Claroty xDome

Claroty xDome is a modular, SaaS-based cybersecurity platform. You can configure Claroty xDome to send device alert events (alerts it has determined to be a threat) through an API endpoint, which generates Third Party Alerts in SIEM (InsightIDR).

ℹ️ Only xDome for Industrial is supported

This event source only supports Claroty xDome for Industrial. Claroty xDome for Healthcare is not currently supported.

Data can be sent from your Claroty xDome account to SIEM (InsightIDR) from event collection through the Cloud.

To set up the Claroty xDome event source, complete these steps:

  1. Read the requirements and complete any prerequisite steps.
  2. Configure Claroty xDome to send data to SIEM (InsightIDR).
  3. Configure SIEM (InsightIDR) to collect data from the event source.
  4. Test the configuration.

ℹ️ Visit the third-party vendor's documentation

For the most accurate information about preparing your event source product for integration with SIEM (InsightIDR), we recommend that you visit the Claroty xDome product documentation.

Requirements

Before SIEM (InsightIDR) can start ingesting data from Claroty xDome, you must:

  • Create an API user
  • Generate an API token

Configure Claroty xDome to send data to SIEM (InsightIDR)

To ensure SIEM (InsightIDR) can receive data from Claroty xDome, you must configure a few settings within the Claroty xDome platform.

  1. Log in to your Claroty xDome account and create an API User from Admin Settings > User Management. Read the documentation from Claroty xDome for further guidance.
  2. Select a role for your API user with adequate permissions for alerts and devices. If a role does not exist, you can generate one from the Role Based Permissions page. A Read-Only user is sufficient for this configuration.
  3. Choose your Site Permissions.
  4. Generate an API token. Store this token in a secure place for later use.

Configure SIEM (InsightIDR) to receive data from the event source

After you create your API User in Claroty xDome and obtain the API token, you can set up your Claroty xDome event source in SIEM (InsightIDR).

Task 1: Select Claroty xDome

  1. Go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Claroty xDome in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Claroty xDome event source tile.

Task 2: Set up the Cloud Connection

  1. In the Add Event Source panel, select Run On Cloud.
  2. Name the event source. This will be the name of the log that contains the event data in Log Search. If you do not name the event source, the log name will default to Claroty xDome.
  3. Optionally, select the option to send unparsed data.
  4. Select your Account Attribution preference:
    • Use short name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by short name, for example, jsmith. If the short name is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith.
    • Use fully qualified domain name attribution: The system first attempts to attribute data by email address, for example, jsmith@myorg.example.com. If the first attempt is unsuccessful, attribution is attempted by a user’s first and last name, for example, John Smith. This option is best if your environment has collisions with short names.
  5. Optionally, in a multi-domain environment, use the dropdown menu to select your main Active Directory domain. See Deploy in Multi-domain Environments and Advanced Event Source Settings.
  6. Click Add a New Connection.
  7. In the Create a Cloud Connection screen, enter a name for the new connection.
  8. In the API Token field, add a new credential:
  9. Optionally, enter the hostname for your Claroty xDome instance. If a value is not entered, the hostname defaults to api.claroty.com.
  10. Click Save Connection.
  11. Click Save.
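As an added illustration of the two attribution orders described in step 4 (example code, not part of the Rapid7 page or the product): it assumes a small constructed directory and treats an ambiguous match (two users sharing a short name) as an unsuccessful attempt, which is why short-name collisions push you toward the fully qualified option.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed directory entries (hypothetical; not from the page).
@dataclass(frozen=True)
class DirectoryUser:
    email: str
    short_name: str
    first_name: str
    last_name: str

DIRECTORY = [
    DirectoryUser("jsmith@myorg.example.com", "jsmith", "John", "Smith"),
    DirectoryUser("jsmith@sub.example.com", "jsmith", "Jane", "Smith"),  # short-name collision
    DirectoryUser("adoe@myorg.example.com", "adoe", "Ann", "Doe"),
]

def _unique(matches: list) -> Optional[DirectoryUser]:
    # Assumption: only a single, unambiguous match counts as a successful attempt.
    return matches[0] if len(matches) == 1 else None

def attribute(value: str, mode: str, directory=DIRECTORY) -> Optional[DirectoryUser]:
    """Attribute a user string in the order the event source setting defines.

    mode="short": email -> short name -> "First Last"
    mode="fqdn":  email -> "First Last"   (short name is never consulted)
    """
    if mode not in ("short", "fqdn"):
        raise ValueError("mode must be 'short' or 'fqdn'")
    v = value.strip().lower()
    by_email = _unique([u for u in directory if u.email.lower() == v])
    if by_email:
        return by_email
    if mode == "short":
        by_short = _unique([u for u in directory if u.short_name.lower() == v])
        if by_short:
            return by_short
    return _unique([u for u in directory if f"{u.first_name} {u.last_name}".lower() == v])
```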

Test the configuration

The event types that SIEM (InsightIDR) parses from this event source are:

  • Third Party Alerts

To test that event data is flowing into SIEM (InsightIDR) through the Cloud Connection:

  1. View the raw logs:
    1. From the Data Collection Management page, click the Event Sources tab.
    2. Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to SIEM (InsightIDR).
  2. Use Log Search to find the log entries. After approximately seven minutes, you can verify that log entries are appearing in Log Search.
    1. From the left menu, go to Log Search.
    2. In the Log Search filter, search for the new event source you created.
    3. Select the log sets and the log names under each log set. Claroty xDome logs flow into these log sets:
      • Third Party Alerts
    4. Set the time range to Last 10 minutes and click Run.

The Results table displays all log entries that flowed into SIEM (InsightIDR) in the last 10 minutes. The keys and values that are displayed are helpful when you want to build a query and search your logs.

Sample logs

Single device alert

{
  "alert_assignees": [],
  "alert_category": "Risk",
  "alert_class": "predefined",
  "alert_description": "Outdated firmware detected on 2 None devices",
  "alert_id": 2,
  "alert_labels": [ "Top Priority" ],
  "alert_type_name": "Outdated Firmware",
  "device_alert_detected_time": "2023-10-19T16:21:01+00:00",
  "device_alert_status": "Unresolved",
  "device_alert_updated_time": "2023-10-19T16:21:01+00:00",
  "device_assignees": [ "Admin" ],
  "device_category": "Medical",
  "device_first_seen_list": [ "2023-10-19T16:32:04.127979+00:00" ],
  "device_ip_list": [ "10.101.10.27" ],
  "device_labels": [],
  "device_last_seen_list": [ "2023-10-19T16:32:01+00:00" ],
  "device_mac_list": [ "00:40:9d:10:15:b7" ],
  "device_network_list": [ "Corporate" ],
  "device_purdue_level": "Level 4",
  "device_retired": false,
  "device_risk_score": "Very Low",
  "device_site_name": "New York General Hospital",
  "device_subcategory": "Patient Devices",
  "device_type": "Patient Monitor",
  "device_uid": "f342efb7-4f4a-4ac0-8045-0711fb2c5528",
  "mitre_technique_enterprise_ids": [],
  "mitre_technique_enterprise_names": [],
  "mitre_technique_ics_ids": [],
  "mitre_technique_ics_names": []
}
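An added example (not code from the Rapid7 page or from Claroty) of what you can do with the fields in that sample once they reach Log Search: flatten one device alert into the keys you would query on, validate that the fields a rule depends on are present, and apply a simple triage predicate. The embedded sample is a constructed subset of the page's log, and the risk-score ordering is an assumption (only "Very Low" appears on the page).

```python
import json
from typing import Any

# Constructed sample: a subset of the fields in the page's sample log, same values.
SAMPLE_ALERT = json.dumps({
    "alert_id": 2,
    "alert_labels": ["Top Priority"],
    "alert_type_name": "Outdated Firmware",
    "device_alert_detected_time": "2023-10-19T16:21:01+00:00",
    "device_alert_status": "Unresolved",
    "device_ip_list": ["10.101.10.27"],
    "device_mac_list": ["00:40:9d:10:15:b7"],
    "device_purdue_level": "Level 4",
    "device_risk_score": "Very Low",
    "device_uid": "f342efb7-4f4a-4ac0-8045-0711fb2c5528",
    "mitre_technique_ics_ids": [],
})

# Assumed ordering of xDome risk scores; only "Very Low" is shown on the page.
RISK_ORDER = ["Very Low", "Low", "Medium", "High", "Critical"]
REQUIRED = ("alert_id", "alert_type_name", "device_uid", "device_alert_status")

def normalize_alert(raw: str) -> dict[str, Any]:
    """Flatten one xDome device alert into the keys a Log Search query would use."""
    a = json.loads(raw)
    missing = [k for k in REQUIRED if k not in a]
    if missing:
        raise ValueError(f"alert is missing required keys: {missing}")
    return {
        "alert_id": a["alert_id"],
        "alert_type": a["alert_type_name"],
        "status": a["device_alert_status"],
        "detected": a.get("device_alert_detected_time"),
        "device_uid": a["device_uid"],
        "device_ip": (a.get("device_ip_list") or [None])[0],   # first IP, if any
        "device_mac": (a.get("device_mac_list") or [None])[0],
        "purdue_level": a.get("device_purdue_level"),
        "risk": a.get("device_risk_score"),
        "top_priority": "Top Priority" in a.get("alert_labels", []),
        "mitre_ids": list(a.get("mitre_technique_enterprise_ids", []))
                     + list(a.get("mitre_technique_ics_ids", [])),
    }

def needs_triage(event: dict[str, Any], min_risk: str = "High") -> bool:
    """Unresolved alerts that are Top Priority, carry a MITRE mapping, or meet the risk floor."""
    if event["status"] != "Unresolved":
        return False
    risk_idx = RISK_ORDER.index(event["risk"]) if event["risk"] in RISK_ORDER else -1
    return bool(event["top_priority"] or event["mitre_ids"] or risk_idx >= RISK_ORDER.index(min_risk))
```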