Elisity supports simple API connectivity to Claroty xDome as a method to enrich IT, IoT, IoMT and OT device discovery and identity. This allows data from Claroty to be pulled into IdentityGraph for use as Core Effective Attributes when creating policies, as well as enforcement status and device labels sent back to Claroty, enhancing the precision and accuracy of device classification and Policy Group matching. The Claroty xDome connector supports multiple endpoint configurations, enabling organizations with more than one xDome deployment to connect up to four independent endpoints to Cloud Control Center, each with its own API URL, API token, and status reporting.
Prerequisites
- API URL - https://api.claroty.com (one per endpoint; verify the URL for each xDome deployment)
API Token - User-Generated in xDome - See steps below to generate a token in xDome. Each endpoint requires its own API token.
Note: You can verify the API URL by going to Help Center > API Documentation in xDome and downloading the OpenAPI specification. At the bottom of the document you will find the API Server URL.
Steps to Connect Claroty xDome
Step 1. Create an API User in xDome by logging into Claroty xDome and navigating to Settings > Admin Settings > User Management. Select + Add User and create an API User.
NOTE:
To share the Enforcement Status of an asset known to both Elisity and Claroty, the API User must meet one of the following conditions:
- Be assigned to a full Read/Write Role in Claroty.
- Be assigned to a custom Role that includes the following permissions:
- View Custom Attributes
- Edit Custom Attribute Values
-
Add Custom Attributes
To create a custom role, please review the Claroty documentation.
Otherwise a Read-Only User Role in Claroty will suffice for IdentityGraph enrichment only.
Step 2. After creating the user, select the Generate Token button to the right of the user name in the list.
Step 3. Copy the token to your clipboard as it is used in the connector configuration.
Note: If connecting multiple xDome deployments, repeat Steps 1 through 3 for each deployment to generate a separate API token for each endpoint.
Step 4. Log into Elisity Cloud Control Center and navigate to Settings > Connectors and select + Add Connector.
A list of tiles will slide out from the right side of the screen. Select configure on the Claroty xDome connector.
Step 5. Configure the first endpoint. Enter an Endpoint Name to identify this xDome deployment (for example, "Headquarters xDome" or "DC-East"). Optionally, provide an Endpoint Description. Enter the API URL (found in the prerequisites section of this document) and the API Token generated in a previous step.
Note: Cloud Control Center validates each endpoint configuration independently. The API URL and API Token must pass validation before the endpoint can be saved.
Step 6. To add additional endpoints, click CONFIGURE on the Claroty xDome tile in the Add Connector page. Each additional endpoint is configured the same way as a new connector — provide the endpoint name, description, API URL, and API token for the next xDome deployment. Repeat for each additional deployment. The connector supports up to four endpoints, and each endpoint is validated independently upon submission.
Step 7. After configuring all desired endpoints, select Submit to save the connector configuration.
Step 8 (optional). Configure advanced settings for the Claroty xDome connector.
The following chart provides details about each advanced setting:
| Global Timer | The frequency at which Cloud Control Center queries xDome for updates. This setting applies to all configured endpoints. From 1 to 168 hours. Default is 24 hours. |
| Initial Delay | The delay in seconds before Cloud Control Center initiates the first query to xDome after initially discovering a new device. This setting applies to all configured endpoints. Default is 0 seconds. |
| Query Exclusion Rules | Limit the scope of Cloud Control Center queries by specifying Subnets and Virtual Edge Nodes, and by enabling or disabling the querying of devices with Random MAC addresses. |
| Connector Data Purging | When the Connector Data Purging feature is enabled, Cloud Control Center will purge all data learned about the device from this connector if the device is no longer found when querying the connected application. The time period between purge events is configurable and can be set between 1 and 90 days. The connector status will change from "Up to Date" to "Stale" if the device is no longer known by the connector but prior to the purge event. |
Retired Device Enrichment: Cloud Control Center continues to enrich devices even when they are marked as "retired" in Claroty xDome. This ensures continuous device visibility and accurate policy group assignments, eliminating gaps in device classification and maintaining consistent segmentation policies.
If the API URL and API Token for each endpoint are correct, all checks pass and the connector is created. After successful configuration, you should begin to see devices enriched by Claroty xDome in IdentityGraph.
Managing Multiple Endpoints
The Claroty xDome connector supports up to four endpoint configurations. Each endpoint represents an independent xDome deployment with its own API URL, API token, name, and status. This is useful for organizations that operate separate xDome instances across different sites, business units, or regions.
Endpoint Name Attribution: When a device is enriched by Claroty xDome, the endpoint name is recorded alongside the enrichment data. This allows administrators to identify which xDome deployment provided the enrichment for a given device in IdentityGraph device details.
