Claroty xDome

Self Service Ingestion

Connect this data source on your own, using the Hunters platform.

TL;DR

Capability columns: 3rd party detection, Hunters detection, IOC search, Search.

Data type                            | Supported capabilities | Table name                         | Log format | Collection method
Claroty xDome Devices                | ✅ ✅                  | claroty_xdome_devices              | NDJSON     | API
Claroty xDome Alerts                 | ✅ ✅                  | claroty_xdome_alerts               | NDJSON     | API
Claroty xDome Events                 | ✅ ✅                  | claroty_xdome_events               | NDJSON     | API
Claroty xDome Sites                  | ✅                     | claroty_xdome_sites                | NDJSON     | API
Claroty xDome Device Alerts          | ✅                     | claroty_xdome_device_alert         | NDJSON     | API
Claroty xDome Device Vulnerabilities | ✅                     | claroty_xdome_device_vulnerability | NDJSON     | API

Overview

Claroty xDome is a cloud-based industrial cybersecurity platform designed to protect critical infrastructure and industrial environments. It provides comprehensive visibility, threat detection, and vulnerability management across operational technology (OT), Internet of Things (IoT), and IT networks. xDome leverages advanced analytics and automation to identify and mitigate risks, ensuring the resilience and security of industrial systems against evolving cyber threats. It is particularly valued for its ability to integrate with existing IT and OT environments, offering seamless protection and compliance management.

Supported data types

Claroty xDome Devices

Table name: claroty_xdome_devices

These logs provide a snapshot of connected devices within the network, including detailed information about each device’s attributes and configuration, helping to track and monitor network assets.

Claroty xDome Alerts

Table name: claroty_xdome_alerts

These logs capture security alerts triggered by unusual or potentially harmful activities, enabling security teams to prioritize and respond to incidents across the xDome environment.

Claroty xDome Events

Table name: claroty_xdome_events

These logs document network events and activities, offering insights into user actions and system changes, essential for tracking and investigating incidents.

Claroty xDome Sites

Table name: claroty_xdome_sites

These logs capture site configuration details, providing a comprehensive view of network segmentation and security zones to support operational monitoring and management.

Claroty xDome Device Alerts

Table name: claroty_xdome_device_alert

These logs link security alerts with the relevant devices, offering a more precise understanding of which assets are affected, facilitating targeted responses to threats.

Claroty xDome Device Vulnerabilities

Table name: claroty_xdome_device_vulnerability

These logs identify security vulnerabilities associated with specific devices, helping organizations to assess risk and prioritize remediation efforts across their network infrastructure.

Send data to Hunters

Hunters supports the integration of Claroty xDome logs through the Claroty xDome API.

To send data to Hunters:

  1. Create a designated Claroty API token:

    1. Log into your Claroty xDome dashboard and navigate to Admin Settings > User Management.

    2. Click Add user and select API user type.

    3. Fill in the fields as follows:

      1. Under Username and Title, provide a descriptive name.

      2. Under Site Permissions, check All Sites and Including future sites.

      3. Under Roles, select Administrator.

    4. Once done, click Create User.

    5. Locate the user you’ve just created from the user list and click the key icon to generate an API token.

      The token is displayed only at this point. Copy it and store it in a safe place.

  2. Open the Hunters platform and follow this guide to set up the connection.

  3. In the API key field, paste the token acquired in the previous steps.

  4. In the API hostname subdomain field, fill in one of the following:

    • eu.api if your Claroty regional API endpoint is located in Europe.

    • api if your Claroty regional API endpoint is located in the US.

      📘How can you tell?

      Locate your Claroty API endpoint URL (the URL destination for API requests). If the URL begins with eu.api (like this: https://eu.api.claroty.com/v1/assets), then your Claroty regional API endpoint is located in Europe. If the URL begins with api (like this: https://api.claroty.com/v1/assets), then your Claroty regional API endpoint is located in the US.

Expected format

Logs are expected in NDJSON format.

Claroty xDome Devices

{
    "ip_list": [
        "1.2.3.4"
    ],
    "device_subcategory": "Process",
    "model": "CB1234",
    "mac_list": [
        "ff:ff:ff:ff:ff:ff"
    ],
    "device_type_family": "Autonomous Vehicle",
    "device_type": "Autonomous Vehicle",
    "network_list": [
        "Corporate"
    ],
    "device_category": "OT",
    "asset_id": "123123",
    "uid": "00023e71-72b6-4824-9063-b63785e7d494"
}

Claroty xDome Alerts

{
    "id": 1000077,
    "alert_type_name": "Network Change",
    "category": "Device Changes",
    "detected_time": "2024-02-15T09:32:51.128253Z",
    "updated_time": "2024-08-04T10:30:18.350550Z",
    "devices_count": 25,
    "unresolved_devices_count": 25,
    "medical_devices_count": 0,
    "iot_devices_count": 14,
    "it_devices_count": 8,
    "ot_devices_count": 3,
    "alert_name": "Devices Changed Network from Guest to Corporate or Industrial",
    "alert_class": "Device Changes Alerts",
    "status": "Unresolved"
}

Claroty xDome Events

{
    "description": "Online Edit was detected from 10.26.30.91 (Engineering Station) to 10.25.15.156 (PLC)",
    "event_type": "Online Edit",
    "source_asset_id": "HILMJVW",
    "mode": null,
    "source_ip": "10.26.30.91",
    "dest_asset_id": "ASDASD",
    "dest_ip": "10.25.15.156",
    "protocol": "S7comm",
    "source_device_type": "Engineering Station",
    "detection_time": "2024-08-04T08:27:42.404624+00:00",
    "dest_port": 102,
    "source_username": "admin",
    "source_port": 56855,
    "dest_device_type": "PLC",
    "related_alert_ids": [
        1000038,
        1000046
    ],
    "event_id": 138,
    "ip_protocol": "TCP"
}

Claroty xDome Sites

{
    "id": 1,
    "name": "Washington",
    "location": "Washington, NY",
    "timezone": "America/New_York",
    "country_code": "US",
    "description": null,
    "hospital_type": "Health System",
    "number_of_beds": 25,
    "devices_count": 1672,
    "site_attribution_rules_count": 4
}

Claroty xDome Device Alerts

{
    "device_last_seen_list": [
        "2024-08-18T05:17:58.585486+00:00"
    ],
    "alert_id": 1000037,
    "device_labels": [
        "Criticidad alta",
        "OT Internet Klabin",
        "Urgent"
    ],
    "device_purdue_level": "Level 1",
    "device_subcategory": "Control",
    "device_manufacturer": "ABB",
    "device_site_name": "Albany",
    "device_retired": false,
    "alert_name": "Configuration Upload / Configuration Download Activity",
    "alert_class": "OT Activity Alerts",
    "device_category": "OT",
    "device_alert_status": "Unresolved",
    "device_impact_subscore": "Critical",
    "device_mac_list": [
        "00:1c:01:17:f7:90"
    ],
    "device_assignees": [
        "3rd Party SOC (Group)",
        "Demo test group (Group)",
        "Jose Alegria"
    ],
    "device_likelihood_subscore_points": 49.034035,
    "device_name": "10.26.30.119",
    "device_insecure_protocols": "Very Low",
    "device_known_vulnerabilities": "Very Low",
    "alert_category": "OT Activity",
    "device_risk_score": "High",
    "device_effective_likelihood_subscore": "Low",
    "device_likelihood_subscore": "Low",
    "device_known_vulnerabilities_points": 0.0,
    "alert_type_name": "OT Activity",
    "device_alert_updated_time": "2024-08-03T12:32:44.461647+00:00",
    "alert_labels": [],
    "device_uid": "0ed6e732-55fb-4b88-aa73-a9f946cb14b0",
    "device_internet_communication": "No",
    "device_insecure_protocols_points": 0.0,
    "alert_assignees": [],
    "device_alert_detected_time": "2024-08-03T12:32:44.461647+00:00",
    "device_effective_likelihood_subscore_points": 49.034035,
    "device_type": "PLC",
    "device_risk_score_points": 59.42042,
    "device_first_seen_list": [
        "2024-02-24T13:42:02.585486+00:00"
    ],
    "device_ip_list": [
        "10.26.30.119"
    ],
    "device_network_list": [
        "Industrial"
    ],
    "device_impact_subscore_points": 75.0
}

Claroty xDome Device Vulnerabilities

{
    "device_subcategory": "Process",
    "vulnerability_assignees": [],
    "vulnerability_labels": [],
    "patch_install_date": null,
    "device_category": "OT",
    "vulnerability_note": null,
    "device_vulnerability_days_to_resolution": null,
    "vulnerability_type": "Platform",
    "device_vulnerability_resolution_date": null,
    "vulnerability_last_updated": "2024-08-18T05:58:00.992448+00:00",
    "vulnerability_relevance": "Potentially Relevant",
    "vulnerability_relevance_sources": [
        "Claroty"
    ],
    "device_type": "Autonomous Vehicle",
    "device_vulnerability_detection_date": "2024-08-18T05:56:19.415951+00:00",
    "vulnerability_affected_products": "* All the Wi-Fi devices\r\n* Aruba:\r\n\t- ArubaOS 6.4.x: prior to 6.4.4.25\r\n\t- ArubaOS 6.5.x: prior to 6.5.4.19\r\n\t- ArubaOS 8.3.x: prior to 8.3.0.15\r\n\t- ArubaOS 8.5.x: prior to 8.5.0.12\r\n\t- ArubaOS 8.6.x: prior to 8.6.0.8\r\n\t- ArubaOS 8.7.x: prior to 8.7.1.2\r\n\t- Aruba instant AP\r\n* SUSE:\r\n\t- SUSE Linux Enterprise Server 15\r\n\t- SUSE Linux Enterprise Desktop 15\r\n\t- SUSE Linux Enterprise Server 12\r\n\t- SUSE Linux Enterprise Desktop 12\r\n\t- SUSE Linux Enterprise Server 11\r\n\t- SUSE Linux Enterprise Desktop 11\r\n* Synology:\r\n\t- RT2600ac\r\n\t- MR2200ac\r\n\t- RT1900ac\r\n* Microsoft - according to the affected versions detailed in the attached advisories.\r\n* Juniper:\r\n\t* the following models affected in specific versions and see attached advisory:\r\n\t\t- AP12 / AP21 / AP32 / AP33 / AP41 / AP43 / AP61 / AP63 / SRX series",
    "device_site_name": "Albany",
    "vulnerability_recommendations": "See the following advisories released by the vendors, which details what mitigation steps should be done:\r\n* Aruba - https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-011.txt\r\n* Arista - https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63\r\n* Canonical (Ubuntu) - https://ubuntu.com/security/CVE-2020-24587\r\n* Cisco - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu\r\n* Debian - https://security-tracker.debian.org/tracker/CVE-2020-24587\r\n* Dell - https://www.dell.com/support/kbdoc/ro-ro/000186331/dsa-2021-100-dell-client-platform-security-update-for-intel-wifi-software-vulnerabilitiesdsa-2021-100-dell-client-platform-security-update-for-intel-wifi-software-vulnerabilities\r\n* Industry Consortium for Advancement of Security on the Internet (ICASI) - https://www.icasi.org/aggregation-fragmentation-attacks-against-wifi/\r\n* Intel - https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00473.html\r\n* Juniper Networks - https://kb.juniper.net/InfoCenter/index?page=content&id=JSA11170&cat=SIRT_1&actp=LIST\r\n* Lenovo - https://support.lenovo.com/us/en/product_security/LEN-57316\r\n* Microsoft (CVE-2020-24588 and CVE-2020-24587) - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-24588 OR https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-24587\r\n* NETGEAR - https://kb.netgear.com/000063666/Security-Advisory-for-Fragment-and-Forge-vulnerabilities-on-some-WiFi-capable-devices-PSV-2021-0014-PSV-2021-0080\r\n* RUCKUS - https://support.ruckuswireless.com/fragattacks-ruckus-technical-support-response-center\r\n* Sierra Wireless - https://source.sierrawireless.com/resources/security-bulletins/sierra-wireless-technical-bulletin---swi-psa-2021-003/#sthash.pxcTZWwH.dpbs\r\n* Synology - https://www.synology.com/tr-tr/security/advisory/Synology_SA_21_20\r\n* SUSE - https://www.suse.com/support/kb/doc/?id=000020244\r\n* Wi-Fi Alliance - https://www.wi-fi.org/security-update-fragmentation\r\n* Zyxel - https://il.zyxel.com/support/Zyxel_security_advisory_for_FragAttacks_against_WiFi_products.shtml",
    "device_uid": "00023e71-72b6-4824-9063-b63785e7d494",
    "vulnerability_name": "FragAttacks",
    "vulnerability_cve_ids": [
        "CVE-2020-24586",
        "CVE-2020-24587",
        "CVE-2020-24588",
        "CVE-2020-26139",
        "CVE-2020-26140",
        "CVE-2020-26141",
        "CVE-2020-26142",
        "CVE-2020-26143",
        "CVE-2020-26144",
        "CVE-2020-26145",
        "CVE-2020-26146",
        "CVE-2020-26147"
    ],
    "device_labels": [
        "OT Assets without Assignees",
        "OT Internet Klabin"
    ],
    "device_assignees": [],
    "vulnerability_is_known_exploited": false,
    "vulnerability_description": "A collection of new 12 security vulnerabilities that affect Wi-Fi devices. An adversary that is within range of a victim's Wi-Fi network can abuse these vulnerabilities to steal user information or attack devices. Three of the discovered vulnerabilities are design flaws in the Wi-Fi standard and therefore affect most devices. On top of this, several other vulnerabilities were discovered that are caused by widespread programming mistakes in Wi-Fi products. Experiments indicate that every Wi-Fi product is affected by at least one vulnerability and that most products are affected by several vulnerabilities.\r\nThe discovered vulnerabilities affect all modern security protocols of Wi-Fi, including the latest WPA3.\r\nThe design flaws are hard to abuse because doing so requires user interaction or is only possible when using uncommon network settings. As a result, in practice the biggest concern are the programming mistakes in Wi-Fi products since several of them are trivial to exploit.\r\nWhen a website is configured with HSTS to always use HTTPS as an extra layer of security, the transmitted data cannot be stolen\r\n\r\n\r\n\r\n",
    "vulnerability_epss_score": 0.00316,
    "vulnerability_adjusted_vulnerability_score": 5.008266,
    "vulnerability_id": "ALKIFVSA",
    "device_risk_score": "Critical",
    "vulnerability_published_date": "2021-05-12T00:00:00.485000+00:00",
    "vulnerability_sources": [
        {
            "url": "https://www.fragattacks.com/#intro",
            "name": "vanhoefm"
        }
    ]
}
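As an added example (not part of the Hunters page or Claroty's own code), a small Python check over constructed NDJSON records in the documented claroty_xdome_events and claroty_xdome_alerts shapes: it rejects malformed lines one at a time instead of failing the batch, reports required fields missing from an event, and pivots from an alert id to the events that cite it through related_alert_ids. The required-field list and all sample values are assumptions made for this example.

```python
import json

# Constructed sample feeds (not from the page or Claroty): two claroty_xdome_events
# records with the documented field names plus one malformed line, and two
# claroty_xdome_alerts records that the events reference via related_alert_ids.
EVENTS_NDJSON = (
    '{"event_id": 138, "event_type": "Online Edit", "source_ip": "10.26.30.91", '
    '"dest_ip": "10.25.15.156", "protocol": "S7comm", "dest_port": 102, '
    '"detection_time": "2024-08-04T08:27:42.404624+00:00", "related_alert_ids": [1000038, 1000046]}\n'
    '{"event_id": 139, "event_type": "Online Edit", "source_ip": "10.26.30.91", '
    '"dest_ip": "10.25.15.157", "protocol": "S7comm", "related_alert_ids": [1000099]}\n'
    'this line is not JSON\n'
)
ALERTS_NDJSON = (
    '{"id": 1000038, "alert_name": "Configuration Upload / Configuration Download Activity", "status": "Unresolved"}\n'
    '{"id": 1000046, "alert_name": "Devices Changed Network from Guest to Corporate or Industrial", "status": "Unresolved"}\n'
)
# Assumed minimum field set an Events record needs to be useful in an investigation.
REQUIRED_EVENT_FIELDS = ("event_id", "event_type", "source_ip", "dest_ip", "protocol", "detection_time")

def parse_ndjson(text):
    """Parse NDJSON line by line; return (records, rejected_line_numbers) so one
    bad line is reported instead of silently dropping the whole batch."""
    records, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            obj = json.loads(line)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, dict):
            records.append(obj)
        else:
            rejected.append(lineno)  # non-JSON or not an object: flag, keep going
    return records, rejected

def missing_event_fields(record):
    """Required fields that are absent or null in an Events record."""
    return [f for f in REQUIRED_EVENT_FIELDS if record.get(f) is None]

def events_by_alert(events, alerts):
    """Map alert id -> event ids referencing it via related_alert_ids; ids cited by
    events but missing from the alerts feed are returned separately for follow-up."""
    known = {a["id"] for a in alerts}
    linked, unknown = {}, set()
    for ev in events:
        for alert_id in ev.get("related_alert_ids") or []:
            if alert_id in known:
                linked.setdefault(alert_id, []).append(ev["event_id"])
            else:
                unknown.add(alert_id)
    return linked, sorted(unknown)
```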