network
analytics. Network-based diagrams show the communication patterns and dataflows. They
follow the Purdue model, at both line and plant level, depending on the deployment
architecture. Users can use them to identify all the details of the individual components,
as well as their operating systems, firmware, device classifications, and more. Potential
misconfiguration issues are flagged quickly. By automatically clustering assets and baselines
into virtual zones, users have the advantage of managing them more effectively.

4.1.2. Site Visibility Overview


To access the Visibility Overview for a site:

• In the Main Menu, select the site from the Site Selector and click Visibility > Overview.
The Visibility Overview appears as follows:


1. Use the Time Frame Selector to display information based on the time period of your
preference (day/week/month/year/date range). All widgets described below represent the
results per the selected duration.

4.1.2.1. Site Visibility Widgets

2. Visibility Info Bar – Displays the total assets, zones, IT/OT/IoT assets, new assets and
inactive assets.
3. Discovered Assets – Displays the breakdown of prominent assets discovered, subdivided
into asset types: OT, IT, External, Broadcast/Multicast, Ghosts, etc.
4. IT vs OT Policies – This widget presents bar graphs of IT vs. OT policies.
5. Asset Breakdown: Types – Pie chart showing each asset breakdown per asset Type.
6. OT Assets Distribution – The breakdown of the OT assets per type (e.g. PLC, HMI,
Engineering Station).
7. IT Assets Distribution – The breakdown of the IT assets per type (e.g. Endpoint, Printer,
Networking).
8. IoT Assets Distribution – The breakdown of the IoT assets per type (e.g. Camera, VOIP
Phone).
9. DNS Queries Over Time – A time graph of the number of DNS queries that have occurred.
10. Most Frequent DNS Queries – Provides a listing of the most frequent DNS Queries and
how often each has occurred.
11. Most Common Domain Names by Assets – Provides a listing of the most frequent DNS
Queries and how often each has occurred.
12. Network Analytics – Graph of bandwidth breakdown per most prevalent protocols.
13. Summary – A count of OT Assets, OT Operations, and Write and Execute type OT
Operations.
14. OT Operations by type – Breaks down the number of alerts for each type of OT operation.
15. Latest OT Operation – Lists the top 10 most recent OT asset alerts.
16. Top Assets by Process Value Requests – Lists the top 10 assets with the highest
Read/Publish or Write counts.

Note
These Visibility breakdown widgets are not affected by the timeframe. Clicking on any
portion of the pie chart leads you to the corresponding filtered list view of the Asset Page.

4.1.3. EMC Visibility Overview


To access the EMC Visibility Overview:

• In the Main Menu, select EMC from the Site Selector and click Visibility > Overview.
The EMC Visibility Overview appears as follows:

Use the Time Frame Selector to display information based on the time period of your
preference (day/week/month/year/date range). All widgets described below represent the results
per the selected duration.

4.1.3.1. EMC Visibility Widgets

1. Visibility Info Bar – Displays the total assets, IT/OT/IoT assets, new assets and inactive
assets across all sites.
2. Discovered Assets – Displays the breakdown of prominent assets discovered, subdivided
into asset types: OT, IT, External, Broadcast/Multicast, Ghosts, etc. across all sites.
3. Number of Assets – Shows the total number of assets per site.
4. Sites with the Largest Amount of Assets – Displays up to 10 sites with the largest
number of assets, subdivided into asset types: OT, IT, External, Broadcast/Multicast,
Ghosts, etc. One vertical bar graph is shown per site, with a color legend for distinguishing
the most prominent types of assets in each site.
5. IT vs OT Policies – Shows horizontal bar graphs of IT vs. OT policies per site.
6. Asset Breakdown: Types – Pie chart showing the asset breakdown per asset Type per
site. Use the < and > arrows to navigate to the previous or next site.
7. Asset Breakdown: Zones – Pie chart showing each asset breakdown per asset Zone per
site. Use the arrows to navigate to the other sites.
8. Asset Breakdown: Subnets – Pie chart showing each asset breakdown per asset Subnet
per site. Use the arrows to navigate to the other sites.

Note
These Visibility breakdown widgets are not affected by the timeframe. Clicking on any
portion of the pie chart leads you to the corresponding filtered Asset Page.

9. OT Asset Distribution by Site - The breakdown of the OT assets per type (e.g. PLC, HMI,
Engineering Station).
10. IT Asset Distribution by Site – The breakdown of the IT assets per type (e.g. Endpoint,
Printer, Networking) per site.
11. IoT Asset Distribution by Site – The breakdown of the IoT assets per type (e.g. Camera,
VOIP Phone) per site.

12. Summary – A count of OT Assets, OT Operations, and Write and Execute type OT
Operations.
13. OT Operations by type – Breaks down the number of alerts for each type of OT operation.
14. Latest OT Operation – Lists the top 10 most recent OT asset alerts.

4.2. About Assets and Views

4.2.1. Assets
You can manage your asset inventory from the Assets page.

To access the Assets page, click Visibility > Assets from the Main Menu.

This page enables monitoring of network and asset information, activities, and statuses. You
can view operational statistics, baseline details, and your asset inventory. You can follow the
asset’s alerts, activities, and statuses.

Any filters that you set apply to each viewing mode:

• Layered Topology View – The Layered Topology View divides all assets into Purdue model
levels, showing the connections between assets. The lines that connect the assets represent
the communication between them.
• List View – The List View displays a customizable table of all assets, divided into
configurable fields.
• Network Topology View – The Network Topology View visualizes all assets that are currently
filtered and positions them by the communication between them. Assets that communicate with
each other are shown closer together.

4.2.2. List View


To access the Assets List view:

• Navigate to Visibility > Assets in the Main Menu. The List view is displayed as follows:

Figure 22. Assets - List View

The Assets table displays the following columns by default:

• Name – Asset name
• IP – IP address
• MAC – MAC address
• Class – IT, OT, or IoT
• Type – Endpoint, Broadcast, PLC, HMI, etc.
• Vendor – Name of the equipment vendor
• Criticality – Low, Medium, or High. These values represent how critical the asset itself is to
the operation. CTD assigns criticality automatically to certain types of assets but enables you
to edit the value in the list and on the Asset Page.
• Risk Level – Calculated level of risk that the asset poses to the system: Critical, High,
Medium, or Low
• First Seen – Date and time the asset was first detected
• Last Seen – Date and time the asset was last detected

Additional columns, accessed through More > Select Columns, include:

• Active Queries – Active Detection Queries associated with the asset
• Discovered by – Method used to discover the asset, such as Profinet scan or WMI ping
• Site – CTD site
• Address – Device address
• Hostname
• Purdue Level
• Operating System
• Firmware
• Model
• Virtual Zone
• Serial Number
• Parsed Asset – Indicates that the asset was imported by parsing configuration project files in
Project Files
• Network
• Protocols – Communication protocols used by the asset
• Vlan
• Mode – PLC operating mode
• Tag – Subnet tag associated with the asset
• Subnet Type – External, Internal, or Out of Scope
• Custom Information – Additional information about the asset
• Display Name – Alternate name given to asset after discovery
• Domain/Workgroup
• Default Gateway
• Edge Host Last Run – If this asset executed Claroty Edge, the date that Edge was last
executed
• Edge Host ID – ID of the Claroty Edge that discovered the asset
• Seen by Edge ID – IDs of all Edge Hosts that discovered the asset
• Seen by Edge – Yes if the asset was seen by Edge or is the host; otherwise No
• Last Seen by Edge – The most recent date/time that the asset was seen by Edge. If the asset
was discovered by different Edge methods, the date/time of the most recent discovery is
displayed.
• Installed Antivirus
• Interface Source - The interface from which the asset was viewed, displayed as interface
name (Site or Sensor name), for example, tunl0 (Site 1). For further details, see
Asset Interface Source.

4.2.3. Layered Topology View


To access the Assets - Layered Topology view:

1. In the Main Menu, click Visibility > Assets. The Asset View page opens.
2. Click the Layered Topology View icon.

Figure 23. Asset View - Layered Topology

4.2.4. Network Topology View


The Network Topology View shows the connectivity between assets, as well as communication
directions.

To access Network Topology View:

1. In the Main Menu, navigate to Visibility > Assets.
2. Click the Network Topology View icon.

Here is Network Topology View, filtered to display only endpoints.

Figure 24. Asset View – Network Topology: Filtered for Endpoints

4.2.5. Asset Classes


An asset class indicates whether the asset is essentially an IT device, an OT device such as
those in an industrial network, or an Internet of Things (IoT) asset.

This property can be used throughout the system to distinguish between various types of
assets, e.g. to create asset inventory filters, widgets, reports, and exports. CTD derives the
Class from the communications or protocols used.

To view the asset Class column:

• Open the Assets page by selecting Visibility > Assets.

Figure 25. Asset Classes

4.2.6. Asset Types


CTD sniffs packets from the network, analyzes them, and extracts information using Deep
Packet Inspection (DPI).

The following Device Types are identified from the traffic:

• PLCs
• HMIs
• Remote I/Os
• Engineering Stations
• OPC-Servers
• OTs
• Gateways

Some additional asset types CTD identifies include networking assets, printer assets, and
endpoint assets. CTD classifies an asset as a networking asset based on its use of the STP
protocol, as extracted by the protocol dissectors. CTD identifies the Printer asset type from the
specific SNMP queries performed on the asset. When no asset type can be readily identified,
CTD classifies the asset as an endpoint. CTD assigns each asset a specific type, which can
be edited.

To see the asset types:

1. Click Visibility > Assets.
2. Go to the Layered Topology or Network Topology view.
3. Click the Asset Type Legend icon.

Table 2. Asset Types and Symbols

Access Control        Gateway                     Printer
Access Point          GPS Device                  Robot
Autonomous Vehicle    Historian                   Router
Camera                HMI                         RTU
Controller            IED                         SCADA Client
Data Logger           Nested Devices/Remote IO    SCADA Server
Domain Controller     Networking/Scan             Switch
Endpoint              OPC-Server                  UPS
Engineering Station   OT                          Video Recorder
File Server           PLC                         VOIP Phone

Refer to the CTD Reference Guide: Supported Asset Types for the full list of Supported Asset
Types.

4.2.7. Auto-Calculation of Subnets


CTD automatically calculates your subnets and classifies them as Internal or External as
follows:

• Internal – Subnets that are in scope for the system. This automatically includes all the
subnets that CTD discovered. By default, every subnet whose broadcast domain CTD sees, that
exchanges traffic with Internal subnets, or that sends or receives OT traffic is classified as
Internal. In addition, you can manually add new subnets and classify them as Internal.
• External – Subnets that are external to the customer sites, usually internet subnets or
subnets outside the plant network (e.g. Enterprise IT subnets). These subnets are not part of
the client network and are treated as external. By default, any subnet that is not classified as
Internal is classified as External. You can manually add new subnets and classify them as
External.
• Out-of-Scope – Subnets that are present in the environment but are not part of the Internal
or External network. Classifying subnets as Out-of-Scope can only be done manually, as
detailed in Configuration of Subnets.

While you are in Training mode, you can choose to Approve these subnets so they will be
validated after the system moves to Operational Mode.

• Ghost Assets – Displays “ghost assets”, i.e. assets that process assets attempted to
communicate with, as seen on the SPAN, but that did not respond. These assets could be the
result of a misconfiguration or indicate a security problem.
    • Don’t Show Ghost Assets – This is the default.
    • Only Show Ghost Assets – Display only ghost assets in the asset table.
    • Show Ghost Assets – Include ghost assets in the asset table.
• ARP Baselines – This attribute is only relevant for graph views:

Figure 26. ARP Baselines
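The subnet classification rules and the ghost-asset definition above, as an added example that is not Claroty's code: it applies the Internal/External default over constructed flow records, lets manual entries override it (the only route to Out of Scope), flags targets that were contacted on the SPAN but never answered, and applies the three Ghost Assets filter options. The Flow fields, the /24 grouping and the option names are assumptions.

```python
"""Subnet classification and ghost-asset detection over passively observed flows.

Added example, not Claroty code: models the Internal/External/Out-of-Scope rules
and the ghost-asset definition from this section over constructed flow records.
The Flow fields, the /24 grouping and the filter option names are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

INTERNAL, EXTERNAL, OUT_OF_SCOPE = "Internal", "External", "Out of Scope"
DONT_SHOW, ONLY_GHOSTS, SHOW_GHOSTS = "dont_show", "only_ghosts", "show_ghosts"


@dataclass(frozen=True)
class Flow:
    """One communication attempt as seen on the SPAN (constructed record)."""
    src: str
    dst: str
    broadcast_domain: bool = False  # the sender's broadcast domain is visible
    ot_protocol: bool = False       # OT protocol traffic (e.g. Modbus, S7comm)
    answered: bool = True           # the target responded


def subnet_of(ip: str, prefix: int = 24) -> IPv4Network:
    """Group addresses into /24s; CTD derives subnets itself, this is a stand-in."""
    return ip_network(f"{ip}/{prefix}", strict=False)


def classify_subnets(flows, manual=None, prefix=24):
    """Internal: CTD sees the subnet's broadcast domain or OT traffic to/from it.
    External: every other observed subnet (the default).  Manual entries override
    the automatic result and are the only way a subnet becomes Out of Scope.
    (The guide's third Internal trigger, traffic with Internal subnets, is left
    to manual entries here; it is not defined precisely enough to model.)"""
    observed, internal = set(), set()
    for f in flows:
        s, d = subnet_of(f.src, prefix), subnet_of(f.dst, prefix)
        observed.update((s, d))
        if f.broadcast_domain:
            internal.add(s)
        if f.ot_protocol:
            internal.update((s, d))
    result = {net: (INTERNAL if net in internal else EXTERNAL) for net in observed}
    for net, cls in (manual or {}).items():
        if cls not in (INTERNAL, EXTERNAL, OUT_OF_SCOPE):
            raise ValueError(f"unknown subnet class {cls!r}")
        result[ip_network(net)] = cls
    return result


def find_ghost_assets(flows):
    """Ghost asset: a target that other assets tried to reach (seen on the SPAN)
    but that never answered and never sent traffic itself.  Worth checking: it may
    be a stale configuration or a probe of a host that does not exist."""
    responders = {f.src for f in flows} | {f.dst for f in flows if f.answered}
    attempted = {f.dst for f in flows if not f.answered}
    return sorted(attempted - responders)


def apply_ghost_filter(assets, ghosts, option=DONT_SHOW):
    """The three Ghost Assets filter options of the asset table."""
    ghosts = set(ghosts)
    if option == DONT_SHOW:
        return [a for a in assets if a not in ghosts]
    if option == ONLY_GHOSTS:
        return [a for a in assets if a in ghosts]
    if option == SHOW_GHOSTS:
        return list(assets)
    raise ValueError(f"unknown ghost filter option {option!r}")


# Constructed sample traffic: an OT cell (10.0.1.0/24), an enterprise IT subnet
# (172.16.5.0/24), a public DNS server, and a PLC address that nobody answers from.
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.1.255", broadcast_domain=True),            # HMI broadcast
    Flow("10.0.1.10", "10.0.1.20", ot_protocol=True),                  # HMI -> PLC
    Flow("10.0.1.20", "10.0.1.10", ot_protocol=True),                  # PLC -> HMI
    Flow("10.0.1.10", "10.0.1.21", ot_protocol=True, answered=False),  # stale PLC address
    Flow("172.16.5.40", "10.0.1.10"),                                  # IT endpoint -> HMI
    Flow("10.0.1.10", "203.0.113.53"),                                 # DNS to the internet
]


def demo(manual=None):
    """Classify the sample subnets, find ghosts, and build the default asset table."""
    classes = classify_subnets(SAMPLE_FLOWS, manual)
    ghosts = find_ghost_assets(SAMPLE_FLOWS)
    assets = sorted({f.src for f in SAMPLE_FLOWS} | {f.dst for f in SAMPLE_FLOWS})
    return classes, ghosts, apply_ghost_filter(assets, ghosts)


if __name__ == "__main__":
    classes, ghosts, visible = demo(manual={"172.16.5.0/24": OUT_OF_SCOPE})
    for net, cls in sorted(classes.items(), key=lambda kv: str(kv[0])):
        print(f"{str(net):18} {cls}")
    print("ghost assets:", ghosts)
    print("asset table with the default ghost filter:", visible)
```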

4.3. Detailed Asset Page

4.3.1. Detailed Asset Page


The Detailed Asset page contains detailed data for the selected device.

To access the detailed asset page:

1. In the Main Menu, navigate to Visibility > Assets.
2. Click the desired asset in the Assets table.

An example of a detailed asset page is shown below; it contains the following tabs:

• Overview – Summary information about the asset such as device details, alert and risk
graphs, network analysis, and more.
• Device Information – More detailed information about the device such as installed programs,
physical connections, and correlated assets.
• Risk & Vulnerabilities – Risk analysis graphs and stats for the device and those it
communicates with, as well as the device's Insights and Vulnerabilities.
• Threat Detection – Alert data for the device.
• Network Analytics – Network communication details.
• Communication – Zone Rules and other communication information for the device.

Figure 27. Detailed Asset Page - Overview

Figure 28. Detailed Asset Page – Device Information

Figure 29. Detailed Asset Page – Risk & Vulnerabilities

Figure 30. Detailed Asset Page - Threat Detection

Figure 31. Detailed Asset Page - Network Analytics

Figure 32. Detailed Asset Page – Communication

4.3.2. Physical Connections


The Detailed Asset Page provides information about physical connections between assets. A
Physical Connection area in the Asset page displays any existing physical connection or
switch. Switch information is gathered via the SNMP protocol.

To access the Physical Connection area:

1. In the Assets page, click the desired asset to open its detailed asset page.
2. Click the Device Information tab.

Figure 33. Asset Page: Physical Connections in the Device Information Tab

In this example, Asset LKPO-LAB.t82.co has Physical Connections. The table lists all the assets
physically connected to the asset.

4.3.3. Changing Purdue Model Levels


The Layered Topology view features a Purdue model graph, displaying the assets according
to their Purdue model layers. Changing an asset's Purdue Level is also reflected in the Purdue
Level of the Virtual Zone that the asset belongs to.

Users can change the Purdue model level defined for a specific asset manually. Generally,
the Purdue model level for a specific asset is automatically determined based on the various
characteristics of the asset and its purpose. Sometimes the automatically determined level
needs to be adjusted to reflect the true asset behavior. This can be useful in cases where the
system has placed the asset in a level that does not properly describe its criticality. Note that
interim Purdue levels can also be applied, e.g. 1.5, 2.5, 3.5.

To change the Purdue model levels:

1. Navigate to the detailed asset page.
2. Click Device Information.
3. Click Edit for the Purdue Level and choose the desired level.
4. Click the check mark.

Figure 34. Changing an Asset’s Purdue Level

4.3.4. Risk Score Widgets


The risk score widgets show the parameters that make up the asset's risk level and how much
each parameter contributes to the score. They help you reduce risk on the asset or zone by
making you aware of its vulnerabilities so that you can resolve them.

To access the risk score widgets:

1. Navigate to Visibility > Assets in the Main Menu and click on an asset.
2. Click the Risk & Vulnerabilities tab.

Figure 35. Risk Score Widgets

4.3.5. Network Communication Map


The network communication map shows the communication to and from the asset: the subnet,
protocol, zone, and the asset it communicates with. The width of each line represents the
relative bandwidth of the traffic for that protocol.

To access the network communication map:

1. Navigate to Visibility > Assets and click an asset.
2. Navigate to Network Analytics > Network Communication Map.

Figure 36. Network Communication Map

The network communication map displays, from left to right, a hierarchical presentation of the
communication which includes:

• Internal and/or external subnets
• Protocols used for communication
• Destination assets with which the selected asset talks

Interacting with the network communication map:

• On hover – the bandwidth for each protocol is shown.

The system shows up to 10 connected assets or protocols with an option to click to load more.

There is an option to filter the assets that communicate by clicking To or From. You can also
filter by time frame.

4.3.6. Cross Site Correlations


When operating on a large-enterprise network, the EMC is required to act as a single point
of truth where information from sites will be correlated and shown without duplication. Users
handling asset inventory and alerts in the EMC need a coherent image of the entire network,
regardless of how different sites capture their network behavior and inventory.

This Cross-Site Correlation behaves as follows:

• Only Internal assets are shown in the EMC
• For each asset, a user can see a list of “correlated assets” from different sites where the
associated asset appears in subnets that are defined as "external" or "out of scope".

The table can be accessed through the Device Information tab of the Asset View page.

Figure 37. Correlated Assets

4.4. Asset Actions

4.4.1. Group By
All the assets are grouped by a selected attribute.

You can choose to group assets by:

• Type
• Criticality
• Risk level
• Vendor
• Tag
• Subnet
• VLAN
• Zone
• Discovered By

To use group by:

1. In List View, click the Layered Topology or Network Topology icon.
2. Click the group assets by an attribute icon and select the attribute from the dropdown
menu.

Figure 38. Asset Layered Topology View - Group By

4.4.2. Asset Color By


The Asset Color By feature allows you to color the assets to see useful information at a glance.
You can emphasize the most critical assets, or highlight differences between subnets.

You can choose to color assets by: Type, Criticality, Risk level, New assets, Zone, VLAN, or
Subnet.

To use Asset Color By:

1. In List View, click the Layered Topology or Network Topology icon.
2. Click the Color assets by an attribute icon and select the attribute from the dropdown
menu.

Figure 39. Asset Layered Topology View - Colored by Asset Type

4.4.3. Showing Asset Neighbors


Asset Neighbors are two or more assets that communicate with one another.

You can use asset neighbors to understand communication patterns between groups of assets.
For example, you might want to see with which assets HMIs are communicating or see
the communication between assets with high criticality and their neighbors. You can even
identify with which assets a specific asset is communicating by searching for it and viewing its
neighbors.

To view Asset Neighbors:

1. In List View, click the Layered Topology or Network Topology icon.

2. Apply filters as needed. For example, from the Type filter, select HMI.

Figure 40. Assets - Layered Topology View, Filtered for Type HMI

3. In the toolbar, click Show Asset Neighbors.

The asset neighbors are shown.

Figure 41. Assets - Layered Topology View, Showing All Neighbors of HMIs

4.4.4. Changing Asset Mode Manually


You can manually change assets to the following Modes:

• Guest Mode – Archives all New Asset/Baseline alerts for an asset. The behavior is not
automatically learned by the system. These alerts continue to be archived while the asset
remains in this mode.
Sample Usage: You have an asset that you know will be changing configuration, and you
want that configuration to be captured automatically by the system. For example, you are
upgrading a large amount of equipment and want CTD to capture all of the new configuration
automatically without generating any alerts.
• Maintenance Mode – Automatically archives all non-threat alerts (all alert types except Known
Threat), but does not place the asset into Training Mode. As a result, New Asset/Baseline
alerts still appear for a specific asset.
Sample Usage: You have an asset that you know will generate many alerts because of
changing configuration, but you do NOT want CTD to automatically learn the new
configuration. For instance, you are testing an asset and changing its configuration, and you
want to suppress alerts on it while you work, but you do not want CTD to learn the new
configuration automatically.
• Training Mode – Resolves all alerts related to the selected assets and automatically
approves all New Asset/Baseline type alerts so that the behavior is automatically learned
by the system. It also places the selected asset(s) in Training Mode so that new alerts are
suppressed and learned for the duration of the training mode.
Sample Usage: You want to add a new asset into the system to perform tests or other
temporary work, but do not want CTD to learn any of the behavior of that asset, or even that
the asset was in the network. This prevents alerts from being generated by this asset, but
allows a “guest” to be added to the network.

To manually change the mode of one or more assets:

1. In the Main Menu, select Visibility > Assets.
2. Filter the Assets list for the assets whose mode you want to change, and then select them.
3. In the Toolbar, click the Change State icon. The Set Mode for Assets dialog opens.

Figure 42. Set Mode for X Assets Dialog

4. Select the Mode from the Change Assets Mode To: dropdown list.
5. If you want the assets to automatically return to their previous mode after a specific time
period, select the days and hours in the Set to Expire In: fields.
6. Click Approve to save changes or Reset Mode to cancel.

4.4.5. Merging Assets in the Assets Page


Multiple instances of the same asset can appear in CTD for a number of reasons. For example,
the same Asset could be assigned multiple IPs over time, or assets might be created by
different data sources and CTD does not have enough data to determine whether these assets
are the same.

Most often, when asset duplication occurs and CTD identifies these assets as duplicated, a
Conflict Asset Alert is triggered. The alert can then be resolved.

• In Training Mode, these assets are merged and the alert is resolved automatically.
• In Operational Mode, you review the Alert and choose whether or not to merge the assets,
resolving the alert.

Another option is to merge the assets manually from the Assets page.

Note
To merge Assets, you must have Admin level privileges for Visibility.

4.4.5.1. Asset Merge Principles


The operating principles for asset merge are as follows:

• Assets can only be merged on a Site – not from the EMC.
• When merging assets, you select 2 assets and decide which asset is the Source and which
is the Target. The Source asset's attributes are then merged into the Target asset, with the
exception of the Source asset's custom attributes.
• The merged asset receives the custom attributes of the target asset only.
• Once merged, the IPs and/or MACs of the source and target assets are integrated into the
merged asset.

Figure 43. Merged Asset Example

Note
Assets will not merge if both the Source and Target assets contain more than 110 entities,
or if one of the assets has a dynamic IP.
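The merge principles and the note above, as an added example that is not Claroty's code: it unions the IPs and MACs, keeps only the Target's custom attributes, and refuses the merge from the EMC, when either asset has a dynamic IP, or when both assets exceed 110 entities (one large asset is allowed). The Asset fields, counting IPs plus MACs as "entities", and letting the Target value win on a conflicting discovered attribute are assumptions.

```python
"""Merging two asset records according to the principles in this section.

Added example, not Claroty code.  An Asset is modelled with IPs, MACs, discovered
attributes and Custom Attributes; "entities" are counted as IPs plus MACs, and a
Target value wins over a Source value for the same discovered attribute.  Those
three choices are modelling assumptions; the rules themselves come from the guide.
"""
from dataclasses import dataclass, field

MAX_ENTITIES = 110  # limit stated in the guide's merge note


class MergeRefused(Exception):
    """Raised when the guide's merge preconditions are not met."""


@dataclass
class Asset:
    asset_id: str
    ips: set = field(default_factory=set)
    macs: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)         # discovered (vendor, model, ...)
    custom_attributes: dict = field(default_factory=dict)  # user-defined Custom Attributes
    dynamic_ip: bool = False

    def entity_count(self) -> int:
        """Assumption: an 'entity' is one IP or one MAC attached to the asset."""
        return len(self.ips) + len(self.macs)


def check_mergeable(source: Asset, target: Asset, on_emc: bool = False) -> None:
    """Preconditions: merge on a Site only; two distinct assets; neither with a
    dynamic IP; and not both assets above the entity limit."""
    if on_emc:
        raise MergeRefused("assets can only be merged on a Site, not from the EMC")
    if source is target or source.asset_id == target.asset_id:
        raise MergeRefused("select two different assets")
    if source.dynamic_ip or target.dynamic_ip:
        raise MergeRefused("one of the assets has a dynamic IP")
    if source.entity_count() > MAX_ENTITIES and target.entity_count() > MAX_ENTITIES:
        raise MergeRefused(f"both assets contain more than {MAX_ENTITIES} entities")


def merge_assets(source: Asset, target: Asset, on_emc: bool = False) -> Asset:
    """Fold Source into Target: union IPs/MACs, merge discovered attributes
    (Target wins on conflict), keep only the Target's custom attributes."""
    check_mergeable(source, target, on_emc)
    attributes = dict(source.attributes)
    attributes.update(target.attributes)
    return Asset(
        asset_id=target.asset_id,
        ips=set(source.ips) | set(target.ips),
        macs=set(source.macs) | set(target.macs),
        attributes=attributes,
        custom_attributes=dict(target.custom_attributes),  # Source custom attrs dropped
    )


def demo() -> Asset:
    """Constructed pair: the same PLC seen under an old and a new IP."""
    source = Asset("asset-7", ips={"10.0.1.21"}, macs={"00:11:22:33:44:55"},
                   attributes={"vendor": "ExampleVendor", "firmware": "2.4"},
                   custom_attributes={"cabinet": "C-3"})
    target = Asset("asset-3", ips={"10.0.1.20"}, macs={"00:11:22:33:44:55"},
                   attributes={"vendor": "ExampleVendor", "model": "PLC-X"},
                   custom_attributes={"owner": "Line 2"})
    return merge_assets(source, target)


if __name__ == "__main__":
    merged = demo()
    print(f"merged into {merged.asset_id}: ips={sorted(merged.ips)} "
          f"macs={sorted(merged.macs)}")
    print("discovered attributes:", merged.attributes)
    print("custom attributes (Target only):", merged.custom_attributes)
```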

4.4.5.2. Merging Assets

To merge two assets:

1. In a Site, navigate to Visibility > Assets.
2. Select the two assets to merge and click Merge Assets.

The Merge Assets window opens.

3. Select the Target Asset and click Merge.
    After the merge process completes, a message is displayed describing whether the merge
    was successful. If so, a link is included that enables you to open the Detailed Asset Page of
    the merged asset.

Figure 44. Asset Merge Successful Message

4.4.6. Showing Asset Related Items


The Show Related tool enables you to dig deeper into asset information while maintaining
navigation context.

For example, in the Assets page you might want to view all assets with high criticality and then
navigate to the Alerts page to see the related alerts. From the Alerts page, you could then
navigate to the Zones page to discover zones related to a particular type of Alert.

For any individual Asset or group of Assets, you can view its related:

• Alerts
• Insights
• OT Audit
• Process Values
• Zone Rules
• Zones

To show items related to one or more assets, do the following:

1. Filter the list with the desired criteria. (See Using Basic Filters).
2. Select the asset or assets for which you want to display related items.

Important
• Up to 10,000 items can be selected. If more than 10,000 are in the list, the Show
Related icon will be disabled and a message instructing you to further filter your
selection will display.
• If you do not select specific items, Select All is assumed. This could be more than
10,000 items depending on the size of your enterprise.

3. In the toolbar, click the Show Related icon and select the desired related item from the
drop-down list.

Figure 45. Selecting "Show Related Alerts" For Assets Filtered for High Criticality

The related page opens, filtered for only those items related to at least one of the selected
assets. Because the filter mentions the page from which the Show Related command
came, context is maintained.

Figure 46. Alerts Related to the Selected Assets With High Criticality

4. If needed, drill down another level by again filtering the list and/or selecting items, clicking
Show Related and selecting the desired related item.

4.4.7. Editing Assets


Assets can be edited individually and in bulk.

4.4.7.1. Editing Individual Assets


To edit individual assets:

1. Go to the Assets page.
2. Select the checkbox on the left side of the row of the asset:

Figure 47. Selecting an Asset on the Asset Page

3. Click the Edit Asset button from the toolbar:

Figure 48. Edit Asset Details Dialog

4.4.7.2. Editing Assets in Bulk


To edit multiple assets:

1. Select multiple rows of assets of interest:

Figure 49. Bulk Asset Modification

2. Select the Edit button.

Figure 50. Edit Details - Bulk Change

3. Choose the Types, Criticalities, Virtual Zones and/or Purdue Levels to modify for the
selected assets, and click Change:

Note
After changing the Criticality of all the assets through a bulk Criticality change, the system
will no longer attempt to automatically assign a Criticality value to these assets.

4.5. Using Asset Filters

4.5.1. Using Basic Filters


To use basic filters:

1. In the Main Menu, navigate to Visibility > Assets.
2. Use any of the following filters:
    • Class – Whether the asset is an OT, IT, or IoT device.
    • Site – (EMC only) The site to which the asset belongs.
    • Asset Type – The asset type (Endpoint, Broadcast, PLC, HMI, etc.)
    • Vendor – The equipment vendor.
    • Protocol – The protocol in which the asset communicates.
    • Asset Criticality – Low, Medium, or High. These values represent how critical the asset
    itself is to the operation. CTD assigns criticality automatically to certain types of assets
    but enables you to edit the value in the list and on the Asset Page.

Use the basic filters to manipulate the assets in the various viewing modes. You can search for
a filter option in the dropdown lists:

Figure 51. Assets - Basic Filters

• The OR filter returns assets that match either value.
• The AND filter returns only assets that match both values, which is more restrictive.

4.5.1.1. Searching for an Asset


Search for a specific asset by name, IP, or MAC address in the Search by field.

Note
To search for a specific address, specify the address in quotation marks. Otherwise, the
results will be any asset that contains the entered value.

4.5.2. Using Advanced Filters


To use the Asset advanced filters:

1. In the Main Menu, navigate to Visibility > Assets.
2. Click the Advanced Options link to open the Advanced Filters:

Figure 52. Assets - Advanced Filters

3. Select the required options from each of the dropdown lists.
    • Select the Search Attributes:
    • Filter Name/Filter Value – The attribute by which you want to filter. For example,
    Address, Baseline, Vendor, and so on.
    Some filters allow you to specify items in a free text field. This enables you to exclude
    a specific name, such as that of a certain vendor. Examples: Site, Virtual Zone,
    Primary Asset, Non-Primary Asset
    • Action – The type of action (include or exclude).
    • Assets in CTD are classified into subnets of the following types:
    • Address type – Multi-select address filter; select from the following: Broadcast,
    External assets, Multicast, and/or Unicast.
    • See Auto-Calculation of Subnets to learn more about how assets are classified into
    subnets.

4. Click Add Filter to apply each filter and repeat the process for as many filters as
needed.

4.5.2.1. Creating Predefined Filters (Presets)


You can save your preferred asset filters, search criteria, and selected advanced options as a
Preset view that can be easily accessed later.

Note
Presets are deleted when a system reset is performed.

To create a Preset:

1. Set up your filters, search criteria and selected Advanced Options with the preferences that
you use frequently and want to save between sessions.
2. Click the Preset button in the upper right corner of the screen:


Figure 53. Presets Button

3. Name your Preset filter and click Save.

Figure 54. Save Preset

4. To change your Preset preferences, click Reset.


5. Select << Advanced Options to revert to the basic Filter page.

4.5.3. Advanced Graph Filter Options


The advanced Graph Filter options only appear when you are in Layered Topology or
Network Topology view mode. The filters apply to the asset communications, while the other
filters are on the nodes. Use these fields to create sophisticated queries by choosing various
filter names and whether to include or exclude selected data. To access the advanced graph
filter options, follow the steps below.

1. In List View, click the Layered Topology or Network Topology icon.


2. Click the Graph Options link.
A new set of filter fields is added.
• Action
• Filter Name
• Filter Value

Figure 55. Layered Topology - Graph Options

3. Add multiple filters via ‘AND’ for a more complex query.


• The graph will show assets that apply to all filters.

4.6. Custom Attributes

CTD offers the ability to add asset Custom Attributes for internal information that cannot be
detected directly from the network traffic.


The attributes are available for use throughout the system in the same manner as the built-in
fields, providing you with a tool for applying custom criteria to manage asset inventories more
effectively.

Custom attributes can be shared on multiple sites and can be viewed from the EMC or the Site
level.

The attributes are included in CSV import and export of assets.

The Admin sets up the Custom Attributes and can modify or remove them, as described in
Setting Up Custom Attributes.

4.6.1. Displaying Custom Attributes in the Assets Page


The Assets page enables you to apply custom attributes to both individual assets and groups of
assets. In order for custom attributes to display in the Assets page along with the built-in data,
you must add a column to the Assets page table for each custom attribute to be used.

To display custom attributes in the Assets page:

1. In the Main Menu navigate to Visibility > Assets.

2. In the toolbar, click the More icon and then click Select Columns.
3. In the Select Columns dialog, select the custom attributes to be displayed in the table.


4. Click Apply. The columns with the custom attributes you chose are added to the right side
of the table.

Figure 56. Custom Attributes Added to Asset List

4.6.2. Applying Custom Attributes in the Detailed Asset Page


To apply a custom attribute to an asset directly in its Detailed Asset page:

1. Click the +Add a custom attribute link.


2. Select a custom attribute from the drop-down list and then add a value.


Figure 57. Choosing a Custom Attribute in the Asset Page

3. Click the check mark next to the Custom Attributes heading to save your selection.

Figure 58. Saving a Custom Attribute in the Asset Page

4.6.3. Applying Custom Attributes to Multiple Assets


In the Assets page, you can choose several assets and apply custom attributes as follows:

1. Select the relevant row/s of assets and click the Edit Assets icon in the toolbar.


The Edit Details dialog opens.

2. In the Custom Attributes subsection of the dialog, click the Set custom attributes link
to open the custom attribute list.
3. Select a custom attribute from the drop-down list and enter a value for the custom attribute.
4. To apply another custom attribute to the selected asset(s), click +Set another custom
attribute and then set values.
5. To remove the custom attribute(s) just applied, click the X next to the attribute.
6. Click Change.

4.6.4. Removing Custom Attributes from Multiple Assets


Custom Attributes can be removed from one or more assets in the Assets list as follows:


1. Select the relevant row/s of assets from which you want to remove a custom attribute. Then
click the Edit Assets icon in the toolbar.
2. In the Custom Attributes section of the dialog, click the Remove custom attributes link.

Figure 59. Remove Custom Attributes Link

3. Select the custom attributes to be removed from the assets.


4. Click Change.

4.6.5. Setting Up Custom Attributes


Custom Attributes can be created from either the Site or the EMC. Because all Custom
Attributes created on a specific site also appear in the EMC, they can be easily shared with
other sites as needed.

Important
All Custom Attributes with the same name are assumed to be identical.


4.6.5.1. Adding Custom Attributes to a Site

To add a Custom Attribute to a site:

1. Navigate to Settings > Management > General and click the Custom Attributes tab:

Figure 60. Custom Attributes Tab

2. Click Create new.


3. Provide the following input in the Add Custom Attribute dialog:


Figure 61. Add Custom Attribute Dialog

• Name ― Enter the name of the attribute you are adding (this is a mandatory field).
• Description ― Add a description for clarification. This description only appears in the
Custom Attributes tab.
4. Click OK to save the new attribute or Cancel to revert to the prior setup.
After the Attribute is added to the system, a new row appears with its Name, Description (if
applied), and an Action column for editing the attribute.

5. Click Edit on the row of any Custom Attribute that you want to modify.

4.6.5.2. Adding Custom Attributes to Multiple Sites from the EMC


To add custom attributes to multiple sites from the EMC:

1. Navigate to Settings > Management > General and click the Custom Attributes tab:


Figure 62. Custom Attributes Tab - EMC

2. Click Create New.


3. Provide the following input in the Add Custom Attribute dialog:

Figure 63. Add Custom Attribute Dialog - EMC


• Name ― Enter the name of the attribute you are adding (this is a mandatory field).
• Description ― Add a description for clarification that is useful across multiple sites. This
description only appears in the Custom Attributes tab.
• Site – Select the sites to which the custom attribute should apply from the drop-down list.
• Automatically Include New Sites – Slide to the right to apply the custom attribute to
new sites added to the enterprise.
4. Click OK to save the new attribute or Cancel to revert to the prior setup.

4.6.5.3. Applying a Custom Attribute Created on One Site to Another Site via the
EMC
You might want to use a custom attribute created for one site on another site.

For example, you might create a Warranty Expiration Date custom attribute for Site 1 and later
decide to use it on Site 2 as well.

To apply a custom attribute created for one site to another site:

1. Click the Edit icon of the custom attribute you want to apply to another site.
2. In the Site drop-down list of the Add Custom Attribute Dialog, select the site to which you
want to apply the custom attribute.

Figure 64. Site Dropdown List

3. Click OK.


Note
CTD recognizes that custom attributes with the same name from different sites are
identical, so the name will only appear once in the Site drop-down list.

4.6.6. Creating Site Custom Attributes


Site Custom Attributes help enrich the system with information to be applied across one or
more sites. For example, a "Region" site custom attribute could be created to segment Sites by
geographical region.

To create a Site Custom Attribute:

1. Navigate to Settings > Management > Custom Attributes > Site tab.
2. Click Create New. The Add Custom Attribute dialog opens.
3. Enter the following:
• Name - Name of the custom attribute.
• Description - The purpose of the custom attribute.

Note
This is for management purposes and displays only in the Site Custom Attribute
tab.

Figure 65. Add Custom Attribute Dialog

4. Click OK to save the new attribute or Cancel to revert to the prior setup.


After the Attribute is added to the system, a new row appears with its Name, Description (if
applied), and an Action column for editing the attribute.
5. Click Edit on the row of any Custom Attribute that you want to modify.

4.6.6.1. Displaying Site Custom Attributes


The Site Management page enables you to apply site custom attributes to one or more sites in
the enterprise.

For these custom attributes to display along with the built-in data, you must add a column to the
Site Management page table for each custom attribute to be used.

Figure 66. Site Custom Attribute in Site Management Table

To display Site Custom Attributes:

1. In the Main Menu, navigate to Settings > Management > Site Management.

2. In the toolbar, click the More icon and then click Select Columns.
3. In the Select Columns dialog, select the custom attributes to be displayed in the table.


Figure 67. Selecting the "Region" Site Custom Attribute

4. Click Apply. The columns with the custom attributes you chose are added to the table.

4.6.6.2. Applying Site Custom Attributes

Site Custom Attributes are applied to Sites in Site Management page.

Note
You can apply a Site Custom Attribute to up to 1000 Sites.

Tip
If the Site Management table does not already contain a column for each Site Custom
Attribute you want to apply, see Displaying Site Custom Attributes to add them to the
table.


To apply a Site Custom Attribute:

1. In the Main Menu, navigate to Settings > Management > Site Management.
2. Select the sites to which you will apply the Site Custom Attribute.
3. In the toolbar, click Edit Sites. The Site Custom Attributes dialog opens.

Figure 68. Site Custom Attributes Dialog

4. Click the Set custom attributes link to open the custom attribute list.
5. Select a custom attribute from the drop-down list and enter a value for the custom attribute.

Figure 69. Applying a Site Custom Attribute


6. To apply another custom attribute to the selected site(s), click +Set another custom
attribute and then set values.
7. To remove the custom attribute(s) just applied, click the X next to the attribute.
8. Click Change.
The custom attributes and their values are added to the table.

Figure 70. Site Custom Attribute added to the Site Management table

4.6.6.3. Using Site Custom Attributes to Filter Assets and Insights


You can use Site Custom Attributes to filter the Assets list and Insights page.

For example, a "Region" Site Custom Attribute could be used to display only Assets or Insights
from a specific region.

To filter the Assets and Insights pages using Site Custom Attributes:

1. In the Assets (Visibility > Assets) or Insights (Risk & Vulnerabilities > Insights) pages,
click the Advanced Options link to open the advanced filters.
2. In the Filter Name drop-down list, select the Site Custom Attribute by which to filter the
assets. (Site Custom Attributes have (Site Attribute) next to their names). Then type a value
in the Filter Value box and click Add Filter.


Figure 71. Filtering Assets by the "Region" Site Custom Attribute

The list is filtered by the selected Site Custom Attribute.

Figure 72. Filtered Asset List


4.6.7. Exporting Assets with Custom Attributes


When exporting assets to a CSV file, any custom attributes that appear in the table are
automatically included in the export. When exporting to a PDF format, all custom attributes
appear in a single cell separated by a column.

To export these assets, click the Download icon in the toolbar.

4.6.8. CSV Imports with Custom Attributes


When importing assets from a CSV file, attributes not assigned should be left empty.

4.7. Zones
In Training Mode, the system automatically allocates discovered assets into Zones, based on
the assets’ type and communication patterns. The communication links between zones are
known as conduits. These zones and conduits are detailed in ISA/IEC-62443.

4.7.1. Zone Behavior


By default, Zones are groups of logically related assets. When in training mode (or when new
assets are approved during operational mode), the system creates Zones according to the
discovered asset types and their learned communication patterns.

Zones can also be edited, modified, or created manually to match a specific network
segmentation defined by the end user.

By design, a Zone represents a group of assets that are similar or related in the type of function
they serve within the OT network such as a PLC, HMI, or Engineering Station Endpoint, the
other groups of assets they communicate with, and their profile of communication patterns.

As such, Zones serve as a segmentation and micro-segmentation design tool by providing
users with a real view of how their network is logically segmented. They also offer a good base
of understanding of what may be required to segment it properly and securely.

CTD’s Zone Rules are based on Zone grouping and segmentation to define a security detection
policy system. With its firewall-like management page, Zone Rules allow the user to review,
modify, and validate system-generated policy rules. Zone Rules identify which traffic is allowed
within and between Zones and which traffic should create alerts.


4.7.2. Automatic Zone Creation


The Zone graphs display the communication between OT and IoT zones, including visualizations
of inter-zone communications, also known as conduits. Zones are calculated automatically
both in Training and in Operational mode. After a new asset is discovered or its information
changes, the system calculates which zone it should be assigned to, or creates a new virtual
zone if no relevant one exists.

CTD’s vast and growing range of firewall integrations enables users to enforce network
segmentation policy and act on policy violations by identifying and restricting anomalous or
non-compliant communications across zones.

• The system calculates the optimal zones that will be used, and automatically creates them.
Learned or approved assets are assigned to the most appropriate virtual zone.
• The system automatically creates rules that define the allowed or alerted communication
within and between zones.
• You can modify the zone where the asset was assigned. (See Editing Assets).

4.7.3. Zone Graph Views

There are two views to display the zones graphically: Layered Topology View and
Network Topology View.

To view the zone graph views:

• Open the Zone list by clicking Visibility > Zones from the main menu. Then click on either
Layered Topology View or Network Topology View.


Figure 73. Layered Topology View of Zones


4.7.3.1. Zones – Network Topology View

Figure 74. Zones - Network Topology View of Zones

4.7.3.2. Zones – Layered Topology View


The Layered Topology View features a Purdue model graph, displaying the zones in their
relevant layers:


Figure 75. Zones - Layered Topology View

Communication Direction
In both the Layered Topology and Network Topology views, you can use Communication
Direction to dynamically display the direction of the communication in the zones and view
the dominant network communication at a glance:


Figure 76. Zones – Communication Direction

Panning and Zooming


You can pan to different areas and zoom in and out by hovering your mouse over the graphic
and pressing the + or – keys on your keyboard.


Figure 77. Zone Topology - Zoom In

Communication between a pair of virtual zones (a conduit) is represented by a segment with the
zone icon at each end.

4.7.4. Zone List


The Zone List displays all the zones in list form and is accessed by clicking Visibility > Zones.

Clicking on a zone leads you to more details. Each zone is assigned a zone Risk Level and a
zone Criticality.

Admins and Users with Write permissions can:

• Create zone/s
• Generate automatic zones
• Rename zones
• Delete zones


Figure 78. Zone List

4.7.5. Editing Zones


You can add, rename, and delete zones.

• All the columns are displayed by default: Name, Assets, Risk Level, Criticality, and Actions.
To show or hide columns, click More > Select Columns.

4.7.5.1. Adding a Zone


To add a zone:

• Click Add.


Figure 79. Adding a Zone

• After adding the new Zone, associate assets with it by editing the details on the Assets page.
• Select the relevant row and click Edit to rename it.

4.7.5.2. Renaming a Zone


To rename a Zone:

1. Click the row’s Edit button.


2. Apply your change to the Zone name and click Update.

Figure 80. Updating a Virtual Zone


4.7.5.3. Deleting a Zone

• To remove a Zone, select the checkbox next to each row to be deleted and click Delete.

4.7.6. Customized Auto-Grouping of Zones


The Zone feature helps you manage assets and Zone Rules. When many assets share the same
kind of attributes, you want to see and manage them easily and at a high level. You can create
rules for those zones, manage the zone risk, and manage the assets inside the zone.

Customized Auto-Grouping lets you choose the method and attribute by which zones are
grouped: the default algorithm, subnets, or custom attributes.

To modify the default Zone grouping:

1. Navigate to Settings > Management > General > Virtual Zones tab.

2. Choose the grouping method. Zones are grouped by:


• Default Behavioral Grouping Algorithm - uses the asset type and protocol to group the
zones (for example, PLC: Rockwell)
• Subnets - groups the zones by the detected subnets in the network (each zone is another
subnet)


• Custom attribute - the user defines custom attributes for each asset, for example a
custom attribute that represents a process in the factory. Grouping assets by custom
attribute creates zones from these attributes.
• Default behavior & subnets/custom attributes - combines the default algorithm with
subnets or custom attributes. Use it when you want zones created by the default
algorithm to also take the subnet or custom attribute into account in the zone calculation.
3. Click Save.

4.7.7. Zone View Page


Exploring a Zone is done with the Zone View page, which enables users to investigate all the
information in one place.

To access the Zone View page:

1. Navigate to Visibility > Zones in the main menu.


2. Click the name of the desired zone.


Figure 81. Zone View Page - Overview tab

The Zone View page features the following headers:

• Overview
• Zone Information
• Risk & Vulnerabilities
• Threat Detection
• Network Statistics
• Communication


5. Risk & Vulnerabilities

5.1. About Risk & Vulnerabilities

5.1.1. Risk & Vulnerabilities


CTD gives you a number of important tools for analyzing and remediating risk and vulnerabilities
in your cyber-physical systems (CPS).

• Risk & Vulnerabilities Overview


• Insights
• Vulnerability Management
• Threat Intelligence Updates
• Attack Vectors

5.1.1.1. Risk & Vulnerabilities Overview


The Risk & Vulnerabilities Overview provides a summary of the entire asset inventory and
all communications discovered on the industrial network, pinpointing vulnerable assets and
resolutions, while revealing network configuration and other “network hygiene” issues that can
provide attackers with a means of interfering in critical processes. It shows which aspects of
the network can be fortified to achieve a more robust network architecture and enhance system
protection. It also highlights whether the system is sufficiently patched by showing gaps in
network security.

5.1.1.2. Insights
CTD generates Insights that reveal particular exposures, empowering you to investigate both
operational (process) and security insights. This tool provides deep insights based on the
analysis of your entire security posture, producing a holistic picture and risk assessment across
your entire ICS network. These insights are collected from traffic by SPAN monitoring, ingesting
PCAP, Project Files, or Active query.

Key Insights show how to proactively enhance your CPS security posture, shedding light on
mission-critical assets and misconfigurations. Security and OT teams can easily use and act
upon them. The system generates a summary score and detailed analysis of the weaknesses
in your CPS environment. Some insights expose a list of protocols and the assets using these
protocols. Others divulge assets that communicate with external assets, including assets that
are performing data acquisition write actions on PLCs and thus have potential for impacting the
process. Insights are calculated automatically and frequently. The Overview leads you to the full
Insights page. A listing of potential Insights is provided in the CTD Reference Guide: Insights.

5.1.1.3. Vulnerability Management


CTD's vulnerability management feature matches known CVEs (vulnerabilities) to discovered
assets. Related metrics such as CVSS and EPSS scores, as well as CTD's proprietary analysis
help you prioritize and manage the patching operation for those assets. Different views of
the data are tailored to your role in the organization, enabling you to view the data with a
vulnerability or asset focus.

5.1.1.4. Threat Intelligence Updates


Claroty's best-in-class research team releases periodic Threat Intelligence Update packages
that update the Common Vulnerabilities and Exposures (CVE) database to detect vulnerable
models/firmware, plus new threat signatures to detect attacks at the network level.

CTD reports CVE matches for the devices in the network together with a list of network hygiene
and other configuration issues that can potentially open an attack path. CTD regularly adds
Indicators of Compromise (IOCs) that expand detection coverage even further, to guard against
CVEs that have yet to be addressed. By applying CVE updates, users can uncover compromised
devices.

Vulnerabilities added to CTD through Threat Intelligence Updates meet the following
parameters: CVSS 9 and over, or KEV true (actively exploited), or EPSS 0.5 and over, plus
vulnerabilities whose exploitation can lead to remote code execution.

In addition to CVE-related content, Threat Intelligence Updates include Snort and YARA rules
as well as information about assets that have reached end-of-life status.

5.1.1.5. Attack Vectors


The Attack Vector feature displays the scenarios that could potentially compromise your
critical assets (especially OT assets), providing your security teams with the needed visibility
to proactively mitigate risk and prioritize activities. CTD leverages proprietary analytics to reveal
the most prominent attack scenarios an attacker could use to propagate between assets and
zones in the network.

5.2. Risk & Vulnerabilities Overview

5.2.1. Risk & Vulnerabilities Overview


To access the Risk & Vulnerabilities Overview, click Risk & Vulnerabilities > Overview in the
main menu.

The Risk & Vulnerabilities Overview appears as follows for a CTD Site.


Figure 82. Risk & Vulnerabilities Overview - Site

The Risk & Vulnerabilities Overview includes:

1. The Time Frame Selector to show information based on the time period of your choice
(day/week/month/other). All widgets described below represent the results per the selected
duration.
2. Hygiene Score - Current cumulative risk level posed to the system.


3. Asset Insight Numbers – Summarizes the prominent Insight findings:


• Assets with Unsecure Protocols – Lists the total assets identified as having unsecure
protocols.
• Assets Communicating with External Assets – Lists the total assets communicating
with External Assets.
• Assets with Confirmed Vulnerabilities – Lists the total vulnerabilities detected.
4. Assets by Insight Severity – Distribution of assets and their Insights by severity. A single
asset could have multiple Insights.
5. Zones by Criticality – A pie chart widget of the distribution of the zones per Criticality.
Clicking an area of the pie links to the associated Virtual Zones page with the relevant
Criticality filter.
6. Top Insights – Shows the most significant insights. Slide the bar on the right side
downward to see the lower part of the list. Click Show More to open the Insights page.
7. High Risk Assets by Criticality – A pie chart widget showing the distribution of high-risk
assets per criticality. Click an area of interest in the pie chart to reach the detailed Asset list
with the appropriate filters (by both Risk and Criticality). When no high-risk assets exist, the
widget heading changes to ‘No High-Risk Assets Found’.
8. Affected Assets by Vulnerability Relevance - A pie chart widget showing the distribution
of assets per Vulnerability Relevance of either Potentially Relevant or Confirmed. Click an
area of interest in the pie chart to reach the detailed Asset list filtered for those assets with
the selected Vulnerability Relevance.

Note
There is an optional Just to Let You Know widget that lists Insights that highlight
potential issues that were investigated and do not exist in your system (e.g. SNMP
Querying Assets, Files Downloaded (clients)).

To enable this widget, contact Claroty Support.

5.2.2. EMC Risk & Vulnerabilities Overview


The EMC Risk & Vulnerabilities Overview appears as follows:


Figure 83. Risk & Vulnerabilities Overview - EMC

1. Hygiene Score Bar - This widget shows the Hygiene Score for each site.
When there are more sites than those shown on a single line, click the arrow to view more.
2. Top Risky Sites by Insight Severity – Shows the volume of top enterprise vulnerable
assets, sorted per site and per Severity level (High, Medium, and Low).


• The left widget - Calculates the number of Assets with Insights of any severity level.
Each asset is counted once.
• The right widget - Calculates each Asset with Insights once per severity level. So, for
example, an asset with 3 highs, 1 medium, and 2 lows would be counted 3 times - once
for each severity level.
As such, the number in the right widget will most likely be higher than that in the left widget.
3. Zones by Criticality – A pie chart widget of the distribution of the zones per Criticality
per site. Each pie chart represents a single site. Use the < > arrows to navigate to the
< Previous or Next > site. Clicking an area of the pie links to the associated Virtual Zones
page with the relevant risk filter. See Risk Calculation.
4. Top Insights – Shows the most significant Insights, sorted by importance. Slide the bar
on the right side downward to see the lower part of the list. Click Show More to open the
Insights page.
5. High Risk Assets by Criticality – Widget showing the distribution of high-risk assets per
criticality per site. Each site is represented with its own pie chart. Click an area of interest
in the pie chart to reach the Assets list with the appropriate filters (by both Risk and
Criticality).
Click the right arrow > to navigate to the next site.
6. Affected Assets by Vulnerability Relevance - A pie chart widget showing the distribution
of assets per Vulnerability Relevance of either Potentially Relevant or Confirmed. Click an
area of interest in the pie chart to reach the detailed Asset list filtered for those assets with
the selected Vulnerability Relevance.
Click the right arrow > to navigate to the next site.
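The difference between the left and right Top Risky Sites widgets (an asset counted once, versus once per severity level it carries) is easy to misread when comparing sites. The following is an added worked example, not Claroty code, that reproduces both counting methods over constructed per-site Insight data; the site, asset and severity values are made up.

```python
from collections import Counter

SEVERITIES = ("High", "Medium", "Low")

# Constructed sample data (not a real CTD export): for each site, the severities
# of every open Insight on each asset.
SAMPLE_SITES = {
    "Site 1": {
        # the guide's example asset: 3 Highs, 1 Medium, 2 Lows
        "plc-01": ["High", "High", "High", "Medium", "Low", "Low"],
        "hmi-02": ["Medium"],
        "eng-03": [],            # no Insights: counted by neither widget
    },
    "Site 2": {
        "plc-10": ["Low", "Low"],
        "rtu-11": ["High", "Low"],
    },
}


def assets_with_insights(site_assets):
    """Left widget: each asset with at least one Insight counts once,
    whatever the severities."""
    return sum(1 for severities in site_assets.values() if severities)


def assets_per_severity(site_assets):
    """Right widget: an asset counts once per severity level it has, so the
    example asset above contributes 1 to High, 1 to Medium and 1 to Low
    (3 counts in total, not 6)."""
    counts = Counter()
    for severities in site_assets.values():
        unknown = set(severities) - set(SEVERITIES)
        if unknown:
            raise ValueError(f"unknown severity level(s): {sorted(unknown)}")
        for level in set(severities):   # de-duplicate within the asset
            counts[level] += 1
    return {level: counts[level] for level in SEVERITIES}


def widget_totals(sites):
    """Both widget values per site; right_total is never below left, which is
    why the right widget usually shows the larger number."""
    rows = {}
    for site, assets in sites.items():
        right = assets_per_severity(assets)
        rows[site] = {
            "left": assets_with_insights(assets),
            "right": right,
            "right_total": sum(right.values()),
        }
    return rows


if __name__ == "__main__":
    for site, row in widget_totals(SAMPLE_SITES).items():
        print(site, row)
```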

5.3. About Risk Calculation

5.3.1. Risk Calculation


CTD uses a granular risk mechanism for classifying assets and zones. It is a self-learning
algorithm that enables users to detect risky areas and assets in the network, understand the
nature of the risk, and take the necessary steps to remediate it.


The Risk calculation impacts the assets, zones, and the Hygiene Score of the site, and its level
is defined as High, Medium, or Low, based on the following parameters. Each parameter has its
own score and impacts the asset risk level as follows:

• Risk Algorithm for Assets – The Asset Risk Score is based on the asset's Vulnerabilities,
Insights, Alerts, Policies, Asset Criticality, and network locations.
• Risk Algorithm for Zones – The Zone Risk Score is based on an average of the asset
parameters and the asset criticality of the zone; the number of zones communicating with this
zone, and the number of zones that this zone is communicating with.
• Hygiene Score Algorithm – The Zone Risk has an impact on the Hygiene Score of all the
sites. The Hygiene Score decreases when more zones are at high risk. When you want to
improve the Hygiene Score, see Improving the Hygiene Score.

5.3.2. Asset Risk Score Calculation


Claroty's expertise and deep understanding of OT, IoT and IT devices and communication
protocols gives it the unique ability to create an effective, contextualized risk assessment
framework for connected Assets in organization networks.

Assets are assigned Critical, High, Medium or Low risk scores. Each risk factor that Claroty
includes in the risk score calculation is weighted according to its significance relative to other
factors.

Each factor is assigned a point value from 0 to 100, with 0 being the safest value an asset could
be assigned and 100 being the most risky. Each factor then receives a multiplier that determines
its weight relative to the other factors. All weights add up to 100%.

The following five vectors determine the risk score of an asset:

• Vulnerability (30%) – This vector indicates how vulnerable the asset is. The more CVEs
an asset has, the more vulnerable it is to attack. The Claroty algorithm matches every asset
with its unpatched CVEs and determines a vulnerability score according to the number of
CVEs and their corresponding severities. Additional qualities also determine vulnerability,
such as the unsecured protocols the asset is using.
• Threat (20%) – This vector indicates whether the asset is already considered a threat. This
vector is based on unresolved alerts in which the relevant asset is the Primary Asset. When
there are many unresolved alerts, the asset's behavior is suspicious and it is likely exposed to
threats, or will itself become a threat in the network.
• Criticality (20%) – This vector is based on how important the asset is in the network and
how much damage it could inflict. It is based on the asset’s qualities and its privileges (for
example, Write HMI PLC, Privileged operations).

Tip
The Criticality value can be edited in the Detailed Asset Page - Overview tab > Device
Information section.

• Accessibility (15%) – This vector indicates the accessibility score of an asset. The
accessibility score of an asset depends on the asset’s network location (its subnet), its
communication with dangerous assets and zones (which depends on its baselines and zone
policies), and the asset’s network behavior (for example, open ports, multiple interfaces,
talking with IT).
• Infection (15%) – This vector indicates the extent of the asset’s ability to spread malicious
content to other assets. This vector is based on the asset’s policies, baselines, privileges,
insights, and protocols.

5.3.3. Zone Risk Score Calculation


The Zone Risk Score is based on an average of the:

• Asset parameters and asset criticality of the zone
• Number of zones communicating with the zone
• Number of zones the zone is communicating with

A zone can receive Critical, High, Medium and Low risk scores. Each risk factor that Claroty
includes in the risk score calculation is weighted according to its significance relative to other
factors.

Each factor is assigned a point value from 0 to 100, with 0 being the safest value a zone could
be assigned and 100 being the most risky. Each factor then receives a multiplier that determines
its weight relative to the other factors. All weights add up to 100%.


The following five vectors determine the Risk score of a specific zone:

• Vulnerability (30%) – This vector indicates the vulnerability of a zone. The vulnerability rate of
a zone is impacted by its assets' vulnerabilities. This value is the average (or the maximum) of
all the asset vulnerability vector scores in the zone.
• Threat (20%) – The threat vector indicates whether the zone is already a threat. This vector
is the average (or the maximum) of all the asset threat scores in the zone.
• Criticality (20%) – This vector reflects the zone's own criticality values, which determine its
importance.
• Accessibility (15%) – This vector indicates to what extent the zone is exposed to risks by
its communication with other zones. This rate is influenced by the average accessibility vector
score of the zone's assets, and by the number of zones that communicate with this zone.
• Infection (15%) – This vector indicates the extent of the zone's ability to spread malicious
content. It is determined by the average infection rate of the zone's assets and by the number
of zones that communicate with this zone.

5.3.4. Hygiene Score Calculation


The Hygiene Score is the health barometer for the sites and the EMCs. It indicates whether the
site is healthy (with few risks) or exposed to many risks. Its scale always ranges from 0 (the
riskiest) to 100 (the healthiest).

The Hygiene Score is calculated as follows:

By default, the Hygiene Score is based on the site's Zone Risk Score. A disadvantage of the
zone-based calculation is that it is less reliable, since the Hygiene Score changes according to
the chosen zone algorithm.

Instead, the score can be modified to be based on the Asset Risk Score rather than the Zone
Risk Score. Contact Claroty Support to implement this change.
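As an added example (not Claroty's code or published algorithm), the following Python models the weighted five-vector calculation described in sections 5.3.2 to 5.3.4: the asset score, the zone score under the average or the maximum zone algorithm, and a Hygiene Score derived from it. The guide states only the weights and the 0-100 scales; the level thresholds, the per-zone communication penalty and the Hygiene formula are assumptions made for this example.

```python
"""Worked example of the CTD risk model in sections 5.3.2-5.3.4 (added here;
not Claroty's code). From the guide: five vectors scored 0 (safest) to 100
(riskiest), weighted 30/20/20/15/15; zone vectors from the average or maximum
of asset vectors plus zone-to-zone communication; a 0-100 Hygiene Score (100
healthiest) derived from Zone Risk Scores. The level thresholds, the
communication penalty and the Hygiene formula are assumptions."""
from dataclasses import dataclass
from statistics import mean

# Vector weights as stated in the guide; they add up to 100%.
WEIGHTS = {"vulnerability": 0.30, "threat": 0.20, "criticality": 0.20,
           "accessibility": 0.15, "infection": 0.15}
VECTORS = tuple(WEIGHTS)


@dataclass
class AssetVectors:
    """One asset's five vector scores, each on the guide's 0-100 scale."""
    name: str
    vulnerability: float
    threat: float
    criticality: float
    accessibility: float
    infection: float

    def as_dict(self):
        return {v: getattr(self, v) for v in VECTORS}


def _checked(value):
    """Reject scores outside the 0-100 range the guide defines."""
    if not 0 <= value <= 100:
        raise ValueError(f"vector score {value} is outside 0-100")
    return value


def weighted_score(vectors):
    """Weighted sum of the five vectors; the result is again on 0-100."""
    return sum(WEIGHTS[v] * _checked(vectors[v]) for v in VECTORS)


def risk_level(score):
    """Band a 0-100 score as Critical/High/Medium/Low (assumed thresholds)."""
    if score >= 80:
        return "Critical"
    if score >= 60:
        return "High"
    if score >= 40:
        return "Medium"
    return "Low"


def asset_risk_score(asset):
    return weighted_score(asset.as_dict())


def zone_vectors(assets, zone_criticality, zones_talking_to_zone,
                 zones_zone_talks_to, aggregate=mean):
    """Derive the zone's vectors from its assets and its zone-to-zone traffic.

    `aggregate` is the zone algorithm (mean or max); the guide allows either.
    Assumption: each communicating zone adds 10 points of exposure (capped at
    100), blended 70/30 with the assets' aggregate; zones talking to this zone
    raise accessibility, zones this zone talks to raise infection.
    """
    def agg(vector):
        return aggregate(a.as_dict()[vector] for a in assets)

    inbound = min(100, 10 * zones_talking_to_zone)
    outbound = min(100, 10 * zones_zone_talks_to)
    return {
        "vulnerability": agg("vulnerability"),
        "threat": agg("threat"),
        "criticality": _checked(zone_criticality),
        "accessibility": 0.7 * agg("accessibility") + 0.3 * inbound,
        "infection": 0.7 * agg("infection") + 0.3 * outbound,
    }


def zone_risk_score(**zone_args):
    return weighted_score(zone_vectors(**zone_args))


def hygiene_score(zone_scores):
    """Assumption: 100 minus the mean Zone Risk Score, so more high-risk
    zones lower the site's score, as the guide describes."""
    return 100.0 - mean(zone_scores)


if __name__ == "__main__":
    # Constructed sample assets; not taken from any real site.
    plc = AssetVectors("PLC-01", 90, 60, 80, 70, 50)
    hmi = AssetVectors("HMI-02", 20, 0, 40, 30, 20)
    for a in (plc, hmi):
        s = asset_risk_score(a)
        print(f"{a.name}: {s:.1f} ({risk_level(s)})")
    # The same zone under both zone algorithms: the Hygiene Score moves, which
    # is the instability the guide notes for the zone-based calculation.
    for alg in (mean, max):
        z = zone_risk_score(assets=[plc, hmi], zone_criticality=80,
                            zones_talking_to_zone=3, zones_zone_talks_to=1,
                            aggregate=alg)
        print(f"zone via {alg.__name__}: {z:.2f} ({risk_level(z)}) -> "
              f"Hygiene {hygiene_score([z]):.2f}")
```

Running it shows the same zone scoring Medium under the average algorithm and High under the maximum algorithm, with the Hygiene Score moving accordingly.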


5.3.5. Improving the Hygiene Score

1. In Insights, identify the assets with high risk scores by checking the Top Risky Assets
insight and reviewing their number of vulnerabilities.
2. Filter for high-risk zones.
3. Resolve all the risks and vulnerabilities:
• From the zones
• From the assets
• From the open alerts associated with those zones and assets. (See Resolving Alerts:
Assign/Approve All/Approve Selected/Archive)

5.4. Insights
Insights are derived from your entire security posture, producing a holistic picture and risk
assessment. This page provides a detailed analysis of the assets and communications
discovered on the industrial network. This analysis pinpoints exposed assets and uncovers
network configurations that could provide a pathway for attackers or impact critical processes.

CTD generates dozens of insights on how to enhance your ICS security posture, shedding
light on critical assets and misconfigurations. Security and OT teams can then easily act upon
these insights. Some insights expose a list of protocols and the assets using these protocols.
Other insights reveal assets that communicate with external assets, including assets
performing data acquisition write actions on PLCs.

Note
Insights are continuously calculated in the background, but the results are not shown in
real time.

Insights are synchronized with the EMC, enabling users to view relevant insights from sites in
the EMC and perform operations on them.

The complete list of Insights is detailed in the CTD Reference Guide: Insights.

To access the Insights page:


• From the Main Menu, select Risk & Vulnerabilities > Insights.

Figure 84. Insights Page

Note
For EMCs with 50 or more sites, Insights of Low severity are filtered out by default.

You can show them using the Insights Options filter, accessed from the Insight
Options >> link.

5.4.1. Insights for a Specific Asset


To view all Insights that affect a specific asset:

1. In the Main Menu, click Visibility > Assets. The Assets page opens.
2. Click a specific asset. The asset's Asset View page opens.
3. Click the Risk & Vulnerabilities tab and then navigate to the Insights section of the tab.


Figure 85. Insights for an Asset

5.4.2. Updating Insight Statuses


Users can update insights with one of the following statuses: COMPLETED, HIDDEN, or OPEN,
where OPEN is the default status. Updating statuses also ensures that the Hygiene Score
metrics are based only on data that is relevant under the organization's specific policy and
requirements. A HIDDEN or COMPLETED insight does not appear by default in the list of
insights on the Insights page.

Comments can be added to Insights so that their handling can be managed as needed, for
example to keep track of open vulnerabilities and their remediation progress.

To mark Insights with statuses:

1. Open the Insights section of the asset.


2. Mark the status as COMPLETED, HIDDEN, or OPEN.


Figure 86. Resolution Options for the Insights

OPEN

• OPEN is the default status, and insights with this status appear on the Insights page.
• OPEN means the insight still needs to be addressed; as long as it is open, it negatively
affects the Hygiene Score.

HIDDEN

• After the user changes the insight status to HIDDEN, the insight is no longer visible on
the Insights page. All hidden insights can be seen by applying the Insights Status > Hidden
filter.
• Changing the insight status to HIDDEN does not improve the overall Hygiene Score or the Risk
Score of the involved assets.

COMPLETED

• After the user changes the insight status to COMPLETED, the insight is no longer visible
on the Insights page. All completed insights can be seen by applying the Insight Status >
Completed filter.
• Changing the insight status to COMPLETED improves the overall Hygiene Score or the
Risk Score of the involved assets.


Note
Even after an Insight is marked as COMPLETED, if the same communication occurs
again, the Insight might reappear due to Insight recalculations.

5.4.3. Threat Intelligence Updates


Regular threat intelligence bundles provide the latest threat definitions discovered by Claroty’s
Research team. These threat definition bundles include new CVEs as well as network traffic
signatures and Yara signatures.

The bundles enable the system to stay up to date with the latest threats without requiring a full
upgrade of the entire CTD software. For more information, see the CTD Administration Guide:
Applying Threat Intelligence Bundles.

5.4.4. Showing Insight Related Items


The Show Related tool enables you to dig deeper into Insight information while maintaining
navigation context.

For example, you might want to view the Zones related to the "Talking with Ghost Assets"
Insight.

For any Insight, you can view the related:

• Assets
• Zones

Note
Related Zones cannot be shown from the EMC.

To show items related to one or more Insights, do the following:

1. Filter the list with the desired criteria.
2. In the toolbar, click the Show Related icon and select the desired related item from the
drop-down list.


Figure 87. Selecting "Show Related Zones" for Insights Filtered for "Talking with Ghost Assets"

The related page opens, filtered for only those items related to at least one of the selected
Insights. Because the filter mentions the page from which the Show Related command
came, context is maintained.

Figure 88. Zones Related to the "Talking with Ghost Assets" Insight


5.4.5. Exporting Insights


Insights can be exported as a Table Report. See Creating Table Reports.

5.5. Vulnerabilities
CTD's vulnerability management feature matches known CVEs (vulnerabilities) to discovered
assets. Related metrics such as CVSS and EPSS scores, as well as CTD's proprietary analysis,
help you prioritize and manage the patching operation for those assets.

Different views of the data are tailored to your role in the organization, enabling you to view the
data with a vulnerability or asset focus.

Constant OT-focused security updates include new CVEs, network traffic signatures, and Yara
signatures. In addition, Claroty’s best-in-class vulnerability research gives you early access to
zero-day vulnerabilities. These threat intelligence updates enable you to stay up to date without
a full upgrade of the entire CTD environment.

Note
Vulnerability calculations are continuously conducted in the background, but the results
are not shown in real time.

Vulnerabilities are synchronized with the EMC, enabling you to view important information from
Sites in the EMC and perform operations on them.

For information about applying Threat Intelligence Bundles, see Applying Threat Intel Bundles.

5.5.1. Vulnerabilities Page


The Vulnerabilities page displays all the vulnerabilities in the enterprise by CVE (Common
Vulnerabilities and Exposures).

For each CVE, you can view scores that help you understand its severity and prioritize your
work in resolving it. You can also view information about the Assets affected by the vulnerability.

Like other pages in CTD, vulnerability information can be downloaded as a Table Report in .csv
format.


Figure 89. Vulnerabilities Page

Tip
By default, only CVEs with affected Assets are displayed. To view all CVEs in the system,
remove the Only Show Affected Assets filter.

5.5.1.1. Opening the Vulnerabilities Page


To open the Vulnerabilities page, navigate in the Main Menu to Risk & Vulnerabilities >
Vulnerabilities.

5.5.1.2. Vulnerability Details


The following information is available about each vulnerability:

• CVE - The numerical identifier of the vulnerability according to the industry-standard CVE
(Common Vulnerabilities and Exposures) database.
Clicking a CVE opens its Vulnerability View page.

• CVSS V3 Score - Severity of the vulnerability according to the industry-standard Common
Vulnerability Scoring System (CVSS) version 3 (V3). Severity levels include Low, Medium,
High, and Critical.
By default, the Vulnerabilities table is sorted by this score.
• EPSS Score - The likelihood of the vulnerability being exploited in the wild, based on the
Exploit Prediction Scoring System (EPSS) model.
• Actively Exploited - Indicates a Vulnerability that has been actively exploited in the wild,
based on the CISA Catalog of Known Exploited Vulnerabilities (KEV). "N/A" is displayed if the
vulnerability has not been exploited.
Actively exploited Vulnerabilities are updated with every Claroty Threat Intelligence Bundle.
• Description - CVE details about the vulnerability.
• Affected Assets - Total of Confirmed Assets plus Potentially Relevant Assets. Click the
number to open the Assets page filtered for these Assets.
• Confirmed Assets - Assets with vendor, model, and firmware versions ("Full Match CVEs"
prior to v5.1.0) as well as Installed Program versions ("Program Match CVEs" prior to v5.1.0)
that match the CVE. Click the number to open the Assets page filtered for these Assets.
• Potentially Relevant Assets - Assets with vendor name and model only (known as Model
Match prior to v5.1.0) and all Windows vulnerabilities. Click the number to open the Assets
page filtered for these Assets.
• Comment (Site only) - Click to add or edit free text such as reminders, statuses, or action
items.

Other Available Details

The following columns can be added to the Vulnerabilities table by clicking More in the
toolbar and then Select columns.

• CVSS V2 Score - Severity of the vulnerability according to the older industry-standard
Common Vulnerability Scoring System (CVSS) version 2 (V2). Severity levels include Low,
Medium, and High.
• Access Vector - The type of access required to exploit the vulnerability. Possible values:
Network, Unknown, Physical, Adjacent Network, or Local.
• Advisory - A group of CVEs that are generally remediated together.

• Detection Date - Date on which the Asset-Vulnerability pair was detected.
• Last Modified - Most recent date the CVE was modified in the NVD database.
• Release Date - Date that the CVE was released in the NVD database.
• Manually Fixed Assets - Number of Assets that were patched by a user.
Click the number to open the Assets page filtered for these Assets.
• Affected IoT Assets - Number of IoT Assets affected by the vulnerability.
Click the number to open the Assets page filtered for these Assets.
• Affected IT Assets - Number of IT Assets affected by the vulnerability.
Click the number to open the Assets page filtered for these Assets.
• Affected OT Assets - Number of OT Assets affected by the vulnerability.
Click the number to open the Assets page filtered for these Assets.

5.5.1.3. Filtering, Searching, and Sorting the Vulnerabilities List


To find vulnerabilities, you can filter, search, and sort the Vulnerabilities list.

• You can filter the Vulnerabilities list using any of these filters:
• Class - Vulnerabilities that affect OT, IT, and/or IoT assets
• Affected Assets - Only vulnerabilities that have affected assets in CTD OR only
vulnerabilities that do not have affected assets in CTD
• Actively Exploited - Only vulnerabilities that have been exploited in the wild OR
vulnerabilities that have NOT been actively exploited in the wild
• Vulnerability Relevance - Vulnerabilities with assets that are potentially relevant and/or
confirmed
• Vulnerability Status - Vulnerabilities with any of these statuses:
• Open - Default status; vulnerabilities on which no action has yet been taken
• Irrelevant - Vulnerabilities with assets matched to them incorrectly (a false positive)
• Accepted - Vulnerabilities whose inherent risk is known and acknowledged
• Manually Fixed - Windows vulnerabilities that have been patched
• You can search for vulnerabilities by typing any part of the CVE number, advisory number, or
description in the Search by field and pressing <Enter>.
• You can sort the list by clicking any column heading except Description and Comment.
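As an added example (not Claroty's code), the following Python triages a constructed Vulnerabilities Table Report export using the columns described above: CVEs listed in the CISA KEV catalog with affected assets come first, then confirmed matches by EPSS and CVSS v3, while Potentially Relevant matches are held for confirmation and already triaged statuses (Irrelevant, Accepted, Manually Fixed) are excluded. The exact CSV header spelling, the non-"N/A" value shown for Actively Exploited, the placeholder CVE identifiers and the tier rules are assumptions.

```python
"""Triage of a Vulnerabilities Table Report export (added example; not
Claroty's code). The guide says the Vulnerabilities page exports as a .csv
Table Report and describes the CVE, CVSS V3 Score, EPSS Score, Actively
Exploited, Confirmed Assets, Potentially Relevant Assets and Status fields.
Assumptions: the exact CSV header spelling, the "Yes" value for Actively
Exploited (the guide only specifies "N/A"), and the tier rules below."""
import csv
import io
from dataclasses import dataclass

# Constructed sample export; CVE-0000-* are placeholders, not real CVE IDs.
SAMPLE_CSV = """\
CVE,Type,CVSS V3 Score,EPSS Score,Actively Exploited,Affected Assets,Confirmed Assets,Potentially Relevant Assets,Status
CVE-0000-0001,OT,9.8,0.91,Yes,12,10,2,Open
CVE-0000-0002,Platform,7.5,0.02,N/A,40,0,40,Open
CVE-0000-0003,OT,9.1,0.45,N/A,3,3,0,Accepted
CVE-0000-0004,Application,5.3,0.80,Yes,6,1,5,Open
CVE-0000-0005,IoT,8.8,0.01,N/A,0,0,0,Open
CVE-0000-0006,OT,9.1,0.45,N/A,3,3,0,Open
CVE-0000-0007,OT,6.5,0.10,N/A,2,2,0,Open
"""


@dataclass
class Vuln:
    cve: str
    cvss_v3: float
    epss: float
    actively_exploited: bool   # True when the KEV column is not "N/A"
    confirmed: int             # Confirmed Assets
    potentially_relevant: int  # Potentially Relevant Assets
    status: str                # Open / Irrelevant / Accepted / Manually Fixed


def parse_report(text):
    """Parse the CSV export into Vuln records, tolerating blank cells."""
    vulns = []
    for row in csv.DictReader(io.StringIO(text)):
        vulns.append(Vuln(
            cve=row["CVE"].strip(),
            cvss_v3=float(row["CVSS V3 Score"] or 0),
            epss=float(row["EPSS Score"] or 0),
            actively_exploited=row["Actively Exploited"].strip().upper()
            not in ("", "N/A"),
            confirmed=int(row["Confirmed Assets"] or 0),
            potentially_relevant=int(row["Potentially Relevant Assets"] or 0),
            status=row["Status"].strip(),
        ))
    return vulns


def tier(v):
    """Assumed triage tiers (lower = work first).

    1: in the CISA KEV catalog (actively exploited) with affected assets
    2: confirmed assets and EPSS >= 0.5 or CVSS v3 >= 9.0
    3: confirmed assets, lower scores
    4: potentially relevant assets only: confirm the match before patching
    5: no affected assets (hidden by the default Only Show Affected Assets filter)
    9: already triaged (Irrelevant, Accepted or Manually Fixed)
    """
    if v.status != "Open":
        return 9
    if v.confirmed + v.potentially_relevant == 0:
        return 5
    if v.actively_exploited:
        return 1
    if v.confirmed and (v.epss >= 0.5 or v.cvss_v3 >= 9.0):
        return 2
    if v.confirmed:
        return 3
    return 4


def triage(vulns):
    """Open vulnerabilities ordered by tier, then EPSS, then CVSS v3."""
    return sorted((v for v in vulns if tier(v) < 9),
                  key=lambda v: (tier(v), -v.epss, -v.cvss_v3))


if __name__ == "__main__":
    for v in triage(parse_report(SAMPLE_CSV)):
        kev = "KEV" if v.actively_exploited else "   "
        print(f"tier {tier(v)}  {v.cve}  CVSS {v.cvss_v3:>4}  EPSS {v.epss:.2f}  "
              f"{kev}  confirmed={v.confirmed} potential={v.potentially_relevant}")
```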


5.5.1.4. Searching for CVEs


By default, only CVEs with affected assets are displayed.

To search for a vulnerability that is not affecting assets in your environment, remove the
Affected Assets filter before searching, rather than searching the CTD Knowledge Base.

Likewise, to browse the entire list of CVEs supported by CTD, remove the Affected Assets
filter.

Figure 90. Affected Assets Filter

5.5.2. Vulnerability View Page


The Vulnerability View page contains detailed data about the vulnerability selected in the
Vulnerabilities page.


Figure 91. Vulnerability View Page


5.5.2.1. Opening the Vulnerability View Page


To open the Vulnerability View page, navigate in the Main Menu to Risk & Vulnerabilities >
Vulnerabilities, and then click any vulnerability.

5.5.2.2. Vulnerability Page Widgets


The Vulnerability View Page contains the following widgets:

1. Vulnerability Summary - Includes the CTD vulnerability type as well as the CVE number
and description.
2. Vulnerability Information - Includes the following details about the vulnerability:
• Vulnerability Type - Options include Application, OT, IoT, and Platform.
• Release Date - Date that the CVE was released in the NVD database.
• CVSS V3 Base Score - Severity of the vulnerability according to the industry-standard
Common Vulnerability Scoring System (CVSS) version 3 (V3). Severity levels include
Low, Medium, High, and Critical.
• CVSS V2 Base Score - Severity of the vulnerability according to the older industry-
standard Common Vulnerability Scoring System (CVSS) version 2 (V2). Severity levels
include Low, Medium, and High.
• EPSS Score - The likelihood of the vulnerability being exploited in the wild, based on the
Exploit Prediction Scoring System (EPSS) model.
• Affected Assets - Lists the number of assets affected by this vulnerability. Click the
number to open the Assets page filtered for all assets with this vulnerability.
• Actively Exploited - Indicates a Vulnerability that has been actively exploited in the wild,
based on the CISA Catalog of Known Exploited Vulnerabilities (KEV). "N/A" is displayed
if the vulnerability has not been exploited.
• Comment (Site only) - Click to add or edit free text such as reminders, statuses, or
action items.
• Last Modified - Most recent date the CVE was modified in the NVD database.
• Access Vector - The type of access required to exploit the vulnerability. Possible values:
Network, Unknown, Physical, Adjacent Network, or Local.
• NVD Link - Click the link to view the vulnerability in the NVD database.


Important
Claroty cannot ensure the validity of links to outside sources.

3. Affected Assets by Vulnerability Relevance - Pie chart that breaks down the assets
affected by the vulnerability by relevance:
• Confirmed - Number of Assets with vendor, model, and firmware versions that match the
CVE. Click the "pie piece" to open the Assets page filtered for these Assets.
• Potentially Relevant - Assets with vendor name and model only (known as Model Match
prior to v5.1.0) and all Windows vulnerabilities. Click the "pie piece" to open the Assets
page filtered for these Assets.
4. Affected Assets by Class - All assets affected by the vulnerability, broken down by asset
class of OT, IT, and IoT
Click the asset class to open the Assets page filtered for these Assets.
5. Affected Assets by Status - Bar chart that breaks down the statuses assigned to Assets
with the vulnerability. Statuses include:
• Open - (Default) No action taken yet.
• Irrelevant - The matching of the vulnerability with the asset is incorrect - a false positive.
• Accepted - The risk inherent in the vulnerability is known and acknowledged.
• Manually Fixed - The vulnerability was patched or another compensating control was
added.
Click a bar to open the Assets page filtered for assets with this status.
6. Affected Assets - This widget is a table that lists all the Assets affected by the vulnerability
and includes vulnerability-specific parameters such as Detection Date, Vulnerability
Relevance, and Risk Level.
You can search, sort, and filter the table as needed, and you can perform specific actions to
manage the assets.
To learn more about this widget, see Affected Assets.


5.5.3. Affected Assets


The Affected Assets widget is a table within the Vulnerability View page that lists all the
Assets affected by a specific vulnerability. It includes vulnerability-specific parameters such as
Detection Date, Vulnerability Relevance, Risk Level, and others that help you understand the
vulnerability's impact on these assets and manage them.

The list can be filtered, searched, and sorted, and you can manage assets by changing their
status, adding a comment, and assigning them to another user.

Figure 92. Vulnerability View Page - Affected Assets

5.5.3.1. Affected Asset Details


The following information is available about each asset affected by the vulnerability:

• Site (EMC Only) - Site on which the vulnerability was found
• Asset Name
• IP
• Type - Options include Application, OT, IoT, and Platform.
• Vendor


• Model
• OS
• Firmware
• Detection Date - Date on which the Asset-Vulnerability pair was detected.
• Vulnerability Relevance - Accuracy of the asset-vulnerability pairing:
• Confirmed - The vulnerability is relevant to the asset.
• Potentially Relevant - The vulnerability might be relevant to the asset, but there are not
enough details to confirm this.
• Status - One of the following statuses can be assigned to an Asset:
• Open - (Default) No action taken yet.
• Irrelevant - The matching of the vulnerability with the asset is incorrect - a false positive.
• Accepted - The risk inherent in the vulnerability is known and acknowledged.
• Manually Fixed - The vulnerability was patched or another compensating control was
added.
• Assigned To - User to whom the asset was assigned for further tracking.
• Comment - Click to add or edit free text such as reminders, statuses, or action items.
Because this comment is specific to the asset-vulnerability pair, it has no connection to the
comment added to the vulnerability in the Vulnerabilities page.

Other Available Details

The following columns can be added to the Affected Assets table by clicking More in the
toolbar and then Select columns.

• Type - Type of vulnerability. Options include Application, OT, IoT, and Platform.
• MAC
• Class - Asset class. Options include IT, OT, and IoT
• Criticality - High, Medium, Low
• Risk Level – Calculation of how much risk the asset poses to the system - Critical, High,
Medium, Low
• Last Seen – Date and time the asset was last detected
• Updated By - User that updated the Status or added a Comment.


5.5.3.2. Filtering, Searching, and Sorting Affected Assets


To find specific assets affected by the vulnerability, you can filter, search, and sort the list.

• You can filter the list by doing any of the following:
• Use any of these filters: Site (EMC only), Vulnerability Relevance, and Vulnerability
Status.
• Narrow down the filter results by time using the Last Seen filter.
• Alternatively, click Switch to Query View to add Claroty Query Language queries.
• You can search for Affected Assets by typing any part of the Asset Name, IP, MAC, Vendor,
Firmware, Model, CVSS score, or EPSS score in the Search by box, and pressing <Enter>.
• You can sort the list by clicking any column heading except Asset Name, Firmware, and
Status.

5.5.3.3. Changing the Status of Affected Assets


You can change the status of one or more assets affected by the vulnerability. Statuses include:

• Open - (Default) No action taken yet.
• Irrelevant - The matching of the vulnerability with the asset is incorrect - a false positive.
• Accepted - The risk inherent in the vulnerability is known and acknowledged.
• Manually Fixed - The vulnerability was patched or another compensating control was added.

Individual Asset
To change the status of an individual asset affected by the vulnerability:

1. In the Status column of an asset, click the Update Status icon, which is
displayed when hovering over the current status.
2. In the Update Vulnerability Status window, select the status and click Save.


Multiple Assets
To change the status of multiple assets affected by the vulnerability:

1. Select the assets whose status you want to change.
(To select all assets, click the Select All checkbox in the toolbar).
2. In the toolbar, click the Update Status icon.
3. In the Update Vulnerability Status window, select the status and click Save.

5.5.3.4. Adding a Comment to Affected Assets


You can add a comment to one or more assets affected by the vulnerability. Comments enable
you to document and track information such as reminders, statuses and action items.


Note

• Because the purpose of this comment is to add information about the vulnerability
as it relates to the selected assets, a comment added to the vulnerability in the
Vulnerabilities page is not reflected here.
• Saving a comment overwrites the previous one. Therefore, to append information,
press <Enter> after the existing comment.

Individual Asset
To add a comment to an asset affected by the vulnerability:

1. In the Comment column of an asset, click the Comment icon.
2. In the Add Comment window, type a comment and click Save.

Multiple Assets
To add a comment to multiple assets affected by the vulnerability:

1. Select the assets to which you want to add a comment.
(To select all assets, click the Select All checkbox in the toolbar).
2. In the toolbar, click the Comment icon.
3. In the Add Comment window, type a comment and click Save.

5.5.3.5. Assigning Affected Assets to a User


You can assign assets affected by the vulnerability to a user, such as a SOC Analyst, to
manage.

1. Select the assets to which you want to assign a user.
(To select all assets, click the Select All checkbox in the toolbar).
2. Click the Assign User icon.
3. In the Assign CVE window, select the user to whom the assets should be assigned from the
Select User dropdown list OR click Assign to Me (Admin).


Figure 93. Assigning a Vulnerability to a User

Then click Assign.

The name of the selected user is displayed in the Assigned To column.

5.5.4. Asset Vulnerabilities


The Risk & Vulnerabilities tab of an asset's Detailed Asset page contains the Vulnerabilities
table, which enables you to see all the vulnerabilities identified on the asset, create a work
process, and track its progress.

The list can be filtered, searched, and sorted, and you can manage vulnerabilities by changing
their status, adding a comment, and assigning them to another user.


Figure 94. Vulnerabilities Table in the Detailed Asset Page

5.5.4.1. Vulnerability Details


The following information is available about each of the asset's vulnerabilities:

• CVE - The numerical identifier of the vulnerability according to the industry-standard CVE
(Common Vulnerabilities and Exposures) database.
• Advisory - A group of CVEs that are generally remediated together.
• Type - Type of vulnerability. Options include Application, OT, IoT, and Platform.
• CVSS V3 Score - Severity of the vulnerability according to the industry-standard Common
Vulnerability Scoring System (CVSS) version 3 (V3). Severity levels include Low, Medium,
High, and Critical.
• EPSS Score - The likelihood of the vulnerability being exploited in the wild, based on the
Exploit Prediction Scoring System (EPSS) model.
• Description - CVE details about the vulnerability.
• Vulnerability Relevance - Whether the asset-vulnerability pairing is Confirmed or Potentially
Relevant
• Status - One of the following statuses can be assigned to an Asset:
• Open - (Default) No action taken yet.
• Irrelevant - The matching of the vulnerability with the asset is incorrect - a false positive.
• Accepted - The risk inherent in the vulnerability is known and acknowledged.
• Manually Fixed - The vulnerability was patched or another compensating control was
added.
• Comment - Click to add or edit free text such as reminders, statuses, or action items.

Other Available Details

The following columns can be added to the Vulnerabilities table by clicking More in the
toolbar and then Select columns.

• CVSS V2 Score - Severity of the vulnerability according to the older industry-standard
Common Vulnerability Scoring System (CVSS) version 2 (V2). Severity levels include Low,
Medium, and High.
• Detection Date - Date on which the Asset-Vulnerability pair was detected.
• Assigned To - User to whom the asset was assigned for further tracking.
• Actively Exploited - Indicates a Vulnerability that has been actively exploited in the wild,
based on the CISA Catalog of Known Exploited Vulnerabilities (KEV). "N/A" is displayed if the
vulnerability has not been exploited.
Actively exploited Vulnerabilities are updated with every Claroty Threat Intelligence Bundle.
• Access Vector - The type of access required to exploit the vulnerability. Possible values:
Network, Unknown, Physical, Adjacent Network, or Local.
• Release Date - Date that the CVE was released in the NVD database.
• Updated By - User that updated the Status or added a Comment.
• Last Modified - Most recent date the CVE was modified in the NVD database.

5.5.4.2. Filtering, Searching, and Sorting an Asset's Vulnerabilities


To find an asset's vulnerabilities, you can filter, search, and sort the list.

• You can filter the list by doing any of the following:
• Use any of these filters: Site (EMC only), Vulnerability Relevance, and Vulnerability
Status.
• Alternatively, click Switch to Query View to add Claroty Query Language queries.

• You can search for the asset's vulnerabilities by typing any part of the CVE number,
Advisory number, Description, CVSS score or EPSS score into the Search by box and
pressing <Enter>.
• You can sort the list by clicking any column heading except Description and Status.

5.5.4.3. Changing the Status of an Asset's Vulnerabilities


You can change the status of one or more of the asset's vulnerabilities. Statuses include:

• Open - (Default) No action taken yet.
• Irrelevant - The matching of the vulnerability with the asset is incorrect - a false positive.
• Accepted - The risk inherent in the vulnerability is known and acknowledged.
• Manually Fixed - For Windows vulnerabilities - the vulnerability was patched.

Individual Vulnerability
To change the status of an individual vulnerability:

1. In the Status column of a vulnerability, click the Update Status icon.
2. In the Update Vulnerability Status window, select the status and click Save.

Multiple Vulnerabilities
To change the status of multiple vulnerabilities:

1. Select the vulnerabilities whose status you want to change. (To select all vulnerabilities, click the Select All checkbox in the toolbar.)
2. In the toolbar, click the Update Status icon.
3. In the Update Vulnerability Status window, select the status and click Save.

5.5.4.4. Adding a Comment to a Vulnerability


You can add a comment to one or more of an asset's vulnerabilities. Comments enable you to document and track information such as reminders, statuses, and action items.

Note

• Because the purpose of this comment is to add information about the vulnerability as it relates to the selected asset, a comment added to the vulnerability in the Vulnerabilities page is not reflected here.
• Saving a comment overwrites the previous one. Therefore, to append information, press <Enter> after the existing comment.

Individual Vulnerability
To add a comment to a single vulnerability:

1. In the Comment column of a vulnerability, click the Comment icon.
2. In the Add Comment window, type a comment and click Save.

Multiple Vulnerabilities
To add a comment to multiple vulnerabilities:

1. Select the vulnerabilities to which you want to add a comment. (To select all vulnerabilities, click the Select All checkbox in the toolbar.)
2. In the toolbar, click the Comment icon.
3. In the Add Comment window, type a comment and click Save.

5.5.4.5. Assigning Vulnerabilities to a User


You can assign vulnerabilities to a user, such as a plant manager, to manage.

1. Select the vulnerabilities that you want to assign. (To select all vulnerabilities, click the Select All checkbox in the toolbar.)
2. Click the Assign User icon.
3. In the Assign CVE window, select the user to whom the vulnerabilities should be assigned from the Select User dropdown list OR click Assign to Me (Admin).

Figure 95. Assigning a Vulnerability to a User

Then click Assign.

The name of the selected user is displayed in the Assigned To column.

5.5.5. Migration Notes


In CTD versions earlier than 5.1.0, Vulnerabilities were a type of Insight. This has several
implications when they are migrated to Vulnerabilities.

5.5.5.1. Status
Vulnerabilities that were previously Insights are assigned the following Statuses upon migration:

Table 3. Old and New Statuses

Old Status     New Status
Open           Open
Hide           Accept
Completed      Manually Fixed

5.5.5.2. Comments in Asset-Vulnerability Pairs


As an Insight, you could add a comment to an Asset associated with the Vulnerability as follows:

Figure 96. Comment in Vulnerability Insight

After migration, these comments are displayed in the:

• Vulnerability View page - the Affected Assets table
• Detailed Asset page - the Vulnerabilities table

5.5.5.3. Vulnerability Relevance


The Relevance of a Vulnerability is the accuracy estimation of the Asset-Vulnerability pairing.

When migrating previous vulnerability-related Insights, the following relevance ratings are
assigned:

Table 4. Old and New Relevance

Old Relevance              New Relevance
Full Match CVE             Confirmed
Program Match CVE          Confirmed
Windows CVE                Potentially Relevant
Windows CVE Full Match     Potentially Relevant
Model Match CVE            Potentially Relevant

5.6. Attack Vectors

5.6.1. Attack Vectors


The Attack Vector is designed to identify potential attack pathways into your most critical assets,
and show which vulnerabilities or assets could be exploited to gain access to, or to negatively
impact these devices.

The results display the scenarios that could potentially compromise your critical assets
(especially OT assets), providing your security teams with the needed visibility to proactively
mitigate risk and prioritize activities. CTD leverages proprietary analytics to reveal the most
prominent attack scenarios an attacker could use to propagate between assets and zones in the
network.

This empowers users to quickly visualize and simulate likely attack vectors based on risks and
other security gaps. The system enables users to effectively mitigate and remediate against
these critical potential paths an attacker would leverage to penetrate the environment.

Note
Due to the sensitivity of this capability, its access is limited to only those users with
Administrator rights.

Note
Attack Vectors will not be calculated by default when using the Enterprise Management
Console (EMC).

5.6.2. Using Attack Vectors


To use Attack Vectors:

In the Main Menu, select Risk & Vulnerabilities > Attack Vectors.

• The default view shows the most threatened Attack Vector identified among all the potential possibilities calculated, that is, the one in the riskiest zone.
• From the Target Zone dropdown, you can choose other target zones for which additional attack vectors are calculated.

Figure 97. Attack Vector Simulation

The lateral movements that CTD considers an attack vector are:

• Internal asset communicating with external assets (except NTP and ghost assets)
• Same subnets - when an asset has a connection to an external network, the algorithm assumes that all assets in the same network also have a connection to the external network
• Remote connections - a remote communication between assets occurred (for example, an RDP connection)
• OT protocols - running OT commands to change configurations
• Domain controllers - an attacker gaining control over a domain controller can execute commands
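The rules above can be applied mechanically to an asset inventory and its observed flows. The following Python example is an added illustration, not Claroty's code or the CTD algorithm: it builds a directed graph from the five rules over a constructed inventory (the asset names, IP addresses, zones, the protocol sets, and the treatment of an uninventoried peer as a ghost asset are all assumptions) and enumerates the paths from the external network into a chosen target zone, shortest first, so that each hop can be matched to a mitigation such as segmentation or removing a remote-access rule.

```python
# Added illustration (not Claroty's code): lateral-movement graph built from
# the five rules listed in this section, over a constructed inventory.
from collections import defaultdict
from ipaddress import ip_address, ip_network

EXTERNAL = "external"                       # pseudo-node for the outside network
OT_PROTOCOLS = {"S7comm", "Modbus", "CIP"}   # assumed set of configuration-capable OT protocols
REMOTE_PROTOCOLS = {"RDP", "SSH", "VNC"}     # assumed set of remote-access protocols

# Constructed inventory: hypothetical names, IPs, zones and device kinds.
ASSETS = {
    "hmi-1":  {"ip": "10.0.1.10",  "zone": "Operations", "kind": "HMI"},
    "eng-ws": {"ip": "10.0.1.20",  "zone": "Operations", "kind": "Engineering Workstation"},
    "dc-1":   {"ip": "10.0.2.5",   "zone": "IT",         "kind": "Domain Controller"},
    "ntp-1":  {"ip": "10.0.2.123", "zone": "IT",         "kind": "Server"},
    "plc-1":  {"ip": "10.0.3.30",  "zone": "Process",    "kind": "PLC"},
}
SUBNETS = [ip_network(s) for s in ("10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24")]

# Constructed observed flows: (source, destination, protocol).
FLOWS = [
    (EXTERNAL, "hmi-1", "HTTPS"),    # internal asset talking to the outside
    (EXTERNAL, "ntp-1", "NTP"),      # excluded by the NTP exception
    (EXTERNAL, "ghost-7", "HTTPS"),  # peer not in the inventory: treated as a ghost asset, excluded
    ("hmi-1", "dc-1", "RDP"),        # remote connection
    ("dc-1", "eng-ws", "SMB"),       # domain controller talks to a domain member
    ("eng-ws", "plc-1", "S7comm"),   # OT protocol that can change configuration
]


def subnet_of(ip):
    addr = ip_address(ip)
    return next((net for net in SUBNETS if addr in net), None)


def build_edges(assets, flows):
    """Return {src: [(dst, reason), ...]} following the lateral-movement rules."""
    edges = defaultdict(list)

    def add(src, dst, reason):
        if (dst, reason) not in edges[src]:
            edges[src].append((dst, reason))

    external_facing = []
    for src, dst, proto in flows:
        if EXTERNAL in (src, dst):
            inside = dst if src == EXTERNAL else src
            if proto == "NTP" or inside not in assets:
                continue                       # NTP traffic and ghost assets do not count
            external_facing.append(inside)
            add(EXTERNAL, inside, f"communicates with external network ({proto})")
            continue
        if proto in REMOTE_PROTOCOLS:
            add(src, dst, f"remote connection ({proto})")
        if proto in OT_PROTOCOLS:
            add(src, dst, f"OT protocol commands ({proto})")
        # Assumption: a domain controller can run commands on any member it talks to.
        for a, b in ((src, dst), (dst, src)):
            if assets[a]["kind"] == "Domain Controller":
                add(a, b, "domain controller can execute commands on member")
    # Same-subnet rule: every asset sharing a subnet with an external-facing
    # asset is assumed to be reachable from outside as well.
    for name in external_facing:
        net = subnet_of(assets[name]["ip"])
        for other, info in assets.items():
            if other != name and subnet_of(info["ip"]) == net:
                add(EXTERNAL, other, f"same subnet as external-facing {name} ({net})")
    return dict(edges)


def attack_paths(edges, assets, target_zone, max_hops=5):
    """All simple paths from the external network into target_zone, shortest first."""
    targets = {n for n, info in assets.items() if info["zone"] == target_zone}
    found = []

    def walk(node, hops, reasons):
        if node in targets:
            found.append({"hops": hops, "reasons": reasons})
            return
        if len(hops) > max_hops:
            return
        for nxt, reason in edges.get(node, []):
            if nxt not in hops:
                walk(nxt, hops + [nxt], reasons + [reason])

    walk(EXTERNAL, [EXTERNAL], [])
    return sorted(found, key=lambda p: len(p["hops"]))


if __name__ == "__main__":
    for path in attack_paths(build_edges(ASSETS, FLOWS), ASSETS, "Process"):
        print(" -> ".join(path["hops"]))
        for reason in path["reasons"]:
            print("   ", reason)
```

Run as a script, the example lists two paths into the Process zone: the direct one through the engineering workstation (reachable only because it shares a subnet with the external-facing HMI) and the longer one through the RDP session to the domain controller. Each listed reason corresponds to one of the five rules, which is the hop a defender would break.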

6. Threat Detection

6.1. Threat Detection


CTD is designed to identify threats early in their process. Relying on its in-depth knowledge of
protocols, configuration, and communication flows, the system identifies known threat attacks
and zero-day attacks as well as ones with sophisticated OT payloads.

The system uses deep packet inspection (DPI) analysis technology to:

• protect critical infrastructures
• gain visibility into the network
• implement virtual network segmentation.

It continuously monitors for threats and policy violations.

CTD provides you with visibility to immediately focus on the network’s vital signs to allow a quick
response.

6.2. Threat Detection Overview

6.2.1. Threat Detection Overview


To access the Threat Detection Overview:

Click Threat Detection > Overview in the menu.

The Threat Detection Overview appears as follows for a CTD Site.

Figure 98. Threat Detection Overview - Site

Use the Time Frame Selector to show information based on the time period of your preference
(day/week/month/year). All widgets described below represent the results of the selected
duration.

6.2.1.1. Threat Detection Widgets

1. Threat Detection Bar – Displays the total numbers of open alert stories, open alerts, and events for the selected time period. Click a number to display the full list of stories, alerts, or events.
2. Alert Status – Displays a bar graph of the open alert stories and open alerts for the selected time period. Click a bar in the graph to open a list.
3. Recent Alerts – A table highlighting the 10 most recent alerts, displaying their Description, Score, and Detection date, with a colored dot to indicate the alert's severity level. Use the scroll bar on the right edge to view earlier alerts. Click an alert to navigate to the full details of its Alert page. Click Show More to display all alerts on the Alerts page.
4. Top Alerted Assets – A table of the top 10 alerted assets, sorted by asset Name, listing each asset's Type, Criticality level, and the number of alert instances in the given timeframe. Assets with no alerts are not displayed. Click an Alerted Asset to open its detailed Asset page.
5. Top Alerted Zones – This table shows virtual zones. Each virtual zone is grouped according to the type of alert associated with the asset. The virtual zones are displayed by criticality level. The top zones with open alerts are listed; zones that have no alerts are not listed. Click a virtual zone to reach its zone page (if there is one); otherwise, it leads to the Alerts page with the relevant zone filter. The zone page is a table of zones with each row displaying the zone name, its criticality, and the number of alerts in the given timeframe.
6. Alerts by Type – A pie chart showing the breakdown of alerts per type and the number of instances of each type. The top three types are shown. Click an alert type to navigate to the Alerts page for detailed information.
7. Alerts by Severity – A pie chart of the alert distribution for each severity category in the given timeframe. Click a portion of the pie chart to reach the Alerts page filtered by the specific severity and timeframe.
8. Alert Trend – A time graph showing the distribution and total of new alerts by alert type (with a line for each type) for the selected time period. Click a line to navigate to the Alerts page. The granularity of the alert groups displayed depends on the selected time frame (for example, alerts are grouped by hour when the selected timeframe is a day).
9. Recent High & Critical Alerts – Lists up to 25 of the most recent High and Critical alerts.

6.2.2. EMC Threat Detection Overview


The EMC Threat Detection Overview appears as follows:

6.2.2.1. Threat Detection Widgets

1. Threat Detection Bar – Displays the total numbers of open alert stories, open alerts, and events in the enterprise for the selected time period. Click a number to display the full list of stories, alerts, or events.
2. Top Alerted Sites – This widget has two parts. The first shows the total number of Critical open alerts throughout the enterprise and breaks it down graphically by alert family; each alert family is represented by a color, as described in the legend on the right. The second is a bar graph of critical open Alerts for each Site, broken down by alert family. Each alert family is represented by a color (as described in the legend on the right), and clicking an alert type opens the Alerts list filtered by that alert type.
3. Alert Status – A color-coded bar graph of Alert Stories and Alerts with a count of each alert severity level. Clicking the graph opens the Alerts page filtered for the alert count and severity in the graph.
4. Recent Alerts – A table highlighting the 10 most recent alerts, displaying their Description, Score, and Detection date, with a colored dot to indicate the alert's severity level. Use the scroll bar on the right edge to view earlier alerts. Click an alert to navigate to the full details of its Alert page. Click Show More to display all alerts on the Alerts page.
5. Top Alerted Assets – A table of the top 10 alerted assets, sorted by asset Name, listing each asset's Type, Criticality level, and the number of alert instances in the given timeframe. Assets with no alerts are not displayed. Click an Alerted Asset to open its detailed Asset page.
6. Top Alerted Zones – This table shows virtual zones. Each virtual zone is grouped according to the type of alert associated with the asset. The virtual zones are displayed by criticality level. The top zones with open alerts are listed; zones that have no alerts are not listed. Click a virtual zone to reach its zone page (if there is one); otherwise, it leads to the Alerts page with the relevant zone filter. The zone page is a table of zones with each row displaying the zone name, its criticality, and the number of alerts in the given timeframe.
7. Alerts by Type – A pie chart showing the breakdown of alerts per type and the number of instances of each type. The top three types are shown. Click an alert type to navigate to the Alerts page for detailed information.
8. Alerts by Severity – A pie chart of the alert distribution for each severity category in the given timeframe. Click a portion of the pie chart to reach the Alerts page filtered by the specific severity and timeframe.
9. Alerts by Site – A bar graph displaying the total number of alerts for each site.
10. Alert Trend – A time graph showing the distribution and total of new alerts by alert type (with a line for each type) for the selected time period. Click a line to navigate to the Alerts page. The granularity of the alert groups displayed depends on the selected time frame (for example, alerts are grouped by hour when the selected timeframe is a day).
11. Recent High & Critical Alerts – Lists up to 25 of the most recent High and Critical alerts.

6.3. Alerts
Alerts appear in the Alerts page, which displays resolved and unresolved alerts and allows you
to manage them.

Note
To optimize system performance, Alerts are maintained in the CTD database for one year
from the date of occurrence.

To navigate to the Alerts Page, click Threat Detection > Alerts.

6.3.1. Alert Types


CTD differentiates Process Integrity Alerts from Security Event Alerts.

• Process Integrity Alert – Reflects a critical change to a process, such as configuration, download/upload, and mode change. These alerts are triggered by a network failure, operator error, or malicious attack.
• Security Event Alert – Raised when a well-defined cyber-attack vector occurs, such as a Man-in-the-Middle (MitM) attack, port scan, or network scan.

6.3.2. Alerts Page


Use the Alerts page for viewing and investigating your alerts.

Note
Certain features are available only when viewing the EMC or a Site as indicated below.

To access the Alerts page:

• In the Main Menu, navigate to Threat Detection > Alerts.

Figure 100. Alerts Page

1. The top bar gives the total Process Integrity Alerts vs. Security Event Alerts.
2. By default, the alerts in the alert table are listed individually so that actions such as Approving or Archiving can be performed on them. However, they can also be grouped by Alert Story - a set of alerts that CTD correlates after it has determined that the events are interrelated. To view Alert Stories, click Group Alerts by Story. To ungroup the alerts, click Ungroup Alerts by Story.
3. Filter the Alerts page to display the alerts according to any of the following:
  • (EMC only) Use Site to select the Sites from which alerts should be shown.
  • Use Alert Status to differentiate alerts with an Unresolved status (the default) from Resolved alerts.
  • Select specific Alert Types of interest.
  • Choose to identify alerts of the Category Integrity and/or Security.
  • Filter by Alert Severity level. The severity is based on the Alert score, which is determined from the matched Indicators evaluated against the asset information and communication.
  • Use the Search by field to find particular assets you suspect may be involved in an alert. You can search by Alert ID, any part of the alert description, or primary asset information, which includes the primary asset name, type, IP, Hostname, MAC, OS, or Vendor.
  • (EMC only) Use ATT&CK® Techniques and ATT&CK® Tactics to filter alerts according to MITRE ATT&CK for ICS® criteria.
  • Set the alert Time range of interest.
  • Click Reset Filters to clear applied filters.
  • Click Advanced Filters to display more filtering options.
  • Click Switch to Query View to show the filters in query view and edit them as needed. (See Constructing CQL Queries for more information.)
4. (Site only) The default Alerts page is in List View. You can also view the assets in Layered Topology or Network Topology view:
  • Use the Layered Topology to view the assets impacted by the alerts in the context of the assets' Purdue model levels and the connections between the assets.
  • Use the Network Topology to visualize all assets impacted by the currently filtered alerts. Assets that communicate with each other are shown closer together. The arrows indicate the direction of communication between related assets.
5. When rows of the Alert Results table are grouped by Alert Story, they are listed by Site (if viewing from the EMC), Story ID with the corresponding Alert Score in parentheses, and the total number of Alerts in each Story. Click the arrow to expand the Story and view its Alerts.

Figure 101. Alert Stories

6. Click an Alert description to open its Alert View page and examine its details.

Note
Occasionally, the Source/Destination IPs in an Alert description might be inaccurate since they are calculated when the Alert is created and, in some cases, updated.

If you encounter inaccurate IP information in a description, recalculate the alert score by opening the alert's Alert View page and clicking the Calculate Score button.

7. Use the Alert toolbar to access all alert actions. You can Approve and Archive alerts and
Assign them to other users. You can also view Assets, Events, Zone Rules, and Zones
related to the selected alerts.
Click More for other actions: Selecting the columns shown in the table, creating a widget
from the data, creating a scheduled report, and downloading a report.

Important
To Archive multiple alerts, they must all support this functionality AND be on the
same page. If you select alerts on separate pages, the Archive icon will not be
available.

Likewise, when selecting the Select All checkbox, if there is more than one page of
alerts, the Archive icon will not be available.

6.3.2.1. Alert Title


The Alert Title section of the Alert View page contains the Alert's:

1. Name
2. Details
3. Related MITRE ATT&CK® Techniques/Tactics
4. Potential implications

Figure 102. Alert Title

To view an alert title:

1. In the Main Menu, click Visibility > Alerts. The Alerts page opens.
2. Click an Alert. The Alert View page opens with the alert title.

6.3.2.2. Alert PCAP


CTD allows users to save a .pcap file of each alert raised for in-depth analysis. This capability is configured during setup in the Store Raw Data (PCAP) option. After the Save PCAP capability has been set up, users can select which alert PCAPs are of interest and then click the Download Capture icon.

Figure 103. CTD Alert with PCAP

For more details, see Downloading Capture - Raw Alert Data.

6.3.2.3. Alert Indicators


The Alert Indicators are shown in the Alert Score area of the Alert View page, as follows:

Figure 104. Indicators in the Alert Score Area

• The Significant Indicators are shown next to the alert score, with icons representing each of
the alert indicator types:

Figure 105. Alert Score - Significant Indicators

• A maximum of three Significant Indicators are displayed. Out of all the evidence detected, these indicators are the ones most relevant for investigating the alert. Note that they are not necessarily the ones with the highest score.
• Additional indicators are provided to show more details about this alert. Each indicator is assigned a different weight, representing its relative contribution to the total score points of the alert.
• Clicking Show Indicators displays the full set of indicators, so that the alert score and severity level can be viewed in context. The list includes two types of indicators: static and event indicators. Static indicators consist of static information that can potentially affect the score of an alert, such as the asset type, subnet, or virtual zone group. Event indicators consist of dynamic information, such as related network activity, that can potentially affect the score and provide context to the given alert.
• Toggle between Show Indicators and Hide Indicators as needed.
• Working Hours are defined as 08:00 to 20:00. To customize this for your enterprise, contact Claroty Support.

Figure 106. Alert Score - List of Indicators

Note
When the indicators reach a score over 100, the alert score is capped.

Other relevant information is provided by some of the indicators, even if they do not directly
contribute to the score.
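To make the scoring rules concrete, the following Python example is an added illustration, not CTD's scoring engine: it derives static and event indicators from a constructed alert record, sums their weights, caps the total at 100, and picks out up to three significant indicators. The indicator names, their weights, and the fields of the alert record are assumptions; the 08:00 to 20:00 working-hours window and the 100-point cap are the values stated above.

```python
# Added illustration (not Claroty's code): weighted static and event
# indicators summed into an alert score that is capped at 100.
from dataclasses import dataclass
from datetime import datetime

SCORE_CAP = 100
WORKING_HOURS = (8, 20)   # 08:00 to 20:00, the default stated in the guide


@dataclass
class Indicator:
    name: str
    kind: str                   # "static" (asset facts) or "event" (related activity)
    weight: int                 # contribution in score points; the values below are assumptions
    significant: bool = False   # shown next to the score as one of the significant indicators


def make_alert(asset_type, zone_criticality, hour, first_time_pair, repeats_last_14_days):
    """Build a constructed alert record; the date is arbitrary, only the hour matters here."""
    return {
        "asset_type": asset_type,
        "zone_criticality": zone_criticality,
        "time": datetime(2024, 12, 19, hour, 30),
        "first_time_pair": first_time_pair,
        "repeats_last_14_days": repeats_last_14_days,
    }


def indicators_for(alert):
    """Derive indicators from an alert record. Names and weights are assumed."""
    found = []
    if alert["asset_type"] in {"PLC", "RTU", "DCS Controller"}:
        found.append(Indicator("Target is an OT controller", "static", 40, True))
    if alert["zone_criticality"] == "High":
        found.append(Indicator("Asset in a high-criticality virtual zone", "static", 20))
    hour = alert["time"].hour
    if not WORKING_HOURS[0] <= hour < WORKING_HOURS[1]:
        found.append(Indicator("Activity outside working hours", "event", 25, True))
    if alert["first_time_pair"]:
        found.append(Indicator("First communication between these assets", "event", 30, True))
    repeats = alert["repeats_last_14_days"]
    if repeats:
        # Context that lowers the score: the same operation has been seen before.
        found.append(Indicator(f"Seen {repeats} times in the last 14 days", "event", -15))
    return found


def score_alert(indicators):
    """Return (capped score, raw sum). Raw totals above the cap are reported as 100."""
    raw = sum(i.weight for i in indicators)
    return max(0, min(SCORE_CAP, raw)), raw


def significant_indicators(indicators, limit=3):
    """Names of the indicators flagged as significant, at most `limit` of them."""
    return [i.name for i in indicators if i.significant][:limit]


if __name__ == "__main__":
    for label, alert in (("night, first-time", make_alert("PLC", "High", 2, True, 0)),
                         ("daytime, routine", make_alert("PLC", "Low", 10, False, 5))):
        ind = indicators_for(alert)
        print(label, score_alert(ind), significant_indicators(ind))
```

The two constructed alerts reproduce the behaviour described in this section: a first-time, out-of-hours query to a controller in a critical zone accumulates 115 points and is reported as 100, while the same operation seen daily during working hours scores 25 because the repetition indicator lowers the total. Which indicators are marked significant is independent of their weight.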

Alert Indicators for Repetitive Alerts in Training Mode


When the system is in training mode, CTD auto-approves repetitive alerts (by using an indicator); this decreases the number of duplicate alerts in the system.

Description: This alert has been repeated several times in the last 14 days with no rejection
from the user while the system is in training mode.

To see the alert indicators:

1. Go to Alerts and click on an alert.
2. From the Alert View page, look under the Alert Score section.
3. Click Show Indicators.

The alert indicator configuration has the following parameters:

• Enable/disable the feature
• Number of days to check (days before)
• Number of repetitive alerts

Figure 107. Repetitive Alerts

Supported alert types: Failed Login, Configuration Download, Configuration Upload, Monitor
Debug, Online Edit
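The following Python example is an added illustration, not CTD's implementation, of the repetitive-alert rule: it checks a constructed alert history for earlier alerts of the same type between the same two assets within the configured number of days, requires that a user rejected none of them, and applies only in training mode and only to the supported alert types listed above. The "rejected" resolution value, the dictionary layout of an alert, and the default of three repetitions are assumptions; the 14-day window is the value the guide states.

```python
# Added illustration (not Claroty's code): the repetitive-alert rule applied
# in training mode over a constructed alert history.
from datetime import datetime, timedelta

SUPPORTED_TYPES = {"Failed Login", "Configuration Download", "Configuration Upload",
                   "Monitor Debug", "Online Edit"}

NOW = datetime(2024, 12, 19, 9, 0)   # constructed "current" time


def past_alert(days_ago, resolution="approved"):
    """Constructed earlier alert between the same two hypothetical assets."""
    return {"type": "Configuration Download", "src": "eng-ws", "dst": "plc-1",
            "time": NOW - timedelta(days=days_ago), "resolution": resolution}


SAMPLE_HISTORY = [past_alert(10), past_alert(6), past_alert(2)]
NEW_ALERT = {"type": "Configuration Download", "src": "eng-ws", "dst": "plc-1", "time": NOW}


def should_auto_approve(alert, history, *, training_mode=True, enabled=True,
                        days_before=14, min_repeats=3):
    """Decide whether `alert` is auto-approved as repetitive.

    days_before and min_repeats mirror the two configuration parameters named
    in the guide ("number of days to check" and "number of repetitive alerts");
    min_repeats=3 is an assumed default, not CTD's.
    """
    if not (enabled and training_mode and alert["type"] in SUPPORTED_TYPES):
        return False
    window_start = alert["time"] - timedelta(days=days_before)
    key = (alert["type"], alert["src"], alert["dst"])
    same = [h for h in history
            if (h["type"], h["src"], h["dst"]) == key
            and window_start <= h["time"] < alert["time"]]
    if any(h.get("resolution") == "rejected" for h in same):
        return False            # a user rejected one of them: keep raising the alert
    return len(same) >= min_repeats


if __name__ == "__main__":
    print(should_auto_approve(NEW_ALERT, SAMPLE_HISTORY))                       # True
    print(should_auto_approve(NEW_ALERT, SAMPLE_HISTORY, training_mode=False))  # False
```

Note that the rejection check is what keeps the rule safe: once an analyst has rejected one instance, repetition alone no longer silences the alert, and the window parameter decides how many of the earlier alerts still count.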

Calculate Score
Users can prompt the system to calculate/recalculate using the Calculate Score button:

Figure 108. Alert Score - Calculate Score

By default, the alert score is calculated automatically. When needed, press Calculate Score to recalculate the alert score; this also updates the Indicators. A recalculated score affects the overall score of the alert and takes into account the context of the previous alerts. For example, an alert on a first-time query to the PLC appears as risky, but if the query is expected to repeat every day, you can recalculate the score and the alert will appear as less risky.

6.3.2.4. Root Cause Analysis


The alerts are displayed with Root Cause Analysis, made of a chain of interrelated events.
This timeline consists of a series of events that provide rationale behind the network and asset
behavior. Admins can control the sensitivity level that differentiates alerts from notifications. The
chain of events indicates when the score has been impacted by network activity or other related
behavior.

Root Cause Analysis is found on the Alert View page in the area underneath the Alert Score.
The following chain of events shows an example of a series of Known Threat Alerts:

Figure 109. Root Cause Analysis: Known Threat Alerts

Root Cause Analysis gives users a picture of a suspected attack. This ‘zoom out’ perspective
attempts to expose the overall attack path by highlighting related events that could enhance our
understanding of the suspicious activity.

The alert's chain of events consists of the events the system has identified, analyzed, and determined to have influenced the alert and its score. With this detailed information, users can investigate the attack, including the actions that preceded the alert.

The timeline of the chain of events appears in descending order. An alert may include the chain
of events, whether or not the score is qualified.

Note
An alert with no relevant events does not have a chain of events.

6.3.2.5. Alert Story


An Alert Story is a set of alerts that CTD correlates after it has determined that the events are
interrelated.

To navigate to an alert story:

1. Click Threat Detection > Alerts in the main menu. The Alerts page appears.
2. Click Group Alerts by Story.

The Alerts are grouped into Stories.

Figure 110. Alert Story Example: Story ID 3

This Alert Story example contains several types of Alerts: New Assets, Configuration Download,
and Configuration Download.

To learn more about Alerts, Alert Stories, and the Events on which they are based, see Events, Alerts, and Stories.

6.3.3. Alerts Table


This table summarizes all the alerts currently available in CTD, including the following:

• A description of the alert
• CTD Alert type
• Resolution options in Training Mode and Operational Mode
• MITRE Info - Whether the alert is mapped to MITRE ATT&CK® for ICS Tactics and Techniques
• Capsaver - Whether a PCAP file is saved for the alert
• Retention Period - How long the alert is saved in the system:
  • For a resolved alert, it is from the time of resolution, regardless of the type of resolution, such as Archive, Approve, etc.
  • For an unresolved alert, it is from the most recent time an event was added to the alert.

Alert Name | Description | Alert Type | Resolution Options in Training Mode | Resolution Options in Operational Mode | Retention Period | Capsaver | MITRE Info
Asset Information Change | Detects changes to asset-related information (such as Firmware, OS, Hostname, and Slot Cards) | Integrity | Automatically approved by CTD | Approve All, Approve Selected, Archive | Forever | No | Yes
Baseline Rule | Detects baseline-related activity based on custom configuration | Integrity | Not generated | Approve, Archive | 12 months | No | No
Configuration Download | Detects Configuration Download events | Integrity | Approve, Archive | Approve, Archive | 12 months | No | Yes
Configuration Upload | Detects Configuration Upload events | Integrity | Approve, Archive | Approve, Archive | 12 months | No | Yes
DCS Configuration Change | Detects events related to changes to the DCS Configuration | Integrity | Approve, Archive | Approve, Archive | 12 months | No | Yes
Denial of Service | Detects DoS attacks | Security | Approve, Archive | Approve, Archive | 12 months | Yes | Yes
File System Change | Detects events related to changes to the File System | Integrity | Approve, Archive | Approve, Archive | 12 months | Yes | Yes
Firmware Download | Detects Firmware Download events | Integrity | Approve, Archive | Approve, Archive | 12 months | Yes | Yes
Host Scan | Detects Host Scan events: TCP SYN or UDP requests sent to multiple hosts on the same port | Security | Approve, Archive | Approve, Archive | 3 months | Yes | Yes
Known Threat Alerts | Detects suspicious events based on Network Signature matching | Security | Approve, Archive | Approve, Archive | 12 months | Yes | No
Login | Detects Failed Login events | Security | Approve, Archive | Approve, Archive | 3 months | Yes | Yes
Man-in-the-Middle Attack | Detects Man-in-the-Middle (MiTM) attacks | Security | Approve, Archive | Approve, Archive | 12 months | Yes | Yes
Memory Reset | Detects Memory Reset events | Security | Approve, Archive | Approve, Archive | 12 months | Yes | Yes
Mode Change | Detects events related to changes to the device Mode (Run, Stop, Program) | Integrity | Approve, Archive | Approve, Archive | 12 months | No | Yes
Monitor or Debug Mode | Detects when a device mode is set to Monitor or Debug | Integrity | Approve, Archive | Approve, Archive | 12 months | No | Yes
New Asset | Detects new assets in the environment | Integrity | Automatically approved by CTD | Approve and Update Policy, Ignore, Acknowledge | Forever | No | Yes
New Conflict Asset | Detects conflicts between assets having identical information (IP, MAC) | Integrity | Automatically approved by CTD | Approve and Update Policy, Ignore, Acknowledge | Forever | No | Yes
Online Edit | Detects Online Edit attempts to a device program | Integrity | Approve, Archive | Approve, Archive | 12 months | No | Yes
Policy Rule Match | Detects policy-related activity based on custom configuration | Integrity | Ignore, Acknowledge | Ignore, Acknowledge | 12 months | No | Yes
Policy Violation Alert | Detects anomalies in the network communications based on Zone policies | Integrity | Automatically approved by CTD | Approve and Update Policy, Ignore, Acknowledge | 12 months | No | Yes
Port Scan | Detects Port Scan events: TCP SYN or UDP requests sent to different server ports on a host to see which ports it answers on | Security | Approve, Archive | Approve, Archive | 3 months | Yes | Yes
Settings Change | Detects events related to changes to the Device Settings | Integrity | Approve, Archive | Approve, Archive | 12 months | Yes | Yes
Suspicious Activity | Detects suspicious events based on OT protocol anomalies | Security | Approve, Archive | Approve, Archive | 3 months | Yes | Yes
Suspicious File Transfer | Detects suspicious events based on Yara Rule matching | Security | Approve, Archive | Approve, Archive | 12 months | Yes | Yes
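The Host Scan and Port Scan rows in the table describe the same probe traffic (TCP SYN or UDP requests) split two ways: many hosts on one port versus many ports on one host. The following Python example is an added illustration, not CTD's detector: it applies that distinction to constructed flow records from a hypothetical scanner (10.0.9.9), counting distinct targets per source within a time window so that an established session or a single NTP request does not trigger either alert. The thresholds, the window, and the sample addresses are assumptions.

```python
# Added illustration (not Claroty's code): distinguishing a Host Scan (one
# port, many hosts) from a Port Scan (one host, many ports) in constructed
# flow records, following the descriptions in the alerts table.
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "t src dst dport proto flags")   # t is seconds since capture start

# Constructed sample flows. 10.0.9.9 is the hypothetical scanner.
SAMPLE_FLOWS = (
    [Flow(i, "10.0.9.9", f"10.0.1.{i + 1}", 502, "TCP", "S") for i in range(6)]   # one port, six hosts
    + [Flow(10 + i, "10.0.9.9", "10.0.1.10", p, "TCP", "S")
       for i, p in enumerate((21, 22, 23, 80, 443, 502))]                        # one host, six ports
    + [Flow(100 + i, "10.0.1.20", "10.0.3.30", 502, "TCP", "A") for i in range(20)]  # established Modbus session
    + [Flow(200, "10.0.1.20", "10.0.2.123", 123, "UDP", "")]                      # a single NTP request
)


def is_probe(f):
    """TCP SYN-only segments and UDP datagrams count as probes, as in the table."""
    return (f.proto == "TCP" and f.flags == "S") or f.proto == "UDP"


def within_window(times, n, window):
    """True if some n of the given timestamps fall inside `window` seconds."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))


def detect_scans(flows, host_threshold=5, port_threshold=5, window=60):
    """Return Host Scan / Port Scan findings. Thresholds and window are assumptions."""
    first_seen_host = defaultdict(dict)   # (src, dport) -> {dst: first probe time}
    first_seen_port = defaultdict(dict)   # (src, dst)   -> {dport: first probe time}
    for f in filter(is_probe, flows):
        first_seen_host[(f.src, f.dport)].setdefault(f.dst, f.t)
        first_seen_port[(f.src, f.dst)].setdefault(f.dport, f.t)

    alerts = []
    for (src, dport), hosts in first_seen_host.items():
        if len(hosts) >= host_threshold and within_window(hosts.values(), host_threshold, window):
            alerts.append({"type": "Host Scan", "src": src, "port": dport, "hosts": len(hosts)})
    for (src, dst), ports in first_seen_port.items():
        if len(ports) >= port_threshold and within_window(ports.values(), port_threshold, window):
            alerts.append({"type": "Port Scan", "src": src, "host": dst, "ports": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_FLOWS):
        print(alert)
```

On the sample data the scanner produces one Host Scan finding (port 502 probed on seven distinct hosts) and one Port Scan finding (six ports probed on 10.0.1.10), while the repeated Modbus traffic and the NTP request stay silent. Shrinking the window below the spacing of the probes suppresses both findings, which is the trade-off a slow scan exploits.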

6.3.4. MITRE ATT&CK for ICS

6.3.4.1. MITRE ATT&CK® for ICS

Note
MITRE ATT&CK® for ICS is supported for the EMC, Sites viewed in the EMC, and
standalone Sites.

MITRE ATT&CK® for ICS is a framework used to describe the actions an adversary might
take to disrupt industrial control systems. It can be used to better characterize and describe
post-compromise adversary behavior.

The enrichment of CTD's extensive alerting capabilities with the knowledge provided by MITRE
ATT&CK® for ICS framework provides the context needed to better understand and manage the
implications of each alert.

The framework consists of a set of tactical goals, or Tactics, and methods for achieving those
goals, or Techniques.

All of CTD's alerts, with the exception of Baseline Rule Alert and Known Threat Alert, are
mapped to MITRE, and for each of these alerts, you can view its related Techniques and Tactics
in these places:

• The Alerts Page contains Technique and Tactic columns that list all the relevant techniques
and tactics for each Alert. You can also filter by technique or tactic.

For further information, see Alerts Page.


• The Alert View Page lists the relevant techniques and tactics related to the Alert.

For further information, see Alert View Page.

• The Technique View Page provides in-depth information about a technique and its related
tactics and gives links to related information on the MITRE ATT&CK® for ICS website for
further reading.

For further information, see MITRE ATT&CK® Technique Page.

Important
It might take up to 24 hours to calculate MITRE techniques for the existing alerts. After
this initial calculation, all subsequent information will calculate in real time.

6.3.4.2. MITRE ATT&CK® Technique Page


The MITRE ATT&CK® Technique Page provides key information regarding a Technique, its
related Alerts, and a set of Mitigations that can be applied to the Technique.

Figure 111. MITRE ATT&CK® Technique Page

The MITRE ATT&CK® Technique Page can be accessed from these locations:

• Alerts Page - Click the Technique name in the ATT&CK® Technique column.
• Alert View page - Click the Technique name in the Alert’s description.

The MITRE ATT&CK® Technique Page is divided into three sections: Technique info, Related
Alerts, and Mitigations.

Technique Info
This section provides the key information of the Technique, including a brief description,
Adversary Groups known for using the Technique, Software (especially malware) using the
Technique and potentially Impacted Devices.

A link to the relevant MITRE ATT&CK® Technique webpage is also provided.

Figure 112. Technique Description

Mitre ATT&CK Technique Page - Related Alerts


This section includes a table of all the Alerts related to the Technique. Only Unresolved alerts
are displayed, giving you the context you need to Approve, Archive, or Assign them in batch.

Figure 113. Related Alerts section of the Mitre ATT&CK Technique page

Mitre ATT&CK Technique Page - Mitigations


This section lists a set of Mitigations that can be applied to the Technique. Mitigations are
proactive measures that can be deployed within the organization to improve its overall security
posture via the ATT&CK® Technique. However, they are not a substitute for the specific
resolution options (see Alert Workflow) of the individual Alerts related to the Technique.

A link to the relevant MITRE ATT&CK® Mitigation webpage is also provided.

Figure 114. Mitigations section of the Mitre ATT&CK Technique page

6.3.5. Alert View Page


To navigate to the Alert View page:

1. In the Main Menu, click Threat Detection > Alerts. The Alerts page appears.
2. Click on the desired alert. The Alert View page opens.

6.3.6. Alert Scoring

6.3.6.1. Alert Scoring


CTD’s Alert Scoring is a method for managing and controlling alerts. Different sensitivity levels
control how strict the detection algorithm is. The detection algorithm decides whether an event is
considered relevant enough to warrant investigation. Each individual alert receives a score ranging
from 0 through 100.

Admins control the sensitivity value to suit their environment. After an alert passes the defined
threshold, it is considered qualified. Until it has been approved or archived by the user, its score
can only be increased by new indicators. The alerts are provided, with a chain of events that
provide a rationale behind the alert mechanisms, to interpret network and asset behavior into
quantifiable risk factors.

The scoring provides a detailed and transparent method for assessing the real risk involved
with an alert. This enables CTD to significantly improve its ability to differentiate severe alerts
from notifications. The alert score is shown with static indicators and each of their specific
contributions to the overall alert score. An indicator is a result of a related network activity that
can potentially affect the score of an alert and provides context.

6.3.6.2. Sensitivity
CTD’s sensitivity value differentiates notifications from alerts. The possible sensitivity categories
range between 0 and 100, as Low, Medium, Normal, or High.

6.3.6.3. Alert Scoring Formula


In the alert scoring, the indicators are evaluated against the asset information and
communications. The alert score is then determined based on the matched indicators. The
severity is hard coded based on the alert score:

Severity Color
Critical Red
High Orange
Medium Yellow
Low Blue

6.3.6.4. Alert Score Values


Each alert can receive a score of 0-100. The alert score is capped at 100, even if the sum of
indicators exceeds 100.
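The scoring rules described above (indicator contributions summed and capped at 100, a sensitivity threshold that marks an alert as qualified, and a score that can only rise until the alert is approved or archived), modelled as an added example. This is not Claroty's code; the threshold comparison (score at or above the threshold counts as passing), the indicator names and the contribution values are assumptions made for illustration.

```python
"""Model of CTD alert scoring as described in the Alert Scoring sections (added example)."""
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_SCORE = 100   # the alert score is capped at 100 even if the indicators sum higher


@dataclass(frozen=True)
class Indicator:
    """A related network activity and its specific contribution to the alert score."""
    name: str
    contribution: int


@dataclass
class Alert:
    name: str
    sensitivity_threshold: int                 # 0-100, set by the Admin to suit the environment
    indicators: List[Indicator] = field(default_factory=list)
    resolved_as: str = ""                      # "" while unresolved, else "Approved" or "Archived"

    @property
    def score(self) -> int:
        """Sum of all indicator contributions, capped at MAX_SCORE."""
        return min(MAX_SCORE, sum(i.contribution for i in self.indicators))

    @property
    def qualified(self) -> bool:
        """True once the score has passed the defined threshold (assumed: >= threshold)."""
        return self.score >= self.sensitivity_threshold

    def add_indicator(self, name: str, contribution: int) -> int:
        """Attach a new indicator and return the resulting score.

        Contributions must be positive, so the score can only increase, and an alert
        that has already been approved or archived no longer changes."""
        if contribution <= 0:
            raise ValueError("indicators only add to an alert score")
        if self.resolved_as:
            return self.score          # frozen after Approve / Archive
        self.indicators.append(Indicator(name, contribution))
        return self.score

    def resolve(self, how: str) -> None:
        """Resolve the alert; only Approve and Archive freeze the score."""
        if how not in ("Approved", "Archived"):
            raise ValueError("resolve with 'Approved' or 'Archived'")
        self.resolved_as = how

    def breakdown(self) -> List[Tuple[str, int]]:
        """Each indicator with its specific contribution, as shown on the Alert View page."""
        return [(i.name, i.contribution) for i in self.indicators]


def walk_through() -> Alert:
    """Constructed sample: an alert with a threshold of 60 accumulating indicators."""
    alert = Alert("New Asset", sensitivity_threshold=60)
    alert.add_indicator("asset not seen during training", 25)   # score 25: still a notification
    alert.add_indicator("asset talks to a PLC zone", 40)         # score 65: now qualified
    alert.add_indicator("uses an engineering protocol", 50)      # sum 115, capped at 100
    alert.resolve("Approved")
    alert.add_indicator("late indicator", 10)                    # ignored: alert already resolved
    return alert


if __name__ == "__main__":
    a = walk_through()
    print(a.score, a.qualified, a.resolved_as, a.breakdown())
```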

6.3.7. Alert Workflow


Critical and High alerts are the most crucial alerts to resolve. The other alerts are considered
notifications and have a lower severity.

Most of the alerts will only be raised when the system is in Operational mode.

6.3.7.1. Resolving Alerts: Assign/Approve All/Approve Selected/Archive

Resolving Alerts in Bulk from the Alerts Page

1. Select the checkbox of the Alert Stories or individual Alerts to be resolved.

Tip
To resolve selected alerts in an Alert Story, click Ungroup Alerts by Story and
select the relevant Alerts.

2. Click the relevant resolution in the toolbar.

Resolving an Individual Alert from the Alert View Page


In the Alert View Page, the following options appear on the top right of the page for each alert:

Figure 116. Alert Options for an Individual Alert

Decide how to resolve the selected alert from the following options:

• Assign to – Click to delegate the alert to another user for investigation and resolution.
• Approve – Click when the activity that caused the alert is legal and valid communication,
such as a newly-installed asset. Approving an alert as a valid change validates only the
observed activity. In some cases, it is added to the baseline.

• Archive – Click to Archive the alert when the cause is not acceptable or is not a legitimate
network communication. The information is archived; it is not added to the baseline.

Resolving Policy Unmatched Violation Alerts


In addition to Assigning a Policy Violation on the Alert View page, there are three options for
resolving this type of alert:

Figure 117. Resolution Options for Policy Unmatched Violation Alerts

• Approve & Update Policy - This means you are approving communication behavior. You
are asked to approve the suggested rule(s) to be added to your policy (to prevent them from
raising alerts).
• Ignore - Choose this when the event reported by the alert was expected or accepted as a
one-time event that you are aware of. In this case, no change to the policy is required, and
resolving the alert is logged as ‘Alert Ignored’.
• Acknowledge - This means the alert is signaling a real security event. You will want to
continue being alerted on such events in the future, so no change to the policy is required.
The result is the same as in the ‘Ignore’ case. However, in this case, the resolving of the alert
is logged as a true security event for auditing purposes.

Figure 118. Approving and Updating a Policy

Note
When approving a New Asset alert, you can uncheck all suggested rules and still
approve the alert. Doing so will result in the approval of the new asset itself, but without
any change to your policy, which can result in a future Policy Unmatched Violation alert
when the newly approved asset is communicating again.

6.3.7.2. Mitigating Alerts


Mitigation steps show how to respond to and resolve each alert. These mitigations guide SOC
and OT engineers during investigation. The mitigations include instructions for avoiding future
alerts of each type. For example, with a security alert, the mitigation steps may include how to
secure the environment.

For more information, refer to the CTD Reference Guide: Alerts Table

6.3.7.3. Viewing All Events in an Alert


Drill down to reveal all events collected that comprise the current alert.

• Click Event Details from the Alert View page.

Figure 119. Events in Alert

• The Event Details pop up appears:

Figure 120. Event Details

6.3.7.4. Searching for an Event in the Event Details dialog


Use the Search by Description field to search for an event. This can be
useful for forensic purposes.

6.3.7.5. Exporting Alerts


To export alerts:

1. Navigate to the top right corner of the Alert View page:

Figure 121. Alerts - Export Button

2. Click Export to export this alert for investigation.


• The Download Report popup appears:

Figure 122. Download Report

3. Select the report format: CSV (default) or PDF.


4. Select whether to include Events and/or Activities in the report.
5. Click Download.
• The report is downloaded to your browser:

Figure 123. Cover Page of Alert Report in PDF Format

Note
CTD supports the export of up to 1,000 alerts in PDF format.

6.3.7.6. Downloading Capture - Raw Alert Data


When the packet capture file is preserved for an alert, it is available for download in PCAP
format from the Alert View page.

Figure 124. Alert With PCAP Available For Download

• Click the Download Capture icon:

This packet capture file includes raw information of the current alert for investigation. This icon
only appears when there is an available PCAP file.

Note
Saving the PCAP file is configured by the Admin via the Save CAPs checkbox (refer to
the Admin Manual).

• If the PCAP file was not saved, this icon is greyed out and appears with a tooltip: ‘No capture
file was recorded.’

To understand which alerts have PCAP download available, refer to the Alerts Table.

6.3.7.7. Viewing Resolved Alerts


Generally, you will be more concerned with reviewing and resolving unresolved alerts. But, at
times, you might need to review alerts that were already resolved.

To view resolved alerts:

1. If necessary, add the Resolved As column to the Alerts table by selecting More in
the toolbar and then selecting Select Columns > Resolved As.
2. Click the column header to sort the resolved alerts as follows, and click again to sort in
reverse order:
• Approved
• Archived
• Approved by CTD while in Training Mode
• Resolved by Auto Resolve Rule
• Ignored
• Acknowledged
• Approved by Auto Resolve Rule
• Archived by Auto Resolve Rule

6.3.8. Showing Alert Related Items


The Show Related tool enables you to dig deeper into alert information while maintaining
navigation context.

For example, in the Alerts page you might want to view all New Conflict Asset alerts and then
navigate to the Assets page to see a comprehensive list of assets affected by that alert. From the
Assets page, you could then navigate to the Zones page to discover where those assets reside.

For individual Alerts or Alert Stories, you can view the related:

• Assets
• Baseline Rules
• Events
• Zones
• Zone Rules

Note
This option shows Zone Rules that trigger policy violation alerts.

To show items related to one or more alerts, do the following:

1. Filter the list with the desired criteria.


2. In the toolbar, click the Show Related icon and select the desired related item from the
drop-down list.

Figure 125. Selecting "Show Related Assets" For New Conflict Asset Alerts

The related page opens, filtered for only those items related to at least one of the selected
Alerts or Alert Stories. Because the filter mentions the page from which the Show Related
command came, context is maintained.

Figure 126. Assets Related to New Conflict Alerts

3. If needed, drill down another level by again filtering the list and/or selecting items, clicking
Show Related and selecting the desired related item.

Important

• Up to 10,000 items can be selected. If more than 10,000 are in the list, the Show
Related icon will be disabled and a message instructing you to further filter your
selection will display.
• If you do not select specific items, Select All is assumed. This could be more than
10,000 items depending on the size of your enterprise.

6.4. Events
A log of all the events recorded by CTD’s engines is displayed in the Events page, regardless of
whether they are considered alerts that might impose a risk.

The Status of each event can be risky (an Alert or an OT Alert) or not (a Non-Risky Change
or an OT Operation). Clicking a risky event opens an Alert View page, and clicking a non-risky
event opens a Master Event View page, where groups of interrelated events are displayed.

6.4.1. Events Page


To access the Events page, navigate in the menu to Threat Detection > Events.

Figure 127. Events Page

1. The Event Results area shows the total number of events logged. It dynamically displays a
table of all events generated by CTD’s engines, regardless of whether they are considered
alerts that might impose a risk.
2. Each row of the table displays the event ID, the event Type detected (e.g. Configuration
Download, Login, Known Threat Alert), its Status, a high-level Description and its
detection timestamp.

3. To add the Site column to the table, click the More icon, select Selected Columns
from the menu, click Site and click Apply.
4. The Type filter allows multiple selections of the available Alert Types.
5. The Status filter lets you filter for Alerts, Non-Risky Changes, OT Alerts and OT
Operation events or a combination of them:

Figure 128. Event Status Dropdown

• Clicking an event’s ID leads to the Event view that displays information on any correlated
events:
• In the case of a risky event (events with an Alert or OT Alert status), selecting the
event ID leads to the relevant Alert Page to access all the controls for managing and
investigating the alert.
• For events classified as having no risk (i.e. events with a Status of Non-Risky Change or OT
Operation), selecting the event ID leads to the relevant Event for investigation.
6. Select a Time frame for the Event Results to display: During the past Hour/Day/Week/Month
or any user-defined period.

7. Use the Search by field to search for an event by part of its Description.
8. Use the Clear All and QueryView controls to adjust the display as needed.
9. Use the Page Controls to navigate through the pages of the Event table.

6.4.2. Master Event View


Related events are assembled into a Master Event. The Master Event View contains a chain of
related events with an alert score.

Figure 129. Master Event Details for a New Asset

1. Name of the event and its description. Above is the timestamp of the event.
2. The Master Event header displays the following: “The system risk definition algorithm has
classified these events as not risky”.

Note
This Event occurs when the sensitivity value that differentiates notifications from
alerts determines that the current event is not interesting or relevant enough to be
classified as an alert.

3. Click Export to generate a report for this event in PDF or CSV format, and choose to
include Events, Activities, and/or Baselines:

Figure 130. Downloading a Report for a Master Event

4. The Event area provides metadata of the event:


• The event is shown without a Score since this is a non-risky event.
• The Significant Indicators are displayed.
• Click Show Indicators to view additional event indicators. For further details see Alert
Indicators.
5. The Root Cause Analysis shows the chain of events leading up to every single alert,
which is essential for OT security alerts. It enables fast and easy triage of alerts, as well
as proactive threat hunting. By providing the context surrounding the associated threat
and risk, these details help users hunt for threats and resolve security events. For further
details, see Root Cause Analysis.
6. The Master Event Details provide metadata of the event, such as the primary asset
involved. The right side of the Master Event Details page shows the details of a secondary
asset/s involved in this event.
7. Click Event Details to view details of the Master Event. Each row of the table displayed
provides an event description, its ID, type and timestamp. A window is provided for text
searches of the event descriptions instead of browsing through the Event Details results.
8. When applicable, the Asset Communication area appears for the event. This section
provides a communication summary and details of any Virtual Zones impacted.
9. A section with all the Baseline Details for the event is populated when applicable. This
table features filters for all aspects of the event and each communication type.

6.5. Alert Rules


CTD gives you the ability to monitor network traffic and raise alerts based on a variety of
different rules. Rules can also be used to automatically approve or archive alerts without any
user input.

The various types of rules available in CTD are as follows:

Table 5. Alert Rules

Rule | Description
Zone Rules | These rules behave as a set of logical conditions for the detection of communication between Zones in the system. If the conditions of the rule are met, the communication can either be allowed or raise an alert. The implicit ‘Alert on Anything’ rule is matched by default (including unvalidated rules).
Baseline Rules | These rules can raise alerts based on changes to, or activities within, Baselines. Notably, depending on user configuration, these rules can be triggered when a baseline is inactive for the specified period or upon its appearance. This alert needs to be manually configured by the admin in the Baselines page (under the Investigation module), based on the baselines automatically created by the system.
Network Signatures | These network traffic rules allow users to disable or enable any existing network traffic signatures, either provided out-of-the-box or user-generated. Network Rules are implemented on the basis of the SNORT rules format.
Yara Rules | These rules, based on YARA signatures, provide matching of patterns found on data blocks extracted from network traffic. The YARA rules settings allow the user to manually disable or enable any existing YARA signatures, either provided out-of-the-box or user-generated.
Auto Resolve | These rules enable users to automatically approve or archive alerts based on a wide range of parameters, such as alert types, assets, baselines, and more.

6.5.1. Zone Rules


This mechanism provides a high level of accuracy for fine-tuning the system’s communication
rules using a familiar, easy-to-use interface, similar to a firewall management interface.

When transitioning into operational mode, zone rules are applied to the network traffic. At this
point, you can manage the rule list and customize it as needed. You can review, delete, validate,
or modify the out-of-the-box zone rules or create new ones based on specific needs.

You can:

• Create and control zone rules with an intuitive interface


• Apply a rule validation process to allow Admins to review and validate newly created rules.
(Unvalidated rules are policy violations and trigger alerts.)
• Investigate and resolve Policy Violation alerts, using the context provided by the matching of
detected communication to existing rules, and quickly understand which rule was responsible
for each generated alert or which rule is required to prevent an alert from being generated
again in the future.
• Resolve an alert by updating its rule, based on new rule suggestions made by the system.

Note
All the automatically created Zone Rules are zone-based and are mutually exclusive.

6.5.1.1. Zone Rules Page


The Zone Rules page displays a table similar to the one shown here, enabling you to see
all rules in a firewall-type management interface. The view allows for creating, reviewing,
validating, modifying, or deleting policy rules.

To view the Zone Rules page:

• Navigate to Threat Detection > Rules > Zone Rules in the main menu.

Figure 131. Zone Rules Page

6.5.1.2. Zone Rule Behavior


The Zone Rules behave as a set of logical conditions set upon the network traffic detected.
When conditions are met, the system responds by taking one of the following actions:

• Allow – When the conditions of the zone rule are met and the action is set to "Allow", the
system does not trigger an alert.
• Alert – When the conditions of the policy rule are met and the action is set to "Alert", the
system triggers a Policy Rule Match alert.

The policy includes an implicit default “Alert on anything” rule (not visible in the Policy Rule
list). In operational mode, if the detected communication did not match any of the existing rules,
the system matches the Alert on Anything rule, which will trigger a Policy Violation alert.

A Policy Violation alert is triggered when the parameters of the incoming network traffic match
none, or only some, of the conditions set in the Policy Rules.

Note
The action to be taken is configured by Administrators.

6.5.1.3. Policy Alert Types


The two types of Policy alerts are as follows:

• Policy Rule Match – This occurs when the detected communication matches an explicit
policy rule defined with an ‘Alert’ action.
• Policy Unmatched Violation – This type of alert is triggered when the detected
communication was not matched to any rule with an ‘Allow’ action, and as a result, the implicit
“Alert on Anything” rule was hit. This means there was no pre-existing policy rule for such
communication.

In case the system detects a new asset, a New Asset alert will be triggered. If the new asset’s
communication is not already addressed in any existing policy rule, the system will suggest a
rule to be added to approve the new asset’s communication.

The system will suggest a zone for the new asset and a change in policy based on asset
communication.

By definition, when a Policy rule is created, it is in an unvalidated state. Only Admins can
validate a rule.
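The rule evaluation described in Zone Rule Behavior and Policy Alert Types (Allow versus Alert actions, the implicit "Alert on Anything" rule, Policy Rule Match versus Policy Unmatched Violation, and the suggested unvalidated Allow rule for an unmatched communication), modelled as an added example. This is not Claroty's code: the first matching active rule winning, an empty multi-value field meaning "any", the `ignore_unvalidated` switch standing in for the support-enabled option of ignoring unvalidated rules, and the sample zones, rules and communications are all assumptions made for illustration.

```python
"""Model of CTD zone rule evaluation in Operational mode (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Communication:
    """One detected communication between two virtual zones (constructed sample input)."""
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    category: str      # e.g. "Programming", "Data Acquisition"
    access: str        # Read, Write, Publish, Execute or None


@dataclass
class ZoneRule:
    """A zone rule as listed in the Zone Rules grid. Assumption of this model: a
    multi-value field left empty means "any"."""
    rule_id: int
    src_zone: str
    dst_zone: str
    action: str                                  # "Allow" or "Alert"
    protocols: FrozenSet[str] = frozenset()
    ports: FrozenSet[int] = frozenset()
    categories: FrozenSet[str] = frozenset()
    access_types: FrozenSet[str] = frozenset()
    active: bool = True
    validated: bool = False                      # every new rule starts unvalidated
    hit_count: int = 0
    description: str = ""

    def matches(self, c: Communication) -> bool:
        return (
            self.src_zone == c.src_zone
            and self.dst_zone == c.dst_zone
            and (not self.protocols or c.protocol in self.protocols)
            and (not self.ports or c.port in self.ports)
            and (not self.categories or c.category in self.categories)
            and (not self.access_types or c.access in self.access_types)
        )


@dataclass(frozen=True)
class Verdict:
    alert: Optional[str]      # None, "Policy Rule Match" or "Policy Unmatched Violation"
    rule_id: Optional[int]    # rule that was hit; None for the implicit Alert on Anything rule


def evaluate(rules: List[ZoneRule], c: Communication,
             ignore_unvalidated: bool = False) -> Verdict:
    """Match a communication against the policy.

    The first active rule whose conditions are met wins (assumed ordering).
    Allow -> no alert; Alert -> Policy Rule Match. No rule hit -> the implicit
    "Alert on Anything" rule -> Policy Unmatched Violation. ignore_unvalidated
    models the option (enabled via support) of skipping unvalidated rules."""
    for rule in rules:
        if not rule.active or (ignore_unvalidated and not rule.validated):
            continue
        if rule.matches(c):
            rule.hit_count += 1
            if rule.action == "Allow":
                return Verdict(None, rule.rule_id)
            return Verdict("Policy Rule Match", rule.rule_id)
    return Verdict("Policy Unmatched Violation", None)


def suggest_rule(c: Communication, rule_id: int) -> ZoneRule:
    """The Allow rule offered with Approve & Update Policy: it covers exactly the
    observed communication and, like any new rule, is created unvalidated."""
    return ZoneRule(
        rule_id, c.src_zone, c.dst_zone, "Allow",
        protocols=frozenset({c.protocol}), ports=frozenset({c.port}),
        categories=frozenset({c.category}), access_types=frozenset({c.access}),
        description=f"Suggested: {c.protocol}/{c.port} {c.access} {c.src_zone} -> {c.dst_zone}",
    )


def sample_policy() -> List[ZoneRule]:
    """Constructed two-rule policy for an engineering station talking S7 to PLCs."""
    return [
        ZoneRule(1, "Engineering", "PLCs", "Allow", protocols=frozenset({"S7"}),
                 ports=frozenset({102}), access_types=frozenset({"Read"}),
                 validated=True, description="Engineering may read PLC data"),
        ZoneRule(2, "Engineering", "PLCs", "Alert", protocols=frozenset({"S7"}),
                 ports=frozenset({102}), access_types=frozenset({"Write"}),
                 validated=True, description="Alert on writes to PLCs"),
    ]


if __name__ == "__main__":
    policy = sample_policy()
    for comm in (Communication("Engineering", "PLCs", "S7", 102, "Programming", "Read"),
                 Communication("Engineering", "PLCs", "S7", 102, "Programming", "Write"),
                 Communication("Corporate IT", "PLCs", "Modbus", 502, "Data Acquisition", "Read")):
        print(comm.src_zone, "->", comm.dst_zone, comm.access, evaluate(policy, comm))
```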

6.5.1.4. Zone Rules Columns


This table describes the columns available in the Zone Rules grid. You can sort the results by
clicking any column header.

Table 6. Policies Grid: Default Columns

Column Name | Description
ID * | Identifier of the Policy Rule. Each Policy Rule is automatically assigned this unique number as it is created.
(Active) | Whether this Policy Rule has been enabled. Green means the rule has been activated.
Action * | Whether this Policy Rule allows the communication or will trigger an alert.
Source Zone * | The name of the source virtual zone of this rule.
Destination Zone * | The name of the destination virtual zone of this rule.
Protocol | The protocol/s used in the communication between the source and the destination zones (can accept multiple protocols).
Port | The port/s through which the communication flows for this rule (can accept multiple ports).
Category * | The categorization of this asset, such as Protocol, Programming, Network, Data Acquisition, etc.
Access * | The type of access this asset is allowed: Read, Write, Publish, Execute, None (uncategorized). This field can accept multiple access types.
Exact Match * | Whether the policy’s communication should exactly match (Yes) or not (No), including the Baseline Description (which must be identical).
Description * | User-defined description of this policy rule.
Hit Count * | The number of communications that matched (hit) this rule.
Validated * | Whether the policy rule has already been validated or is not set to be validated.

This table describes the additional columns to display in the Zone Rules grid.

Table 7. Zone Rules Grid: Additional Columns

Column Name Description


Created By The username of the user that created this rule
Created On The date and timestamp of the creation of this rule
Last Modified The latest date and time that this rule was modified
Last Modified By The username of the user that last modified this rule
Last Validated The latest date and time that this rule was last validated
Validated By The username of the user that last validated this rule

• To add additional columns to the Zone Rules table, click the More button in the toolbar
and click Select columns.
• Choose additional columns to display from the Select Columns window and click Apply:

Figure 132. Select Columns Window

6.5.1.5. Creating a New Zone Rule


To manage your system effectively, you can create as many new zone rules as needed, or edit
existing rules.

To create a new rule:

1. Select the Create New+ button from the Zone Rules toolbar:

Figure 133. Create New button on the Zone Rules toolbar

The Add New Alert Policy dialog appears:

Figure 134. Add New Alert Policy Dialog

2. To incorporate the new alert policy rule, define its characteristics:


• Rule Description – Provide an explanation of this rule to be easily identified in the future
or by other users.
• Source Virtual Zone of the communication
• Destination Virtual Zone of the communication

• Active – By default, the rule will be activated. Slide this button to the left if you prefer to
deactivate the rule.
• Action – By default, the rule action is Allow. To raise an alert instead, select the Alert button.
• Exact Match – By default, the rule does not require an exact match. If otherwise, select
Yes.
• Category – A drop down list of communication categories. You can choose multiple
categories, e.g. Diagnosis, Authentication, and Programming.
• Access Type – The type of access permitted for this communication. Select one of the
following: Read, Write, None, Publish, Execute
• Port – The communication port(s) specified by the rule. You may specify multiple ports if
required.
3. Click Add to commit the new policy rule.

6.5.1.6. Editing an Existing Rule


To edit an existing rule, select it from the list and click Edit Rules:

Figure 135. Edit Rules

The Edit Alert Policy popup appears, enabling editing of the rule parameters.

Figure 136. Edit Alert Policy dialog

6.5.1.7. Reviewing and Validating New Zone Rules

Zone Rules, which regulate network communication, are created in an unvalidated state during
the system's Training Mode. After the system transitions to Operational Mode, the administrative
user may then validate these Zone Rules - individually or collectively.

Whenever a new Zone Rule is discovered in the system, a corresponding Policy Violation alert
is automatically triggered, awaiting approval from the administrative user. Every occurrence of a
new Zone Rule during Operational Mode inherently triggers a policy violation.

Notably, this Policy Violation alert is triggered in the absence of a corresponding rule within
CTD, regardless of whether the rules are in a validated or unvalidated state. Such an event
signifies a previously unlearned communication, thus pointing toward an anomaly in the
network's behavior.

Upon detection of a new Policy Violation alert, administrative users have the option to either
resolve or leave it unresolved via the Alert View page. Similarly, regarding Zone Rules on
the Zone Rules page, they can opt for validation or maintain the unvalidated status at their
discretion.

If you want your system to ignore the unvalidated rules (that is, to create Policy Violation alerts
until the Zone Rule is user-validated), please open a support case.

Figure 137. Zone Rules Page With Rules Pending Validation

6.5.2. Baseline Rules


Baseline Rules are a type of alert you can create based on changes to, or activities within,
Baselines. For example, you might want to be alerted when the baseline “TCP from any port to
port 5000” appears.

Baseline Rules can be viewed and edited from this page but are created in Baselines. See
Creating a Baseline Rule.

Note
Baseline Rules can only be created from existing baselines. They cannot be created
"from scratch."

6.5.2.1. Editing a Baseline Rule


To edit a baseline rule:

1. Navigate to Threat Detection > Rules > Baseline Rules.


The Baseline Rules page appears:

Figure 138. Baseline Rules Page

2. Select a rule and in the Edit Rule column, click Edit.


The Edit Baseline Rule dialog appears:

Figure 139. Edit Baseline Rule Dialog

3. Make changes as needed as described in Creating a Baseline Rule.

6.5.2.2. Creating a Baseline Rule


Baseline Rules are created in the Baselines page.

Figure 140. Selecting a Baseline From Which to Create the Rule

To create a baseline rule:

1. Navigate to Investigation > Baselines


2. Select the relevant baseline from which you want to create the rule.

3. Click the Create Rule button.


The Create Baseline Rule dialog appears:

Figure 141. Create Baseline Rule Dialog

4. Provide the following details for your new baseline rule:


• Rule Name – Provide a name for this rule
• Description – This field is populated from the baseline name and can be changed as
needed
• Active Until – The duration (date and time limit) for this rule to apply
• Filter type – Determine when the new alert will be triggered:
• Inactive for – Select this type to raise the alert when the baseline has been inactive for a
period, and define that period’s duration (the default is 1 minute):
• Upon appearance – An alert will be raised when this baseline appears and meets the
condition, whether or not there is a baseline deviation.

5. Click Save . The rule is added to the Baseline Rules page.

To define baseline rules using baseline values, see Baseline Rules Using Baseline Values

6.5.2.3. Baseline Rules Using Baseline Values


Baseline values can be used to construct a rule to create an alert.

Preconditions
Before using this feature, ensure the following:

1. The IEC 101 protocol is enabled. See Protocols.


2. The Admin identified an existing baseline, which already includes relevant IEC 101 data
with minimum and maximum values, to use as the basis for defining the baseline rule.

Steps

1. To define a baseline alert to be triggered on a certain value condition, follow the same
baseline rule creation steps as in Creating a Baseline Rule.
2. Then in Filter Type select Value and enter the desired condition:

Figure 142. Setting a Condition for a Baseline Rule

• Filter Type – Determines when the new alert will be triggered.


• Value – Sets the criteria for the deviation.

The condition is displayed in the Baseline view.

When a Baseline Alert occurs, it is displayed as follows:

Figure 143. Baseline Rule Alert

Figure 144. Setting a Condition for a Baseline Rule

Figure 145. Baseline Rule Alert

6.5.3. Before Working with Network Signatures and Yara Rules


Before working with Yara Rules or Network Signatures, ensure that your environment is set up
for sniffing with Known Threat Detection enabled on the specific network you are working on, as
shown below.

To enable Known Threat Detection:

1. Navigate to Settings > Data Sources > Interface Configuration.


2. Click Advanced Network Settings and turn on Known Threat Alert Detection.

Figure 146. Configuring Known Threat Alert Detection

6.5.4. About Network Signatures


A network signature is a unique set of characteristics or patterns that can be used to identify
a particular type of network traffic or behavior. It can include information such as the protocol
being used, the source and destination addresses and ports, packet size, and other network
metadata. For example, a network signature might be the presence of a particular string of
characters in a network packet that is known to be associated with a particular malware family.

Network signatures are useful for a variety of purposes, such as traffic analysis, network
forensics, and network troubleshooting. They can help to identify the root cause of network
issues and provide insights into network performance and utilization. By analyzing network
traffic and identifying patterns, network signatures can also be used to optimize network
performance and block malicious traffic.

Creating effective network signature rules requires a deep understanding of network protocols,
cyber threats, and security best practices. It is an ongoing process, as new threats are
constantly emerging and signature rules must be updated to keep pace.

In CTD, Network Signatures trigger Known Threat Alerts.

Network Signatures are supplied and updated in CTD on a regular basis as threat bundles,
which contain publicly available signatures, as well as proprietary signatures created by
Claroty's award-winning research team. You also can upload additional signatures as needed.

6.5.4.1. Network Signatures in the Alert View Page


Threats detected by Network Signatures create Known Threat Alerts. You can view the details in
the Network Signature Info section of the Alert View page.

Figure 147. Known Threat Alert with Network Signature

6.5.4.2. Managing Network Signatures


Use the Network Signatures page to search for, view, and manage Network Signatures, as well
as understand their meaning and source.

To open the Network Signatures page, navigate to Threat Detection > Rules > Network
Signatures.

Figure 148. Network Signatures

The following information is displayed for each signature:

• Status - Indicates whether the signature is active and triggering alerts. Slide the switch to
the right to activate the signature.
• Signature ID - ID number assigned to the signature by its creator
• Signature Name - Name assigned to the signature by its creator
• Revision - Revision number of the signature. For non-Claroty created signatures, click the
pop-out icon to view its contents.
• Criticality - A score calculated using a combination of signature parameters and Claroty
research. Possible values include Low, Medium, High, and Critical. This score is not
calculated for user-powered signatures.

• Confidence - A score representing the probability that a communication event that triggers
the signature is a network threat.
Expressed on a scale of 1% to 100%, it is calculated using a combination of signature
parameters and Claroty research and does not apply to user-powered signatures.
• Tags - Attack types and other enriched signature information
• External Links - More information about publicly available signatures
• First Released - Date this revision of the signature was released
• Last Updated - Date this revision was last updated by its creator
• Updated in CTD - Date the signature was last updated in CTD
• Powered By - Creator and maintainer of the signature
Options include:
• Claroty - Signatures created by Team82 or by Claroty's data team
• Emerging Threats, Other - Publicly available signatures
• Username of the user who uploads a signature
• User - User-powered signatures created in a version earlier than v4.8.0
• Actions - For user-created signatures, click Edit to open the Edit Network Signature
window and edit the signature content

Sorting, Filtering, and Searching the Network Signatures List

1. You can sort the list by Signature ID, Signature Name, Criticality, Confidence, Tags,
First Rev. Release, Last Rev. Update, and Updated in CTD by clicking the column header.
2. You can filter the list using the Status, Criticality, Tags, Powered By, and Updated in
CTD filters.
3. You can also search for signatures using the Search by field.

6.5.4.3. Adding a Network Signature


You can upload your own user-powered Network Signatures to CTD.

Important

• The file must have a .rules extension and be no larger than 1.5 KB.
• The file can contain multiple signatures. After upload, each signature will display as a
separate row in the Network Signatures list.
• Only "alert" actions are supported in CTD Network Signatures.

To upload a network signature:

1. Navigate to Threat Detection > Rules > Network Signatures.


2. In the toolbar, click Create New.
The Create New Network Signature Rules window opens.

Figure 149. Create New Network Signature Rules Window

3. In the Upload Network Signature Rule area, drag and drop your signature file from your
computer into the box. Alternatively, click Select File and browse to the file you want to
upload.
The content of the signature displays in the Create New Network Signatures window.

Figure 150. Network Signature Content

4. Click Create.
The signature is added to the Network Signatures list.
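As an added example (not Claroty code), the following pre-upload check applies the upload constraints stated above to a constructed .rules file: the .rules extension, the 1.5 KB limit (read here as 1536 bytes, an assumption), one signature per line, and the alert-only action rule. The rule header layout and the requirement for a sid option are assumptions about the signature syntax, not something the guide specifies.

```python
"""Pre-upload check for a user-powered Network Signature file.

Added example, not Claroty code. It applies the constraints the guide states
for uploads: a .rules extension, at most 1.5 KB, one or more signatures per
file, and only the "alert" action. The sample rules below are constructed for
illustration; the 1.5 KB limit is taken to mean 1536 bytes (assumption).
"""
from __future__ import annotations
import re
from pathlib import PurePath

MAX_BYTES = 1536                 # assumed reading of the guide's "1.5 KB" limit
SUPPORTED_ACTIONS = {"alert"}    # the guide: only "alert" actions are supported

# Assumed rule shape: <action> <proto> <src> <sport> <dir> <dst> <dport> ( options )
_RULE_HEAD = re.compile(
    r"^(?P<action>[a-z]+)\s+\S+\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((?P<opts>.*)\)\s*$"
)
_SID = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def split_signatures(text: str) -> list[str]:
    """Each non-empty, non-comment line is one signature (one row after upload)."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def check_signature_file(filename: str, content: bytes) -> dict:
    """Validate file name, size and every signature; return a report dict."""
    problems: list[str] = []
    if PurePath(filename).suffix != ".rules":
        problems.append("file must have a .rules extension")
    if len(content) > MAX_BYTES:
        problems.append(f"file is {len(content)} bytes, limit is {MAX_BYTES}")
    sigs = split_signatures(content.decode("utf-8", errors="replace"))
    if not sigs:
        problems.append("file contains no signatures")
    sids: list[int] = []
    for n, sig in enumerate(sigs, 1):
        m = _RULE_HEAD.match(sig)
        if m is None:
            problems.append(f"signature {n}: cannot parse rule header")
            continue
        if m.group("action") not in SUPPORTED_ACTIONS:
            problems.append(f"signature {n}: action '{m.group('action')}' is not "
                            "supported, only 'alert' is")
        s = _SID.search(m.group("opts"))
        if s is None:
            problems.append(f"signature {n}: missing sid option")
        else:
            sids.append(int(s.group(1)))
    dup = sorted({x for x in sids if sids.count(x) > 1})
    if dup:
        problems.append(f"duplicate sid(s): {dup}")
    return {"ok": not problems, "signatures": len(sigs), "sids": sids, "problems": problems}


# Constructed sample: two alert rules and one "drop" rule that CTD would not accept.
SAMPLE_RULES = b"""\
# constructed test rules, not real threat signatures
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"TEST plain HTTP to external"; flow:to_server; sid:9000001; rev:1;)
alert udp any any -> any 53 (msg:"TEST DNS query volume"; threshold:type limit, track by_src, count 1, seconds 60; sid:9000002; rev:1;)
drop tcp any any -> any 502 (msg:"TEST block modbus"; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    print(check_signature_file("user_rules.rules", SAMPLE_RULES))
```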

6.5.5. Yara Rules

6.5.5.1. Working with Yara Rules


To work with Yara rules:

• Navigate to Threat Detection > Rules > Yara Rules.


The list of installed Yara rules is displayed:

Figure 151. Yara Rules Page

The Results grid displays the Yara rules, listed with the following default sortable columns:

1. Active button – The default value is Active. Click this button to deactivate an
existing Yara rule.
2. Name – The name of this Yara rule
3. Time of Creation – The timestamp of when this rule originated
4. Rule Source – Whether the source of the rule is from the system (Claroty) or is user
created. System Rules can be disabled but you cannot edit or delete them.
5. Options – When a Yara rule is editable, the Edit icon appears in this column.

In addition:

6. The toolbar contains options for adding new Yara Rules and deleting selected ones.

Naming Convention for Import


For importing Yara rules, the naming convention is as follows:

• For Rules that contain a threat tag:
[THREAT TYPE]_[THREAT TAG]_[(YARA_Rule_Name)]
Example: MALWARE_TROJAN_(Trojan_Win64_Generic_23).yar
• For Rules without a threat tag:
[THREAT TYPE]_[(YARA_Rule_Name)]
Example: EXPLOIT_(Spring4Shell).yar
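As an added example (not Claroty code), a small parser that checks file names against the naming convention above before a batch import. The guide does not list the permitted threat types or tags, so the parser only requires upper-case tokens; treating the type and the tag as single tokens without underscores is an assumption.

```python
"""Check Yara rule file names against the import naming convention in the guide:
[THREAT TYPE]_[THREAT TAG]_[(YARA_Rule_Name)].yar, or [THREAT TYPE]_[(YARA_Rule_Name)].yar
when there is no threat tag.  Added example, not Claroty code.  The guide does not list
the valid threat types or tags, so only upper-case tokens are required (assumption).
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

_NAME = re.compile(
    r"^(?P<type>[A-Z0-9]+)"          # threat type, e.g. MALWARE or EXPLOIT
    r"(?:_(?P<tag>[A-Z0-9]+))?"      # optional threat tag, e.g. TROJAN
    r"_\((?P<rule>[A-Za-z0-9_]+)\)"  # Yara rule name in parentheses
    r"\.yar$"
)


@dataclass(frozen=True)
class YaraFileName:
    threat_type: str
    threat_tag: Optional[str]
    rule_name: str


def parse_yara_filename(name: str) -> YaraFileName:
    """Split a file name into its parts, or raise ValueError if it breaks the convention."""
    m = _NAME.match(name)
    if m is None:
        raise ValueError(f"{name!r} does not match [THREAT TYPE]_[THREAT TAG]_[(Rule_Name)].yar")
    return YaraFileName(m.group("type"), m.group("tag"), m.group("rule"))


def build_yara_filename(threat_type: str, rule_name: str,
                        threat_tag: Optional[str] = None) -> str:
    """Compose a conforming file name; the rule name is kept exactly as written."""
    parts = [threat_type.upper()]
    if threat_tag:
        parts.append(threat_tag.upper())
    parts.append(f"({rule_name})")
    return "_".join(parts) + ".yar"


def check_import_batch(names: list[str]) -> dict[str, Optional[str]]:
    """Map each file name to None when it conforms, or to the error text when it does not."""
    report: dict[str, Optional[str]] = {}
    for name in names:
        try:
            parse_yara_filename(name)
            report[name] = None
        except ValueError as exc:
            report[name] = str(exc)
    return report


if __name__ == "__main__":
    # Constructed batch: the guide's two examples plus two non-conforming names.
    for n, err in check_import_batch([
        "MALWARE_TROJAN_(Trojan_Win64_Generic_23).yar",
        "EXPLOIT_(Spring4Shell).yar",
        "spring4shell.yar",
        "EXPLOIT_Spring4Shell.yar",
    ]).items():
        print(n, "->", err or "ok")
```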

6.5.5.2. Adding a New Yara Rule


To add a Yara rule:

• Click Create New in the toolbar.


The Create New Yara Signature Rule dialog is displayed:

Figure 152. Create New Yara Signature Rule Dialog

The dialog prompts you to:

• Enter a Signature Name for your new Yara Rule
• Click or drag the Yara signature file itself. The content of the signature is displayed in
the main window.
• Click Create to upload the Yara signature file

6.5.5.3. Deleting a Yara Rule


To delete a Yara rule:

1. Either select the row of the Yara Rule from the list of Results, or search for part of the
Yara Rule name in the Search By field.
2. Click Delete on the toolbar to remove the Yara Rule(s).
3. Before deleting any rules, the system requests confirmation of the deletion.

When a rule is modified, the system shows a message in the lower right corner of the screen
indicating whether or not it was deleted.

6.5.5.4. Yara Rule Example: Suspicious File Transfer Alert

Figure 153. Yara Signature Example

6.5.6. Auto Resolve


Each network has behaviors that are expected and occur on a regular basis. These behaviors
create alerts that do not need to be reviewed and can be resolved automatically by the system.

For example:

• You might periodically attach a camera of a specific vendor to a specific IP subnet.
In this case, you could create an Auto Resolve rule that automatically Approves the alerts
raised by this activity.
• You might schedule a port scan to occur on a regular basis from a known IP or host name.
In this case, you could create an Auto Resolve rule that Archives the alerts permanently.
• An asset on a specific subnet is malfunctioning, and a technician will fix it in one week.
In this case, you could create an Auto Resolve rule that automatically Archives the alert until
the day after the asset is fixed.

6.5.6.1. Resolving Alerts


Alerts can be resolved in these ways:

• You automatically Approve an alert when the cause is acceptable and/or the
communication/activity is a legitimate network communication. Alerts that meet specified
criteria are approved until the expiration date of the rule, if one is set.

Note
This is unlike Approving alerts manually, where all of the new policies associated with
the alert are added as valid, ensuring that the alert with the same policies is not
triggered in the future.

• You automatically Archive an alert when the changed information is not acceptable or is
not a legitimate network communication/activity. This action archives all the information, and
changed information is not added to the Asset.

Note
• When a New Asset alert is archived, the Asset and all its related information,
including Alerts and Events, is archived along with it.
• When an Auto Resolve archive rule has an expiration date, Alerts that meet the
specified criteria are archived until the expiration date of the rule, after which they
appear again for manual review.
When an Auto Resolve archive rule has no expiration date, it is effectively the same
as manually archiving an alert - its policy is not updated, but the alert is always
archived.

6.5.6.2. Viewing Automatically Resolved Alerts


The alert's Alert View page indicates the type of Auto Resolve resolution.

Hovering over this indication displays the name of the rule that resolved the alert as well as the
date and time on which it was resolved.

Figure 154. Alert Approved by Auto Resolve Rule

6.5.6.3. Centralized Management of Auto Resolve Rules


The EMC acts as the central repository of all Auto Resolve Rules so that whether created on the
site or the EMC, a Rule can be viewed in the EMC.

To optimize and streamline your organization's creation and use of Auto Resolve Rules, a rule
can be created on the EMC once and then applied to selected sites; it can also be customized
as required for a specific Site. Also, a rule created for an individual site can then be applied to
other sites.

There are several important guidelines for creating rules and applying them to other sites:

• A rule can be created on one site and applied to another, as long as all desired sites and the
EMC run the same version of CTD. (Rules created on any site can be viewed in the EMC
regardless of the site version).
• Rules can be created on either the EMC or site, but content can only be modified on a site.
• When a rule created in the EMC is applied to a site and then modified, it effectively becomes
a new rule and appears in the EMC as such.

6.5.6.4. Creating an Auto Resolve Rule From the EMC


Auto Resolve rules can be created in the EMC and applied to one or more Sites in your
enterprise.

To create an Auto Resolve rule:

1. In the EMC, navigate to Threat Detection > Rules > Auto Resolve.
The Auto Resolve Rules page opens:

Figure 155. Auto Resolve Rules - EMC

2. In the toolbar, click Create New.
The Auto Resolve window opens.

Figure 156. Auto Resolve Window for the EMC

3. In Rule Name, choose a descriptive name for your new rule.


4. In the Sites dropdown list, select the Sites to which the rule should be applied.

Note
Auto Resolve rules can only be applied to Sites with a CTD version that is the same
as the EMC. Any Site that is not on the same version as the EMC does not appear
in the list.

For information about upgrading Sites, see Upgrading Your Enterprise.

5. In Alert Condition, configure the condition under which the alert should be automatically
resolved.
• Click +AND to add more conditions - up to 4.
• You can add one of each condition option - Category, Description, Severity, Type
Example: To specify New Asset alerts with low severity, select these options:
Type, New Asset +AND
Severity, Low
6. In Asset Condition, configure the condition under which the alert should be automatically
resolved.
Click +AND to add more conditions - up to 4.
Example: To specify a camera on IP 10.91.159.75, select these options:
Asset, Asset Type, Camera +AND
Asset, IP, 10.91.159.75 (type this value)

Note
• A Primary Asset is an asset that performs a communication that triggers the alert
creation process. It is the asset that, in most cases, will need to be investigated as
the potential threat source.
• A Non-Primary Asset is an asset that communicates with a Primary Asset.

Note
Wildcards can be used in the Host Name, Display Name, Domain/Workgroup,
and Domain Name filters. See Using Wildcards in Asset Condition Filters.

7. In Active Until, select the expiration date of the Auto Resolve rule. Select Forever if there
is no expiration date.
8. In Select Automatic Action, select the action to be taken when the Alert and Asset
conditions specified previously are met.
• Approve (Default)
• Archive
For an explanation of these options, see Resolving Alerts.

9. Click Create.
The Auto Resolve Rule window lists rule creation or failure for each Site selected in the
Sites dropdown list.

10. Click OK.
The rule is added to the table with an icon that indicates that it has been applied to multiple
Sites.

Optional: Click the icon to view the Sites to which the rule was applied.

Note
A rule created from the EMC is applied to all networks on a selected Site. To select
specific networks on a Site, either create the rule directly on the Site or customize the
rule on the Site.

For more information, see Creating an Auto Resolve Rule From a Site.

Using Wildcards in Asset Condition Filters


For maximum flexibility and comprehensiveness when creating filters, you can use wildcards as
follows:

• claroty* - Finds names that begin with the word “claroty”.
• *claroty - Finds names that end with the word “claroty”.
• *claroty* - Finds names that contain the word “claroty” anywhere in the value.

Examples:

• You could use *claroty.com* - to create a rule that automatically Approves all new assets
that contain the domain name "claroty.com".
• For hostnames following a specific naming convention, such as Location-Function-
UID (e.g., NYC-DB-01), you could apply a pattern such as NYC-DB-* to match any hostname
that starts with this sequence.
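As an added example (not Claroty code), the following evaluator applies Auto Resolve rules to constructed alerts with the semantics described in the creation procedure and in the wildcard section above: up to four AND-ed Alert Conditions (one each of Category, Description, Severity, Type), up to four AND-ed Asset Conditions, '*' wildcards only in the four name fields, an Active Until date (Forever when unset) and an Approve or Archive action. The alert field names, case-insensitive wildcard matching and "first matching rule wins" are assumptions.

```python
"""Evaluate Auto Resolve rules against alerts as the guide describes them.
Added example, not Claroty code.  Assumptions: the alert/asset field names used
below, case-insensitive wildcard matching, and that the first matching rule wins.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

MAX_CONDITIONS = 4
ALERT_CONDITION_FIELDS = {"Category", "Description", "Severity", "Type"}
WILDCARD_FIELDS = {"Host Name", "Display Name", "Domain/Workgroup", "Domain Name"}
ACTIONS = {"Approve", "Archive"}


def wildcard_match(pattern: str, value: str) -> bool:
    """'claroty*', '*claroty', '*claroty*' style matching; only '*' is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def condition_holds(fld: str, expected: str, actual: Optional[str]) -> bool:
    """Exact match, or wildcard match for the fields where the guide allows it."""
    if actual is None:
        return False
    if fld in WILDCARD_FIELDS and "*" in expected:
        return wildcard_match(expected, actual)
    return actual == expected


@dataclass
class AutoResolveRule:
    name: str
    alert_conditions: dict[str, str] = field(default_factory=dict)
    asset_conditions: dict[str, str] = field(default_factory=dict)
    action: str = "Approve"                  # the guide's default action
    active_until: Optional[datetime] = None  # None means Forever

    def __post_init__(self) -> None:
        if max(len(self.alert_conditions), len(self.asset_conditions)) > MAX_CONDITIONS:
            raise ValueError("each condition section allows up to 4 conditions")
        unknown = set(self.alert_conditions) - ALERT_CONDITION_FIELDS
        if unknown:
            raise ValueError(f"unsupported Alert Condition field(s): {sorted(unknown)}")
        if self.action not in ACTIONS:
            raise ValueError("action must be Approve or Archive")

    def matches(self, alert: dict, now: datetime) -> bool:
        """Rule must be active and every alert and asset condition must hold (AND)."""
        if self.active_until is not None and now > self.active_until:
            return False  # expired: the alert reappears for manual review
        if not all(condition_holds(f, v, alert.get(f)) for f, v in self.alert_conditions.items()):
            return False
        asset = alert.get("asset", {})
        return all(condition_holds(f, v, asset.get(f)) for f, v in self.asset_conditions.items())


def resolve_alerts(rules: list[AutoResolveRule], alerts: list[dict],
                   now: datetime) -> dict[str, str]:
    """Map each alert id to 'Action (rule name)' of the first matching rule, else 'Manual review'."""
    outcome: dict[str, str] = {}
    for alert in alerts:
        outcome[alert["id"]] = "Manual review"
        for rule in rules:
            if rule.matches(alert, now):
                outcome[alert["id"]] = f"{rule.action} ({rule.name})"
                break
    return outcome


# Constructed rules mirroring the guide's examples: a camera on 10.91.159.75,
# hostnames NYC-DB-*, the *claroty.com* domain, and a scheduled scan rule that has expired.
RULES = [
    AutoResolveRule("Known camera", {"Type": "New Asset", "Severity": "Low"},
                    {"Asset Type": "Camera", "IP": "10.91.159.75"}),
    AutoResolveRule("NYC DB servers", {"Type": "New Asset"}, {"Host Name": "NYC-DB-*"}),
    AutoResolveRule("Corporate domain", {"Type": "New Asset"}, {"Domain Name": "*claroty.com*"}),
    AutoResolveRule("Scheduled scan", {"Type": "Port Scan"}, {"Host Name": "scanner01"},
                    action="Archive", active_until=datetime(2024, 11, 30, tzinfo=timezone.utc)),
]

# Constructed alerts; the field names are assumptions for this example.
ALERTS = [
    {"id": "A1", "Type": "New Asset", "Severity": "Low",
     "asset": {"Asset Type": "Camera", "IP": "10.91.159.75"}},
    {"id": "A2", "Type": "New Asset", "Severity": "Low",
     "asset": {"Asset Type": "Server", "Host Name": "nyc-db-07"}},
    {"id": "A3", "Type": "New Asset", "Severity": "Low",
     "asset": {"Asset Type": "Camera", "IP": "10.91.159.76"}},
    {"id": "A4", "Type": "Port Scan", "Severity": "High",
     "asset": {"Host Name": "scanner01"}},
]

if __name__ == "__main__":
    for alert_id, result in resolve_alerts(RULES, ALERTS, datetime.now(timezone.utc)).items():
        print(alert_id, "->", result)
```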

6.5.6.5. Creating an Auto Resolve Rule From a Site


You can create an Auto Resolve rule for a Site using either of these methods:

• Create a rule on the Site.
• Customize a rule created in the EMC for the Site.

Creating a Rule on the Site


Create a rule directly on a Site when you know about the unique events on that Site that occur
on a regular basis and can be either Approved or Archived automatically.

Tip
Rules created on a Site display in the EMC if the CTD versions of the Site and the EMC
are aligned. A copy of the rule can then be customized for other Sites as needed.

To create an Auto Resolve rule on a Site:

1. In a Site, navigate to Threat Detection > Rules > Auto Resolve.


The Auto Resolve Rules page opens:

Figure 157. Auto Resolve Rules - Site

2. In the toolbar, click Create New.
The Auto Resolve for Site dialog opens.

Figure 158. Auto Resolve Window for a Site

3. In Rule Name, choose a descriptive name for your new rule.


4. In Networks, select the relevant networks for your new rule.
5. In Alert Condition, configure the condition under which the alert should be automatically
resolved.
• Click +AND to add more conditions - up to 4.
• You can add one of each condition option - Category, Description, Severity, Type
Example: To specify New Asset alerts with low severity, select these options:
Type, New Asset +AND
Severity, Low
6. In Asset Condition, configure the condition under which the alert should be automatically
resolved.
Click +AND to add more conditions - up to 4.
Example: To specify a camera on IP 10.91.159.75, select these options:
Asset, Asset Type, Camera +AND
Asset, IP, 10.91.159.75 (type this value)

Note
• A Primary Asset is an asset that performs a communication that triggers the alert
creation process. It is the asset that, in most cases, will need to be investigated as
the potential threat source.
• A Non-Primary Asset is an asset that communicated with the Primary Asset.

Note
Wildcards can be used in the Host Name, Display Name, Domain/Workgroup,
and Domain Name filters. See Using Wildcards in Asset Condition Filters.

7. In Active Until, select the date on which the Auto Resolve rule should no longer be
applied.
8. In Select Automatic Action, select the action to be taken when the Alert and Asset
conditions specified previously are met.
• Approve (Default)
• Archive
For an explanation of these options, see Resolving Alerts.
9. Click Create.
The Auto Resolve Rule is added to the list.

The rule displays in the EMC indicating that it was created on one site. Hovering over "1
site" displays the Site on which it was created.

Figure 159. Site-created Rule in the EMC

• In the Site, the row of each alert rule displays the following columns: ID, Rule Name,
Condition, Action, Active Until, Resolved Alerts, Last Resolved, Created, Updated,
Updated By, Actions.
• To export the Auto Resolve rules and their conditions, select the relevant row(s). Then, in
the toolbar, click More > Download.
The results are exported to a CSV file.

Customizing a Rule Created from the EMC


A rule created from the EMC can be customized on the Site. The customized rule then becomes
a new, separate entity and as a result, different versions of the rule will appear in the EMC.

To customize a rule for a Site:

1. In the Site, navigate to Threat Detection > Rules > Auto Resolve.
The Auto Resolve Rules page opens.
2. In the Actions column, click the Edit Rule icon.
The Auto Resolve for Site window opens with a note explaining that the rule was created
in the EMC.

Figure 160. Editing an Auto Resolve Rule That Originated in the EMC

3. Edit the various fields as required and click Save.
A confirmation message displays in the lower right corner confirming the change.

6.5.6.6. Editing and Deleting Auto Resolve Rules


Using centralized management principles for Auto Resolve rules, you can do the following:

• Change the Sites to which EMC-created rules are applied.
• Apply a rule created on one Site to other Sites.
• Delete a rule from the EMC or a Site.

Change the Sites to Which EMC-Created Rules Are Applied

1. In the EMC, navigate to Threat Detection > Rules > Auto Resolve.
2. In the Actions column of the rule you want to change, click the Add or Remove Rule from
Sites icon.
The Auto Resolve window opens.
3. In the Sites dropdown list, select the Sites to which the rule should be added and deselect
the Sites from which the rule should be removed.
4. Click Save.
The Auto Resolve Rule window lists success or failure for each Site.

Apply a Rule Created on a Site to Other Sites


All rules, whether created on a Site or the EMC, are displayed in the EMC. When the version
number of a Site is aligned with the EMC, its rules can be applied to other Sites.

To apply a Site rule to other Sites:

1. In the EMC, navigate to Threat Detection > Rules > Auto Resolve.
2. In the Actions column of the rule you want to apply to other Sites, click the Add or
Remove Rule from Sites icon.
The Auto Resolve window opens with a message explaining that the rule was created on a
Site.

3. In the Sites dropdown list, select the Sites to which the rule should be applied.
The Site on which the rule originated is unavailable.

4. Click Save.
The Auto Resolve Rule window lists rule creation success or failure for each Site.

Note
Once the rule is applied to a new Site, if it is then modified, it becomes a new, separate
rule.

Delete a Rule from the EMC or a Site

1. In the EMC or Site, navigate to Threat Detection > Rules > Auto Resolve.
2. Select the checkbox of the rule you want to delete and in the toolbar, click Delete Selected.
• In the EMC, the Auto Resolve Rule window lists the success or failure of the deletion.
• In a Site, a message describes the success or failure of the deletion.

Note

• An Auto Resolve rule created on a Site can be deleted only from the Site.
• Deleting an Auto Resolve rule from a Site deletes it only from that Site, and not from
other Sites to which it was applied.
• Deleting an Auto Resolve rule from the EMC deletes it from all the Sites to which it was
applied.

6.5.6.7. Understanding an Auto Resolve Rule's Effectiveness


If very few alerts were resolved by an Auto Resolve rule, or if alerts were not resolved recently,
you might want to either edit the rule to make it more effective or delete it altogether.

The Auto Resolve Rules page contains 2 columns that together can give a good indication of a
rule's effectiveness.

• Resolved Alerts - Counts the number of alerts the rule automatically resolved.
• Last Resolved - Shows a timestamp for the last time an alert was automatically resolved by
the rule.

As an example, let's say the current date is 1 April and the rule last resolved a good number of
alerts on the previous 1 December. Because more than 4 months have passed since the rule
resolved an alert, it is a good candidate for either tweaking or deleting.

Here is an example on a Site.

Figure 161. Ineffective Auto Resolve Rule on a Site

Click the number in the Resolved Alerts column to open the Alerts page filtered for all the alerts
resolved by the rule.

In the EMC, when an alert rule has been applied to several sites, you can click the icon to open
a window that lists all the sites to which the rule has been applied. Both columns appear there.

Figure 162. Auto Resolve Rule in the EMC

Figure 163. Resolved Alerts and Last Resolved Columns

Click the number in the Resolved Alerts column of any Site to open the Alerts page filtered for
all the alerts resolved by the rule.

To learn about editing and deleting Auto Resolve Rules, see Editing and Deleting Auto Resolve
Rules.

Important Points to Keep in Mind

• The count in the Resolved Alerts does not include alerts deleted due to alert retention rules.
To learn more about retention rules for each alert type, see Alerts Table.
• The Last Resolved column displays the date/time of the most recent alert resolved by the rule
regardless of whether the alert was deleted.

• The number of resolved alerts includes qualified, unqualified, and deleted alerts. There might
be a discrepancy between the total number of alerts and the filtered alerts, which could
potentially result in an empty set of filtered alerts.
• The Resolved Alerts count starts from the moment that v4.9.1 or above of CTD is installed.
For rules that were migrated from previous versions, N/A displays.
• If the rule was created before v4.7.0, the rule might not be valid; it is recommended to open
the rule in the Site view and make sure that all the values in it are correct and valid.

6.5.6.8. Auto Resolve Rule Migration


Depending on the version of CTD you are upgrading from, the following changes will be made
when Auto Resolve Rules are migrated:

Table 8. Migration

Pre-Migration Version    Changes After Upgrade
Pre-4.7.x                Auto Resolve Rule Table Changes
                         Auto Resolve Rule Configuration Handling
All previous versions    Auto Resolve Rule Table Changes

Auto Resolve Rule Table Changes


When upgrading to v4.8.0 of CTD from all previous versions, the migration rules are as follows
for selected columns in the Auto Resolve table:

• Created
• This column is created during the upgrade to v4.8.0.
• If the value does not exist in the Updated column, the date will be the moment of the
migration (CREATED=UPDATED).
• Updated
• If the value does not exist in the DB, the date will be the moment of the migration
(CREATED=UPDATED).
• Updated by
• This column is created during the upgrade to v4.8.0.
• If the value does not exist in the DB, the value will be OTHER.

Auto Resolve Rule Configuration Handling


When upgrading from a pre-v4.7.0 version, previously-created rules will migrate automatically
with a few exceptions. This is due to a change in logic in CTD that assists you in creating valid
Auto Resolve rules.

Auto Resolve Rule Spreadsheet


To understand which rules will not migrate, it is important to download the Auto Resolve rule
spreadsheet that lists each rule. This can be done in three ways:

• Before upgrading (preferred) - In the Auto Resolve toolbar, click More > Download.
• After upgrading - download the file from this path:
/var/lib/mysql/alert_rules_<MIGRATION_TIMESTAMP>.csv
• Contact Claroty Support.

Auto Resolve Exceptions


The exceptions are as follows:

• Rules with invalid data typed as text - such as in the IP field, a comma typed accidentally
instead of a period.
These rules are migrated, but when you edit the rule, the invalid data is displayed in red fields
with tooltips on how to resolve the invalid value.

• Rules that contain a Vendor - This attribute is now supported by a list based on what is in
your network instead of as text.
Rules with vendor names that are supported by the new lists are migrated; rules that are not
in the lists are not migrated.
• Rules that contain multiple Alert Description conditions - Before v4.7.0, when a rule
contains multiple Alert Description conditions, they are treated as OR conditions in a single
rule. After migration, each condition is treated as a separate rule. All other conditions in the
rule are maintained as-is.
• Rules based on Policy Rule Match, Baseline Rule, or Policy Violation alerts - These
rules do not migrate.

• In the case of Auto Resolve rules containing Policy Rule Match alerts and Baseline Rule
alerts, these alerts are user configured. You can therefore delete the Zone Rules that create
Policy Rule Match alerts and Baseline Rules that create Baseline Rule alerts.
• In the case of rules containing Policy Violation alerts, these alerts can no longer be
resolved based on Baseline values, and are not migrated. All other conditions in the rule
are maintained as-is.
To recreate these rules in v4.7.0, in the Condition column of the spreadsheet, copy the
Protocol and Access Type of the Auto Resolve rule. Example: Protocol - MODBUS, Access
Type - Write
Then, in the Alert Condition section of the new Auto Resolve dialog, select Description
and then paste the copied text into the Type Description field, which is a text field.

• All other alert types are not connected directly to baseline conditions.
• Rules containing attributes that were not effectively supported pre-4.7.0 - Rules that
contain the following attributes will not migrate:
• Alert Condition : Alert family, Created (days ago), Non Primary Assets, Primary Asset,
Site, Story Severity, Status, Time of day, Type (Asset Down, Baseline Deviation, Baseline
Down, Baseline Volume Deviation, Invalid Session, Malformed Packet, Program Operation,
Protocol, Protocol Down, Threat)
• Asset condition: Network
• Baseline condition: Description, Destination Port, Protocol, Source Port, Access Type,
Category

7. Investigation
The Investigation functions of CTD are used to investigate alerts or events in the network.
They also give deeper visibility and tools for understanding the network and its behavior. For
example, DNS Queries can be used to investigate whether an external domain is being used, or
to detect suspicious activity; they can also help to find configuration issues. The Network
Sessions screen analyzes network traffic, giving you more insight into how your network traffic
looks and your network health. Process Values enable you to investigate OT alerts and get
visibility into OT asset behavior in the network.

These functions support alert investigation and can also help with threat hunting.

7.1. DNS
The DNS view supports threat hunting: use it to investigate unexpected behavior on the network,
past issues in the network, or alerts.

To access DNS view:

• In the Main Menu, navigate to Investigation > DNS.

Figure 164. DNS Query Page

The DNS Queries page includes the following columns:

• ID
• DNS Server
• Domain
• DNS Client
• Status
• Response
• Record Type
• Hit Count
• First Seen
• Last Seen

7.1.1. DNS Widgets

The Visibility Overview and the Asset View page have DNS widgets that show the DNS queries
detected in the network. The widgets provide the following DNS statistics for the network:

• The number of DNS queries over time
• The names and volumes of the most frequent DNS queries
• The domains with the most assets

Figure 165. DNS Widgets

7.2. Baselines
The Baselines page displays all the baselines from all your assets and supports filtering. These
filtering capabilities can be used during forensic processes by Security Officers or during
operational investigations by OT Engineers.

For example, OT Engineers could use this view to filter all write data acquisition operations
performed in their environment. Security Officers or SOC operators could search for
communications within a specific timeframe.

Note
In the Enterprise Management Console (EMC), this page will include an additional Site
filter to view baselines from some or all sites.

Note
Baselines that have not been active for more than a month are removed from the system
automatically. This affects all system components that use them, such as insights and assets.

7.2.1. Baseline List Filters

The Baselines List can be filtered in a variety of ways. The main columns are available in
the normal view; additional columns are available in the Advanced Options filters as listed in
Baseline Filters in Advanced Options.

Figure 166. Baseline Filters

The following Baseline filters are supported:

1. Protocol – Dropdown list of all the supported protocols.
2. Access Type – Dropdown list of all the supported access types.
3. Source Asset – Filters by the source of the identified asset.
4. Destination Asset – Filters by the destination of the identified asset.
5. Source Virtual Zone – Filters by the source virtual zone.
6. Destination Virtual Zone – Filters by the destination virtual zone.
7. Baseline Name – Filters by the name of the baseline.
8. Category fields:

• Alarm
• Authentication
• Data Acquisition
• Diagnosis
• File System
• Firmware
• Network
• Operation
• Other
• Programming
• Protocol
• Remote Connection

9. Time – Filters the baselines by a set timeframe:

• 1 hour/1 day/1 week/1 month
• By a range of your choice

• Source Address – Address of the source of an identified asset. This field contains the IP or
MAC address.
• Destination Address – Address of the destination of an identified asset. This field contains
the IP or MAC address.

7.2.2. Baseline Filters in Advanced Options

The following baseline filters are also supported and accessed by clicking Advanced Options:

Figure 167. Selecting Advanced Options

Use the Baseline’s Advanced Options as follows:

Figure 168. Baseline - Advanced Options

1. Action – Select an Include or Exclude action
2. Filter Name – Select a filter name from the following list: Baseline Name, Destination,
Destination Port, First seen (days ago), Frequency, Last Seen (days ago), OT Protocols
Only, Source, Source Port, Transmission
3. Filter Value – Enter the value for the filter you are creating
4. Add Filter button – Click this button to activate your filter.

7.2.2.1. Baseline Profiles of Virtual Zones

In the Baselines page, filter the results by Source Virtual Zone and Destination Virtual Zone. The
baseline results are displayed as shown below:

Figure 169. Baseline Results From Virtual Zones

7.2.3. Working with Baseline Values

Some communication protocols contain additional values representing various process-related
information such as voltage, temperature, pressure, etc. For selected protocols, CTD can parse
the numerical or textual value and incorporate it into the asset’s baseline. These values can
be viewed on the Baselines page in a time-aggregated view, in a detailed view, or as a graph.
Baseline values can also be used to construct a baseline rule that creates a baseline alert (refer
to Creating a Baseline Rule).

Note
Baseline values are currently supported for the following protocols: DNP3, IEC101, IEC103,
IEC104, VNET (VHF), and DPI (over PCCC).

Prior to working with baseline values, make sure the IEC-101 and IEC-104 protocols are
enabled (in the Protocols page, accessible from the Configuration Menu).

Process Values supports additional protocols for value tracking; see Process Values.

7.2.3.1. Displaying Time-Aggregated Baseline Values

To view a time-aggregated display of IEC-101 baseline values:

1. Make sure that IEC-101 baselines are present in the table by using the Protocol filter, or by
manually searching for them in the table.
2. Click the arrow at the end of a table row to display a sub-table with baseline values.

The sub-table shows the count and the size seen for the specific baseline in each given
timeframe (between Start Time and End Time), as shown below:

Figure 170. Baseline Sub-Table

7.2.3.2. Displaying Detailed Baseline Values

To display detailed baseline values, do the following:

1. Add the Show Values column to the table by clicking More > Select columns, choosing
Show Values, and clicking Apply.

Figure 171. Selecting Show Values from the Select Columns popup

The Show Values column is added to the table.

Figure 172. Show Values Column

2. Click the arrow at the end of its table row to display the values for a given baseline.
The row expands downwards to display a sub-table with the count and size seen for the
specific baseline in each given timeframe (between Start Time and End Time).
In this example, there are two baseline values and each one has a count of 1.

Figure 173. Baseline Sub-Table

3. Click the baseline’s Show link to see a detailed view of the baseline values.
A window displays the details of the baseline values.

Figure 174. Baseline Values Window with Baseline Value Details

The number of rows in the window reflects the counts of all the baseline values. In our
example, there were two baseline values with a count of 1 each. Therefore, the Baseline
Values window contains two rows.

7.3. OT Audit

The OT Audit page displays all the latest OT operations the system has detected. This page is
essential for Management of Change (MOC) in OT operations.

To access the OT Audit page:

• In the Main Menu, navigate to Investigation > OT Audit.

Figure 175. OT Audit Page

OT Audit Results
Each row in the OT Audit table provides the following OT event information:

• ID – The OT event ID; clicking it leads to the Event or Alert Page to access all the information
for investigating, controlling, and managing the alert.
• Type – The OT event/alert type.
• Description – The description of the OT event/alert.
• Date Detected – The timestamp of when this OT event/alert was detected.
• Network – The network in which the OT event/alert occurred.

OT Audit Menu
To hide duplicates (Distinct), download this OT audit as a .csv or .pdf file, or export, share, or
schedule this report, click the menu button.

Filter & Search

To filter and search for an OT event, use the following fields:

• Type field to select an OT event by its type.
• Search by field to search for text in the OT event description.
• Clear All / Query View tools to clear your filter(s) or adapt the current query.

7.4. Process Values

CTD’s Process Values tool enables monitoring and investigation of OT processes. Based on its
data and analytic algorithms, it provides visibility into the values that are read from, written to,
or published by an OT asset. For each asset you can see all the tags, their values and their
access types.

Process Values can be used to detect unexpected changes that may indicate risks to process
integrity and warn of an impending cyberattack.

The tool lets users learn the normal values of a process and recognize when they are moving
towards a critical state, or are abnormal or unexpected. This can reveal behavior related to a
malware attack early in its kill chain, or point to an operational reliability issue. One example is
observing the temperature reported by a controller and watching for normal behavior or any
changes.

Note
This Process Values view is available by default, even before the user has selected any
tag tracking.

7.4.1. Prerequisites and Protocol Details

Important points to know about protocols before working with Process Values:

• Prior to working with Process Values, make sure that the IEC-101 or IEC-104 protocol is
enabled in Investigation > Protocols Summary.
If neither is enabled, refer to Protocols.
• Process Values are currently supported for the following protocols: CIP, Goose (IEC-61850),
IEC101, IEC104, MMS (IEC-61850/ICCP/TASE.2), Modbus, PCS7 WinCC (Historian),
S7Comm, DPI (over PCCC).
• Baselines values are still available from the baselines view and supported for DNP3, IEC101,
IEC103, IEC104, VNET (VHF), DPI (over PCCC).

7.4.2. Display According to Access Types

The order of the tags in the Process Values table follows our recommendations for tracking
tags. A tag with a Write access type is considered more important than the other types and is
therefore displayed at the top of the list.

Figure 176. Process Values Page

7.4.3. Viewing Process Values

To view Process Values:

1. From the Main Menu, click Investigation > Process Values.
2. Click a row to open a detailed screen with more information on the process value (see
Tags that have no tracking [263]).

Figure 177. Process Values Table - No Tracking

The Process Value table displays the following columns by default:

• ID – The Process Value ID
• Target Asset – The target (affected) asset (such as a Controller)
• Tag name – The tag name that is related to the asset. This tag has a value.
• Protocol – The related protocol running on this asset
• Access types – The read or write access to the asset
• Read/Publish Count – The sum of the Read/Publish requests for this tag
• Write Count – The sum of the Write requests for this tag
• Last value – The last tag value that was seen on this asset.

Note
The following three fields have no data when the tag value is non-numeric:

• Min value – The minimum tag value seen on this asset
• Max value – The maximum tag value seen on this asset
• Average value – The average tag value seen on this asset

7.4.3.1. Tags That Have No Tracking

Figure 178. Detailed Process Values View

A screen will open on the right with a detailed page. Click the arrow on the top right corner to
expand this view to the entire screen.

The following fields appear:

• Tag Information – Includes the Tag name, the Target asset associated with this tag, Protocol,
Write Count, Read Count, Publish Count and Tagging Mode as described above
• Source assets – The assets that communicated with the target asset and sent the read/write
requests. The parameters include the source asset Name, IP address, MAC address, Class,
Type, Criticality, Risk Level, Vendor, Network, and Last Seen fields as described in Assets
List View. These assets are sorted by decreasing Risk Level.

7.4.4. Tracking Configuration

In the Tracking Configuration dialog, accessed by selecting assets and then clicking Edit
Tracking Configuration in the toolbar, select the Tracking mode and Access Type.

7.4.4.1. Tracking Modes

Users are required to identify which tags are of interest in order for CTD to track them and
collect information on them.

Figure 179. Tracking Mode Dropdown

Choose from the following Process Value tracking modes:

• No Tracking – In this mode, there is no tracking whatsoever. The user obtains some data in
the Process values table
• Summary – In this intermediate level of tracking, Process Values are tracked at a high
level, including statistics and trends over time. If further information is needed, use Detailed
tracking. The statistics are summarized on an hourly basis.
• Detailed – This is the most extensive type of tracking. Every detail of the process values is
tracked and available for further investigation, yet it has less history than Summary tracking.
This mode provides continuous tracking information in real time.
• Detailed Write
• Detailed Read/Publish

7.4.4.2. Access Types (only for Detailed Tracking)

Users are required to identify and select tags in order for CTD to track and collect Process
Value information on them.

• Select from the dropdown of trackable Access Type/s: Write, Read/Publish

Figure 180. Access Type Dropdown

Note
We highly recommend that users track Write access types.

7.4.5. Process Value Graph

This Values Over Time graph is featured in both the Detailed mode and Summary mode
expanded views:

Figure 181. Timeline

This timeline graph shows two aspects: a light blue block that shows the range of values, plus
a line graph superimposed on it:

• In Detailed mode, the line shows the actual value within this range over time.
• In Summary mode, the line shows the average value.

When hovering over the graph, further details are displayed, and the corresponding table is
marked.

7.4.6. Summary Tracking Mode

In addition to the Values over Time graph, the Summary mode view highlights the tag
information, the appropriate statistics as well as the source assets of the asset under
investigation. The statistics are summarized on an hourly basis.

Figure 182. Summary View

The following fields are displayed in the Overview page for the process values:

7.4.6.1. General Information

The Process Values include the following general information:

• Process Values Title – The name of the Process Value being tracked
• First seen – The first time there was a read/write/publish action on this tag
• Last seen – The last time there was a read/write/publish action on this tag

7.4.6.2. Tag Information

Process Values include the following tag information:

• Tag Name – The tag name that is related to the asset. This tag has a value
• Target Asset – The target (affected) asset (e.g., a Controller)
• Protocol – The related protocol running on this asset
• Read/Write/Publish counts and the Last Read/Write/Publish value
• Last Function Code – How the read/write action was done
• Tracking Mode – No Tracking / Summary / Detailed

7.4.6.3. Statistics Information

The Process Values include the following statistics information:

• The Site ID – Identifies the site in which the process values are being tracked (only visible
when investigating from the EMC)
• The Source Asset/s – The asset/s that communicated with the target asset and sent the
read/write requests.
• Min Value, Max Value, Average Value, Range: These entities are measured from the time
the system started to learn or after statistics reset.

Note
When a relevant value does not exist, the corresponding field is not displayed (for
example, an average is not relevant for a Boolean or a string).

• Min Value – The lower limit of a process value
• Max Value – The upper limit of a process value
• Average Value – The average of the Min Value and the Max Value
• Range – The difference between the Min Value and the Max Value
• Write / Read / Publish count
• Last access type – The access type of the last action (e.g. read or write) to the asset
• Last function code – The last function code, i.e. how the read/write action was done
• Time – The time period during which this value was tracked
7.4.6.4. Source Assets

The Source Assets area of the Process Values view works as follows:

• Clicking the cell of a source asset opens the Source Assets dialog with a table listing
each source asset and its corresponding request type
• Clicking the asset name opens the full Asset View page
• When a single source asset has multiple request types, the request types are separated
by commas
• The table can be sorted by Request Type in the same manner as the main table

7.4.7. Detailed Tracking Mode

In addition to the Values over Time graph, the Detailed Mode table displays which Source
Asset performed an operation, as well as the Value at each time interval, along with the
Access Type (Read/Write/Publish) used and the Function Code.

The main areas of the Detailed page include:

• General Information
• Tag Information
• Process Value Graph
• Value Information
• Source Assets

7.4.7.1. Value Information

This view is similar to the Summary Mode view, with a Value Information area instead of the
Summary Mode’s Statistical Information area.

Figure 183. Detailed Mode - Value Information

Value Information Filters

The Detailed view presents the following filters for the Process Value results:

• Asset Name – for filtering the results by asset name
• Value – for filtering the results by value
• Access Types – Select Write / Read / Publish for filtering the results by access types
• Time – Choose whether to filter the results per Hour / Day / Week / Month

These filters simplify searching for something specific, such as Read or Write access on a tag
that uses the Modbus protocol.

Value Information Results Table

The Detailed Results table displays the following information. Click on any column name to sort
the table by that parameter.

• Source Asset – The name of the asset that performed the operation, with a link to its
detailed asset page
• Value – The tag’s value
• Access Type – Write / Read / Publish
• Function Code – The function code
• Time – The timestamp of the tag

7.4.8. Resetting Statistics

When it is time to reset the statistics, select a row and then either open the Summary Side Bar
and press the Reset Statistics Summary button as shown below; or press the Reset button
on the Process Values toolbar.

Figure 184. Resetting Statistics

Reset is used when the existing data is no longer relevant and there is a need to start over.
Reset can be performed on a single Process Value or on several ones at once.

The values are Reset as follows:

• The Minimum and Maximum values that had previously been learned are now deleted
• The Counts are deleted
• The Averages are deleted

After Reset, new values are learned.
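As an added illustration (not Claroty's code), the following Python model reproduces the Process Values bookkeeping described in 7.4.2 through 7.4.8: per-tag counts by access type, Min/Max/Average only for numeric values, Write-tagged rows listed first, hourly Summary statistics, and Reset. The observation tuples, asset names and tag names are constructed, and Average is taken here as the mean of the observed numeric values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed observations (target asset, tag, protocol, access type, value, time); not real traffic.
SAMPLE = [
    ("PLC-1", "Tank1_Temp", "Modbus", "Read", 71.5, datetime(2024, 12, 19, 8, 5)),
    ("PLC-1", "Tank1_Temp", "Modbus", "Read", 72.0, datetime(2024, 12, 19, 8, 40)),
    ("PLC-1", "Tank1_Temp", "Modbus", "Read", 74.5, datetime(2024, 12, 19, 9, 10)),
    ("PLC-1", "Pump_Setpoint", "Modbus", "Write", 55, datetime(2024, 12, 19, 8, 15)),
    ("PLC-1", "Pump_Setpoint", "Modbus", "Read", 55, datetime(2024, 12, 19, 8, 20)),
    ("RTU-2", "Breaker_State", "IEC104", "Publish", "CLOSED", datetime(2024, 12, 19, 8, 30)),
]


def is_numeric(value):
    """Min/Max/Average are only meaningful for numeric tag values (bool is excluded)."""
    return isinstance(value, (int, float)) and not isinstance(value, bool)


class ProcessValueTracker:
    """Per-(target asset, tag) bookkeeping in the shape of the Process Values table.
    Hypothetical model for this example, not Claroty's implementation."""

    def __init__(self):
        self.stats = {}  # (asset, tag) -> counters and extremes
        self.hourly = defaultdict(lambda: defaultdict(list))  # (asset, tag) -> hour -> values

    def observe(self, asset, tag, protocol, access, value, seen_at):
        key = (asset, tag)
        s = self.stats.setdefault(key, {
            "protocol": protocol, "access_types": set(), "read_publish": 0,
            "write": 0, "last": None, "min": None, "max": None, "sum": 0.0, "n": 0})
        s["access_types"].add(access)
        s["write" if access == "Write" else "read_publish"] += 1
        s["last"] = value
        if is_numeric(value):
            s["min"] = value if s["min"] is None else min(s["min"], value)
            s["max"] = value if s["max"] is None else max(s["max"], value)
            s["sum"], s["n"] = s["sum"] + value, s["n"] + 1
            hour = seen_at.replace(minute=0, second=0, microsecond=0)  # Summary mode buckets hourly
            self.hourly[key][hour].append(value)

    def row(self, asset, tag):
        """One row of the Process Values table; non-numeric tags have no Min/Max/Average."""
        s = self.stats[(asset, tag)]
        return {
            "Target Asset": asset, "Tag name": tag, "Protocol": s["protocol"],
            "Access types": sorted(s["access_types"]),
            "Read/Publish Count": s["read_publish"], "Write Count": s["write"],
            "Last value": s["last"], "Min value": s["min"], "Max value": s["max"],
            "Average value": s["sum"] / s["n"] if s["n"] else None,
        }

    def table(self):
        """All rows, with tags that have a Write access type listed first, as the guide describes."""
        rows = [self.row(*key) for key in self.stats]
        return sorted(rows, key=lambda r: ("Write" not in r["Access types"],
                                           r["Target Asset"], r["Tag name"]))

    def hourly_summary(self, asset, tag):
        """Summary-mode style statistics: one entry per hour bucket."""
        return {
            hour.strftime("%Y-%m-%d %H:00"): {"count": len(v), "min": min(v), "max": max(v),
                                              "avg": sum(v) / len(v)}
            for hour, v in sorted(self.hourly[(asset, tag)].items())
        }

    def reset(self, asset, tag):
        """Reset Statistics: drop learned Min/Max, counts and averages; the tag stays tracked."""
        s = self.stats[(asset, tag)]
        s.update(read_publish=0, write=0, min=None, max=None, sum=0.0, n=0)
        self.hourly.pop((asset, tag), None)


def build_sample_tracker():
    """Feed the constructed observations into a fresh tracker."""
    tracker = ProcessValueTracker()
    for observation in SAMPLE:
        tracker.observe(*observation)
    return tracker


if __name__ == "__main__":
    tracker = build_sample_tracker()
    for row in tracker.table():
        print(row)
    print(tracker.hourly_summary("PLC-1", "Tank1_Temp"))
```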

7.5. Network Sessions

Network Sessions analyzes network traffic. It gives you more insights into how your network
traffic looks and your network health. It provides another dimension of visibility where traffic is
based on the amount of data, validity of data, and number of errors.

The related Network Health graph shows retransmissions over time and the flow of data
between assets. You can view a specific asset and determine if it has network issues.

To access Network Sessions view:

• In the Main Menu, navigate to Investigation > Network Sessions.

Figure 185. Network Sessions

To access the Network Health graph:

1. In Investigation > Network Sessions or Visibility > Assets in the Main Menu, click on an
asset.
2. Go to the Communication tab and scroll down to the Network Health graph.

Figure 186. Network Health Graph

7.6. Protocol Summary

The Protocol Summary is an investigational tool that analyzes network communication by
counting how many times each protocol in use appeared on a port. This helps engineers and
analysts understand which protocols are the most commonly used.

To access the Protocol Summary page:

• Navigate to Investigation > Protocols Summary in the main menu.

Figure 187. Protocol Summary

The filters in the Protocol Summary are identical to those in Baselines, minus the Time filter.

To use these filters, see Baseline List Filters and Baseline Filters in Advanced Options.

8. Management Tools
CTD contains tools for viewing and managing system health and for maintaining and upgrading
the system.

8.1. Customizing Overviews

The Visibility, Risk & Vulnerabilities, and Threat Detection Overviews can be customized to
show the information you need most. You can add and remove widgets and create your own.

Additionally, each default Overview can be used as a template to create personalized
Overviews tailored to the needs of specific users.

Overviews can contain predefined widgets, as well as custom widgets with data important to
specific users or roles.

8.1.1. Editing an Overview

A custom overview/widget can be edited only by the original owner but can be viewed by all
users in the site/EMC in which the changes were made.

To edit the Overviews:

1. In the View dropdown list, choose the View to be edited.

Figure 188. View Dropdown List

2. Click More > Edit.

The following options are enabled:

Figure 189. Edit Overview Options

• Add widgets – For adding new widgets. For more details see Adding a
Predefined Widget and Creating a Custom Widget.

• Save – For saving the current overview as it is presently set up, with the current
name. When pressing Save:

• If the “Default View” overview is currently displayed, only the Save As option
appears.

• Otherwise, all the Save, Save As and Cancel options appear.

Note
A customized Overview can only be revised by the user that created it.

• Save As – For saving the existing overview with a new name. Use this option when
cloning the current overview as a base template for creating a new overview.

• Cancel – To undo the changes initiated in Edit mode.

• Delete – For deleting custom overviews/widgets. This option is only displayed for a
custom-made overview.

8.1.2. Creating a Private Custom Overview

Custom Overviews can be viewed by all users in the site/EMC. However, in an organization with
many Custom Overviews, the number of choices in the View list can become unwieldy.

To reduce the number of Overviews in the list, those that are of interest only to a specific user
can be designated as Private and display only when that user is logged on.

To create a Private Custom Overview:

• When saving a new Custom Overview, select the Private Dashboard option in the Save
Dashboard window.

Figure 190. Making an Overview Private

8.1.3. Working with Widgets

The Overviews support creation and customization of widgets to effectively emphasize various
aspects of the system as needed. By easily resetting the UI in this dynamic manner, you can
display and highlight the critical data you prefer, and then visually analyze the results. The
system also enables you to personalize Overviews to focus on these results regularly. You can
create new widgets or customize the predefined ones.

You can create a customized Overview by reorganizing the placement of the widgets as follows:

• Click More > Edit to start your customizations.

• The controls on the top right of each widget header are Edit mode controls, enabling
you to perform the following operations:

• Clone – To copy the selected widget.

• Move – To reposition the selected widget on the dashboard by dragging the widget with
the mouse and releasing it at the target location.

• Delete – To delete the selected widget.

• To resize the width of a widget, click on its border and drag to the left or right.

8.1.4. Adding a Predefined Widget

To add a predefined widget, do the following:

1. Click Add widgets.
The Add Widgets window opens.

Figure 191. Add Widgets Window

By default, all available widgets are displayed, but the Predefined Widgets pane enables
you to filter them according to Visibility, Risk & Vulnerabilities, and Threat Detection
categories.
2. Scroll down to view the list of predefined widgets and click each widget to be added.

3. Click Add Widgets.
The selected widgets are added to the bottom of the page.

4. Reposition a widget as needed by clicking Move and moving it to the appropriate place.

8.1.5. Creating a Custom Widget

Custom Widgets can be created from data in the Baselines, Assets, or Alerts pages. They can
then be added to Overviews and Reports as needed.

To create a custom widget, do the following:

1. Navigate to Baselines, Assets, or Alerts. Then, in the toolbar, click More > Create a
Widget.
The Create a Widget window opens.

Figure 192. Create a Widget Window - Assets

2. In the General section, add a Widget Name and an optional Widget Description.
3. In the Visualization section, select how the data should be displayed visually by doing the
following:
a. In Chart Type, choose from the following:

• Horizontal Bar
• Line Chart
• Pie Chart
• Vertical Bar
• Vertical Bar Stacked

Note
This widget displays data for up to 5 Sites. So depending on the number
of Sites in your enterprise, you might need to create several widgets.

For example, for an enterprise with 14 Sites, you would create 2 widgets
with 5 sites each and another widget with 4 sites.

b. In Group By, choose a category for how you want to group the results. You can group
the results according to any of the following categories (listed alphabetically):
• In Assets – Asset Criticality, Asset Type, Class, Default Gateway, Domain, Domain/
Workgroup, Firmware, First Seen (days ago), Host Name, Installed Antivirus, Last
Seen (days ago), Mode, Model, Name, Network, OS, Parsed Asset, Purdue Level,
Risk Level, Serial, Site (EMC only), Subnet, Type, Vendor, Virtual Zone
• In Alerts – Alert Description, Alert Family, Category, Created (days ago), Severity,
Site, Status, Type
• In Baselines – Access Type, Baseline Name, Communication Type, Destination
Port, First Seen (days ago), Frequency, Last Seen (days ago), Protocol, Site (EMC
only), Source Port, Transmission

Chart Type and Group By selections are reflected in the Preview pane.
4. In the Filters section, specify which data should be displayed by doing any of the following:
• Apply filters as needed. Filter options vary, based on whether you are creating an Assets,
Alerts, or Baselines widget.
• Click the Switch to Query View link and use Claroty’s CTD Query Language (CQL)
to modify or add filtering. Already-active filters in the viewed page are automatically
translated into this query language. You can modify the query statement or rewrite it to
suit your requirements.
See CTD Query Language (CQL) for full instructions on using CQL.

Figure 193. Filters Using CQL (Claroty Query Language)

5. Click Save.

The widget is added to the Custom Widgets section of the Create a Widget window and can
be added to any Report or Overview.

8.1.5.1. CTD Query Language (CQL)

The intuitive and dynamic CTD Query Language is available throughout the interface, allowing
advanced filtering and search in the Query View.

Constructing CQL Queries

CQL, with an SQL-like syntax, supports both simple and complex queries.

• All built-in properties for every entity are supported
• Custom Attributes can be used for assets
• The operator ‘AND’ is supported between each phrase
• For IN or NOTIN, use brackets to group multiple values

Table 9. CQL Operators

= – For entities where the value matches exactly. This cannot be used with text fields; see
the CONTAINS operator instead.
!= – For entities where the value does not match exactly. To find entities where the value of a
specified field exactly matches multiple values, use multiple "=" statements with the ‘AND’ operator.
IN – Contained in the list of values separated by commas and enclosed in brackets.
NOTIN – Not contained in the list of values separated by commas and enclosed in brackets.
~ – Like
!~ – Not like
~IN – Like in
~NOTIN – Not like in
AND – Displays the result if ALL the conditions separated by the ‘AND’ are met.
OR – Displays the result if EITHER of the conditions separated by the ‘OR’ are met.
BETWEEN – Selects values within a given range. The values can be numbers, text, or dates. It is
inclusive; i.e. the begin and end values are included.
NOT – Displays the result if the conditions separated by the ‘AND’ are not met.

Table 10. CQL Syntax Examples

Equals – “Name” = “10.10.10.10”
Not Equals – Name != “10.10.10.10”
Time Frame – “Last Seen” BETWEEN (01/01/1970,01/01/2019)
Multiple Values – Name IN (“10.10.10.10”, “10.10.10.20”)
Like – Name ~ “10.10”
Composite Condition – Name = “10.10.10.10” AND Protocol = “ARP”
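To make the operator table and the syntax examples above concrete, here is an added Python mini-evaluator (not Claroty's implementation of CQL) that parses the guide's example queries and runs them over constructed asset records. It supports =, !=, ~, !~, IN, NOTIN, BETWEEN, AND and OR (with AND binding tighter than OR); the asset records, the DD/MM/YYYY date format assumed for BETWEEN, and the substring semantics assumed for "Like" are this example's own assumptions.

```python
import re
from datetime import datetime

# Constructed sample asset records for this example; not data from any real CTD site.
ASSETS = [
    {"Name": "10.10.10.10", "Protocol": "ARP", "Last Seen": "15/06/2018"},
    {"Name": "10.10.10.20", "Protocol": "Modbus", "Last Seen": "02/02/2020"},
    {"Name": "10.10.20.5", "Protocol": "ARP", "Last Seen": "20/12/2018"},
    {"Name": "192.168.1.7", "Protocol": "S7Comm", "Last Seen": "01/01/2019"},
]
KEYWORDS = {"AND", "OR", "IN", "NOTIN", "BETWEEN"}
LIST_OPS = ("IN", "NOTIN", "BETWEEN")  # operators whose operand is a bracketed value list
# Tokens: quoted strings (straight or curly quotes, as the guide prints them), operators, bare words.
TOKEN_RE = re.compile(r'\s*(?:(?P<str>"[^"]*"|“[^”]*”)'
                      r'|(?P<op>!=|!~|~|=|\(|\)|,)'
                      r'|(?P<word>[^\s(),"“”=!~]+))')

def tokenize(query):
    """Split a CQL string into (kind, text) tokens; kind is str, op, kw or word."""
    tokens, pos, query = [], 0, query.strip()
    while pos < len(query):
        m = TOKEN_RE.match(query, pos)
        if not m:
            raise ValueError(f"cannot tokenize {query[pos:]!r}")
        pos, kind, text = m.end(), m.lastgroup, m.group(m.lastgroup)
        if kind == "str":
            tokens.append(("str", text[1:-1]))
        elif kind == "word" and text.upper() in KEYWORDS:
            tokens.append(("kw", text.upper()))
        else:
            tokens.append((kind, text))
    return tokens

def take(toks, expect=None):
    """Consume the next token; fail clearly if the query ended or the token is unexpected."""
    if not toks or (expect and toks[0] != expect):
        raise ValueError(f"expected {expect or 'more input'}, got {toks[:1]}")
    return toks.pop(0)

def parse_expr(toks):  # expr := term (OR term)*
    node = parse_term(toks)
    while toks[:1] == [("kw", "OR")]:
        toks.pop(0)
        node = ("OR", node, parse_term(toks))
    return node

def parse_term(toks):  # term := factor (AND factor)*, so AND binds tighter than OR
    node = parse_factor(toks)
    while toks[:1] == [("kw", "AND")]:
        toks.pop(0)
        node = ("AND", node, parse_factor(toks))
    return node

def parse_factor(toks):  # factor := field op value | field list-op (v1, v2, ...)
    field, op = take(toks)[1], take(toks)[1]  # field is bare (Name) or quoted ("Last Seen")
    if op not in LIST_OPS:
        return (op, field, take(toks)[1])
    take(toks, ("op", "("))
    values = [take(toks)[1]]
    while toks[:1] == [("op", ",")]:
        toks.pop(0)
        values.append(take(toks)[1])
    take(toks, ("op", ")"))
    return (op, field, values)

def coerce(raw):  # BETWEEN operand: date (assumed DD/MM/YYYY), number, or plain text
    text = str(raw)
    if re.fullmatch(r"\d{1,2}/\d{1,2}/\d{4}", text):
        return datetime.strptime(text, "%d/%m/%Y")
    try:
        return float(text)
    except ValueError:
        return text

COMPARE = {  # actual record value (as text) vs. the query operand
    "=": lambda a, v: a == v,
    "!=": lambda a, v: a != v,
    "~": lambda a, v: v in a,  # Like: substring match
    "!~": lambda a, v: v not in a,
    "IN": lambda a, v: a in v,
    "NOTIN": lambda a, v: a not in v,
    "BETWEEN": lambda a, v: coerce(v[0]) <= coerce(a) <= coerce(v[1]),  # inclusive
}

def evaluate(node, record):
    """Return True when the record satisfies the parsed query tree."""
    if node[0] in ("AND", "OR"):
        left, right = evaluate(node[1], record), evaluate(node[2], record)
        return (left and right) if node[0] == "AND" else (left or right)
    op, field, operand = node
    return field in record and COMPARE[op](str(record[field]), operand)

def run_query(query, records=ASSETS):
    """Parse a CQL query and return the Name of every matching record."""
    toks = tokenize(query)
    tree = parse_expr(toks)
    if toks:
        raise ValueError(f"unexpected trailing tokens: {toks}")
    return [r["Name"] for r in records if evaluate(tree, r)]
```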

CTD Query Language (CQL) Tooltips in Widgets

Hovering over any custom-made widget shows a tooltip revealing the underlying CQL query that
produced the graph’s results.

Figure 194. Query Tooltip When Hovering Over Widget

If the tooltip does not appear, move the mouse to an empty space on the graph until it appears.

8.1.6. Deleting a Custom Widget


Custom widgets can be deleted from the widget catalog in the Add Widget window. This window
is accessed from both Reports and the Visibility, Risk & Vulnerabilities, and Threat Detection
Overviews.

Important
Deleting a widget from the widget catalog permanently removes it not only from the
catalog, but from all Reports and Overviews in which it was used.

To delete a widget:


1. Open the Add Widgets window.


• In Reports - Click any of the + Add Widgets buttons.
• In Overviews - Do the following:
a. Click the More icon > Edit.

b. Click + Add Widgets.


The Add Widgets window opens.
2. In the left pane, click Custom Widgets.

Figure 195. Custom Widgets in the Add Widget Window

3. Scroll through the right pane to find the widget you want to delete.
4. Click the delete icon.
The widget is deleted from the catalog, and all Reports and Overviews in which it was used.


8.1.7. Example - Creating an “OT Assets by Vendor” Widget and Adding it to an Overview

OT Engineers at a site want to be able to see all of the site’s OT assets per vendor at the top of
the Visibility Overview. This is accomplished in two steps:

1. Create an "OT Assets by Vendor" widget.


2. Add it to the Visibility Overview.

8.1.7.1. Create the Widget

1. Go to Visibility > Assets


2. Filter the list for OT Assets by selecting OT from the Class filter.

Figure 196. Filtering Asset List for OT Assets

3. Click More > Create a Widget. The Create a Widget dialog opens with your filter:


• Displayed as a graph with default settings


• Transformed into query language (CQL):

Figure 197. Create a Widget Dialog

4. Create a horizontal bar chart of OT assets grouped by vendor:


• In Name, type OT Assets by Vendor.
• In Chart Type, select Horizontal Bar.
• In Group by, select Vendor.


Figure 198. Adjusting the Title, Chart Type and Group By Choices for a Widget

5. Click Save.

8.1.7.2. Add the Widget to the Visibility Overview

1. Navigate to Visibility > Overview.


2. Because this widget should be available to anyone viewing the default Visibility Overview,
leave Default View selected in the view selector.


Figure 199. Default Visibility Overview

3. Click More > Edit.

4. Click Add Widgets.


5. In the Add Widgets dialog, select Custom Widgets, choose the “OT Assets by Vendor”
widget you created previously, and click Done.


Figure 200. Selecting the Relevant Widget to Add to the Overview

The widget is added to the bottom of the Visibility Overview.


6. Drag the widget to the top right corner of the Overview.
7. Click Save.

8.2. Setting the Homepage


Depending on your role, you might want the Dashboard or one of the Overviews - Visibility, Risk
& Vulnerabilities, Threat Detection - to display by default when you enter CTD.

The homepage is set per User.

To set the homepage:

1. Navigate to the desired Dashboard or Overview.

2. In the upper right corner of the content area, click More > Set as home page.


8.3. Activity Log

The Activity Log records activities performed in CTD in the last year by users and by the
system. This list provides the activities that took place on the EMC and the Sites.

These activity logs also include data loaded into CTD from CSV import, Project Files, and Active
Queries.

Activity Logs can be transmitted to SIEM tools using Syslog. To learn more, see CEF Latest:
Activity Log.

8.3.1. Opening the Activity Log


To open the Activity Log, navigate in the main menu to Settings > Activity Log.

Figure 201. Activity Log

The activities are listed in chronological order, with the newest items appearing at the top.


8.3.2. Activity Log Details


The following information is available about each Activity:

• Site - (EMC only) The name of the site on which the activity took place, or Central if on the
EMC
• Time - Date and time the activity took place
• User Name - Name of the user who performed the activity
• Category - Major areas of CTD, such as Alerts, Assets, and Zone Rules.
• Action - A brief description of the activity
• Description - A detailed explanation of the activity
• Action Status - Success, Failure, or Error
• Log Type - System or User log

Note
When the Log Type is System, the User Name is always N/A.

For a full list of Categories and their related Actions, see Supported Activities - Categories and
Actions.

8.3.3. Filtering, Searching, and Sorting the Activity Log


To investigate operations that occurred in your system, you can filter, search, and sort the
Activity Log.

• You can filter the Activity Log using any of these filters:
• Site
• Category
• Action
• Action Status
• Log Type
• You can search for Activities by typing any part of the activity description into the Search by
field and pressing <Enter>.
• You can sort the list by date by clicking the Time column heading.

In this example, the Activity Log is filtered by the Alert Assigned action. This displays all
activities where alerts were assigned to users to review.

Figure 202. Activity Log Filtered by the Alert Assigned Action

8.3.4. Activity Log Retention Period


Activity Log entries are retained in the system for 365 days. This can be extended by Claroty
Support for up to 3 years.

8.3.5. Supported Activities - Categories and Actions


This table lists each category and its related actions.

Table 11. Activity Log - Categories and Actions

Category Action
Active Detection Tasks
Task Created
Task Deleted

Task Stopped
Task Updated
Query Created
Query Deleted
Query Updated
Alert Alert
Alert Assigned
Alert Comment Added
Alert Comment Deleted
Alert Comment Updated
Alert Resolved
Alert Scoring Calculated
Assets Asset Cleaner
Asset Comment Added
Asset Deleted
CSV Imported
Asset Info Updated
Assets Merged
Asset Retention Asset Retention Rule Created
Asset Retention Rule Deleted
Asset Retention Rule Run
Asset Retention Rule Updated
Baselines Baseline Deleted
Remote Connection
Dashboard View Dashboard Created
Dashboard Deleted
Dashboard Updated
Widget Created
Widget Deleted
Data Sources Interface Configuration
Matcher
Matcher Created
Matcher Deleted

Matcher Updated
NAT Configuration Uploaded
Netflow Host Added
Netflow Host Updated
Netflow Host Deleted
Netflow Port Updated
Network
Network Created
Network Deleted
Network Renamed
Network Updated
PCAP Deleted
PCAP Uploaded
Play PCAP
Project Files Parser Configuration Added
Project Files Parser Configuration Deleted
Project Files Parser Configuration Updated
Project Files Parsing - One Time
Project File Parsing - Recurring
Recorded PCAP deletion
Email Notification Email Notifications
Enterprise Management Auto Upgrade Sites
Cloud Connection
Cloud Updates
Deployment Architecture
Site Image Deleted
Site Image Uploaded
Updates
Upgrade
Insights Insights Calculated
Insight Comment Added
Insights Comment Deleted
Insights Comment Updated

Insight Marked
Insight Status Updated
Integrations CrowdStrike
Integration Configuration
License License Expired
License Renewed
License Updated
Reports Report Created
Report Deleted
Reports
Report Scheduling Created
Report Scheduling Updated
Report Updated
Rules Auto Resolve Rule Created
Auto Resolve Rule Deleted
Baseline Rule Added
Baseline Rule Deleted
Baseline Rule Updated
Network Signatures
Network Signature Created
Network Signature Deleted
Network Signature Updated
Rule Added
Rule Deleted
Rule Updated
YARA Rule
YARA Rule Created
YARA Rule Deleted
YARA Rule Updated
Subnets CSV Imported
Subnet Added
Subnet Auto Learning
Subnet Deleted

Subnet Imported
Subnets Reclassified
Subnet Tag Added
Subnet Tag Deleted
Subnet Tag Updated
Subnet Updated
System Health Bootstrap
Communication
DB Cleaner
Site Communication Down
Site Communication Up
Site Down
Site Up
Site Synchronization
System Management Alert Capture File Settings Updated
Application Restart
Auto Change Mode
Backup
Changed to Operational Mode
Changed to Training Mode
Custom Attributes
Custom Attributes Created
Custom Attributes Deleted
Custom Attributes Updated
DB Passwords Updated
Site Custom Attributes Updated
Site/EMC Info Updated
Zone Grouping Method Updated
Zone Grouping Algorithm Updated
Threat Detection Settings Alert Sensitivity Updated
Threat Intel Bundle
Zones Zones
Zones Auto Generated

Zone Created
Zone Criticality Updated
Zone Deleted
Zone Description Updated
Zone Renamed
Zone Updated
Zone Rules Policy Added
Policy Deleted
Policy Invalidated
Policy Validated
Policy Updated

8.3.6. Details of Activity Logging

8.3.6.1. Failed Logins in the Activity Log


An activity is logged in the Activity Log after 5 failed logins.

8.3.6.2. Custom Attributes in the Activity Log


The Custom Attributes listed in the Activity Log detail which user performed which action, with a
timestamp and, if it is a multiple-site deployment, the relevant site.

The Activity Log records configuration operations (Add/Delete/Update) for Custom Attributes as
well as their usage. When a user changes the application or value of a Custom Attribute, the
system logs the corresponding asset name and its value, including the site and the network in
which the change occurred. When bulk actions are performed, they are listed per asset.


9. Reports

9.1. About Reports


The CTD reporting mechanism enables you to create rich graphical and textual reports that
meet the needs of multiple stakeholders in your enterprise. It also contains a large collection of
Claroty-created reports that can be used as-is or copied and then modified for various needs.

Reports in CTD are based on two types of data presentation:

• Tables - Data from various tables such as Alerts, Assets, Insights, and others.
Table reports are especially suited to Analysts and SOC staff for investigating incidents
across a large dataset containing thousands of records via CSV export.
• Widgets - Widgets used in the Dashboard and various Overviews.
Widget reports are of interest to executives, who require a high-level data aggregation to
understand trends and security posture direction.

There are three parts to CTD Reports:

• Reports Editor - Use this flexible, feature-rich editor to create reports that contain graphic
representations of data, or widgets, from across CTD.
• Reports Library - The central hub of CTD reporting, the Reports Library contains both Claroty
and user-created table and widget reports. From here you can schedule, download, copy,
edit, and delete reports.
• Scheduled Reports - Used to manage advanced scheduling settings.

9.1.1. Reports in EMC-Managed and Standalone Sites


Reporting is available for both EMC-managed and standalone sites. For EMC-managed sites,
reporting is accessed from the EMC and not from the site.


Note
There is no report creation sync between the EMC and sites. So while it is technically
possible to log directly onto an EMC-managed site and create a report, it will not appear
in the EMC. Likewise, reports created in the EMC do not appear in sites.

9.2. Prerequisite for Sharing Reports


In order to share CTD Reports by email, the system requires prior configuration with an SMTP
Server, which can be configured by Admins as described in Configuring the SMTP Server -
Procedure.

9.3. About Role-Based Access for Reports


CTD's Role-based Access Control (RBAC) determines the reporting actions a user is permitted
to perform and the content they are permitted to access. Reporting actions include creating,
viewing, editing, and scheduling reports. Content access includes the various areas of CTD,
such as Visibility, Risk & Vulnerabilities, Threat Detection, and others. See Assigning Role-
based Permissions (RBAC) for full details.

Reporting actions users are permitted to take are as follows:

• Users with Admin permissions may view, schedule, and immediately download reports that
they create, Claroty-created reports, and those of all other users. They may edit only those
reports they create themselves.
• Users with Manage permissions may view, edit, schedule, and immediately download only
the reports they create themselves. They do not have access to reports created by other
users or to Claroty-created reports.
• Users with View permissions may view the reports they create themselves and schedule
the widget reports they create themselves. They may immediately download both table and
widget reports upon creation.

For Widget Reports, content access determines the content a user is permitted to see in the
Report Editor and send in the report. So if you have Admin reporting actions, but only Threat
Detection content access:


• When you view a report in the Reports Editor that has non-Threat Detection content, you will
see content only for the Threat Detection widgets. The other widgets in the report will contain
a message that you do not have proper permissions to view the content.
• When you send the report, the recipients will receive only the Threat Detection content, even
if they have access to other areas of CTD.

9.4. Creating Table Reports


You can create reports for the current view of the data from each major page (Assets, Alerts,
Baselines, Activity Log, Insights, etc.). You can either:

• Download the report immediately.


• Create a Scheduled Report that can run once or at scheduled times.

9.4.1. Download the Report Immediately

Important
You can download a report for up to 20,000 items (Assets, Alerts, etc.). For a larger
number of items, create a Scheduled Report instead.

To download the report immediately:

1. Filter the page to display the data to download.


2. In the toolbar, click the More icon and then Download.
The Download Report window opens.


Figure 203. Download Report Window

The requested information varies depending on the type of item to be downloaded.


3. Select the options and click Download. The report is downloaded.

9.4.2. Schedule a Report

To schedule a report:

1. Filter the page to display the data to download.


2. In the toolbar, click the More icon and then Create a New Table Report. The Create
Report window opens.


Figure 204. Create Report Window for Assets

The requested information varies depending on the type of item to be downloaded.


3. Edit the information as needed in the Report Details and Display and Data Scope
sections of the window.
4. To automatically email the report, enter the following in the Share With section:


a. Recipients – Enter the name of users or roles, or type in an email address.


b. Email Subject – A subject is already included, but you can adjust it as needed.
c. Email Body – Adjust the text to suit your needs.
5. If you intend to have this report generated on a regular basis, follow the Recurrence steps:
• Pattern – Choose the frequency of your report: select a daily or weekly (the default)
recurrence, then click the relevant days of the week. You can select one or multiple entries.
• Time – By default, the time is set to the current hour. Adjust it to the hour of your choice.
6. Click Create.


9.5. About the Reports Editor

CTD contains an extensive set of widgets that graphically represent various system states
and activities. They are used throughout CTD in the Dashboard and Overviews, and you can
harness their power to create reports. The Report Editor is your tool for creating and editing
widget reports.

Note
For information about creating table reports, see Creating Table Reports.

9.5.1. Opening the Reports Editor


Open the Reports Editor from the Main Menu by selecting Reports > Reports Editor.

9.5.2. Parts of the Reports Editor


The Reports Editor is made up of the following parts:

1. Report Content Pane - Enables you to do the following:


• Navigate throughout your report. Click a heading to jump to that area of the report in the
Report Preview Pane.
• Add, delete, copy, and edit widget content
2. Filters - Specify the dataset of the report by Site and/or Time.
3. Report Preview Pane - Displays a preview of the report.
4. Create/Save/Download buttons - (Depends on whether the report is being created or
edited.)
• Create - Saves the report to the Reports Library after you specify recipients and
scheduling.
• Download - Runs and downloads the report immediately after the report is created.
• Save - Saves changes to the edited report.
• Save As - Saves the edited report as a new report.

9.5.3. Creating a Widget Report

To create a widget report:

1. In the EMC, navigate to Reports > Reports Editor.


2. By default, the report contains data for all Sites in the enterprise within the last day.
• To define specific Sites, select them from the Sites filter.
• To specify a different time period, select it from the Time Range filter.
3. Add widgets to the report.
4. Configure and save report settings by doing the following:
a. Click Create.
The Create Widget Report window opens.


b. Configure the following:
i. In the Report Details section, edit the Report Name and add an optional
Description.
ii. In the Share With section, specify the recipients of the report by searching for a
Role or specific User and selecting it, or by typing in an email address.
iii. If you want the report to run on a recurring basis, configure these settings in the
Recurrence section.
5. Click Create.
A message notifies you whether or not the report was created successfully.

To view the newly-created report in the Reports Library, click the link. Otherwise, click OK.
6. At this point, you can choose to:
• Run and download the report immediately by clicking Download.
• Continue adding widgets and either save the report by clicking Save, or save it as a new
report by clicking Save As.
• Edit the report name and description as needed:
a. At the top of the report content pane, click the edit icon.


The General Report Info window opens.

b. Edit the Report Name and Description as needed. Then click Save.


9.5.3.1. Adding Widgets to a Report


To add widgets to a report:

1. In the Report Content pane, click +Add Widget.


The Add Widgets window opens.

Figure 205. Add Widgets Window

Tip
If you do not see the data you expect, close this window and make sure you
specified the correct period in the Time Range filter.

2. Find and select Predefined (system) or Custom (CTD user-created) widgets to add to the
report by doing the following:
a. Find widgets in the left pane by doing the following:
i. Find predefined widgets by doing either of the following:
• Click the Predefined Widgets heading and scroll through the list
• Click the categories underneath the Predefined Widgets heading to filter the list
by the major sections of the widget catalog
ii. Find Custom widgets by clicking Custom Widgets in the left pane and scrolling
through the list.
b. In the right pane, click a widget to select it. Click again to deselect it.
As you select and deselect widgets, the Widgets Selected count changes.
3. After you finish selecting widgets, click Add Widgets.
The selected widgets are added to the:
• Report Preview pane
• Report Content pane, under the Widgets in Report heading

9.5.4. Editing a Widget Report


You can edit a report by doing any of the following:

• Adding or deleting widgets


• Copying a widget
• Editing widget content
• Changing the order of the widgets in the report


To edit a widget report:

1. Add or delete widgets as needed:

Figure 206. Widgets in Report

• To add widgets, click any of the +Add Widget buttons and add widgets as described in
Adding Widgets to a Report.
• To delete widgets, in the Report Content pane, under the Widgets in Report heading,
do one of the following:
• To delete all widgets in the report, click the trash can icon next to the Widgets in
Report heading.
• To delete specific widgets:
a. Click the More menu of the widget to be removed.


b. Click Remove Widget.

2. Copy a widget and then edit it as needed.


3. Change the order of the widgets by clicking their names under the Widgets in Report
section and dragging them up or down as needed.
4. Save the changes to the current report or create a new one by doing one of the following:
• To save the changes to the report, click Save.
• To save the changes as a separate report:
a. Click Save As.
The Save As: New Report window opens.
b. Update the details as required and click Copy.

Note
If, at any time during the editing process, you leave the Reports Editor without saving, a
confirmation message is displayed.

9.5.4.1. About Global and Local Filtering of Widget Data


By default, a new report will contain data from within the last day.

However, when you first create a report, you can change the time period that is applied to all
widgets. This is the global filter, and it affects the data displayed in the widgets in the Add
Widgets window.


Figure 207. Global Filter

Once you add widgets to your report, you can then edit the time filter for specific widgets. This
local filter overrides the time period specified in the global filter.

If you then change the global filter, you are prompted to choose whether to apply the change to
all widgets, including those with local filters, or only those widgets to which local filters were not
applied.

9.5.4.2. Copying a Widget


You can make a copy of a widget and then modify it to suit the report in which it is included.

1. In the More menu of the widget to be edited, click Copy Widget.
The new widget is created with (Copy) in its Name.
2. You can then proceed to edit the copy. See Creating a Custom Widget.

9.5.4.3. Editing a Widget


The type of content that can be edited in a widget depends on whether it is a Predefined or
Custom widget.

• For predefined widgets, the name and description can be modified.


• For Custom widgets, all the content can be modified.
See Creating a Custom Widget.

9.5.5. Predefined Widget Catalog


The following predefined widgets are available in the Add Widgets window:

Table 12. CTD Widget Catalog

Visibility

• Total Assets by Class - Displays the total number of assets, as well as a breakdown by IT, OT, and IoT.
• Discovered Assets - Displays the breakdown of prominent assets discovered, subdivided into asset
types: OT, IT, External, Broadcast/Multicast, Ghosts, etc. across all sites.
• Number of Assets - Number of Assets per Site.
• Sites with the largest amount of assets - Displays up to 10 sites with the largest amount of assets,
subdivided into asset types: OT, IT, External, Broadcast/Multicast, Ghosts, etc. The vertical bar
graphs are per site. A color legend is displayed to distinguish the most prominent types of assets
in each site.
• IT vs OT Policies - Shows horizontal bar graphs of IT vs. OT policies per site.
• Asset Breakdown - Pie chart showing each asset breakdown per asset Type, Zone, and Subnet per site.
• OT Asset Distribution by Site - The breakdown of the OT assets per type (e.g. PLC, HMI, Engineering
Station).
• IT Asset Distribution by Site - The breakdown of the IT assets per type (e.g. Endpoint, Printer,
Networking) per site.
• IoT Asset Distribution by Site - The breakdown of the IoT assets per type (e.g. Camera, VOIP Phone)
per site.
• Summary - A count of OT Assets, OT Operations, and Write and Execute type OT Operations.
• OT Operation by type - Breaks down the number of alerts for each type of OT operation.
• 10 Latest OT operations - Lists the top 10 most recent OT asset alerts.
• DNS queries over time - A time graph of the number of DNS queries that have occurred.
• Top 10 Frequent DNS Queries - Provides a listing of the top 10 DNS Queries and how often each has
occurred.
• Top 10 Domain Names by Assets - Provides a listing of the top 10 DNS Queries and how often each has
occurred.
• Network Analytics - Graph of bandwidth breakdown per most prevalent protocols.
Note
This widget is only available on standalone sites.
• Top 10 Assets by Process Values Requests - Lists the top 10 assets with the highest Read/Publish or
Write counts.

Insights

• Summary - Shows the Hygiene Score and top 3 Insights for the selected Sites.
• Top Risky Sites by Insight Severity - Shows the volume of top enterprise vulnerable assets, sorted
per site and per Severity level (High, Medium, and Low).
• Zones By Criticality - A pie chart widget of the distribution of the zones per Criticality per site.
• Top 10 Insights - Shows the top 10 most significant insights, sorted by importance.
• Just to Let You Know - List of Insights that highlight the potential issues that were investigated
and do not exist in your system (e.g. Dangerous Protocols, Unpatched Vulnerabilities).
• High Risk Assets by Criticality - Pie chart that shows the distribution of high-risk assets per
criticality per site.
• Assets by Insights Severity - Bar chart that lists the number of assets, sorted per severity level.

Threat Detection

• Threat Detection Summary - Displays the total numbers of open alert stories, open alerts, and
events in the enterprise for the selected time period.
• Top Alerted Sites - Critical Open Alerts by Type - Shows the total number of Critical open alerts
throughout the enterprise and breaks it down graphically by alert family.
• Alert Status - A color-coded bar graph of Alert Stories and Alerts with a count of each alert
severity level.
• Top 10 Recent Alerts - A table highlighting the recent top 10 alerts, displaying their Description,
Score, and Detection date, with a colored dot to indicate the alert’s severity level.
• Top 10 Alerted Assets - Shows a table of the top 10 alerted assets. Sorted by asset Name, it also
includes its asset Type, Criticality level, and number of alert instances in the given timeframe.
Assets with no alerts are not displayed.
• Top 10 Alerted Zones - Shows a table of the top 10 alerted Zones. Sorted by the number of alerts per
Zone, it includes each Zone's Criticality level and number of alert instances in the given
timeframe. Zones that have no alerts are not listed.
• Alerts by Type - A pie chart showing the breakdown of alerts per type and the number of instances
of each type. The top 3 types are named.
• Alerts by Severity - A pie chart of the alert distribution for each severity category in the given
timeframe.
• Alerts by Site - A bar graph that displays the total number of alerts for each Site.
• Alerts Trend - A time graph that shows the distribution and total new alerts based on their alert
types (with a line for each type) for the selected time period.
• Top 10 Recent High & Critical Alerts - Lists up to 25 of the most recent High and Critical alerts.

9.6. About the Reports Library


The Reports Library serves as a centralized hub for organizing all the Table and Widget reports
within the system. It encompasses a comprehensive range of reports, including those generated
by users and a selection of pre-configured reports that can be copied and customized as
necessary.

9.6.1. Reports Library - Widget Reports


The Widget Reports section of the Reports Library contains both Claroty and user-created
reports based on data from various widgets throughout CTD, including those from the
Dashboard and Overviews.

9.6.1.1. Opening the Reports Library


In the EMC, open the Reports Library from the Main Menu by selecting Reports > Reports
Library.


Figure 208. Reports Library - Widget Reports

9.6.1.2. About Predefined Widget Reports


The Report Library contains the following predefined widget reports:

• Visibility Overview Report - Displays CTD’s comprehensive visibility of assets and exposures,
presenting extreme visibility into your network. CTD manages the assets by monitoring traffic
and collecting data passively, actively, through the CTD Edge component, and using Project File
parsing. The Visibility tools reveal the entire OT, IT, and IoT inventories in the environment,
throughout all layers of the network. They enable deep visibility into the ICS assets down to
card/rack slot data where applicable.
• Insights Overview Report - Shows which aspects of the network can be fortified to achieve a
more robust network architecture and enhance the protection of the system. It highlights whether
the system is sufficiently patched by showing gaps in network security.
CTD generates Insights that reveal particular exposures and vulnerabilities, empowering
users to investigate both operational (process) and security insights. This tool provides deep
insights based on the analysis of your entire security posture, producing a holistic picture and


risk assessment across your entire ICS network. These insights are collected from traffic by
SPAN monitoring and ingesting PCAP, Project File, or Active Query data.
This Overview provides a summary of the entire asset inventory and all communications
discovered on the industrial network, pinpointing vulnerable assets and resolutions, while
revealing network configuration and other “network hygiene” issues that can provide attackers
with a means for interfering in critical processes.
• Threat Detection Overview Report - CTD closely inspects every network communication
and collects all events to identify a possible threat. All related events go into a single alert
that notifies of a possible threat to the process, such as an operational anomaly or a security
attack.
The Threat Detection Overview Report displays CTD’s cyber and OT threat detection and
policy violations.
• Risk Assessment Report - A combination widget and table report that begins with an overall
network summary and then progresses to the details.
For further information about this report, see About the Risk Assessment Report.

9.6.1.3. Report Library Details - Widget Reports


The following information is available about each widget report in the library:

• Report Source - Whether the report is a Claroty or Custom (user-created) report.
• Report Name
• Description
• Filters - The filters applied to the data in the system to create the dataset in the report. The number of filters is displayed. Hover the mouse over the filter to display the filters used.
• Created - Date the report was created.
• Created By - (Admin only) The user that created the report.
• Scheduled - Whether or not the report has been scheduled to run.
• Actions - Icons enable you to do the following:
  • Run the report immediately and download the results.
  • Change the scheduling settings for the report.
  • Make a copy of the report.
  • Open the Reports Editor to edit the report content.
  • (Custom report only) Permanently delete the report from the system.

9.6.1.4. Filtering, Searching, and Sorting the Report Library


To find the reports you need, you can filter, search, and sort the reports in the Report Library.

• You can filter the Report Library using any of these filters:
  • Report Source - Whether the report is a Claroty or Custom (user-created) report. Since only Custom reports can be edited or deleted, this filter is useful for displaying only those reports on which you can take action.
  • Scheduled - Whether or not the report has been scheduled. This filter is useful for displaying only reports that have not yet been scheduled.
  • Created By - (Admin only) Lists the users that created reports.
  • Alternately, click Switch to Query View to add Claroty Query Language queries.
• You can search for reports by typing any part of the report name or description in the Search by field and pressing <Enter>.
• You can sort the list by Report Source, Report Name, Created, Created By, Last Sent, and Scheduled by clicking these column headings.

Creating a Widget Report


If you cannot find the widget report you are looking for, and you have the correct role, you can
create it yourself. Click the + Create New Widget Report button to open the Reports Editor and
create a report.

9.6.1.5. Changing the Scheduling Settings for a Report


Change the scheduling settings for a report by doing the following:

1. For the report whose settings you want to change, click Schedule Report in its
Actions column.
The Edit Report window opens.
2. Scroll down to the Recurrence section, click the Click to enable Scheduling Settings
link, and make changes as needed. Then click Update.

9.6.1.6. Making a Copy of a Report


Copying a report is especially useful when you want to use the report as the basis for a new
report. You can then edit the report copy as needed. Scheduling settings are copied from the
source report and can be edited if needed.

To create a copy of a report, click the Copy icon, change the report details as needed in the Copy
Widget Report window, and click Copy.

A success or failure message is displayed, and the copy is added to the library.

Note
You can make a copy of any report except the Risk Assessment Report.

9.6.1.7. Editing a Widget Report


To edit a widget report, click the Edit icon to open the Reports Editor and edit the report.

Note
To edit a Claroty-created widget report, make a copy first and then edit the copy.

9.6.1.8. Deleting a Custom Report


Custom (user-created) reports can be deleted from the system.

To delete a report, click the Delete icon in its Actions column.

Note
Predefined (Claroty-created) reports cannot be deleted.

9.6.1.9. Risk Assessment Report


A summarized Risk Assessment Report can be generated by the system at any time. The
report generation is automatic and faster than manually generated reports.

The Risk Assessment Report starts with an overall network summary and then progresses
to the details. These include the various control process devices, demonstrating how
they communicate within and across the network. It provides specific visibility into your
communication paths and associated devices.

This report provides a Network Hygiene score, which indicates the cumulative risk level that the
alerts, insights, and assets pose to the system. A low value means that your system is more
vulnerable to attacks. This score is calculated based on the critical security insights, CVEs,
and anomalies detected, as well as how many critical assets were identified. When assets with
severe vulnerabilities and alerts affecting them are used along with weak protocols, the score
decreases.

The hygiene score appears together with a list of actionable insights that can help improve
network hygiene, assets, and network statistics. This report can be used as a Key Process
Indicator (KPI) to track progress as part of a security program, as an executive brief, and as a
list of recommended changes.

Since the hygiene score is consolidated into a single score, it can be used to track progress in
reducing the risk and attack surface.

When producing the report on the Enterprise Management Console (EMC) for all sites, be
aware that the data shown is an aggregation of the data from all the sites belonging to that
EMC. As such, the Top Communicators and Protocol Distributions graphs are not displayed
in the report since this particular information does not apply when viewed from the EMC.

9.6.2. Reports Library - Table Reports


The Table Reports section of the Reports Library contains both Claroty and user-created reports
based on data from various tables throughout CTD, such as Alerts, Assets, Insights, and others.

9.6.2.1. Opening the Reports Library


Open the Reports Library from the Main Menu by selecting Reports > Reports Library. Then
click the Table Reports tab.

Figure 209. Reports Library - Table Reports

9.6.2.2. About Predefined Table Reports


The Report Library contains the following predefined table reports:

Table 13. Table Reports

Report - Description
CTD Alerts Ignored/Acknowledged from the last week - Activities of alerts marked as ignored or acknowledged from the last week
CTD Assets Changed IP in the last month - Activities about assets that changed their IP in the last month
CTD Assets discovered in the last week - All assets discovered in the last week
CTD Assets from the Enterprise Security Zone - Assets from the enterprise network (Purdue level 4 and level 5)
CTD Assets from the Industrial Security Zone - Assets in the industrial security zone (Purdue level 3)
CTD Assets performed Data Acquisition Write (Operated PLCs) - All assets that performed a data acquisition write. These assets should be considered potential assets that can change the process by changing values.
CTD Assets that talk with external IPs - Unicast and remote assets that are talking with external assets. External IPs, coupled with their respective network interfaces, expose the asset to users outside of the company's perimeter, enabling attackers to enter the OT network.
CTD Assets using remote connection - All assets using remote connections
CTD Assets with unpatched CVEs - All assets with unpatched vulnerabilities that have Full Match CVEs. These assets, which run vulnerable software versions, can be leveraged by attackers for various malicious purposes such as remote code execution, DDoS, etc.
CTD Assets with unsecured protocols - All assets using unsecured protocols. Assets with unsecured protocols contain security weaknesses that attackers can leverage to compromise the network's security.
CTD Completed Insights - All Insights marked as completed, including vulnerabilities.
CTD Inactive assets from the last week - Unicast assets that did not communicate in the last week
CTD Insights Report - All open Insights (severity: High, Medium, Low)
CTD Insights with High Criticality -
CTD New Alerts from the last week - Critical and High alerts created in the last week and their statuses
CTD Parsed Assets - All assets that were discovered as parsed assets via Project Files
Resolved alerts from the last week - Activities report for alerts that were resolved in the last week
CTD Site connectivity from the last week - Site connectivity status from the last week (site up or down)
CTD Top Risky Assets - Top 10 most risky assets

9.6.2.3. Filtering, Searching, and Sorting the Report Library


To find the reports you need, you can filter, search, and sort the reports in the Report Library.

• You can filter the Report Library using any of these filters:
  • Report Source - Whether the report is a Claroty or Custom (user-created) report. Since only Custom reports can be edited or deleted, this filter is useful for displaying only those reports on which you can take action.
  • Scheduled - Whether or not the report has been scheduled. This filter is useful for displaying only reports that have not yet been scheduled.
  • Created By - (Admin only) Lists the users that created reports.
  • Alternately, click Switch to Query View to add Claroty Query Language queries.
• You can search for reports by typing any part of the report name or description in the Search by field and pressing <Enter>.
• You can sort the list by Report Source, Report Name, Created, Created By, Last Sent, and Scheduled by clicking these column headings.

9.6.2.4. Report Library Details - Table Reports


The following information is available about each report in the library:

• Report Source - Whether the report is a Claroty or Custom (user-created) report.
• Name
• Description
• Export Format - Can be either CSV or PDF.
• Filters - The filters applied to the data in the system to create the dataset in the report. The number of filters is displayed. Hover the mouse over the filter to display the filters used.
• Created - Date the report was created.
• Created By - (Admin only) The user that created the report.
• Scheduled - Whether or not the report has been scheduled to run.
• Actions - Icons enable you to do the following:
  • Run the report immediately and download the results.
  • Change the scheduling settings for the report.
  • Make a copy of the report.
  • (Custom report only) Permanently delete the report from the system.

9.6.2.5. Making a Copy of a Report


Table reports can be created in either CSV or PDF formats, with one format being more
appropriate for a specific audience than another. Also, one audience might want to receive the
report more frequently than another.

In these cases and others, you can make multiple copies of a report and then tailor the format,
recipients, and scheduling settings to various audiences.

Scheduling settings are copied from the source report and can be edited if needed.

9.6.2.6. Deleting a Custom Report


Custom (user-created) reports can be deleted from the system.

To delete a report, click the Delete icon in its Actions column.

Note
Predefined (Claroty-created) reports cannot be deleted.

9.6.2.7. Changing the Scheduling Settings for a Report


Change the scheduling settings for a report by doing the following:

1. For the report whose settings you want to change, click Schedule Report in its
Actions column.
The Edit Report window opens.
2. Scroll down to the Recurrence section, click the Click to enable Scheduling Settings
link, and make changes as needed. Then click Update.

9.7. About Scheduled Reports


Scheduled Reports is a list of each Widget and Table report that has been scheduled to run
either on a one-time or fixed basis. Use this page to manage report scheduling settings.

Figure 210. Scheduled Reports

9.7.1. Opening the Scheduled Reports Page


To open the Scheduled Reports page, navigate in the Main Menu to Reports > Scheduled
Reports.

9.7.2. Scheduled Report Details


The following information is available about each scheduled report:

• Report Type - Options include Table Report or Widget Report. Click the column header to sort the list.
• Report Name
• Report Format - Can be CSV or PDF.
• Recurrence - The scheduling settings.
• Scheduled By - (Admin users only) The name of the user who scheduled the report.
• Recipients - If specified, the email addresses of users who will receive the report.
• Last Sent - Date the scheduled report was last sent.
• Status - Whether the report has been disabled or enabled. Disabling a report is useful when you want to pause it for a period of time, but not completely remove the scheduling settings.
• Actions - Icons enable you to do the following:
  • Run the report immediately and send it to any recipients specified in the scheduling settings.
  • Change the scheduling settings for the report.
  • Delete the scheduling settings for the report.

Note
When you delete a report's scheduling settings, it is removed from the Scheduled
Reports page. However, the report is not deleted from the system and can be
rescheduled from the Report Library.

9.7.3. Filtering, Searching, and Sorting the Scheduled Reports List


To find the reports you need, you can filter, search, and sort the Scheduled Reports list.

• You can filter the Scheduled Reports list using any of these filters:
• Report Type - Options include Table Report and Widget Report.
• Alternately, click Switch to Query View to add Claroty Query Language queries.
• You can search for scheduled reports by typing any part of the report name in the Search by
field and pressing <Enter>.
• You can sort the list by Report Type, Report Name, Report Format, Scheduled By, Last Sent,
and Status by clicking these column headings.

9.7.4. Changing the Scheduling Settings for a Report


Change the scheduling settings for a report by doing the following:

1. For the report whose settings you want to change, click Schedule Report in its
Actions column.
The Edit Report window opens.
2. Scroll down to the Recurrence section, click the Click to enable Scheduling Settings
link, and make changes as needed. Then click Update.

10. Terminology

10.1. Terminology
Table 14. CTD Terminology

Term - Meaning
ACS - Assertion Consumer Service
Actionable - Objects in the system related to an alert.
AD - Active Directory
Alert - An event that may cause a threat or a risk to the security of the network and requires attention and investigation.
Alert Indicator - A predefined characteristic of an alert that affects the alert score.
Alert Score - A number representing the overall alert importance, resulting from the collection of observed indicators and network activities.
App DB - Application Database
ARP - Address Resolution Protocol. A communication protocol used for discovering the link layer address associated with a given IPv4 address, a critical function in the Internet protocol suite. Used for mapping a network address, such as an IPv4 address, to a physical address, such as a MAC address.
Asset - Any distinguishable network entity.
Attack Vector - A path or means by which a hacker can gain access to a computer or network server to deliver a payload or a malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities.
Baseline - The CTD collection of valid network behaviors. An individual baseline represents a command or an instance of communication between two assets.
Baseline Deviation - During training mode, the system learns the existing asset communication and defines a baseline for how a normal asset (or group of assets) behaves on the network in terms of its communication patterns. A baseline deviation occurs when a communication occurs that has not yet been defined. During operational mode, baselines can be changed or further defined by auto-generated virtual zones and user-approved alerts.
BPF - Berkeley Packet Filter. A mechanism to write/read packets to/from the network interface.
CSR - Certificate Signing Request
CAM - Content Addressable Memory table. Used to record a station's MAC address and its corresponding switch port location. Common in Layer 2 switching.
CDP - Cisco Discovery Protocol. A proprietary Data Link Layer protocol developed by Cisco Systems. Used to share information about other directly connected Cisco equipment, such as the operating system version and IP address.
CEF - Common Event Format. A proprietary syslog-based event format that can be used by other vendors.
Chain of Events - A series of alerts/events that are correlated with each other, generate an alert, and require investigation as a group.
CIDR - Classless Inter-Domain Routing. IP address syntax that uses IPv4 address space and prefix aggregation, known as route summarization or supernetting.
CIP - Common Industrial Protocol. Industrial protocol for industrial automation applications.
ClarotyOS - A hardened, purpose-built Linux OS, ready for use with CTD out of the box. Every Claroty Appliance is delivered pre-installed with ClarotyOS for quick deployment.
CMDB - Configuration Management Database. A data repository that acts as a data warehouse or inventory for information technology (IT) installations. It holds data relating to a collection of IT assets and the relationships between assets, and enables understanding the composition of critical assets such as information systems. It also helps organizations track the configuration of components in the system.
Community - Group of CTD devices that are interconnected with the same EMC.
CQL - CTD Query Language. Provided for users to build swift SQL-like query statements for filtering data in the system.
CSV - Comma-separated values. A delimited text file that uses a comma to separate values. A CSV file stores tabular data (numbers and text) in plain text. Each line of the file is a data record. Each record consists of one or more fields, separated by commas. The use of the comma as a field separator is the source of the name for this file format.
CTD - Continuous Threat Detection. The anomaly detection product within the Claroty Platform for ICS networks, providing rapid and concrete situational awareness through real-time alerting. Constantly monitors ICS network traffic and generates alerts for anomalous network behavior that indicates a malicious presence and for changes that have the potential for disrupting the industrial processes.
CTI - Claroty Threat Intelligence. A highly curated, multi-source and tailored feed that enriches Claroty's RCA with proprietary research and analysis of OT zero-day vulnerabilities and ICS-specific Indicators of Compromise (IoC) linked to adversary tactics, techniques and procedures (TTP). CTI's YARA rules, for example, run on OT asset configuration changes and code sections, not just IT artifacts. CTI equips threat hunters and incident responders with the relevant context needed to detect and prevent targeted attacks early in the kill chain and mitigate the consequences of malware infections.
CVE - Common Vulnerabilities and Exposures. A catalog of known security threats. The threats are classified as vulnerabilities or exposures. The CVEs originate in software or firmware, and are identified, standardized and cataloged into a free "dictionary" for organizations to improve their security.
CVSS - Common Vulnerability Scoring System. A standardized method to indicate how critical a specific CVE is.
DCP - Discovery and Basic Configuration Protocol. A protocol definition within the PROFINET context. A link layer-based protocol to configure station names and IP addresses. It is restricted to one subnet and mainly used in small and medium applications without an installed DHCP server.
DDoS - Distributed Denial-of-Service. An attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. In this type of attack, multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for users of the targeted resource.
DHCP - Dynamic Host Configuration Protocol. A network protocol that enables a server to automatically assign an IP address to a computer from a defined range of numbers configured for a given network.
DN - Distinguished Name. The fully qualified name of a domain or network device.
DNP - Distributed Network Protocol. A set of communication protocols used between components in process automation systems.
DNS - Domain Name System. A hierarchical decentralized naming system for computers, services, or other resources connected to the Internet or a private network.
DoS - Denial-of-Service (attack). Also known as DDoS (Distributed Denial of Service).
DPI - Deep Packet Inspection. A form of computer network packet filtering that examines the header and data part of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria. This method is used for identifying specific assets in the ICS network, lines of asset communication, communication timing, protocol communication between assets, types of commands and registers used, and the values of valid responses.
EMC - Enterprise Management Console, i.e. the Central Appliance at operation headquarters.
ENIP - Ethernet Industrial Protocol (Ethernet/IP)
EPSS Score - The likelihood of the vulnerability being exploited in the wild, based on the Exploit Prediction Scoring System (EPSS) model.
Event - A single network event that CTD has collected using Deep Packet Inspection (DPI).
Event Indicator - See Indicator
EWS - Engineering WorkStation. A high-end, very reliable computing platform designed for configuration, maintenance and diagnostics of control system applications and other control system equipment.
FQDN - Fully Qualified Domain Name
FW - Firewall
GDPR - General Data Protection Regulation. A European Union regulation that specifies standards for data protection and electronic privacy in the European Economic Area, and the rights of European citizens to control the processing and distribution of personally identifiable information. Aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
HDD - Hard Disk Drive
HMI - Human-Machine Interface. A software application that presents information to an operator about the state of a process and accepts and implements the operator's control instructions.
HTTP - Hypertext Transfer Protocol. An application protocol for distributed, collaborative, and hypermedia information systems. HTTP is the foundation for data communication on the web.
Hygiene Score - CTD widget displaying the current cumulative risk level posed to the system by the insights. This score comprises the critical security insights, CVEs and anomalies that were detected, as well as how many critical assets were identified. A low hygiene score indicates that the system is highly vulnerable to attacks.
ICMP - Internet Control Message Protocol. A supporting protocol in the Internet protocol suite used by network devices.
ICS - Industrial Control Systems. Control systems used in industrial production, including supervisory control and data acquisition (SCADA) systems.
IdP - Identity Provider. A system entity that creates, maintains, and manages identity information for principals while providing authentication services to relying applications within a federation or distributed network.
IED - Intelligent Electronic Devices
IoC - Indicators of Compromise
Incident - An instance of invalid network activity (network failure, malicious attack, user error, etc.)
Indicator -
  • Static Indicator - Static information that can potentially affect the score of an alert. For example: the asset type, subnet, and virtual zone group.
  • Event Indicator - An observed related network activity that can potentially affect the score of an alert and provides context to the given alert. For example: whether an asset has performed write operations, or whether an asset has communicated using SMBv1.
Insight - Knowledge mined from CTD about the system or about one of the entities in the system.
IoT - Internet of Things. A system of interrelated computing devices, machines or objects that transfer data over a network. CTD's proprietary framework swiftly incorporates and processes these devices and provides micro-segmentation in the same manner as it does for IT and OT assets, with unified visibility, security monitoring and risk assessment. By automatically discovering and classifying IoT devices in the network, CTD correlates them with known vulnerabilities and continuously monitors them.
IoT Matcher - Simple code section in JSON format describing the retrieval of information from an IoT device. These Active HTTP and Telnet queries made to the assets obtain important device information (such as vendor, model, type, OS version, role).
IP - Internet Protocol. A numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. It provides identification of the host or network interface and the device's location address.
IT - Information Technology
JSON - A lightweight format for storing and transporting data, usually used when data is sent from a server to a web page. It is "self-describing" and easy to understand.
Known Threats - CTD uses a sophisticated signature-based database to enhance its capability for identifying known attacks.
KEV - Known Exploited Vulnerabilities. A compilation by CISA of documented security vulnerabilities that have been successfully exploited in the wild. Used in determining the Actively Exploited parameter in Vulnerabilities.
KPI - Key Process Indicator. A quantifiable measure used to evaluate the success of an organization, employee, etc., in meeting performance objectives.
MAC - Media Access Control address. This device address is a unique identifier assigned to a network interface for communication at the data link layer of a network segment.
Master Event - An event whose sensitivity value determines that it is not interesting or relevant enough to be classified as an alert. Also known as an unqualified alert.
MitM - Man-in-the-Middle. Type of attack in which the attacker secretly relays and possibly alters the communication between two parties who believe they are communicating with each other directly.
ML - Machine Learning. CTD's ML alert algorithm delivers fast response without the distracting noise of unnecessary alerts.
MLFB - Order Number
NetFlow - Source of asset data and network anomaly detection whose summarized data flows through the network. Enhances CTD's statistical data for network analytics.
NTP - Network Time Protocol
Operator - A person in charge of operating CTD.
Operational mode - System mode in which the system raises alerts about new assets, baselines, and abnormal communication, having already learned the necessary information about the network communications in the site from Training mode.
OS - Operating System
OT - Operational Technology. Hardware and software that detect or cause a change through the direct monitoring and/or control of physical devices, processes and events in the enterprise.
PCAP - Packet Capture. By using PCAPs to record events, CTD can display which information was changed during a particular action/activity.
PCS 7 - SIMATIC PCS 7 Process Control System.
Ping Sweep - AKA an Internet Control Message Protocol (ICMP) sweep. A supporting protocol in the Internet protocol suite used by network devices, including routers, to send error messages and operational information indicating, for example, that a requested service is not available or that a host or router could not be reached. Whereas a single ping will tell you whether one specified host computer exists on the network, a ping sweep consists of ICMP ECHO requests sent to multiple hosts; if a given address is live, it will return an ICMP ECHO reply.
PLC - Programmable Logic Controller. An industrial digital computer that has been ruggedized and adapted for the control of manufacturing processes.
Policy Rule - An expression that differentiates between communication that is considered a corporate policy violation and that which is allowed.
Policy Violation - Type of alert triggered when the detected communication did not match any explicit 'Allow' or 'Alert' policy rule.
PsExec - A lightweight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.
RCA - Root Cause Analytics. This CTD feature provides visibility into the chain of events leading up to every single alert, which is particularly important for OT security alerts. RCA enables fast and easy triage of alerts, as well as proactive threat hunting. By providing the context surrounding the associated threat and risk, RCA helps users hunt for threats and resolve security events.
RTU - Remote Terminal Unit. A multipurpose device used for remote monitoring and control of various devices and systems for automation. It is typically deployed in an industrial environment and serves a similar purpose to PLCs but to a higher degree.
SAML Security Assertion Markup Language. An open standard for exchanging
authentication and authorization data between parties, in particular, between an
identity provider (IdP) and a service provider SP. SAML is an XML-based markup
language for security assertions (statements that service providers use to make
access-control decisions).
S7Comm Siemens proprietary protocol that runs between PLCs of the Siemens S7-300/400
family
SCADA Supervisory Control And Data Acquisition
Sensitivity Entity that controls the level to be used when correlating between associated alerts.
For example, high sensitivity is in effect when the user trusts the communication
between zones.

Events that cross a sensitivity threshold are considered "qualified" and become
alerts.
SIEM Security Information and Event Management
SMB Server Message Block. SMB operates as an application-layer network protocol
mainly used for providing shared access to files, printers, and serial ports and
miscellaneous communications between nodes on a network. It also provides an
authenticated inter-process communication mechanism.
SMTP Simple Mail Transfer Protocol. An Internet standard for electronic mail (email)
transmission.
SNMP Simple Network Management Protocol
SOC Security Operations Center. A centralized unit dealing with security issues on an
organizational and technical level.
SP Service Provider. A system entity that receives and accepts authentication
assertions
SPAN Switched Port Analyzer. Used to monitor network traffic. With port mirroring
enabled, the SPAN switch sends a copy of all network packets seen on one port (or
an entire VLAN) to another port, where the packet can be analyzed.
SSH Secure Shell. Cryptographic network protocol for operating network services
securely over an unsecured network. Provides administrators with a secure way
to access a remote computer. This encryption and protocol technology is used to
connect two computers to lock out eavesdroppers by encrypting the connection and
scrambling the transmitted data so it is meaningless to anyone outside of the two
computers.
SSL Secure Sockets Layer. Standard security technology for establishing an encrypted
link between a web server and a browser. This link ensures that all data passed
between the web server and browsers remain private and integral.
Story See Chain of Events
Subnet A group of IPs. Used to segregate the internet

SYN
    A type of Distributed Denial of Service (DDoS) attack that exploits part of the normal TCP three-way handshake to consume resources on the targeted server and render it unresponsive.

TCP
    Transmission Control Protocol.

Training mode
    Learning mode in which CTD dynamically profiles the site's normal process behavior, assembling a baseline by observing all network traffic and registering it as valid. Alerts are triggered for critical changes and security risks, and newly discovered assets and communication patterns are recorded in the baseline as shown on the System Management page.

UDP
    User Datagram Protocol.

UEFI
    Unified Extensible Firmware Interface. A specification for a software program that connects a computer's firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on.

UI
    User Interface.

UPS
    Uninterruptible Power Supply.

User
    A person using the CTD web interface.

UUID
    Unique User Identification.

Virtual Zones
    Capability for grouping related assets in a logical view. Virtual Zones allow definition of a Baseline Deviation alert policy for each Virtual Zone or for communication between Virtual Zones.

VM
    Virtual Machine.

WMI
    Windows Management Instrumentation. The infrastructure for management data and operations on Windows-based operating systems.

Zones
    See Virtual Zones.
