xDome

This Integration is part of the Claroty xDome Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

Use the xDome integration to manage assets and alerts. This integration was integrated and tested with version 1.0.0 of XDome.

Configure xDome on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for xDome.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | XDome public API base URL | | True |
    | API Token | The API token to use for connection | True |
    | Trust any certificate (not secure) | | False |
    | Use system proxy settings | | False |
    | The initial time to fetch from | | True |
    | Fetch Only Unresolved Device-Alert Pairs | | False |
    | Alert Types Selection | If no alert types are selected, all types will be fetched | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

xdome-get-device-alert-relations


Gets all device-alert pairs from xDome. You can apply a query-filter.

Base Command

xdome-get-device-alert-relations

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fields | Fields to return. Possible values are: all, alert_assignees, alert_category, alert_class, alert_id, alert_labels, alert_name, alert_type_name, alert_description, device_alert_detected_time, device_alert_status, device_alert_updated_time, device_assignees, device_category, device_effective_likelihood_subscore, device_effective_likelihood_subscore_points, device_first_seen_list, device_impact_subscore, device_impact_subscore_points, device_insecure_protocols, device_insecure_protocols_points, device_internet_communication, device_ip_list, device_known_vulnerabilities, device_known_vulnerabilities_points, device_labels, device_last_seen_list, device_likelihood_subscore, device_likelihood_subscore_points, device_mac_list, device_manufacturer, device_name, device_network_list, device_purdue_level, device_retired, device_risk_score, device_risk_score_points, device_site_name, device_subcategory, device_type, device_uid, mitre_technique_enterprise_ids, mitre_technique_enterprise_names, mitre_technique_ics_ids, mitre_technique_ics_names. Default is all. | Optional |
| filter_by | A filter_by object, refer to the xDome API documentation. | Optional |
| offset | An offset in the data. This can be used to fetch all data in a paginated manner, e.g., by requesting (offset=0, limit=100) followed by (offset=100, limit=100), (offset=200, limit=100), etc. | Optional |
| limit | Maximum number of items to fetch. | Optional |
| sort_by | Default: [{"field":"device_uid","order":"asc"},{"field":"alert_id","order":"asc"}]. Specifies how the returned data should be sorted. If more than one sort clause is passed, additional clauses will be used to sort data that is equal in all previous clauses. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| XDome.DeviceAlert.alert_id | Number | Platform unique Alert ID. |
| XDome.DeviceAlert.alert_name | String | The alert name, such as "Malicious Internet Communication: 62.172.138.35". |
| XDome.DeviceAlert.alert_type_name | String | An alert type such as "Outdated Firmware". |
| XDome.DeviceAlert.alert_class | String | The alert class, such as "Pre-Defined Alerts" and "Custom Alerts". |
| XDome.DeviceAlert.alert_category | String | Alert category such as "Risk" or "Segmentation". |
| XDome.DeviceAlert.alert_labels | String | The labels added to the alert manually or automatically. |
| XDome.DeviceAlert.alert_assignees | String | The users and/or groups the alert is assigned to. |
| XDome.DeviceAlert.alert_description | String | The alert description, such as "SMBv1 Communication was detected by 2 OT Device devices". |
| XDome.DeviceAlert.device_alert_detected_time | Date | Date and time when the Alert was first detected. |
| XDome.DeviceAlert.device_alert_updated_time | Date | Date and time of last Alert update. |
| XDome.DeviceAlert.device_alert_status | String | Device-Alert relation status (Resolved or Unresolved). |
| XDome.DeviceAlert.device_uid | UUID | A universal unique identifier (UUID) for the device. |
| XDome.DeviceAlert.device_name | String | The Device Name attribute is set automatically based on the priority of the Auto-Assigned Device attribute. You can also set it manually. The Device Name can be the device's IP, hostname, etc. |
| XDome.DeviceAlert.device_ip_list | List | IP address associated with the device. IPs may be suffixed by a / (annotation), where annotation may be a child device ID or (Last Known IP). |
| XDome.DeviceAlert.device_mac_list | List | MAC address associated with the device. |
| XDome.DeviceAlert.device_network_list | List | The network types, "Corporate" and/or "Guest", that the device belongs to. |
| XDome.DeviceAlert.device_category | String | The device category group (see "About Device Categorization" in the Knowledge Base). |
| XDome.DeviceAlert.device_subcategory | String | The device sub-category group (see "About Device Categorization" in the Knowledge Base). |
| XDome.DeviceAlert.device_type | String | The device type group (see "About Device Categorization" in the Knowledge Base). |
| XDome.DeviceAlert.device_assignees | String | The users and/or groups the device is assigned to. |
| XDome.DeviceAlert.device_labels | String | The labels added to the device manually or automatically. |
| XDome.DeviceAlert.device_retired | String | A boolean field indicating if the device is retired or not. |
| XDome.DeviceAlert.device_purdue_level | String | The network layer the device belongs to, based on the Purdue Reference Model for Industrial Control System (ICS). The network segmentation-based model defines OT and IT systems into six levels and the logical network boundary controls for securing these networks. |
| XDome.DeviceAlert.device_site_name | String | The name of the site within the organization the device is associated with. |
| XDome.DeviceAlert.device_first_seen_list | List | The date and time a device's NIC was first seen. |
| XDome.DeviceAlert.device_last_seen_list | List | The date and time a device's NIC was last seen. |
| XDome.DeviceAlert.device_risk_score | String | The calculated risk level of a device, such as "Critical", or "High". |
| XDome.DeviceAlert.device_risk_score_points | Number | The calculated risk points of a device, such as "54.1". |
| XDome.DeviceAlert.device_effective_likelihood_subscore | String | The calculated effective likelihood subscore level of a device, such as "Critical", or "High". |
| XDome.DeviceAlert.device_effective_likelihood_subscore_points | Number | The calculated effective likelihood subscore points of a device, such as "54.1". |
| XDome.DeviceAlert.device_likelihood_subscore | String | The calculated likelihood subscore level of a device, such as "Critical", or "High". |
| XDome.DeviceAlert.device_likelihood_subscore_points | Number | The calculated likelihood subscore points of a device, such as "54.1". |
| XDome.DeviceAlert.device_impact_subscore | String | The calculated impact subscore level of a device, such as "Critical", or "High". |
| XDome.DeviceAlert.device_impact_subscore_points | Number | The calculated impact subscore points of a device, such as "54.1". |
| XDome.DeviceAlert.device_insecure_protocols | String | The calculated level of the device's 'insecure protocols' likelihood factor, such as "Critical", or "High". |
| XDome.DeviceAlert.device_insecure_protocols_points | Number | The calculated points for 'insecure protocols' likelihood factor of a device, such as "54.1". |
| XDome.DeviceAlert.device_internet_communication | String | The manner of the device's communication over the internet. |
| XDome.DeviceAlert.device_known_vulnerabilities | String | The calculated level of the device's 'known vulnerabilities' likelihood factor, such as "Critical", or "High". |
| XDome.DeviceAlert.device_known_vulnerabilities_points | Number | The calculated points for 'known vulnerabilities' likelihood factor of a device, such as "54.1". |
| XDome.DeviceAlert.device_manufacturer | String | Manufacturer of the device, such as "Alaris". |
| XDome.DeviceAlert.mitre_technique_enterprise_ids | List | MITRE ATT&CK® Enterprise technique IDs mapped to the alert. |
| XDome.DeviceAlert.mitre_technique_enterprise_names | List | MITRE ATT&CK® Enterprise technique names mapped to the alert. |
| XDome.DeviceAlert.mitre_technique_ics_ids | List | MITRE ATT&CK® ICS technique IDs mapped to the alert. |
| XDome.DeviceAlert.mitre_technique_ics_names | List | MITRE ATT&CK® ICS technique names mapped to the alert. |

xdome-set-status-for-device-alert-relations


Set device-alert status to resolved or unresolved.

Base Command

xdome-set-status-for-device-alert-relations

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| alert_id | Alert ID, as indicated in the id field of an alert. | Required |
| device_uids | Device UUIDs, as indicated in the uid field of a device. | Optional |
| status | Set the device-alert status to resolved or unresolved. Possible values are: resolved, unresolved. | Required |

Context Output

There is no context output for this command.

xdome-get-device-vulnerability-relations


Get details of devices with their related vulnerabilities from the database. The data returned by this endpoint for each device corresponds to the vulnerabilities table in the single device page.

Base Command

xdome-get-device-vulnerability-relations

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| fields | Fields to return. Possible values are: all, device_network_list, device_category, device_subcategory, device_type, device_uid, device_asset_id, device_mac_list, device_ip_list, device_type_family, device_model, device_os_category, device_serial_number, device_vlan_list, device_retired, device_labels, device_assignees, device_hw_version, device_local_name, device_os_name, device_os_version, device_os_revision, device_os_subcategory, device_combined_os, device_endpoint_security_names, device_equipment_class, device_consequence_of_failure, device_management_services, device_ad_distinguished_name, device_ad_description, device_mdm_ownership, device_mdm_enrollment_status, device_mdm_compliance_status, device_last_domain_user, device_fda_class, device_mobility, device_purdue_level, device_purdue_level_source, device_dhcp_hostnames, device_http_hostnames, device_snmp_hostnames, device_windows_hostnames, device_other_hostnames, device_windows_last_seen_hostname, device_dhcp_last_seen_hostname, device_http_last_seen_hostname, device_snmp_last_seen_hostname, device_ae_titles, device_dhcp_fingerprint, device_note, device_domains, device_battery_level, device_internet_communication, device_financial_cost, device_handles_pii, device_machine_type, device_phi, device_cmms_state, device_cmms_ownership, device_cmms_asset_tag, device_cmms_campus, device_cmms_building, device_cmms_location, device_cmms_floor, device_cmms_department, device_cmms_owning_cost_center, device_cmms_asset_purchase_cost, device_cmms_room, device_cmms_manufacturer, device_cmms_model, device_cmms_serial_number, device_cmms_last_pm, device_cmms_technician, device_edr_is_up_to_date_text, device_mac_oui_list, device_ip_assignment_list, device_protocol_location_list, device_vlan_name_list, device_vlan_description_list, device_connection_type_list, device_ssid_list, device_bssid_list, device_wireless_encryption_type_list, device_ap_name_list, device_ap_location_list, device_switch_mac_list, device_switch_ip_list, device_switch_name_list, device_switch_port_list, device_switch_location_list, device_switch_port_description_list, device_wlc_name_list, device_wlc_location_list, device_applied_acl_list, device_applied_acl_type_list, device_collection_servers, device_edge_locations, device_number_of_nics, device_last_domain_user_activity, device_last_scan_time, device_edr_last_scan_time, device_retired_since, device_os_eol_date, device_last_seen_list, device_first_seen_list, device_wifi_last_seen_list, device_last_seen_on_switch_list, device_is_online, device_network_scope_list, device_ise_authentication_method_list, device_ise_endpoint_profile_list, device_ise_identity_group_list, device_ise_security_group_name_list, device_ise_security_group_tag_list, device_ise_logical_profile_list, device_cppm_authentication_status_list, device_cppm_roles_list, device_cppm_service_list, device_name, device_manufacturer, device_site_name, device_risk_score, device_risk_score_points, device_effective_likelihood_subscore, device_effective_likelihood_subscore_points, device_likelihood_subscore, device_likelihood_subscore_points, device_impact_subscore, device_impact_subscore_points, device_known_vulnerabilities, device_known_vulnerabilities_points, device_insecure_protocols, device_insecure_protocols_points, device_suspicious, device_switch_group_name_list, device_managed_by, device_authentication_user_list, device_collection_interfaces, device_slot_cards, device_cmms_financial_cost, device_software_or_firmware_version, device_enforcement_or_authorization_profiles_list, device_ise_security_group_description_list, device_recommended_firewall_group_name, device_recommended_zone_name, vulnerability_id, vulnerability_name, vulnerability_type, vulnerability_cve_ids, vulnerability_cvss_v2_score, vulnerability_cvss_v2_exploitability_subscore, vulnerability_cvss_v3_score, vulnerability_cvss_v3_exploitability_subscore, vulnerability_adjusted_vulnerability_score, vulnerability_adjusted_vulnerability_score_level, vulnerability_epss_score, vulnerability_sources, vulnerability_description, vulnerability_affected_products, vulnerability_recommendations, vulnerability_exploits_count, vulnerability_is_known_exploited, vulnerability_published_date, vulnerability_labels, vulnerability_assignees, vulnerability_note, vulnerability_last_updated, vulnerability_relevance, vulnerability_relevance_sources, vulnerability_manufacturer_remediation_info, vulnerability_manufacturer_remediation_info_source, vulnerability_overall_cvss_v3_score, device_vulnerability_detection_date, device_vulnerability_resolution_date, device_vulnerability_days_to_resolution, patch_install_date. Default is all. | Optional |
| filter_by | A filter_by object, refer to the xDome API documentation. Input as a string and don't forget to escape quotes (\"). | Optional |
| sort_by | Default: [{"field":"device_uid","order":"asc"}, {"field":"vulnerability_id","order":"asc"}]. Specifies how the returned data should be sorted. If more than one sort clause is passed, additional clauses will be used to sort data that is equal in all previous clauses. | Optional |
| offset | An offset in the data. This can be used to fetch all data in a paginated manner, e.g., by requesting (offset=0, limit=100) followed by (offset=100, limit=100), (offset=200, limit=100), etc. | Optional |
| limit | Maximum number of items to fetch. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| XDome.DeviceVulnerability.vulnerability_name | String | Name designated by Claroty's Research team, based on the advisory name or CVE ID. |
| XDome.DeviceVulnerability.vulnerability_type | String | Type such as "Application", "Clinical", "IoT" or "Platform". |
| XDome.DeviceVulnerability.vulnerability_cve_ids | List | Relevant Common Vulnerability Exploits for the selected vulnerability. |
| XDome.DeviceVulnerability.vulnerability_cvss_v3_score | Number | Common Vulnerability Scoring System Version 3 score (0-10). In case of multiple CVEs, the highest Subscore is displayed. |
| XDome.DeviceVulnerability.vulnerability_adjusted_vulnerability_score | Number | The Adjusted Vulnerability Score represents the vulnerability score based on its impact and exploitability. |
| XDome.DeviceVulnerability.vulnerability_adjusted_vulnerability_score_level | String | The calculated Adjusted Vulnerability Score (AVS) level of a vulnerability, such as "Critical", or "High". |
| XDome.DeviceVulnerability.vulnerability_epss_score | Number | A probability score between 0 and 1 indicating the likelihood of a vulnerability to be exploited in the wild, based on the Exploit Prediction Scoring System (EPSS) model. |
| XDome.DeviceVulnerability.vulnerability_description | String | Details about the vulnerability. |
| XDome.DeviceVulnerability.vulnerability_exploits_count | Number | An aggregated numeric field of the number of known exploits based on ExploitDB. |
| XDome.DeviceVulnerability.vulnerability_is_known_exploited | Boolean | A boolean field indicating whether a vulnerability is currently exploited in-the-wild, based on the CISA Catalog of Known Exploited Vulnerabilities. |
| XDome.DeviceVulnerability.vulnerability_published_date | Date | The date and time the vulnerability was released. |
| XDome.DeviceVulnerability.vulnerability_relevance | String | The device vulnerability relevance reflects the confidence level of the detection process, corresponding to several components, such as the vulnerability type. |
| XDome.DeviceVulnerability.device_vulnerability_detection_date | Date | The date when the vulnerability was initially detected on the device. A vulnerability is considered detected once marked as "confirmed" or "potentially relevant" for the respective device. |
| XDome.DeviceVulnerability.device_network_list | List | The network types, "Corporate" and/or "Guest", that the device belongs to. |
| XDome.DeviceVulnerability.device_category | String | The device category group (see "About Device Categorization" in the Knowledge Base). |
| XDome.DeviceVulnerability.device_subcategory | String | The device sub-category group (see "About Device Categorization" in the Knowledge Base). |
| XDome.DeviceVulnerability.device_type | String | The device type group (see "About Device Categorization" in the Knowledge Base). |
| XDome.DeviceVulnerability.device_uid | String | A universal unique identifier (UUID) for the device. |
| XDome.DeviceVulnerability.device_asset_id | String | Asset ID. |
| XDome.DeviceVulnerability.device_mac_list | List | MAC address associated with the device. |
| XDome.DeviceVulnerability.device_ip_list | List | IP address associated with the device. IPs may be suffixed by a / (annotation), where annotation may be a child device ID or (Last Known IP). |
| XDome.DeviceVulnerability.device_type_family | String | The device type family group (see "About Device Categorization" in the Knowledge Base). |
| XDome.DeviceVulnerability.device_model | String | The device's model. |
| XDome.DeviceVulnerability.device_os_category | String | The device's OS category, such as "Windows", "Linux" or "Other". |
| XDome.DeviceVulnerability.device_serial_number | String | The device's serial number. |
| XDome.DeviceVulnerability.device_vlan_list | List | The virtual LAN to which the device belongs. |
| XDome.DeviceVulnerability.device_labels | List | The labels added to the device manually or automatically. |
| XDome.DeviceVulnerability.device_assignees | List | The users and/or groups the device is assigned to. |
| XDome.DeviceVulnerability.device_hw_version | String | The hardware version of the device. |
| XDome.DeviceVulnerability.device_local_name | String | Similar to hostname, the device name identifier is extracted from protocol traffic. |
| XDome.DeviceVulnerability.device_combined_os | String | The aggregated value of OS name, version and revision, such as "Windows XP SP3". |
| XDome.DeviceVulnerability.device_endpoint_security_names | List | The names of endpoint security applications installed on the device. |
| XDome.DeviceVulnerability.device_equipment_class | String | Determines the equipment class of the device, according to The Joint Commission (TJC). |
| XDome.DeviceVulnerability.device_management_services | String | Defines whether the device is managed by Active Directory, Mobile Device Management, or neither. |
| XDome.DeviceVulnerability.device_purdue_level | String | The network layer the device belongs to, based on the Purdue Reference Model for Industrial Control System (ICS). The network segmentation-based model defines OT and IT systems into six levels and the logical network boundary controls for securing these networks. |
| XDome.DeviceVulnerability.device_http_last_seen_hostname | String | The most recent unique hostname identifier of the device, extracted from HTTP protocol traffic. |
| XDome.DeviceVulnerability.device_snmp_last_seen_hostname | String | The most recent unique hostname identifier of the device, extracted from SNMP protocol traffic. |
| XDome.DeviceVulnerability.device_note | String | The notes added to the device. |
| XDome.DeviceVulnerability.device_domains | List | The domain name of the network that the device belongs to. |
| XDome.DeviceVulnerability.device_internet_communication | String | The manner of the device's communication over the internet. |
| XDome.DeviceVulnerability.device_edr_is_up_to_date_text | String | Determines whether the endpoint security application installed on the device is up-to-date. |
| XDome.DeviceVulnerability.device_mac_oui_list | List | The vendor of the device's NIC, according to the OUI (Organizational Unique Identifier) in the MAC address. |
| XDome.DeviceVulnerability.device_ip_assignment_list | List | The device's IP assignment method, extracted from DHCP protocol traffic, such as "DHCP", "DHCP (Static Lease)", or "Static". |
| XDome.DeviceVulnerability.device_vlan_name_list | List | The name of the VLAN, extracted from switch configurations. |
| XDome.DeviceVulnerability.device_vlan_description_list | List | The description of the VLAN, extracted from switch configurations. |
| XDome.DeviceVulnerability.device_connection_type_list | List | The connection types of a device, such as "Ethernet". |
| XDome.DeviceVulnerability.device_ssid_list | List | The name of the wireless network the device is connected to, such as "Guest". |
| XDome.DeviceVulnerability.device_ap_location_list | List | The location of the access point the device is connected to, extracted from Network Management integrations. |
| XDome.DeviceVulnerability.device_switch_port_list | List | The port identifier of the switch the device is connected to. |
| XDome.DeviceVulnerability.device_switch_location_list | List | The location of the switch the device is connected to. |
| XDome.DeviceVulnerability.device_number_of_nics | Number | The number of network interface cards seen on the network. |
| XDome.DeviceVulnerability.device_last_seen_list | List | The date and time a device's NIC was last seen. |
| XDome.DeviceVulnerability.device_first_seen_list | List | The date and time a device's NIC was first seen. |
| XDome.DeviceVulnerability.device_is_online | Boolean | A boolean field indicating whether the device is online or not. |
| XDome.DeviceVulnerability.device_network_scope_list | List | The device's Network Scope - used to differentiate between internal networks that share the same IP subnets. |
| XDome.DeviceVulnerability.device_name | String | The Device Name attribute is set automatically based on the priority of the Auto-Assigned Device attribute. You can also set it manually. The Device Name can be the device's IP, hostname, etc. |
| XDome.DeviceVulnerability.device_manufacturer | String | Manufacturer of the device, such as "Alaris". |
| XDome.DeviceVulnerability.device_site_name | String | The name of the site within the healthcare organization the device is associated with. |
| XDome.DeviceVulnerability.device_risk_score | String | The calculated risk level of a device, such as "Critical", or "High". |
| XDome.DeviceVulnerability.device_risk_score_points | Number | The calculated risk points of a device, such as "54.1". |
| XDome.DeviceVulnerability.device_effective_likelihood_subscore | String | The calculated effective likelihood subscore level of a device, such as "Critical", or "High". |
| XDome.DeviceVulnerability.device_effective_likelihood_subscore_points | Number | The calculated effective likelihood subscore points of a device, such as "54.1". |
| XDome.DeviceVulnerability.device_likelihood_subscore | String | The calculated likelihood subscore level of a device, such as "Critical", or "High". |
| XDome.DeviceVulnerability.device_likelihood_subscore_points | Number | The calculated likelihood subscore points of a device, such as "54.1". |
| XDome.DeviceVulnerability.device_impact_subscore | String | The calculated impact subscore level of a device, such as "Critical", or "High". |
| XDome.DeviceVulnerability.device_impact_subscore_points | Number | The calculated impact subscore points of a device, such as "54.1". |
| XDome.DeviceVulnerability.device_suspicious | List | The reasons for which the device was marked as suspicious. |
| XDome.DeviceVulnerability.device_authentication_user_list | List | The User name used to authenticate the device to the network using Radius/802.1x is extracted from the NAC integration and the traffic. |
| XDome.DeviceVulnerability.device_software_or_firmware_version | String | The application version running on the device. |
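
The following is an added example, not code from the integration or from Claroty. It walks the offset/limit pagination described for xdome-get-device-vulnerability-relations, escapes a sort_by value for entry as a string, and orders the resulting relations for triage using the vulnerability_is_known_exploited, vulnerability_epss_score and device_risk_score_points outputs. The `fetch_page` callable, the `uid-*`/`v*` identifiers, the sample rows and the exact CLI rendering are assumptions made so the block runs offline.

```python
import json

# Default sort_by from the Input table: sorting on both keys gives every
# device-vulnerability relation a fixed position from one page to the next.
DEFAULT_SORT = [{"field": "device_uid", "order": "asc"},
                {"field": "vulnerability_id", "order": "asc"}]


def cli_arg(name, value):
    """Render a JSON value as name="..." with the inner quotes backslash-escaped."""
    return f"{name}={json.dumps(json.dumps(value, separators=(',', ':')))}"


def fetch_all(fetch_page, limit=100, max_pages=500):
    """Request (offset=0, limit), (offset=limit, limit), ... until a short page.

    fetch_page(offset, limit) is a hypothetical callable that returns one page
    of relations as a list of dicts. Rows are de-duplicated on
    (device_uid, vulnerability_id) in case data shifts between requests.
    """
    seen, rows = set(), []
    for page_no in range(max_pages):
        page = fetch_page(offset=page_no * limit, limit=limit)
        for row in page:
            key = (row["device_uid"], row["vulnerability_id"])
            if key not in seen:
                seen.add(key)
                rows.append(row)
        if len(page) < limit:
            return rows
    raise RuntimeError("max_pages reached before the last page")


def prioritize(rows):
    """Order by known-exploited flag, then EPSS, then device risk points, descending."""
    def rank(row):
        return (bool(row.get("vulnerability_is_known_exploited")),
                row.get("vulnerability_epss_score") or 0.0,
                row.get("device_risk_score_points") or 0.0)
    return sorted(rows, key=rank, reverse=True)


def _row(uid, vid, epss, kev, risk):
    return {"device_uid": uid, "vulnerability_id": vid,
            "vulnerability_epss_score": epss,
            "vulnerability_is_known_exploited": kev,
            "device_risk_score_points": risk}


# Constructed sample relations (not real xDome data), already in DEFAULT_SORT order.
SAMPLE = [
    _row("uid-a", "v1", 0.02, False, 54.1),
    _row("uid-a", "v2", 0.91, True, 54.1),
    _row("uid-b", "v1", 0.02, False, 80.0),
    _row("uid-b", "v3", None, True, 80.0),   # EPSS missing for this relation
    _row("uid-c", "v2", 0.91, True, 12.5),
]


def sample_fetch_page(offset, limit):
    """Stand-in for the command: returns one slice of SAMPLE."""
    return SAMPLE[offset:offset + limit]


if __name__ == "__main__":
    print("!xdome-get-device-vulnerability-relations", cli_arg("sort_by", DEFAULT_SORT))
    for r in prioritize(fetch_all(sample_fetch_page, limit=2)):
        print(r["device_uid"], r["vulnerability_id"],
              r["vulnerability_is_known_exploited"], r["vulnerability_epss_score"])
```

When the total number of relations is an exact multiple of `limit`, the loop issues one extra request that returns an empty page; that empty page is what ends the walk.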