Collect Claroty xDome logs

Supported in:

Google secops SIEM

This document explains how to ingest Claroty xDome logs to Google Security Operations using the Bindplane agent.

The parser extracts fields from Claroty xDome syslog formatted logs. It uses grok and/or kv to parse the log message and then maps these values to the Unified Data Model (UDM). It also sets default metadata values for the event source and type.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
A Windows 2016 or later or Linux host with systemd
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Privileged access to the Claroty xDome management console or appliance

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File.
Save the file securely on the system where the Bindplane agent will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open the Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

Additional installation resources

For additional installation options, see the Bindplane agent installation guide .

Configure the Bindplane agent to ingest Syslog and send to Google SecOps

Access the Configuration File:
- Locate the config.yaml file. Typically, it's in the /etc/bindplane-agent/ directory on Linux or in the installation directory on Windows.
- Open the file using a text editor (for example, nano , vi , or Notepad).
Edit the config.yaml file as follows:

Option A: UDP configuration (less secure)

Note:Using UDP, especially the "send from cloud" option sends security data unencrypted and might allow attackers to intercept data.

  receivers 
 : 
  
 udplog 
 : 
  
 # Replace the port and IP address as required 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
 exporters 
 : 
  
 chronicle/chronicle_w_labels 
 : 
  
 compression 
 : 
  
 gzip 
  
 # Adjust the path to the credentials file you downloaded in Step 1 
  
 creds_file_path 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 # Replace with your actual customer ID from Step 2 
  
 customer_id 
 : 
  
< customer_id 
>  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 # Add optional ingestion labels for better organization 
  
 log_type 
 : 
  
 'CLAROTY_XDOME' 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
 service 
 : 
  
 pipelines 
 : 
  
 logs/source0__chronicle_w_labels-0 
 : 
  
 receivers 
 : 
  
 - 
  
 udplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/chronicle_w_labels

Option B: TCP with TLS configuration (recommended for security)

The TCP with TLS configuration:

  receivers 
 : 
  
 tcplog 
 : 
  
 # Replace the port and IP address as required 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
  
 tls 
 : 
  
 # Path to the server's public TLS certificate file when using self-signed certificates 
  
 cert_file 
 : 
  
 /etc/bindplane/certs/cert.pem 
  
 key_file 
 : 
  
 /etc/bindplane/certs/key.pem 
 exporters 
 : 
  
 chronicle/chronicle_w_labels 
 : 
  
 compression 
 : 
  
 gzip 
  
 # Adjust the path to the credentials file you downloaded in Step 1 
  
 creds_file_path 
 : 
  
 '/path/to/ingestion-authentication-file.json' 
  
 # Replace with your actual customer ID from Step 2 
  
 customer_id 
 : 
  
< customer_id 
>  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 # Add optional ingestion labels for better organization 
  
 log_type 
 : 
  
 'CLAROTY_XDOME' 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
 service 
 : 
  
 pipelines 
 : 
  
 logs/source0__chronicle_w_labels-0 
 : 
  
 receivers 
 : 
  
 - 
  
 tcplog 
  
 exporters 
 : 
  
 - 
  
 chronicle/chronicle_w_labels

Replace the port and IP address as required in your infrastructure.
Replace <customer_id> with the actual Customer ID.
Update /path/to/ingestion-authentication-file.json to the file path where the authentication file was saved in Step 1.
For TLS configuration, ensure the certificate files exist at the specified paths or generate self-signed certificates if needed.

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux, run the following command:

 sudo  
systemctl  
restart  
observiq-otel-collector

To restart the Bindplane agent in Windows, you can either use the Servicesconsole or enter the following command:
```
 net stop observiq-otel-collector && net start observiq-otel-collector 
```

