Elisity supports simple API connectivity to Claroty xDome as a method to enrich IT, IoT, IoMT and OT device discovery and identity. This allows data from Claroty to be pulled into IdentityGraph for use as Core Effective Attributes when creating policies, as well as enforcement status and device labels sent back to Claroty, enhancing the precision and accuracy of device classification and Policy Group matching. The Claroty xDome connector supports multiple endpoint configurations, enabling organizations with more than one xDome deployment to connect up to four independent endpoints to Cloud Control Center, each with its own API URL, API token, advanced settings, sharing options, and status reporting.
Prerequisites
- API URL - https://api.claroty.com (one per endpoint; verify the URL for each xDome deployment)
API Token - User-Generated in xDome - See steps below to generate a token in xDome. Each endpoint requires its own API token.
Note: You can verify the API URL by going to Help Center > API Documentation in xDome and downloading the OpenAPI specification. At the bottom of the document you will find the API Server URL.
Steps to Connect Claroty xDome
Step 1. Create an API User in xDome by logging into Claroty xDome and navigating to Settings > Admin Settings > User Management. Select + Add User and create an API User.
NOTE:
To share the Enforcement Status of an asset known to both Elisity and Claroty, the API User must meet one of the following conditions:
- Be assigned to a full Read/Write Role in Claroty.
- Be assigned to a custom Role that includes the following permissions:
- View Custom Attributes
- Edit Custom Attribute Values
-
Add Custom Attributes
To create a custom role, please review the Claroty documentation.
Otherwise a Read-Only User Role in Claroty will suffice for IdentityGraph enrichment only.
Step 2. After creating the user, select the Generate Token button to the right of the user name in the list.
Step 3. Copy the token to your clipboard as it is used in the connector configuration.
Note: If connecting multiple xDome deployments, repeat Steps 1 through 3 for each deployment to generate a separate API token for each endpoint.
Step 4. Log into Elisity Cloud Control Center and navigate to Settings > Connectors and select + Add Connector.
A list of tiles will slide out from the right side of the screen. Select configure on the Claroty xDome connector.
Step 5. Configure the first endpoint on the Required Configuration tab. Enter an Endpoint Name to identify this xDome deployment (for example, "Headquarters xDome" or "DC-East"). Enter the API URL (found in the prerequisites section of this document) and the API Token generated in a previous step, and optionally provide a Description. The Required Configuration tab also contains two per-endpoint sharing options, described in the table below.
| Share Asset Enforcement Status | When enabled, Cloud Control Center shares the Elisity enforcement status of each asset back to this xDome endpoint. See Sharing Asset Enforcement Status with Claroty xDome below for the full procedure. |
| Share Asset Labels | When enabled, Cloud Control Center shares manually defined Label values to this xDome endpoint. Disabled by default. See Sharing Device Labels with Claroty below for the full procedure. |
Note: Share Asset Enforcement Status and Share Asset Labels are configured per endpoint. When multiple endpoints are configured, enable these options on each endpoint where sharing is required.
Note: Cloud Control Center validates each endpoint configuration independently. The API URL and API Token must pass validation before the endpoint can be saved.
Step 6 (optional). Configure Advanced Settings for the endpoint. The Add xDome Endpoint panel includes an Advanced Settings tab in addition to the Required Configuration tab. These settings are optional — the endpoint functions with the defaults — and control how Cloud Control Center queries this specific endpoint. They apply only to the endpoint you are currently configuring.
| IP Only Based Lookup | Enables fallback behavior to query by IP address when a query by MAC address does not return a result. Disabled by default. |
| Query Exclusion Rules | Prevent the platform from querying the connector for additional device details within selected scopes. Enable the options as needed to exclude by Subnet (up to 100 subnets), by Virtual Edge Node (up to 100 nodes), and by Random MAC to exclude devices that use a randomized MAC address. All exclusion rules are disabled by default. |
Note: The Advanced Settings configured here can be changed later for any endpoint from Settings > Connectors > expand Claroty xDome > endpoint Actions > Edit Endpoint > Advanced Settings. They are distinct from the connector-wide Global Settings described below.
