Skip to content

Threat Detection: Alerts

Alerts are generated when Claroty determines that an activity is significant enough to require attention. Alerts provide context and information that can help determine whether activity is expected, suspicious, or potentially malicious.

We now want to gain an understanding of how Claroty presents suspicious activity and how stories are formed from groups of indvidual alerts. We also want to understand what information is available within an alert, how alerts are prioritized, and how they can be used to begin an investigation into an asset, communication path, or broader network activity.


  • Navigate to Threat Detection > Alerts.

  • Review the Alerts page.

    • Alerts can be filtered by type, status, category, etc.,
    • Each has its own status, and the ability to be assigned to a specific user.

  • There are two types of alerts:

AlertDescription
Security Event AlertsIndicate potentially malicious or suspicious activity. Examples include:
- Port Scanning
- Unauthorized Communications
- Exploit Attempts
Process Integrity AlertsIndicate changes to operational processes. Examples include:
- Configuration Changes
- Firmware Updates
- Logic Changes
  • In the Alerts search bar, search for Heap Spray and select one of the two ETERNALBLUE alerts to open its Alert View page.
    • The top banner will display the type of alert (such as Known Threat, Network Scan, Configuration Download, etc.) followed by a short description of it. The page also includes additional and useful information:
ModuleDescription
Network Signature InfoProvides basic information about the alert, including its signature ID and name.
Alert ScoreIncludes Significant Indicators and how Claroty calculated the score.
Root Cause AnalysisShows a series of related alerts, also known as a Story, and an asset communication map.
Mitigation StepsSuggests potential mitigation steps, dependant on the type and criticality of the alert.
AlertProvides information about the asset(s) that triggered the alert.
Alert TimelineA comment box that can be used to note/record information about the timeline of the alert.
  • Return to the Alerts page and filter Alert Category by Integrity Alerts. Select an alert with the Configuration Upload type and go to its Alert View page.

  • Determine any similarities and any differences from the modules presented on this alert page.
  • How do different alert pages differ from one another? Does a Network Scan alert have different information than a Known Threat alert?
  • How could the information provided in an alert’s page be used to further investigate a potential threat?

  • Return to the Threat Detection > Alerts page.

    Switching to Network Topology View
  • Enable Group by Story in the top right of the page.
    • Stories are collections of related alerts that Claroty has grouped together. They provide additional context by showing how multiple alerts may be related to a larger activity or incident. Examples include:
      • Multiple alerts generated during a network scan
      • Several suspicious communications involving the same asset
      • A sequence of events that may indicate an attack progression
    • They are, often times, sequences of events.

  • Filter Alert Type by Known Threat Alert and look for the story containing the alert we previously investigated: Possible ETERNALBLUE ... Heap Spray.

  • With the story expanded, note the other alerts contained within it.
    • What do you recgonize about the alerts grouped within this story?
    • Did the alerts within the story happen within a close timeframe?
  • How do stories connect alerts, and how could referencing them be used to contextualize and identify potential malicious activity?
  • What appears to have caused these alerts to be grouped into the same story?