Detailed Syslog configuration

Sign in to the Claroty xDomeWeb UI.
Click the Settingstab in the navigation bar.
Select System Settingsfrom the drop-down menu.
Click My Integrationsin the Integrations section.
Click + Add Integration.
Select Internal Servicesfrom the Category drop-down menu.
Select SIEMand Syslogfrom the Integration drop-down menu.
Click Add.
Enter the following configuration details:
- Destination IP: Enter the Bindplane agent IP address.
- Transport Protocol: Select UDPor TCP, or TLSdepending on your Bindplane configuration.
- If you select the TLS security protocol, do the following:
  - Check the Check Hostnamesoption to verify if the server's hostname matches any of the names present in the X.509 certificate.
  - Check the Use Custom Certificate Authorityoption to use a custom Certificate Authority (CA) instead of the default CA. Upload the custom certificate file or insert the certificate (in PEM format) into the space provided.
- Destination Port: The default value for TCP, TLS, and UDP is 514. (Hover over the field to use the clickable arrows to select a different destination port).
- Advanced Options: Enter the Advanced Options settings:
  - Message Format: Select CEF(other options include JSON, or LEEF format).
  - Syslog Protocol Standard: Select RFC 5424or RFC 3164.
- Integration Name: Enter a meaningful name for the integration (for example, Google SecOps syslog ).
- Deployment options: Select Run from the collection serveror Run from the cloudoption depending on your xDome configuration.
Go to the Integration Tasksparameters.
Turn on the Export Claroty xDome Communication Events Using Syslogoption to enable exporting Claroty xDome communication events.
From the Event Types Selectiondrop-down menu, click Select All.
Choose the device conditions to export: Select All Devicesoption to export the communication event data of all affected devices.

Note: To receive OT Activity events through Syslog, it's necessary to create and enable OT Activity Alerts for the relevant event types. This is because xDome only sends events related to alerts for OT Activity.
Turn on the Export Claroty xDome Device Changes Alerts Change Log to Syslogoption to export Claroty xDome change events.
In the Change Event Types Selectiondrop-down, select the change event typesyou want to export.
Choose the device conditions you want to export: Select All Devicesto export the change event data of all the affected devices.
Turn on the Export Claroty xDome Alert Information for Affected Devices Using Syslogoption to export alert information for any alert type, including custom alerts.
From Alert Types, click Select All.
Turn on the Export Claroty xDome Vulnerability Information for Affected Devices Using Syslogoption to export Claroty xDome vulnerability types.
In the Vulnerability Types Selectiondrop-down menu, select the vulnerability typesyou want to export.
Specify the CVSS Thresholdnumber. This parameter allows you to set a CVSS threshold to send a vulnerability using Syslog. (Only vulnerabilities greater or equal to this threshold will be exported. The threshold will revert to the CVSS V3 Base Score by default and CVSS V2 Base Score if the CVSS V3 score is unknown).
Choose the device conditions to export: Select All Devicesto export the data of all affected devices.
Turn on the Export Claroty xDome Server Incidents Information to Syslogoption to export Claroty xDome server incidents.
Select the collection server types you want to export from the Collection Server Selectiondrop-down menu.
Select the server incidents you want to export on the Server Incidents Selectiondrop-down menu.
Click Applyto save the configuration settings.