Step 7. To add additional endpoints, click CONFIGURE on the Claroty xDome tile in the Add Connector page. Each additional endpoint is configured the same way as a new connector — provide the endpoint name, description, API URL, and API token for the next xDome deployment. Repeat for each additional deployment. The connector supports up to four endpoints, and each endpoint is validated independently upon submission.
Step 8. After configuring all desired endpoints, select Submit to save the connector configuration. If the API URL and API Token for each endpoint are correct, all checks pass and the connector is created. After successful configuration, you should begin to see devices enriched by Claroty xDome in IdentityGraph.
Managing Connector and Endpoint Settings After Setup
The steps above cover the initial configuration. After the connector has been created, you can adjust its configuration at any time from Settings > Connectors. Configuration is separated into two levels: Global Settings that apply to the entire connector (all endpoints), and per-endpoint settings that apply only to an individual endpoint.
Global Settings (connector-wide)
To open Global Settings, locate the Claroty xDome connector row on the Connectors page, select the Actions (three-dot) menu, and choose Global Settings. These settings apply to every endpoint configured under the connector.
The Global Settings dialog contains two tabs: Advanced Settings and Interval Settings.
Advanced Settings tab
| Connector Data Purging | When Connector Data Purging is enabled, Cloud Control Center will purge all data learned about a device from this connector if the device is no longer found when querying the connected application. The time period between purge events is configurable and can be set between 1 and 90 days. While a device is no longer known by the connector but before the purge event occurs, the connector status for that device changes from "Up to Date" to "Stale." |
| Trusted Connector | Sets enrichment from this source to Trusted for Policy Groups and designates this connector as an authoritative identity source for Insights. |
Interval Settings tab
| Initial Delay | A configurable delay, in seconds, before Cloud Control Center checks the connector for updates. This setting applies to all configured endpoints. Default is 0 seconds. |
Per-Endpoint Settings
Each endpoint keeps its own Required Configuration and Advanced Settings. To change an endpoint after setup, expand the Claroty xDome connector row to reveal its configured endpoints, select the Actions (three-dot) menu on the endpoint row, and choose Edit Endpoint.
The Edit Endpoint dialog presents the same two tabs you used when first configuring the endpoint — Required Configuration (Endpoint Name, API URL, API Token, Description, and the Share Asset Enforcement Status and Share Asset Labels sharing options) and Advanced Settings (IP Only Based Lookup and Query Exclusion Rules). These fields are described under Steps 5 and 6 above and can be updated at any time. Changes apply only to the endpoint being edited.
Retired Device Enrichment: Cloud Control Center continues to enrich devices even when they are marked as "retired" in Claroty xDome. This ensures continuous device visibility and accurate policy group assignments, eliminating gaps in device classification and maintaining consistent segmentation policies.
Managing Multiple Endpoints
The Claroty xDome connector supports up to four endpoint configurations. Each endpoint represents an independent xDome deployment with its own API URL, API token, name, and status. This is useful for organizations that operate separate xDome instances across different sites, business units, or regions.
Endpoint Name Attribution: When a device is enriched by Claroty xDome, the endpoint name is recorded alongside the enrichment data. This allows administrators to identify which xDome deployment provided the enrichment for a given device in IdentityGraph device details.
Key considerations for multiple endpoints:
- Each endpoint is validated independently. If an endpoint fails validation, it does not affect other configured endpoints.
- The connector supports a maximum of four endpoints.
- Endpoint ordering cannot be changed after creation.
- The Share Asset Enforcement Status and Share Asset Labels options are configured per endpoint on the endpoint’s Required Configuration tab. Enable them on each endpoint where sharing is required.
- Global Settings (Connector Data Purging, Trusted Connector, and Initial Delay) apply at the connector level and affect all endpoints. Per-endpoint Advanced Settings (IP Only Based Lookup and Query Exclusion Rules) apply only to the endpoint on which they are configured.
- Existing single-endpoint configurations are fully compatible and do not require reconfiguration.
Connector Status
The Connector status reflects the health and availability of each configured endpoint based on recent query performance. To ensure accuracy and reduce false positives, the status is determined using a rolling 15-minute evaluation window. When multiple endpoints are configured, each endpoint reports its status independently.
