cef0.claroty.ctd

Introduction

The table cef0.claroty.ctd identifies events in CEF format generated by Claroty CTD.

Tag structure

Events in CEF format don't have a specific tag structure, as explained in Technologies supported in CEF syslog format. They are always sent to a table with the structure cef0.deviceVendor.deviceProduct.

In this case, the valid data tables are:

  • cef0.claroty.ctd 

How is the data sent to Devo?

Learn more about CEF syslog format and how Devo tags these events in Technologies supported in CEF syslog format.

Log samples

The following is a sample log sent to cef0.claroty.ctd. Under the sample log you will find how the information is parsed in your data table.

Extra columns

Fields marked as Extra in the table below are not shown by default in data tables and need to be explicitly requested in the query. You can find them marked as Extra when you perform a query so they can be easily identified. Learn more about this in Selecting unrevealed columns.

cef0.claroty.ctd 

2021-12-10 12:07:16.490 localhost=127.0.0.1 14 CEF: 0|Claroty|CTD|4.3.0|Alert/Port Scan|Port Scan|10|src=10.28.35.202 dst=10.28.35.40 smac=00:00:00:00:00:00 shost=L51-AP-CB4 dmac=00:00:00:00:00:00 externalId=1211895 cat=Security/Port Scan start=Dec 01 2021 11:49:00 msg=TCP Port Scan: Asset 10.28.35.202 sent probe packets to 10.28.35.40 IP address on different ports. deviceExternalId=ama-Ctdpoc cs1Label=SourceAssetType cs1=HMI cs3Label=SourceZone cs3=ama-IDF03_BIR cs4Label=DestZone cs4=Broadcast/Multicast cs6Label=CTDlink cs6=https://asd.asd/asd/alert/1211895-2 cn1Label=IndicatorScore cn1=100

And this is how the log would be parsed:

| Field | Value | Type | Source field name | Extra fields |
|---|---|---|---|---|
| eventdate | 2021-12-10 12:07:16.49 | timestamp | | |
| hostname | localhost | str | | |
| priorityCode | 14 | str | | |
| cefTag | CEF | str | | |
| cefVersion | 0 | str | | |
| embDeviceVendor | Claroty | str | | |
| embDeviceProduct | CTD | str | | |
| deviceVersion | 4.3.0 | str | | |
| signatureID | Alert/Port Scan | str | | |
| name | Port Scan | str | | |
| severity | 10 | str | | |
| duid | null | str | | |
| dvchost | null | str | | |
| outcome | null | str | | |
| requestClientApplication | null | str | | |
| requestCookies | null | str | | |
| requestMethod | null | str | | |
| src | 10.28.35.202 | ip4 | | |
| smac | 00:00:00:00:00:00 | str | | |
| shost | L51-AP-CB4 | str | | |
| dst | 10.28.35.40 | ip4 | | |
| dmac | 00:00:00:00:00:00 | str | | |
| dhost | null | str | | |
| externalId | 1211895 | int8 | | |
| cat | Security/Port Scan | str | | |
| rt | null | timestamp | | |
| msg | TCP Port Scan: Asset 10.28.35.202 sent probe packets to 10.28.35.40 IP address on different ports. | str | | |
| start | 2021-12-01 11:49:00.0 | timestamp | | |
| deviceExternalId | ama-Ctdpoc | str | | |
| cs1Label | SourceAssetType | str | | |
| cs1 | HMI | str | | |
| cs2Label | null | str | | |
| cs2 | null | str | | |
| cs3Label | SourceZone | str | | |
| cs3 | ama-IDF03_BIR | str | | |
| cs4Label | DestZone | str | | |
| cs4 | Broadcast/Multicast | str | | |
| cs6Label | CTDlink | str | | |
| cs6 | https://asd.asd/asd/alert/1211895-2 | str | | |
| cn1Label | IndicatorScore | str | | |
| cn1 | 100 | int8 | | |
| hostchain | localhost=127.0.0.1 | str | | ✓ |
| tag | CEF | str | cefTag | ✓ |
| rawMessage | CEF: 0\|Claroty\|CTD\|4.3.0\|Alert/Port Scan\|Port Scan\|10\|src=10.28.35.202 dst=10.28.35.40 smac=00:00:00:00:00:00 shost=L51-AP-CB4 dmac=00:00:00:00:00:00 externalId=1211895 cat=Security/Port Scan start=Dec 01 2021 11:49:00 msg=TCP Port Scan: Asset 10.28.35.202 sent probe packets to 10.28.35.40 IP address on different ports. deviceExternalId=ama-Ctdpoc cs1Label=SourceAssetType cs1=HMI cs3Label=SourceZone cs3=ama-IDF03_BIR cs4Label=DestZone cs4=Broadcast/Multicast cs6Label=CTDlink cs6=https://asd.asd/asd/alert/1211895-2 cn1Label=IndicatorScore cn1=100 | str | | ✓ |
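As an added example (not Devo's parser and not Claroty code), the Python below reproduces the field mapping in the table from the framed sample line: the CEF header is split on |, the extension on key=value pairs whose values may contain spaces (cat, start, msg), and externalId, cn1 and start are converted to the int8 and timestamp types the table lists. The framing regex (eventdate, hostchain, priority code, CEF body) and the helper that pairs csNLabel/cnNLabel with csN/cnN are assumptions about the sample's layout, not Devo's implementation.

```python
# Added example, not Devo's or Claroty's code: parse the framed CEF line above into
# the table's fields. A new extension key is recognised only as whitespace + word=.
import re
from datetime import datetime

# Constructed sample: the log line shown above, with the same syslog framing.
SAMPLE = (
    "2021-12-10 12:07:16.490 localhost=127.0.0.1 14 CEF: 0|Claroty|CTD|4.3.0|"
    "Alert/Port Scan|Port Scan|10|src=10.28.35.202 dst=10.28.35.40 "
    "smac=00:00:00:00:00:00 shost=L51-AP-CB4 dmac=00:00:00:00:00:00 "
    "externalId=1211895 cat=Security/Port Scan start=Dec 01 2021 11:49:00 "
    "msg=TCP Port Scan: Asset 10.28.35.202 sent probe packets to 10.28.35.40 "
    "IP address on different ports. deviceExternalId=ama-Ctdpoc "
    "cs1Label=SourceAssetType cs1=HMI cs3Label=SourceZone cs3=ama-IDF03_BIR "
    "cs4Label=DestZone cs4=Broadcast/Multicast cs6Label=CTDlink "
    "cs6=https://asd.asd/asd/alert/1211895-2 cn1Label=IndicatorScore cn1=100"
)
# Assumed framing, as in the sample: eventdate, hostchain, priority code, CEF body.
FRAME_RE = re.compile(r"(\S+ \S+) (\S+) (\d+) (CEF: ?\d\|.*)$")
HEADER = ["embDeviceVendor", "embDeviceProduct", "deviceVersion",
          "signatureID", "name", "severity"]
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # values may contain spaces
INT_FIELDS = {"externalId", "cn1"}                  # int8 in the table
TS_FIELDS = {"start", "rt"}                         # timestamp, e.g. 'Dec 01 2021 11:49:00'


def parse_ctd_cef(line: str) -> dict:
    m = FRAME_RE.match(line)
    if not m:
        raise ValueError("line is not a framed CEF event")
    eventdate, hostchain, prio, raw = m.groups()
    fields = {"eventdate": eventdate, "hostchain": hostchain,
              "priorityCode": prio, "rawMessage": raw}
    parts = raw.split("|", 7)           # 7 header fields; extension keeps any later '|'
    tag, version = parts[0].split(":", 1)   # 'CEF: 0' -> cefTag 'CEF', cefVersion '0'
    fields["cefTag"], fields["cefVersion"] = tag, version.strip()
    fields.update(zip(HEADER, parts[1:7]))
    for key, value in EXT_RE.findall(parts[7]):
        if key in INT_FIELDS:
            fields[key] = int(value)
        elif key in TS_FIELDS:
            fields[key] = datetime.strptime(value, "%b %d %Y %H:%M:%S")
        else:
            fields[key] = value
    return fields


def labelled_customs(fields: dict) -> dict:
    """Pair csNLabel/cnNLabel with csN/cnN so CTD's meaning (SourceZone, IndicatorScore) is explicit."""
    return {label: fields[key[:-5]] for key, label in fields.items()
            if key.endswith("Label") and key[:-5] in fields}
```

Querying by the label-resolved names (for example IndicatorScore or DestZone) is usually more robust than hard-coding cs3 or cn1, since Claroty can assign the custom slots differently between alert types.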