UDM mapping table

Log Field	UDM Mapping	Logic
`add_alert_id`	`additional.fields`	Merged
`additional_data`	`additional.fields`	Merged
`affected_device_data_available`	`additional.fields`	Mapped: `true` → `additional_data`
`alert_info_firmware_device_type_label`	`additional.fields`	Merged
`alert_info_firmware_model_label`	`additional.fields`	Merged
`alert_info_latest_software_version_label`	`additional.fields`	Merged
`alert_type_label`	`additional.fields`	Merged
`destination_printJobName_label`	`additional.fields`	Merged
`destination_printedFilesBackupPath_label`	`additional.fields`	Merged
`destination_printerName_label`	`additional.fields`	Merged
`device_connection_type_list_label`	`additional.fields`	Merged
`device_managed_device_label`	`additional.fields`	Merged
`device_network_list_label`	`additional.fields`	Merged
`device_type_family_label`	`additional.fields`	Merged
`device_vulnerability_manufacturer_remediation_info_label`	`additional.fields`	Merged
`device_vulnerability_relevance_source_label`	`additional.fields`	Merged
`evnt_action_label`	`additional.fields`	Merged
`firmware_device_type_label`	`additional.fields`	Merged
`firmware_model_label`	`additional.fields`	Merged
`firmware_original_versions`	`additional.fields`	Merged
`latest_hardware_version_label`	`additional.fields`	Merged
`latest_software_version_label`	`additional.fields`	Merged
`map_field`	`additional.fields`	Merged
`original_hardware_version_label`	`additional.fields`	Merged
`original_software_version_label`	`additional.fields`	Merged
`process_owner_label`	`additional.fields`	Merged
`vulnerability_release_date_label`	`additional.fields`	Merged
`comm_tuple_server_port`	`intermediary.port`	Directly mapped
`server_port`	`intermediary.port`	Directly mapped
`event_description`	`metadata.description`	Directly mapped
`evnt_description`	`metadata.description`	Directly mapped
`devTime`	`metadata.event_timestamp`	Parsed as `yyyy-MM-dd HH:mm:ssZZ`
`evnt.ingested`	`metadata.event_timestamp`	Parsed as `ISO8601`
`evnt.inserted`	`metadata.event_timestamp`	Parsed as `yyyy-MM-ddTHH:mm:ss.SSSSSSSSSZ`
`evnt.timestamp`	`metadata.event_timestamp`	Parsed as `RFC3339`
`time`	`metadata.event_timestamp`	Parsed as `ISO8601`
`timestamp`	`metadata.event_timestamp`	Parsed as `ISO8601`
`ts`	`metadata.event_timestamp`	Parsed as `ISO8601`
`vulnerability_info.release_date`	`metadata.event_timestamp`	Parsed as `yyyy-MM-ddTHH:mm:ss.SSSSSSZZ`
`msg_category`	`metadata.event_type`	Mapped: `vulnerability_affected_device` → `SCAN_VULN_HOST`
`msg_category`	`metadata.product_event_type`	Directly mapped
`sub_category`	`metadata.product_event_type`	Directly mapped
`event_id`	`metadata.product_log_id`	Directly mapped
`evnt_id`	`metadata.product_log_id`	Directly mapped
`version`	`metadata.product_version`	Directly mapped
`app_protocol_output`	`network.application_protocol`	Directly mapped
`evnt_extra_info.ip_protocol`	`network.ip_protocol`	Directly mapped
`observer_hostname`	`observer.hostname`	Directly mapped
`event_observer_label`	`observer.labels`	Merged
`group`	`principal.administrative_domain`	Directly mapped
`affected_device.asset_id`	`principal.asset.asset_id`	Directly mapped
`user_deviceUid`	`principal.asset.asset_id`	Directly mapped
`affected_device_app_version_label`	`principal.asset.attribute.labels`	Merged
`affected_device_device_subcategory_label`	`principal.asset.attribute.labels`	Merged
`affected_device_device_type_family_label`	`principal.asset.attribute.labels`	Merged
`affected_device_device_type_label`	`principal.asset.attribute.labels`	Merged
`affected_device_retired_label`	`principal.asset.attribute.labels`	Merged
`affected_device_risk_score_label`	`principal.asset.attribute.labels`	Merged
`alert_info_firmware_manufacturer_label`	`principal.asset.attribute.labels`	Merged
`connection_type_list_label`	`principal.asset.attribute.labels`	Merged
`device_retired_label`	`principal.asset.attribute.labels`	Merged
`device_subcategory_label`	`principal.asset.attribute.labels`	Merged
`device_type_label`	`principal.asset.attribute.labels`	Merged
`firmware_manufacturer_label`	`principal.asset.attribute.labels`	Merged
`network_list_label`	`principal.asset.attribute.labels`	Merged
`affected_device_device_category`	`principal.asset.category`	Directly mapped
`device_category`	`principal.asset.category`	Directly mapped
`hardware`	`principal.asset.hardware`	Merged
`device_name`	`principal.asset.hostname`	Directly mapped
`management_ip`	`principal.asset.ip`	Merged
`mac_check`	`principal.asset.mac`	Merged
`device_asset_id`	`principal.asset.network_domain`	Directly mapped
`affected_device_os`	`principal.asset.platform_software.platform`	Mapped: `windows` → `WINDOWS` , `linux` → `LINUX` , `mac` → `MAC`
`device_os`	`principal.asset.platform_software.platform`	Mapped: `windows` → `WINDOWS` , `linux` → `LINUX` , `mac` → `MAC`
`source_operatingSystem`	`principal.asset.platform_software.platform`	Mapped: `windows` → `WINDOWS` , `linux` → `LINUX` , `mac` → `MAC`
`affected_device_uid`	`principal.asset.product_object_id`	Directly mapped
