Claroty xDome Connector
Claroty xDome is an OT/IoT security platform that provides deep visibility into industrial and connected device environments and identifies cyber risks across operational networks.
ETM ingests host assets and associated vulnerability findings from Claroty xDome to correlate OT exposures with broader enterprise risk and prioritize remediation.
Connector Details
High-level capabilities and supported features of the Claroty xDome connector.
| Vendor | Claroty |
| Product Name | Claroty xDome |
| Category | OT/IoT Security |
| Assets Supported | Devices |
| Findings Supported | Devices and Vulnerabilities |
| Supported Version & Type | SaaS (Latest) |
| Integration Type | API Integration (REST) |
| Direction | Unidirectional (Claroty to Qualys) |
| Delta Support | Not Supported |
| Import of Installed Software | Not Supported |
| Import of Source Tags | Not Supported |
| Filter Support | Yes |
| Version | 1.0.0 |
Connection Settings
User Roles and Permissions
To generate an API Token in Claroty xDome:
- Log in to the Claroty xDome portal as an Administrator.
- Navigate to Settings > Admin Settings.
- Go to User Management and click Add User.
- Select User Type: API User.
- Enter a unique User Name (different from your portal login).
- Click Edit Site Permissions.
- Select required sites (or choose Select All).
- Select Role: Read-Only User.
- (Optional) Enable Include Future Sites.
- Click Create User.
- Click Generate Token.
- Select token expiration and click Generate.
- Copy and securely store the generated token (it cannot be viewed again).
If you do not have permission to create API users, contact your Claroty xDome administrator.
Authentication Details
Provide the following credentials when configuring the connector:
| Name | Key | Type | Description |
|---|---|---|---|
| API URL | api_url |
String | Claroty API base URL (region specific). Example: https://api.medigate.io |
| API Token | api_token |
Encrypted String | Generated API Token |
API Endpoints
| Function | Endpoint | Method |
|---|---|---|
| Fetch Devices (Assets) | https://<region>.medigate.io/api/v1/devices/ |
GET |
| Fetch Vulnerabilities | https://<region>.medigate.io/api/v1/device_vulnerability_relations/ |
GET |
Connector Configuration
Basic Details
- Log in to Qualys ETM.
- Navigate to Connectors > Integration.
- Select Claroty xDome Connector and click Manage.
- Provide a Name and Description.
- Select the appropriate Qualys Data Model:
- Asset Only: Asset → HostAsset
- Asset + Vulnerability: Vulnerability → HostAsset
- Enter API URL and API Token.
Preserve Findings Missing in Latest Sync:
If selected, findings absent in the latest run retain their previous status. If not selected, missing findings are automatically marked as Fixed. This behavior is determined at connection creation time.
Data Model
The connector provides an out-of-box Claroty xDome default schema aligned to the Qualys ETM data model. You can review the schema in ETM to understand supported attributes.
Transform Maps
Default transform maps are provided for both Asset-only and Asset + Vulnerability configurations.
- Click Create New to define a custom transform map.
- Provide Transform Map Name, Source Data Model, and Target Data Model.
- Alternatively, select Clone to duplicate and modify the default map.
Asset Only Transformation Map
| Source Field | Target Field |
|---|---|
| device_name | hostName |
| site_name | assignedLocation.name |
| hw_version | biosInfo.biosDescription |
| manufacturer | biosInfo.manufacturer |
| model | biosInfo.model |
| cmms_ownership | businessMetaData.ownedBy |
| cmms_department | businessMetaData.department |
| management_services | businessMetaData.managedBy |
| cmms_state | businessMetaData.status |
| assignees | businessMetaData.supportedBy |
| cmms_technician | businessMetaData.supportGroup |
| domains.0 | domain |
| uid | externalAssetId |
| first_seen | firstFoundDate (with DATE_FORMAT function) |
| dhcp_last_seen_hostname | fqdn |
| network_list.0 | networkInterfaces[].interfaceName |
| ip_list.0 | networkInterfaces[].ipAddress |
| last_domain_user_activity | lastBoot |
| last_domain_user | lastLoggedOnUser |
| last_seen_reported | lastUpdatedDate (with DATE_FORMAT function) |
| mac_list.0 | networkInterfaces[].macAddress |
| windows_last_seen_hostname | netBiosName |
| os_name | operatingSystem.name |
| os_category | operatingSystem.publisher |
| os_version | operatingSystem.version |
| serial_number | serialNumber |
| device_category | customConnectorAttributes.& (device_category) |
| device_type | customConnectorAttributes.& (device_type) |
| device_subcategory | customConnectorAttributes.& (device_subcategory) |
| machine_type | customConnectorAttributes.& (machine_type) |
| mobility | customConnectorAttributes.& (mobility) |
| risk_score_points | customConnectorAttributes.& (risk_score_points) |
| risk_score | customConnectorAttributes.& (risk_score) |
Asset and Vulnerability Transformation Map
| Source Field | Target Field |
|---|---|
| device_name | hostName |
| site_name | assignedLocation.name |
| hw_version | biosInfo.biosDescription |
| manufacturer | biosInfo.manufacturer |