Key considerations for multiple endpoints:
- Each endpoint is validated independently. If an endpoint fails validation, it does not affect other configured endpoints.
- The connector supports a maximum of four endpoints.
- Endpoint ordering cannot be changed after creation.
- The Share Asset Enforcement Status and Share Label Values options apply to all configured endpoints at the connector level.
- Advanced settings (Global Timer, Initial Delay, Query Exclusion Rules, Connector Data Purging) apply at the connector level and affect all endpoints.
- Existing single-endpoint configurations are fully compatible and do not require reconfiguration.
Connector Status
The Connector status reflects the health and availability of each configured endpoint based on recent query performance. To ensure accuracy and reduce false positives, the status is determined using a rolling 15-minute evaluation window. When multiple endpoints are configured, each endpoint reports its status independently.
Connector Status Levels:
- Active: Normal operation with minimal query failures.
- Degraded: Increased query failures detected, but the endpoint is still operational.
- Inactive: The endpoint is unresponsive due to persistent failures.
Failures are defined as unsuccessful query responses, and the platform continuously monitors performance to update the status accordingly. These status changes are visible in the UI, event logs, and notifications pane for better troubleshooting. Email alerts can also be configured for connector status changes.
If an endpoint has not been queried within the evaluation window, the last known status is retained. This approach ensures reliable status reporting and helps identify potential issues before they impact operations.
Sharing Asset Enforcement Status with Claroty xDome
Step 1. Ensure that the Share Asset Enforcement Status option is selected under the connector configuration. This setting applies to all configured endpoints.
Step 2. Ensure that at least one asset in the Cloud Control Center has an Enforcement Status of "Enforced." For an asset to display "Enforced" status, it must be associated with a Policy Group that belongs to an active policy set containing at least one active policy for that Policy Group. Note that simulated policies do not contribute to the "Enforced" status.
Step 3. Log into Claroty xDome and navigate to Devices > All Devices.
Step 4. On the device table select the gear icon.
Step 5. On the column selection window, choose + Custom Attribute.
Step 6. Fill out Attribute Name (ELISITY ENFORCED) and Attribute API Name (custom_attribute_elisity) exactly as shown below and select Add.
Step 7. Select the newly created "Elisity Enforced" attribute in the list and then select Add.
Step 8. On the device table page, make sure to create a new custom view so that the "Elisity Enforced" column stays persistent.
Creating at Custom Compensating Control with Elisity Enforced Status
NOTE:
Elisity recommends collaborating with your Claroty representative to design a Custom Compensating Control profile that aligns with best practices.
Step 1. Log into Claroty xDome and navigate to Risk > Risk Configurations.
Step 2. Under Device Risk Configurations select the Compensating Controls Subscore option and then select the Custom Controls tab. Select Create New Custom Control.
Step 3. In the Create Custom Control window, provide a Control Name and Description then select + Add Value.
Step 4. Configure a Value Name and Points and then select Select Attribute > All Attributes.
Step 5. In the list of attributes, select Elisity Enforced and then select Apply.
Step 6. Change the device condition to Elisity Enforced - In - Enforced and select Apply.
Step 7. Select the Enable control after applying option and then select Apply.
Step 8. Save the new Custom Compensating Controls configuration and then select Activate.
Sharing Device Labels with Claroty
Step 1. Ensure that the "Share Label Values" option is selected under the connector configuration. This setting applies to all configured endpoints. It is disabled by default.
After enabling this feature, Elisity will share manually defined Label values from Cloud Control Center to Claroty. These labels provide contextual information about each asset's logical grouping or function, such as department, zone, or building, allowing Claroty to display Elisity segmentation context directly in its device inventory.
This enables the sharing of Manually Configured Labels in Elisity for any Claroty-enriched device. See the following example values, which we will share to Claroty as an example.
Step 2. Log into your Claroty platform and navigate to Devices > All Devices. On the device table, select the gear icon in the upper right corner to open the column selection window.
Step 3. In the column selector, choose + Custom Attribute.
Step 4. In the Add Custom Attribute window, enter the following values as shown below, and then select Add. The Attribute API Name value must match exactly the format below, as this value is hard-coded into the API integration.
| Field | Value |
|---|---|
| Attribute Name | ELISITY LABEL (example) |
| Attribute API Name (Exact) | custom_attribute_elisitylabel |
Step 5. After the attribute has been created, locate ELISITY LABEL in the list of available attributes and select the checkbox next to it. Then, select Apply to include the column in your device table.
Step 6. Once synchronization occurs, the ELISITY LABEL field will populate under each device record's Custom Attributes section within Claroty.
This field will display all label values pushed from Elisity Cloud Control Center for that asset, such as East Wing, ICU, or other organizational context.