`device_uid`	`principal.asset.product_object_id`	Directly mapped
`software`	`principal.asset.software`	Merged
`device_name`	`principal.hostname`	Directly mapped
`principal_hostname`	`principal.hostname`	Directly mapped
`management_ip`	`principal.ip`	Merged
`evnt_extra_info_geo_location`	`principal.location.city`	Directly mapped
`comm_tuple_src_mac`	`principal.mac`	Merged
`mac_check`	`principal.mac`	Merged
`mac_list`	`principal.mac`	Merged
`srcMAC`	`principal.mac`	Merged
`affected_device.site_name`	`principal.namespace`	Directly mapped
`device_site_name`	`principal.namespace`	Directly mapped
`comm_tuple_src_port`	`principal.port`	Directly mapped
`srcPort`	`principal.port`	Directly mapped
`device_note_label`	`principal.resource.attribute.labels`	Merged
`password_length_label`	`principal.resource.attribute.labels`	Merged
`username_label`	`principal.user.attribute.labels`	Merged
`user_id`	`principal.user.product_object_id`	Directly mapped
`user_email`	`principal.user.userid`	Directly mapped
`file_changeType_label`	`security_result.about.resource.attribute.labels`	Merged
`tactics_data`	`security_result.attack_details.tactics`	Merged
`technique_data`	`security_result.attack_details.techniques`	Merged
`alert_category`	`security_result.category_details`	Merged
`alertcategory`	`security_result.category_details`	Merged
`alert_info_signature_confidence`	`security_result.confidence_score`	Directly mapped
`evnt_extra_info_ids_signature_info_signature_confidence`	`security_result.confidence_score`	Directly mapped
`alert_description`	`security_result.description`	Directly mapped
`alertdescription`	`security_result.description`	Directly mapped
`alert_device_status_label`	`security_result.detection_fields`	Merged
`alert_info_signature_severity_description`	`security_result.detection_fields`	Merged
`alert_type_name_label`	`security_result.detection_fields`	Merged
`alertdevice_status_label`	`security_result.detection_fields`	Merged
`device_vulnerability_manufacturer_remediation_info_source_label`	`security_result.detection_fields`	Merged
`device_vulnerability_overall_cvss_v3_score_label`	`security_result.detection_fields`	Merged
`device_vulnerability_relevance_label`	`security_result.detection_fields`	Merged
`event_vector_label`	`security_result.detection_fields`	Merged
`key`	`security_result.detection_fields`	Mapped: `"signature_first_released", "signature_last_updated", "signature_last_updated_by_sy...
`map_field`	`security_result.detection_fields`	Merged
`risk_indicator_id_label`	`security_result.detection_fields`	Merged
`risk_indicator_name_label`	`security_result.detection_fields`	Merged
`risk_indicator_weight_label`	`security_result.detection_fields`	Merged
`vulnerability_affected_products_label`	`security_result.detection_fields`	Merged
`vulnerability_device_info_overall_cvss_v3_score_label`	`security_result.detection_fields`	Merged
`vulnerability_device_info_relevance_label`	`security_result.detection_fields`	Merged
`vulnerability_device_info_relevance_source_label`	`security_result.detection_fields`	Merged
`vulnerability_info_affected_products_label`	`security_result.detection_fields`	Merged
`vulnerability_info_is_known_exploited_label`	`security_result.detection_fields`	Merged
`vulnerability_info_known_exploits_label`	`security_result.detection_fields`	Merged
`vulnerability_info_name_label`	`security_result.detection_fields`	Merged
`vulnerability_info_type_label`	`security_result.detection_fields`	Merged
`vulnerability_is_known_exploited_label`	`security_result.detection_fields`	Merged
`vulnerability_known_exploits_label`	`security_result.detection_fields`	Merged
`vulnerability_type_label`	`security_result.detection_fields`	Merged
`risk.score`	`security_result.risk_score`	Directly mapped
`signature_id`	`security_result.rule_id`	Directly mapped
`rule_name`	`security_result.rule_name`	Directly mapped
`alert_info_signature_active_rev`	`security_result.rule_version`	Directly mapped
`event_extra_info_ids_signature_info_signature_active_rev`	`security_result.rule_version`	Directly mapped
`vulnerability_note`	`security_result.summary`	Directly mapped
`client_id`	`target.asset.asset_id`	Directly mapped
`evnt_extra_info_client_id`	`target.asset.asset_id`	Directly mapped
`comm_tuple_dst_mac`	`target.mac`	Merged
`dstMAC`	`target.mac`	Merged
`comm_tuple_dst_port`	`target.port`	Directly mapped
`dstPort`	`target.port`	Directly mapped
N/A	`extensions.vulns.vulnerabilities`	Constant: `vulnerabilities`
N/A	`metadata.event_type`	Constant: `NETWORK_CONNECTION`
N/A	`metadata.product_name`	Constant: `xDome`
N/A	`metadata.vendor_name`	Constant: `Claroty`
N/A	`principal.asset.ip`	Constant: `principal_ips`
N/A	`principal.asset.platform_software.platform`	Constant: `WINDOWS`
N/A	`principal.ip`	Constant: `principal_ips`
N/A	`security_result.severity`	Constant: `CRITICAL`
N/A	`target.asset.ip`	Constant: `target_ips`
N/A	`target.ip`	Constant: `target_ips`

Need more help? Get answers from Community members and Google SecOps professionals.