What Changed

Claroty solution version 3.0.5 addresses Content Doctor recommendations across 9 analytic rules and 10 hunting queries. Changes include improved entity mappings, enhanced alert details, additional MITRE technique coverage, and strengthened query logic for better detection fidelity.

Detection Logic (9 Rules Updated)

  • Critical Baseline Deviation: Added alert customization and T1565.001 (Data Manipulation: Stored Data Manipulation) mapping
  • Login to Uncommon Location: Improved user extraction and site comparison logic using set operations
  • Multiple Failed Logins: Enhanced with the Credential Access tactic and T1110 (Brute Force) mapping, plus better username extraction
  • Failed Logins Same Destination: Strengthened threshold monitoring with tracking of the sample usernames involved
  • New Asset: Added the Discovery tactic with T1082 (System Information Discovery) and custom alert formatting
  • Policy Violation: Enhanced with T1135 (Network Share Discovery) mapping and custom details
  • Suspicious Activity: Added alert customization and event type details
  • Suspicious File Transfer: Expanded with the Exfiltration tactic and T1020 (Automated Exfiltration), plus improved formatting
  • Threat Detection: Added the Reconnaissance tactic and T1595 (Active Scanning), plus enhanced alert details
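The two query-logic changes above, threshold monitoring with sample user tracking (Failed Logins Same Destination) and site comparison using set operations (Login to Uncommon Location), illustrated as an added Python example. This is not code from the Claroty solution, whose rules are KQL over CommonSecurityLog in Microsoft Sentinel; the CEF lines are constructed, and the `site` extension key and the "Login" / "Failed Login" event names are assumptions, not Claroty's actual field values. The example goes slightly beyond the rules as described by using a sliding time window and by skipping users who have no baseline at all, the edge case that otherwise turns every first login into an alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CEF-style records, not real Claroty CTD output. suser/src/dst/rt are
# standard CEF extension keys; the "site" key and the "Login" / "Failed Login"
# event names are assumptions made for this example.
SAMPLE_EVENTS = [
    # baseline week: successful logins establishing each user's known sites
    "CEF:0|Claroty|CTD|4.0|100|Login|3|rt=2024-05-01T08:00:00Z suser=ops1 src=10.0.1.5 dst=10.0.2.10 site=PlantA",
    "CEF:0|Claroty|CTD|4.0|100|Login|3|rt=2024-05-01T09:00:00Z suser=ops1 src=10.0.1.6 dst=10.0.2.11 site=PlantB",
    "CEF:0|Claroty|CTD|4.0|100|Login|3|rt=2024-05-01T09:30:00Z suser=ops2 src=10.0.1.7 dst=10.0.2.10 site=PlantA",
    # current window: ops1 at a known site, ops2 at a site never seen for that user
    "CEF:0|Claroty|CTD|4.0|100|Login|3|rt=2024-05-08T08:05:00Z suser=ops1 src=10.0.1.6 dst=10.0.2.11 site=PlantB",
    "CEF:0|Claroty|CTD|4.0|100|Login|3|rt=2024-05-08T08:10:00Z suser=ops2 src=10.0.3.9 dst=10.0.2.10 site=PlantC",
    # burst of failures against one destination from three accounts within six minutes
    "CEF:0|Claroty|CTD|4.0|101|Failed Login|5|rt=2024-05-08T08:20:00Z suser=ops1 src=10.0.3.9 dst=10.0.2.10 site=PlantC",
    "CEF:0|Claroty|CTD|4.0|101|Failed Login|5|rt=2024-05-08T08:21:00Z suser=ops2 src=10.0.3.9 dst=10.0.2.10 site=PlantC",
    "CEF:0|Claroty|CTD|4.0|101|Failed Login|5|rt=2024-05-08T08:22:00Z suser=ops1 src=10.0.3.9 dst=10.0.2.10 site=PlantC",
    "CEF:0|Claroty|CTD|4.0|101|Failed Login|5|rt=2024-05-08T08:23:00Z suser=svc1 src=10.0.3.9 dst=10.0.2.10 site=PlantC",
    "CEF:0|Claroty|CTD|4.0|101|Failed Login|5|rt=2024-05-08T08:24:00Z suser=ops2 src=10.0.3.9 dst=10.0.2.10 site=PlantC",
    "CEF:0|Claroty|CTD|4.0|101|Failed Login|5|rt=2024-05-08T08:25:00Z suser=ops1 src=10.0.3.9 dst=10.0.2.10 site=PlantC",
    # a single failure elsewhere: stays below the threshold
    "CEF:0|Claroty|CTD|4.0|101|Failed Login|5|rt=2024-05-08T08:30:00Z suser=ops1 src=10.0.1.5 dst=10.0.2.12 site=PlantA",
]

# key=value pairs; a value runs until the next " key=", so values may contain spaces
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict.
    Escaped pipes (\\|) inside header fields are not handled; the sample has none."""
    parts = line.split("|", 7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError(f"not a CEF record: {line[:40]!r}")
    ev = {"vendor": parts[1], "product": parts[2], "sig_id": parts[4],
          "name": parts[5], "severity": int(parts[6])}
    ev.update(dict(_EXT_RE.findall(parts[7])))
    # constructed rt values are ISO-8601; real CEF feeds often carry epoch millis instead
    ev["time"] = datetime.fromisoformat(ev["rt"].replace("Z", "+00:00"))
    return ev


def failed_logins_same_destination(events, threshold=5, window=timedelta(minutes=10), max_samples=5):
    """Flag a destination that receives >= threshold failed logins inside a sliding window.
    Like a KQL summarize with make_set(suser, max_samples), the alert carries a bounded
    sample of usernames plus the true distinct count, so the payload does not grow with
    the attack but analysts still see who was involved."""
    by_dst = defaultdict(list)
    for ev in events:
        if ev["name"] == "Failed Login":
            by_dst[ev["dst"]].append(ev)
    alerts = {}
    for dst, fails in by_dst.items():
        fails.sort(key=lambda e: e["time"])
        best, j = (0, 0, 0), 0  # (count, start index, end index) of the densest window
        for i in range(len(fails)):
            while fails[i]["time"] - fails[j]["time"] > window:
                j += 1
            if i - j + 1 > best[0]:
                best = (i - j + 1, j, i)
        count, start, end = best
        if count < threshold:
            continue
        hit = fails[start:end + 1]
        users = sorted({e["suser"] for e in hit})
        alerts[dst] = {"count": count, "distinct_users": len(users),
                       "sample_users": users[:max_samples],
                       "sources": sorted({e["src"] for e in hit}),
                       "first": hit[0]["time"], "last": hit[-1]["time"]}
    return alerts


def login_to_uncommon_site(events, cutoff, require_baseline=True):
    """Set comparison: sites seen per user before `cutoff` form the baseline, and the
    sites used at or after `cutoff` minus that baseline are the anomalies. A user with
    no history would otherwise flag every site, so such users are skipped unless
    require_baseline=False."""
    known, current = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev["name"] != "Login":
            continue
        (known if ev["time"] < cutoff else current)[ev["suser"]].add(ev["site"])
    alerts = []
    for user, sites in current.items():
        if not known[user] and require_baseline:
            continue
        new_sites = sites - known[user]
        if new_sites:
            alerts.append({"user": user, "new_sites": sorted(new_sites),
                           "known_sites": sorted(known[user])})
    return alerts


CUTOFF = datetime(2024, 5, 8, tzinfo=timezone.utc)  # start of the "current" window


def run_sample():
    events = [parse_cef(line) for line in SAMPLE_EVENTS]
    return failed_logins_same_destination(events), login_to_uncommon_site(events, CUTOFF)


if __name__ == "__main__":
    fails, uncommon = run_sample()
    for dst, a in fails.items():
        print(f"{a['count']} failed logins to {dst} from {a['distinct_users']} users, sample={a['sample_users']}")
    for a in uncommon:
        print(f"{a['user']} logged in from unseen site(s) {a['new_sites']}; known {a['known_sites']}")
```

Running it reports six failures against 10.0.2.10 from three users (the single failure against 10.0.2.12 stays under the threshold) and ops2's login from PlantC, which is absent from that user's baseline. In the real rules the same shape is expressed in KQL over CommonSecurityLog; the point carried over is that the threshold alert keeps a bounded user sample and the site check is a set difference against per-user history rather than a global allow-list.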

MITRE Mapping

Additional technique coverage includes:

  • T1565.001 (Data Manipulation: Stored Data Manipulation) for baseline deviations
  • T1110 (Brute Force) for authentication attacks
  • T1135 (Network Share Discovery) for policy violations
  • T1020 (Automated Exfiltration) for file transfers
  • T1595 (Active Scanning) for threat detection
  • T1082 (System Information Discovery), T1016 (System Network Configuration Discovery) and T1613 (Container and Resource Discovery) for hunting queries

OT/IoT Security Impact

These improvements enhance visibility into industrial control systems and IoT environments by:

  • Reducing false positives through refined query logic
  • Improving incident response with enriched alert details
  • Expanding ATT&CK tactic and technique coverage, so alerts carry the context analysts need for triage
  • Strengthening entity resolution for IP-based investigations

Affected Files

Solutions/Claroty/Analytic Rules/ClarotyCriticalBaselineDeviation.yaml
Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLogin.yaml
Solutions/Claroty/Analytic Rules/ClarotyMultipleFailedLoginsSameDst.yaml
Solutions/Claroty/Analytic Rules/ClarotyNewAsset.yaml
Solutions/Claroty/Analytic Rules/ClarotyPolicyViolation.yaml
Solutions/Claroty/Analytic Rules/ClarotySuspiciousActivity.yaml
Solutions/Claroty/Analytic Rules/ClarotySuspiciousFileTransfer.yaml
Solutions/Claroty/Analytic Rules/ClarotyThreat.yaml
Solutions/Claroty/Hunting Queries/ClarotyBaselineDeviation.yaml
Solutions/Claroty/Hunting Queries/ClarotyConflictAssets.yaml
Solutions/Claroty/Hunting Queries/ClarotyCriticalEvents.yaml
Solutions/Claroty/Hunting Queries/ClarotyPLCLogins.yaml
Solutions/Claroty/Hunting Queries/ClarotySRAFailedLogins.yaml
Solutions/Claroty/Hunting Queries/ClarotyScanSources.yaml
Solutions/Claroty/Hunting Queries/ClarotyScantargets.yaml
Solutions/Claroty/Hunting Queries/ClarotyUnapprovedAccess.yaml
Solutions/Claroty/Hunting Queries/ClarotyUnresolvedAlerts.yaml
Solutions/Claroty/Hunting Queries/ClarotyWriteExecuteOperations.yaml
Solutions/Claroty/Workbooks/ClarotyOverview.json
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.5.zip, ReleaseNotes.md, createUiDefinition.json, mainTemplate.json)