About

The Claroty context integration provides enriched asset context to Netography Fusion from Claroty Industrial Cybersecurity appliances. It connects to the Claroty CTD/EMC API to retrieve asset information and then adds Context Labels to the Netography Fusion API.

☁️

NetoFuse Modules: Cloud deployment vs. On-Prem deployment

This page documents how to add and configure the NetoFuse module for an on-prem deployment with a container or Python package. If you want to use the cloud deployment model and have this integration run in the Netography Fusion SaaS, you can add it as a context integration in the Netography Fusion Portal instead by consulting the Context Integrations documentation.

Supported Products

Claroty Threat Detection (CTD)

Claroty Enterprise Management Console (EMC)

⚖️

Integrate with Claroty EMC if you have deployed it; otherwise, integrate with Claroty CTD

Claroty EMC aggregates data from multiple Claroty CTD appliances. Therefore, if you have deployed one or more Claroty EMCs in your environment, follow the configuration steps for each Claroty EMC appliance rather than each Claroty CTD.

The API and configuration steps are identical for both CTD and EMC appliances, so they are not differentiated in the documentation or in the claroty NetoFuse module.

API Configuration Parameters

All the fields required for this integration are listed here, along with the corresponding environment variable name used to set that field in the NetoFuse module.

| Claroty Field | Required | NetoFuse Environment Variable | Description |
|---|---|---|---|
| URL | Yes | NETO__CLAROTY__URL | URL used to access Claroty appliance |
| username | Yes | NETO__CLAROTY__CREDENTIALS__USERNAME | Username to authenticate with |
| password | Yes | NETO__CLAROTY__CREDENTIALS__PASSWORD | Password to authenticate with |

Claroty CTD/EMC Configuration

Create a read-only account in Claroty

  1. Log in to the Claroty CTD or EMC appliance.
  2. Click the gear icon in the bottom left of the screen.
  3. Select User Management > Users and click + to add a user.
  4. Add a user (e.g. neto-api-user) and save.
  5. Go to User Management > Groups and click + to add a group.
  6. Add a group (e.g., Read Only API Group) and add the user you created to it.
  7. Provide read permissions for the site(s) and assets as appropriate.

You can select more granular permissions for the group based on the data you want to be read from the system.

Consult the Claroty documentation if you encounter problems creating a user.

Use the account you just created, along with the URL to the appliance you created the account on, to configure the claroty NetoFuse module.

claroty NetoFuse Module Configuration

All the fields required for this integration are listed in the API Configuration Parameters section above. See Configure > module for additional options for setting configuration fields and Credential Storage for additional options for setting credentials.

Advanced Configuration Options

You can edit the module configuration to modify what assets and asset fields the Claroty API returns. By default, all assets available to the user authenticated to the API will be retrieved.

The params: section passes these fields as arguments to the Claroty API /ranger/assets command. You do not need to edit these values unless you want to filter the list of assets and fields returned by the Claroty API.

If no fields param is added, all asset fields are returned by the API, increasing the load on the Claroty appliance. If you will only use a few fields from Claroty as context labels and have a large Claroty deployment, you may want to define the specific fields to retrieve.

Consult the Claroty Web API User Guide for further assistance configuring these parameters, and use the Claroty API Explorer to experiment with parameters.

For example, you can add a field site_id__exact that will filter the list of assets returned to only those matching a specific site ID. Multiple IDs can be set on the field, joined with Claroty's separator, which is: ,;$

default claroty module configuration

  claroty:
    url:
    per_page: 5000
    params:
      format: asset_list
      insight_status__exact: "0"
      approved__exact: true
      valid__exact: true
      special_hint__exact: "0"
      fields: null
    credentials:
      username:
      password:
    transform:
      ipv4:
        context: ip
      ipv6:
        context: ip
      id:
        context: claroty_id
      name:
        context: name
      mac:
        context: mac_addr
      class_type:
        context: claroty_class
      asset_type__:
        context: claroty_type
      criticality__:
        context: criticality
        replace:
          eLow: low
          eMedium: medium
          eHigh: high
      risk_level:
        context: risk
        replace:
          "0": low
          "1": medium
          "2": high
      site_name:
        context: site
      vendor:
        context: manufacturer
      serial_number:
        context: serial_number
      virtual_zone_Name:
        context: zone
      os:
        - context: osver
        - context: os
          function:
            function: transform_os
      timestamp:
        context: lastseen
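
The site filter described under Advanced Configuration Options, written into the params: section of the default configuration. This is an added example, not part of the original documentation; the site IDs 1 and 3 are constructed placeholders, and every other key keeps its default value.

```yaml
# Added example: only the params: block is shown. url, per_page,
# credentials and transform stay as in the default configuration.
claroty:
  params:
    format: asset_list
    insight_status__exact: "0"
    approved__exact: true
    valid__exact: true
    special_hint__exact: "0"
    # Constructed site IDs 1 and 3, joined with Claroty's separator ,;$
    # Quoted so YAML passes the value through as one literal string.
    site_id__exact: "1,;$3"
    # Left at the default: all asset fields are returned. The value format
    # for restricting fields is not shown on this page; see the Claroty
    # Web API User Guide before changing it.
    fields: null
```

Restricting the query to the sites you actually label, together with the site-scoped read permissions on the API group, keeps the integration from pulling asset data it does not need.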