The Claroty connector ingests asset and vulnerability data from Claroty into Qualys ETM for centralized risk analysis and prioritization.
What is the Claroty API Connector?
The connector establishes a secure, scheduled bridge between Claroty and Qualys ETM, transferring device/asset and vulnerability information which ETM normalizes and scores using TruRisk.
| Category | Supported Asset Type | Supported Finding Type |
|---|---|---|
| API Connector | Host Asset | Vulnerability and Assets |
Prerequisites
User Roles and Permissions
You need a Claroty account with permissions to view Visibility and Risk and Vulnerabilities. Create a user and assign roles via Settings > User Management (User, then RBAC).
API Access Information
- Base URL (Claroty platform)
- Username and Password for the Claroty platform
Reference: Claroty API documentation at https://<your-claroty-url>/ranger/apidocs.
Create User
- From the Claroty instance navigate to the Settings > User Management > User page.
- Click on the + sign to create a new user.
- On the opened pop-up provide required details and click on Add button.
Assign Role to the User
- From the Claroty instance navigate to the Settings > User Management > Role Based Access Control page.
- Click on the + sign to create a new role.
- On the opened pop-up provide Role Name and in Permission select View for Visibility and Risk and Vulnerabilities.
- Select the created user from the dropdown.
- Click Save.
Connector Configuration
Basic Details
- Provide the connector Name and Description.
- Select the type of findings (supported: Vulnerability / Host Asset).
- Enter authentication details: Base URL, Username, Password.
Authentication Details
| Name | Key | Type | Description / Example |
|---|---|---|---|
| Base URL | baseUrl |
String | Base URL of Claroty platform. |
| Username | username |
String | Username for Claroty platform (e.g., user1). |
| Password | password |
Encrypted | Password for Claroty platform. |
Data Model
The connector provides out-of-the-box models to map Claroty data to the Qualys ETM schema (Asset-only or Asset+Vulnerability).
Transform Maps
Use the default transform map, or create/clone maps to customize field mapping from Claroty to ETM.
Create New > set Transform Map Name, Source Data Model, Target Data Model.
Profile
Create a profile with Name, Description, Transform Map, Status (Active/Inactive), and Schedule (Single or Recurring).
When editing a connector, you can find the Retain Delta checkbox. Select this checkbox to retain delta that has already been set for this connection. Deselecting this resets delta and begins fresh ingestion.
Scoring
Map vendor non-CVE scores to QDS (1–5 severities > QDS 0–100). Configure a Default Severity for unmatched values.
Select Identification Rules
The Identification Rules are a set of out-of-the-box precedence rules set by Qualys CSAM. The connector discovers findings based on the order set by the selected Identification Rules.
You can proceed to the next step without making any changes to this screen.
If you don't want to choose a specific rule, turn off the toggle next to it. But, ensure that at least one rule is selected.
To learn more about the different rules and options present in this screen, refer to the CSAM Online Help.
How Does a Connection Work?
On schedule (or on-demand), the connector fetches Claroty findings and imports them into ETM. Profiles define what is synchronized and when. The Claroty vulnerability connector performs a full pull on each execution.
In the Connector screen, you can find your newly configured connector listed and marked in the Processed state.
Connector States
A successfully configured connector goes through 4 states.
- Registered - The connector is successfully created and registered to fetch data from the vendor.
- Scheduled - The connector is scheduled to execute a connection with the vendor.
- Processing - A connection is executed and the connector is fetching the asset and findings data.
- Processed - The connector has successfully fetched the assets, it may still be under process of fetching the findings. Wait for some more time for the connector to fetch the findings completely.
The Processed state indicates that the Connector is successfully configured but it is under the process of importing all your assets and findings. This process (specifically for findings) may take some time.
This entire process may take up to 2 hours for completion. Once it is done, you can find the imported data in Enterprise TruRisk Management (ETM).
View Assets and Findings in ETM
- Assets: Inventory > Assets > Host. Filter with
tags.name:"Claroty".
- Findings: Risk Management > Findings > Vulnerability. Filter with
finding.vendorProductName:"Claroty".
Additional Information
Profile Details
| Name | Key | Type | Description / Example |
|---|---|---|---|
| Site ID | site_id__exact |
Integer | Identifier of the Site in which the device resides (e.g., 1). |
| Risk Level | risk_level__exact |
Single Select | CTD risk level; only devices with this level are fetched. |
| Criticality | criticality__exact |
Single Select | CTD asset criticality; only devices with this value are fetched. |
API Reference
See Claroty API docs: /ranger/apidocs on your Claroty base URL.
Claroty Vulnerability Data Model Map
The Claroty to Qualys Vulnerability data model mapping.
|
Source Field |
Target Field |
|---|---|
|
id |
externalAssetId |
|
Host Name |
assetName |
|
IPv4 Address |
ipAddress |
|
IPv6 Address |
ipAddress |
|
MAC Address |
macAddress |
|
BIOS Model |
biosInfoModel |
|
serial_number |
biosInfoSerialNumber |
|
os |
operatingSystemName |
|
CVE-ID |
cveId |
|
Score (CVSS) |
cvss3Base |
|
Title |
findingName |
|
Full Summary |
findingDescription |
Claroty Asset Data Model Map
The Claroty to Qualy Asset data model mapping.
|
Source Field |
Target Field |
|---|---|
|
ID |
externalAssetId |
|
Host Name |
assetName |
|
Class Type |
System Type |
|
IPv4 Address |
ipv4Address |
|
IPv6 Address |
ipv6Address |
|
MAC Address |
macAddress |
|
Network Name |
interfaceName |
|
Operating System |
operatingSystemName |
|
OS Architecture |
operatingSystemArchitecture |
|
Model |
model |
|
Serial Number |
serialNumber |
|
Last Updated |
lastUpdatedDate |
|
First Seen |
firstFoundDate |