Claroty xDome
Claroty xDome is an OT (operational technology) security tool that provides protection across your organization against cyber threats. You can bring device information from Claroty xDome into Brinqa to construct a unified view of your attack surface and strengthen your cybersecurity posture.
This document details the information you must provide for the connector to authenticate with Claroty xDome and how to obtain that information from Claroty xDome. See create a data integration for step-by-step instructions on setting up the integration.
Required connection settings
When setting up a data integration, select Claroty xDome from the Connector dropdown. If you cannot find the connector in the dropdown, make sure that you have installed it first. You must provide the following information to authenticate Claroty xDome with Brinqa:
- Service URL: The Claroty xDome API URL. The default URL is https://api.medigate.io.
- API key: The API key associated with the Claroty xDome account, which must have permissions to log in to the API server and return data.
Obtain a Claroty xDome API key
For the Claroty xDome connector to use the Claroty API, you must create an API user and generate an API key. To do so, follow these steps:
- Log in to your organization's Claroty xDome portal as an administrator.
- Navigate to Settings > Admin Settings.
- In the navigation menu, click User Management, and then click Add User.
  The Create User dialog appears. Complete the following fields:
  - User Type: Select API User.
  - User Info: Enter a user name and title (description) for the API key.
    Note: This user name must be different from the Claroty xDome portal login user name.
  - Site Permissions: Click the dropdown and choose the necessary sites you want the Claroty xDome connector to have access to.
  - Roles: Click the dropdown and select Read-Only User.
  - Including future sites: (Optional) Enable this option to automatically grant access to any new sites added to your Claroty xDome environment. This ensures that the connector can retrieve data from all current and future sites without requiring manual updates to the site permissions.
- Click Create User.
- After creating the new user, click Generate Token.
  The Generate API token dialog appears.
- Click the Token Expiration dropdown and select the desired token expiry date.
- Click Generate.
  Your new API key displays. You cannot view the key again after this. Copy and save it to a secure location.
If you do not have permissions to create an API key, contact your Claroty xDome administrator.
Additional settings
The Claroty xDome connector contains additional options for specific configuration:
- Page size: The maximum number of records to get per API request. The default setting is 100. It is not recommended to go over 100.
- Parallel requests: The maximum number of parallel API requests. The default setting is 4.
Types of data to retrieve
The Claroty xDome connector can retrieve the following types of data from the Claroty API:
Table 1: Data retrieved from Claroty xDome
| Connector Object | Required | Maps to Data Model |
|---|---|---|
| Alert | Yes | Alert |
| Alert Definition | Yes | Alert Definition |
| Device | Yes | Host |
| Vulnerability | Yes | Vulnerability |
| Vulnerability Definition | Yes | Vulnerability Definition |
This diagram shows how Alert and Vulnerability connector objects relate to their definitions and the Device assets they are found in.
Figure 1: Connector object relationships
For detailed steps on how to view the data retrieved from Claroty xDome in the Brinqa Platform, see How to view your data.
Attribute mappings
Expand the sections below to view the mappings between the source and the Brinqa data model attributes.
Device
Table 2: Device attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| DeviceResource.uid | UID |
| DeviceResource.deviceName | NAME |
| DeviceResource.deviceCategory | CATEGORIES |
| DeviceResource.retired | STATUS |
| DeviceResource.ipList | IP_ADDRESSES |
| DeviceResource.macList | MAC_ADDRESSES |
| DeviceResource.vlanList | VLANS |
| DeviceResource.networkList | NETWORKS |
| DeviceResource.serialNumber | SERIAL_NUMBER |
| DeviceResource.manufacturer | MANUFACTURER |
| DeviceResource.combinedOs | OPERATING_SYSTEM |
| DeviceResource.deviceName | DEVICE_NAME |
| DeviceResource.model | MODEL |
| DeviceResource.assetId | ASSET_ID |
| DeviceResource.deviceCategory | DEVICE_CATEGORY |
| DeviceResource.deviceSubcategory | DEVICE_SUBCATEGORY |
| DeviceResource.deviceType | DEVICE_TYPE |
| DeviceResource.deviceTypeFamily | DEVICE_TYPE_FAMILY |
| DeviceResource.combinedOs | COMBINED_OS |
| DeviceResource.purdueLevel | PURDUE_LEVEL |
| DeviceResource.riskScore | RISK_SCORE |
| DeviceResource.riskScorePoints | RISK_SCORE_POINTS |
| DeviceResource.criticality | CRITICALITY |
| DeviceResource.siteName | SITE_NAME |
| DeviceResource.internetCommunication | INTERNET_COMMUNICATION |
| DeviceResource.mobility | MOBILITY |
| DeviceResource.fdaClass | FDA_CLASS |
| DeviceResource.retired | RETIRED |
| DeviceResource.endpointSecurityNames | ENDPOINT_SECURITY_NAMES |
| DeviceResource.detectorName | DETECTOR_NAME |
| DeviceResource.note | NOTE |
| DeviceResource.labels | TAGS |
| SiteResource.location | SITE_LOCATION |
| SiteResource.timezone | SITE_TIMEZONE |
| SiteResource.countryCode | SITE_COUNTRY_CODE |
| DeviceResource.firstSeenList[0] | FIRST_SEEN |
| DeviceResource.lastSeenList[0] | LAST_SEEN |
| System-generated | LAST_CAPTURED |
Alert Definition
Table 3: Alert Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| AlertResource.alertTypeName | UID |
| AlertResource.alertTypeName | NAME |
| AlertResource.description | DESCRIPTION |
| AlertResource.category, AlertResource.alertClass | CATEGORIES |
| MITRE technique names (ICS + Enterprise) | TAGS |
| AlertResource.alertClass | ALERT_CLASS |
| AlertResource.status | ALERT_STATUS |
| AlertResource.devicesCount | DEVICES_COUNT |
| AlertResource.unresolvedDevicesCount | UNRESOLVED_DEVICES_COUNT |
| AlertResource.detectedTime | DETECTED_AT |
| AlertResource.updatedTime | UPDATED_AT |
| AlertResource.mitreTechniqueIcsIds | MITRE_ICS_IDS |
| AlertResource.mitreTechniqueIcsNames | MITRE_ICS_NAMES |
| AlertResource.mitreTechniqueEnterpriseIds | MITRE_ENTERPRISE_IDS |
| AlertResource.mitreTechniqueEnterpriseNames | MITRE_ENTERPRISE_NAMES |
| System-generated | LAST_CAPTURED |
Alert
Table 4: Alert attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| alertId:deviceUid | UID |
| DeviceAlertRelationResource.deviceUid | TARGETS |
| DeviceAlertRelationResource.alertTypeName | TYPE |
| DeviceAlertRelationResource.deviceAlertStatus | PROVIDER_STATUS |
| Normalized from PROVIDER_STATUS | SOURCE_STATUS |
| DeviceAlertRelationResource.alertLabels | TAGS |
| DeviceAlertRelationResource.alertCategory | ALERT_CATEGORY |
| DeviceAlertRelationResource.alertClass | ALERT_CLASS |
| DeviceAlertRelationResource.deviceAlertDetectedTime | DETECTED_AT |
| DeviceAlertRelationResource.deviceAlertUpdatedTime | UPDATED_AT |
| System-generated | LAST_CAPTURED |
Vulnerability Definition
Table 5: Vulnerability Definition attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| VulnerabilityResource.name | UID |
| VulnerabilityResource.name | NAME |
| VulnerabilityResource.description | DESCRIPTION |
| VulnerabilityResource.adjustedVulnerabilityScoreLevel | SEVERITY |
| VulnerabilityResource.adjustedVulnerabilityScoreLevel | SOURCE_SEVERITY |
| Derived from normalized severity | SEVERITY_SCORE |
| VulnerabilityResource.vulnerabilityType | CATEGORIES |
| VulnerabilityResource.vulnerabilityLabels | TAGS |
| VulnerabilityResource.cveIds | CVE_IDS |
| VulnerabilityResource.cveIds | CVE_RECORDS |
| VulnerabilityResource.epssScore | EPSS_SCORE |
| VulnerabilityResource.publishedDate | PUBLISHED_DATE |
| VulnerabilityResource.sourceUrl | SOURCE_URL |
| VulnerabilityResource.cvssV2VectorString, VulnerabilityResource.cvssV3VectorString | CVSS v2/v3 metrics |
| VulnerabilityResource.vulnerabilityType | VULNERABILITY_TYPE |
| VulnerabilityResource.adjustedVulnerabilityScore | ADJUSTED_SCORE |
| VulnerabilityResource.adjustedVulnerabilityScoreLevel | ADJUSTED_SCORE_LEVEL |
| VulnerabilityResource.isKnownExploited | IS_KNOWN_EXPLOITED |
| VulnerabilityResource.exploitsCount | EXPLOITS_COUNT |
| VulnerabilityResource.affectedDevicesCount | AFFECTED_DEVICES_COUNT |
| VulnerabilityResource.sourceName | SOURCE_NAME |
| VulnerabilityResource.vulnerabilityPriorityGroup | PRIORITY_GROUP |
| System-generated | LAST_CAPTURED |
Vulnerability
Table 6: Vulnerability attribute mappings
| Source Field Name | SDM Attribute |
|---|---|
| vulnerabilityId:deviceUid | UID |
| DeviceVulnerabilityRelationResource.deviceUid | TARGETS |
| DeviceVulnerabilityRelationResource.vulnerabilityName | TYPE |
| Derived from vulnerabilityRelevance | PROVIDER_STATUS |
| Normalized from PROVIDER_STATUS | SOURCE_STATUS |
| DeviceVulnerabilityRelationResource.vulnerabilityLabels | TAGS |
| DeviceVulnerabilityRelationResource.vulnerabilityRelevance | VULNERABILITY_RELEVANCE |
| DeviceVulnerabilityRelationResource.deviceVulnerabilityDetectionDate | DETECTION_DATE |
| DeviceVulnerabilityRelationResource.deviceVulnerabilityResolutionDate | RESOLUTION_DATE |
| DeviceVulnerabilityRelationResource.vulnerabilityAdjustedVulnerabilityScoreLevel | ADJUSTED_SCORE_LEVEL |
| System-generated | LAST_CAPTURED |
Operation options
The Claroty xDome connector supports the following operation options. See connector operation options for information about how to apply them.
Expand the sections below to view the supported operation options per connector object.
Device
Table 7: Device operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Device | excludeRetired | true or false | Exclude retired devices from sync. Default is true. | Key: excludeRetired, Value: false. This key and value combination includes retired devices in the sync. |
| Device | enrichSites | true or false | Enable site enrichment (adds location, timezone, and country code from the /api/v1/sites/get endpoint). Default is false. | Key: enrichSites, Value: true. This key and value combination enriches each Device with site location, timezone, and country code. |
Alert Definition
Table 8: Alert Definition operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Alert Definition | excludeResolved | true or false | Exclude resolved alert definitions from sync. Default is true. | Key: excludeResolved, Value: false. This key and value combination includes resolved alert definitions in the sync. |
Alert
Table 9: Alert operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Alert | excludeRetired | true or false | Exclude alerts on retired devices. Default is true. | Key: excludeRetired, Value: false. This key and value combination includes alerts on retired devices in the sync. |
Vulnerability
Table 10: Vulnerability operation options
| Connector Object | Option | All Possible Values | Description | Example |
|---|---|---|---|---|
| Vulnerability | excludeRetired | true or false | Exclude vulnerabilities on retired devices. Default is true. | Key: excludeRetired, Value: false. This key and value combination includes vulnerabilities on retired devices in the sync. |
| Vulnerability | excludeIrrelevant | true or false | Exclude vulnerabilities with relevance irrelevant. Default is false. | Key: excludeIrrelevant, Value: true. This key and value combination excludes vulnerabilities marked as irrelevant. |
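
As an added illustration (not Brinqa's connector code), this Python sketch models the effect of the two Vulnerability options in Table 10 and their defaults, showing which findings drop out of a sync and why. The sample records, the relevance value `Confirmed`, the case-insensitive match on `irrelevant`, and the function name `select_vulnerabilities` are assumptions made for the example.

```python
# Added illustration: models the *effect* of the Vulnerability operation
# options in Table 10. It is not the connector's implementation.

DEFAULTS = {"excludeRetired": True, "excludeIrrelevant": False}  # defaults from Table 10


def _as_bool(value):
    """Options are entered as key/value text, so accept 'true'/'false' strings."""
    if isinstance(value, bool):
        return value
    text = str(value).strip().lower()
    if text not in ("true", "false"):
        raise ValueError(f"expected true or false, got {value!r}")
    return text == "true"


def select_vulnerabilities(relations, devices, options=None):
    """Return (kept_uids, dropped) where dropped maps UID -> reason."""
    opts = dict(DEFAULTS)
    for key, value in (options or {}).items():
        if key not in DEFAULTS:
            raise KeyError(f"unsupported operation option: {key}")
        opts[key] = _as_bool(value)

    kept, dropped = [], {}
    for rel in relations:
        uid = f"{rel['vulnerabilityId']}:{rel['deviceUid']}"  # UID format from Table 6
        device = devices.get(rel["deviceUid"], {})
        relevance = str(rel.get("vulnerabilityRelevance", "")).lower()
        if opts["excludeRetired"] and device.get("retired", False):
            dropped[uid] = "retired device"
        elif opts["excludeIrrelevant"] and relevance == "irrelevant":
            dropped[uid] = "irrelevant"
        else:
            kept.append(uid)
    return kept, dropped


# Constructed sample data (not real xDome output).
DEVICES = {"dev-1": {"retired": False}, "dev-2": {"retired": True}}
RELATIONS = [
    {"vulnerabilityId": "v-100", "deviceUid": "dev-1", "vulnerabilityRelevance": "Confirmed"},
    {"vulnerabilityId": "v-100", "deviceUid": "dev-2", "vulnerabilityRelevance": "Confirmed"},
    {"vulnerabilityId": "v-200", "deviceUid": "dev-1", "vulnerabilityRelevance": "Irrelevant"},
]

if __name__ == "__main__":
    for opts in (None, {"excludeRetired": "false"}, {"excludeIrrelevant": "true"}):
        print(opts, select_vulnerabilities(RELATIONS, DEVICES, opts))
```

With no options set, the finding on the retired device is absent from the result while the irrelevant one is still synced, which is worth knowing when reconciling counts between xDome and Brinqa.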
APIs
The Claroty xDome connector uses the Claroty xDome API. Specifically, it uses the following endpoints:
Table 11: Claroty xDome API Endpoints
| Connector Object | API Endpoint |
|---|---|
| Alert | POST /api/v1/device_alert_relations/ |
| Alert Definition | POST /api/v1/alerts/ |
| Device | POST /api/v1/devices/ |
| Vulnerability | POST /api/v1/device_vulnerability_relations/ |
| Vulnerability Definition | POST /api/v1/vulnerabilities/ |
Changelog
The Claroty xDome connector has undergone the following changes:
Table 12: Claroty xDome connector changelog
| Version | Description | Date Published |
|---|---|---|
| 3.0.4 | Improvements - Devices discovered in Claroty xDome are now synchronized to the standard 'Host' model, aligning the connector with Brinqa's host-centric Unified Data Model. The associated asset category is also updated from Device to Host. - Expanded the set of Host identifiers used for record matching to include serial number, MAC addresses, and IP addresses — improving deduplication when correlating xDome devices with Host records from other sources. Migration Required - 'Device': The target model has changed from Device to Host. Action: purge previously synced Device records from this connector and re-sync to repopulate them as Host assets. | June 4th, 2026 |
| 3.0.2 | Fixed an issue where the NAME attribute on the Device object was incorrectly populated with an internal UID instead of the actual device name. The connector now uses the DEVICE_NAME attribute to provide accurate device names. | January 30th, 2025 |
| 3.0.1 | Code cleanup and general maintenance. | December 26th, 2024 |
| 3.0.0 | Initial Integration+ release. | December 26th, 2024 |