| model | biosInfo.model |
| cmms_ownership | businessMetaData.ownedBy |
| cmms_department | businessMetaData.department |
| management_services | businessMetaData.managedBy |
| cmms_state | businessMetaData.status |
| assignees | businessMetaData.supportedBy |
| cmms_technician | businessMetaData.supportGroup |
| domains.0 | domain |
| uid | externalAssetId |
| first_seen | firstFoundDate (DATE_FORMAT) |
| dhcp_last_seen_hostname | fqdn |
| network_list.0 | networkInterfaces[].interfaceName |
| ip_list.0 | networkInterfaces[].ipAddress |
| last_domain_user_activity | lastBoot |
| last_domain_user | lastLoggedOnUser |
| last_seen_reported | lastUpdatedDate (DATE_FORMAT) |
| mac_list.0 | networkInterfaces[].macAddress |
| windows_last_seen_hostname | netBiosName |
| os_name | operatingSystem.name |
| os_category | operatingSystem.publisher |
| os_version | operatingSystem.version |
| serial_number | serialNumber |
| device_category | customConnectorAttributes.& |
| device_type | customConnectorAttributes.& |
| device_subcategory | customConnectorAttributes.& |
| machine_type | customConnectorAttributes.& |
| mobility | customConnectorAttributes.& |
| risk_score_points | customConnectorAttributes.& |
| risk_score | customConnectorAttributes.& |
| devices_vulnerabilities[].vulnerability_id | finding[].externalFindingId |
| devices_vulnerabilities[].vulnerability_name | finding[].name |
| devices_vulnerabilities[].vulnerability_description | finding[].description |
| devices_vulnerabilities[].references[] | finding[].references[] |
| devices_vulnerabilities[].findingUrl | finding[].findingURL |
| devices_vulnerabilities[].findingDetectionURL | finding[].findingDetectionURL |
| devices_vulnerabilities[].vulnerability_adjusted_vulnerability_score | finding[].riskScore |
| devices_vulnerabilities[].vulnerability_adjusted_vulnerability_score | finding[].sourceRiskScore |
| devices_vulnerabilities[].vulnerability_adjusted_vulnerability_score_level | finding[].severity (LOOKUP) |
| vulnerability_relevance | finding[].confidenceString |
| devices_vulnerabilities[].device_vulnerability_detection_date | finding[].firstFoundOn (DATE_FORMAT) |
| devices_vulnerabilities[].vulnerability_last_updated | finding[].lastFoundOn (DATE_FORMAT) |
| devices_vulnerabilities[].device_vulnerability_resolution_date | finding[].lastFixedOn (DATE_FORMAT) |
| devices_vulnerabilities[].vulnerability_manufacturer_remediation_info.0 | finding[].remediation.remediationStrategy |
| devices_vulnerabilities[].vulnerability_cve_id | finding[].findingType.vulnerability.cveId |
| devices_vulnerabilities[].vulnerability_relevance | finding[].typeDetected |
| devices_vulnerabilities[].vulnerability_cvss_v3_exploitability_subscore | finding[].findingType.vulnerability.cvss.cvss3Temporal |
| devices_vulnerabilities[].vulnerability_cvss_v2_exploitability_subscore | finding[].findingType.vulnerability.cvss.cvss2Temporal |
| devices_vulnerabilities[].vulnerability_cvss_v2_score | finding[].findingType.vulnerability.cvss.cvss2Base |
| devices_vulnerabilities[].vulnerability_cvss_v3_score | finding[].findingType.vulnerability.cvss.cvss3Base |
| devices_vulnerabilities[].vulnerability_is_known_exploited | finding[].findingType.vulnerability.isExploitAvailable |
Severity Lookup Mapping:
| Claroty Severity | Qualys Severity |
|---|---|
| MEDIUM | 3 |
| HIGH | 4 |
| CRITICAL | 5 |
The connector supports up to 200 custom connector attributes.
Profiles
Profiles control the execution of the connector.
- Click + to add a new profile.
- Provide a Name and Description.
- Select the required Transform Map.
- Set Status (Active or Inactive).
- Configure a Schedule: Single Occurrence or Recurring with start and end dates/times.
The following additional fields are available on the Profile configuration screen:
- Dashboard URL: The dashboard URL from the Claroty xDome portal used for user login.
- Device Category: Category of devices to be ingested by the connector. Accepted values include IoT, OT, and Medical.
- Retired Devices Only: Select this checkbox to ingest only retired devices from the Claroty xDome environment.
Scoring
Map non-CVE vulnerability scores to Qualys Detection Score (QDS) using five severity levels (1–5). Define Expected Source Values and corresponding QDS (0–100). Configure a Default Severity for unmapped values.
Identification Rules
Identification Rules determine how imported findings are matched to assets in ETM. Default Qualys CSAM precedence rules are applied. You may proceed without modification.
How Does a Connection Work?
The Claroty xDome connector executes according to the configured profile schedule or on-demand trigger. During each run, it performs a full data pull of device and vulnerability data from Claroty and imports it into ETM.
After successful execution, the connector state changes to Processed.
View Assets and Findings in ETM
After synchronization completes:
- Assets: Navigate to Enterprise TruRisk Management > Inventory > Assets > Host. Filter using:
tags.name:"Claroty xDome".
- Findings: Navigate to Risk Management > Findings > Vulnerability. Filter using:
finding.vendorProductName:"Claroty.
xDome"
