Claroty
About
The Claroty context integration provides enriched asset context to Netography Fusion from Claroty Industrial Cybersecurity appliances. It connects to the Claroty CTD/EMC API to retrieve asset information and then adds Context Labels to the Netography Fusion API.
NetoFuse Modules: Cloud deployment vs. On-Prem deployment
This page documents how to add and configure the NetoFuse module for an on-prem deployment with a container or Python package. If you want to use the cloud deployment model and have this integration run in the Netography Fusion SaaS, you can add it as a context integration in the Netography Fusion Portal instead by consulting the Context Integrations documentation.
Supported Products
Claroty Threat Detection (CTD)
Claroty Enterprise Management Console (EMC)
Integrate with Claroty EMC if you have deployed it, and with Claroty CTD if not
Claroty EMC aggregates data from multiple Claroty CTD appliances. Therefore, if you have deployed one or more Claroty EMCs in your environment, follow the configuration steps for each Claroty EMC appliance rather than each Claroty CTD.
The API and configuration steps are identical for both CTD and EMC appliances, so they are not differentiated in the documentation or in the `claroty` NetoFuse module.
API Configuration Parameters
All the fields required for this integration are listed here, along with the corresponding environment variable name used to set that field in the NetoFuse module.
Claroty Field | Required | NetoFuse Environment Variable | Description |
---|---|---|---|
URL | Yes | NETO__CLAROTY__URL | URL used to access Claroty appliance |
username | Yes | NETO__CLAROTY__CREDENTIALS__USERNAME | Username to authenticate with |
password | Yes | NETO__CLAROTY__CREDENTIALS__PASSWORD | Password to authenticate with |
Claroty CTD/EMC Configuration
Create a read-only account in Claroty
- Log in to the Claroty CTD or EMC appliance.
- Click the gear icon in the bottom left of the screen.
- Select User Management > Users and click `+` to add a user.
- Add a user (e.g. `neto-api-user`) and save.
- Go to User Management > Groups and click `+` to add a group.
- Add a group (e.g., `Read Only API Group`), add the user you created.
- Provide read permissions for the site(s) and assets as appropriate.
You can select more granular permissions for the group based on the data you want to be read from the system.
Consult the Claroty documentation if you encounter problems creating a user.
Use the account you just created, along with the URL to the appliance you created the account on, to configure the `claroty` NetoFuse module.
`claroty` NetoFuse Module Configuration
All the fields required for this integration are listed in the API Configuration Parameters section above. See Configure > module for additional options for setting configuration fields and Credential Storage for additional options for setting credentials.
Advanced Configuration Options
You can edit the module configuration to modify what assets and asset fields the Claroty API returns. By default, all assets available to the user authenticated to the API will be retrieved.
The `params:` section passes these fields as arguments to the Claroty API `/ranger/assets` command. You do not need to edit these values unless you want to filter the list of assets and fields returned by the Claroty API.
If no `fields` param is added, all asset fields are returned by the API, increasing the load on the Claroty appliance. If you will only use a few fields from Claroty as context labels and have a large Claroty deployment, you may want to define the specific fields to retrieve.
Consult the Claroty Web API User Guide for further assistance configuring these parameters, and use the Claroty API Explorer to experiment with parameters.
For example, you can add a field `site_id__exact` that will filter the list of assets returned to only those matching a specific site ID. Multiple IDs can be put on the field using Claroty's separator, which is: `,;$`
Default `claroty` module configuration
```yaml
claroty:
  url:
  per_page: 5000
  params:
    format: asset_list
    insight_status__exact: "0"
    approved__exact: true
    valid__exact: true
    special_hint__exact: "0"
    fields: null
  credentials:
    username:
    password:
  transform:
    ipv4:
      context: ip
    ipv6:
      context: ip
    id:
      context: claroty_id
    name:
      context: name
    mac:
      context: mac_addr
    class_type:
      context: claroty_class
    asset_type__:
      context: claroty_type
    criticality__:
      context: criticality
      replace:
        eLow: low
        eMedium: medium
        eHigh: high
    risk_level:
      context: risk
      replace:
        "0": low
        "1": medium
        "2": high
    site_name:
      context: site
    vendor:
      context: manufacturer
    serial_number:
      context: serial_number
    virtual_zone_Name:
      context: zone
    os:
      - context: osver
      - context: os
        function:
          function: transform_os
    timestamp:
      context: lastseen
```
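The following sketch shows how the `transform` section of the default configuration could turn one Claroty asset record into context labels. It is an added example, not NetoFuse code: the helper `to_labels`, the sample record, and the assumed semantics (`context` names the label, `replace` rewrites raw values, empty fields emit no label) are illustrative assumptions.

```python
# Added illustration, not NetoFuse source. Assumed semantics: `context` names the
# label to emit; `replace` rewrites a raw Claroty value before it is emitted.
TRANSFORM = {  # subset of the default transform section shown on this page
    "ipv4": {"context": "ip"},
    "name": {"context": "name"},
    "mac": {"context": "mac_addr"},
    "class_type": {"context": "claroty_class"},
    "criticality__": {
        "context": "criticality",
        "replace": {"eLow": "low", "eMedium": "medium", "eHigh": "high"},
    },
    "risk_level": {
        "context": "risk",
        "replace": {"0": "low", "1": "medium", "2": "high"},
    },
    "site_name": {"context": "site"},
    "vendor": {"context": "manufacturer"},
}

SAMPLE_ASSET = {  # constructed record, not real appliance output
    "ipv4": ["192.0.2.10"],
    "name": "plc-line-3",
    "mac": ["00:00:5e:00:53:01"],
    "class_type": "OT",
    "criticality__": "eHigh",
    "risk_level": 0,   # integer on purpose: replace keys in the config are quoted strings
    "site_name": "Plant A",
    "vendor": "",      # empty on purpose: should produce no label
}


def to_labels(asset, transform=TRANSFORM):
    """Map one asset record to {context_label: value} (hypothetical helper)."""
    labels = {}
    for field, rule in transform.items():
        raw = asset.get(field)
        if raw in (None, "", []):
            continue  # missing or empty field: emit nothing rather than a blank label
        # Compare as a string so an integer 0 matches the quoted "0" key;
        # values with no replacement entry pass through unchanged.
        value = rule.get("replace", {}).get(str(raw), raw)
        labels[rule["context"]] = value
    return labels


if __name__ == "__main__":
    for label, value in to_labels(SAMPLE_ASSET).items():
        print(f"{label} = {value}")
```

Running a few records through a check like this before enabling the module makes it easy to confirm which labels a restricted `fields` list would still produce.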
Updated 12 months ago