|
| 1 | +# Claroty xDome |
| 2 | + |
| 3 | +[Claroty xDome](https://claroty.com/industrial-cybersecurity/xdome) is a modular, SaaS-powered industrial cybersecurity platform designed to protect cyber-physical systems (CPS) in industrial, healthcare, and commercial environments, offering features like asset discovery, exposure management, network protection, threat detection, and secure access. |
| 4 | + |
| 5 | +Use this integration to collect and parse data from your Claroty xDome instance. |
| 6 | + |
| 7 | +## Compatibility |
| 8 | + |
| 9 | +This module has been tested against the Claroty xDome API version **v1**. |
| 10 | + |
| 11 | +## Data streams |
| 12 | + |
| 13 | +The Claroty xDome integration collects three types of logs. |
| 14 | + |
| 15 | +- **Alerts** - Retrieves alerts and their affected devices from Claroty xDome. |
| 16 | + |
| 17 | +- **Events** - Collects events related to Operational Technology activities. |
| 18 | + |
| 19 | +- **Vulnerabilities** - Retrieves vulnerabilities and their affected devices from Claroty xDome. |
| 20 | + |
| 21 | +**Note** : |
| 22 | + |
| 23 | +1. The **alert data stream** combines data from the alerts and affected devices endpoints using a chain call. It first retrieves all alerts and then fetches affected devices for each alert ID. |
| 24 | + |
| 25 | +2. The **vulnerability data stream** follows the same approach, retrieving vulnerabilities first and then fetching affected devices for each vulnerability ID. |
| 26 | + |
| 27 | +3. A **data count mismatch** may appear in the **Discover** page for the vulnerability data stream. This occurs because the API retrieves data beyond the current date, while the **Elastic Agent** fetches only up-to-date data during the initial call. The missing data will appear in **Kibana** after the next interval's call. |
| 28 | + |
| 29 | +## Requirements |
| 30 | + |
| 31 | +### Agentless Enabled Integration |
| 32 | +Agentless integrations allow you to collect data without having to manage Elastic Agent in your cloud. They make manual agent deployment unnecessary, so you can focus on your data instead of the agent that collects it. For more information, refer to [Agentless integrations](https://www.elastic.co/guide/en/serverless/current/security-agentless-integrations.html) and the [Agentless integrations FAQ](https://www.elastic.co/guide/en/serverless/current/agentless-integration-troubleshooting.html). |
| 33 | + |
| 34 | +Agentless deployments are only supported in Elastic Serverless and Elastic Cloud environments. This functionality is in beta and is subject to change. Beta features are not subject to the support SLA of official GA features. |
| 35 | + |
| 36 | +### Agent Based Installation |
| 37 | +- Elastic Agent must be installed |
| 38 | +- You can install only one Elastic Agent per host. |
| 39 | +- Elastic Agent is required to stream data from the GCP Pub/Sub or REST API and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. |
| 40 | + |
| 41 | +#### Installing and managing an Elastic Agent: |
| 42 | + |
| 43 | +You have a few options for installing and managing an Elastic Agent: |
| 44 | + |
| 45 | +#### Install a Fleet-managed Elastic Agent (recommended): |
| 46 | + |
| 47 | +With this approach, you install Elastic Agent and use Fleet in Kibana to define, configure, and manage your agents in a central location. We recommend using Fleet management because it makes the management and upgrade of your agents considerably easier. |
| 48 | + |
| 49 | +#### Install Elastic Agent in standalone mode (advanced users): |
| 50 | + |
| 51 | +With this approach, you install Elastic Agent and manually configure the agent locally on the system where it’s installed. You are responsible for managing and upgrading the agents. This approach is reserved for advanced users only. |
| 52 | + |
| 53 | +#### Install Elastic Agent in a containerized environment: |
| 54 | + |
| 55 | +You can run Elastic Agent inside a container, either with Fleet Server or standalone. Docker images for all versions of Elastic Agent are available from the Elastic Docker registry and we provide deployment manifests for running on Kubernetes. |
| 56 | + |
| 57 | +There are some minimum requirements for running Elastic Agent and for more information, refer to the link [here](https://www.elastic.co/guide/en/fleet/current/elastic-agent-installation.html). |
| 58 | + |
| 59 | +## Setup |
| 60 | + |
| 61 | +### To collect logs through REST API, follow the below steps: |
| 62 | + |
| 63 | +- Login to your Claroty xDome portal, create an API user from Admin Settings > User Management, and generate an API token. |
| 64 | + |
| 65 | +### Enabling the integration in Elastic: |
| 66 | + |
| 67 | +1. In Kibana navigate to Management > Integrations. |
| 68 | +2. In "Search for integrations" top bar, search for `Claroty xDome`. |
| 69 | +3. Select the "Claroty xDome" integration from the search results. |
| 70 | +4. Select "Add Claroty xDome" to add the integration. |
| 71 | +5. Add all the required integration configuration parameters, including the URL, API token to enable data collection. |
| 72 | +6. Select "Save and continue" to save the integration. |
| 73 | + |
| 74 | +## Logs reference |
| 75 | + |
| 76 | +### Alert |
| 77 | + |
| 78 | +This is the `alert` dataset. |
| 79 | + |
| 80 | +#### Example |
| 81 | + |
| 82 | +An example event for `alert` looks as following: |
| 83 | + |
| 84 | +{{event "alert"}} |
| 85 | + |
| 86 | +#### Exported fields |
| 87 | + |
| 88 | +{{fields "alert"}} |
| 89 | + |
| 90 | +### Event |
| 91 | + |
| 92 | +This is the `event` dataset. |
| 93 | + |
| 94 | +#### Example |
| 95 | + |
| 96 | +An example event for `event` looks as following: |
| 97 | + |
| 98 | +{{event "event"}} |
| 99 | + |
| 100 | +#### Exported fields |
| 101 | + |
| 102 | +{{fields "event"}} |
| 103 | + |
| 104 | +### Vulnerability |
| 105 | + |
| 106 | +This is the `vulnerability` dataset. |
| 107 | + |
| 108 | +#### Example |
| 109 | + |
| 110 | +An example event for `vulnerability` looks as following: |
| 111 | + |
| 112 | +{{event "vulnerability"}} |
| 113 | + |
| 114 | +#### Exported fields |
| 115 | + |
| 116 | +{{fields "vulnerability"}} |
0 commit comments