Connector Status Levels:
- Active: Normal operation with minimal query failures.
- Degraded: Increased query failures detected, but the endpoint is still operational.
- Inactive: The endpoint is unresponsive due to persistent failures.
Failures are defined as unsuccessful query responses, and the platform continuously monitors performance to update the status accordingly. These status changes are visible in the UI, event logs, and notifications pane for better troubleshooting. Email alerts can also be configured for connector status changes.
If an endpoint has not been queried within the evaluation window, the last known status is retained. This approach ensures reliable status reporting and helps identify potential issues before they impact operations.
Sharing Asset Enforcement Status with Claroty xDome
Step 1. Ensure that the Share Asset Enforcement Status option is selected on the endpoint’s Required Configuration tab (Settings > Connectors > expand Claroty xDome > endpoint Actions > Edit Endpoint). This option is configured per endpoint; enable it on each endpoint where enforcement status should be shared.
Step 2. Ensure that at least one asset in the Cloud Control Center has an Enforcement Status of "Enforced." For an asset to display "Enforced" status, it must be associated with a Policy Group that belongs to an active policy set containing at least one active policy for that Policy Group. Note that simulated policies do not contribute to the "Enforced" status.
Step 3. Log into Claroty xDome and navigate to Devices > All Devices.
Step 4. On the device table select the gear icon.
Step 5. On the column selection window, choose + Custom Attribute.
Step 6. Fill out Attribute Name (ELISITY ENFORCED) and Attribute API Name (custom_attribute_elisity) exactly as shown below and select Add.
Step 7. Select the newly created "Elisity Enforced" attribute in the list and then select Add.
Step 8. On the device table page, make sure to create a new custom view so that the "Elisity Enforced" column stays persistent.
Creating at Custom Compensating Control with Elisity Enforced Status
NOTE:
Elisity recommends collaborating with your Claroty representative to design a Custom Compensating Control profile that aligns with best practices.
Step 1. Log into Claroty xDome and navigate to Risk > Risk Configurations.
Step 2. Under Device Risk Configurations select the Compensating Controls Subscore option and then select the Custom Controls tab. Select Create New Custom Control.
Step 3. In the Create Custom Control window, provide a Control Name and Description then select + Add Value.
Step 4. Configure a Value Name and Points and then select Select Attribute > All Attributes.
Step 5. In the list of attributes, select Elisity Enforced and then select Apply.
Step 6. Change the device condition to Elisity Enforced - In - Enforced and select Apply.
Step 7. Select the Enable control after applying option and then select Apply.
Step 8. Save the new Custom Compensating Controls configuration and then select Activate.
Sharing Device Labels with Claroty
Step 1. Ensure that the "Share Asset Labels" option is selected on the endpoint’s Required Configuration tab (Settings > Connectors > expand Claroty xDome > endpoint Actions > Edit Endpoint). This option is configured per endpoint and is disabled by default.
After enabling this feature, Elisity will share manually defined Label values from Cloud Control Center to Claroty. These labels provide contextual information about each asset's logical grouping or function, such as department, zone, or building, allowing Claroty to display Elisity segmentation context directly in its device inventory.
This enables the sharing of Manually Configured Labels in Elisity for any Claroty-enriched device. See the following example values, which we will share to Claroty as an example.
Step 2. Log into your Claroty platform and navigate to Devices > All Devices. On the device table, select the gear icon in the upper right corner to open the column selection window.
Step 3. In the column selector, choose + Custom Attribute.
Step 4. In the Add Custom Attribute window, enter the following values as shown below, and then select Add. The Attribute API Name value must match exactly the format below, as this value is hard-coded into the API integration.
| Field | Value |
|---|---|
| Attribute Name | ELISITY LABEL (example) |
| Attribute API Name (Exact) | custom_attribute_elisitylabel |
Step 5. After the attribute has been created, locate ELISITY LABEL in the list of available attributes and select the checkbox next to it. Then, select Apply to include the column in your device table.
Step 6. Once synchronization occurs, the ELISITY LABEL field will populate under each device record's Custom Attributes section within Claroty.
This field will display all label values pushed from Elisity Cloud Control Center for that asset, such as East Wing, ICU, or other organizational context.