Collect Claroty xDome for Healthcare logs

Supported in:

Google secops SIEM

This document explains how you can ingest Claroty xDome for Healthcare logs to Google SecOps using Bindplane agent.

Claroty xDome for Healthcare (formerly Medigate Device Security Platform) is a healthcare-focused cybersecurity platform that provides visibility, threat detection, and risk management for medical IoT (XIoT) devices. The platform monitors connected medical devices, identifies vulnerabilities, detects anomalous behavior, and provides actionable insights to protect healthcare networks from cyber threats.

Before you begin

Make sure you have the following prerequisites:

A Google SecOps instance
Windows Server 2016 or later, or Linux host with systemd
Network connectivity between the Bindplane agent and Claroty xDome for Healthcare
If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
Privileged access to the Claroty xDome for Healthcare management console
Administrator or Security Manager role in Claroty xDome for Healthcare

Get Google SecOps ingestion authentication file

Sign in to the Google SecOps console.
Go to SIEM Settings > Collection Agents.
Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.

Get Google SecOps customer ID

Sign in to the Google SecOps console.
Go to SIEM Settings > Profile.
Copy and save the Customer IDfrom the Organization Detailssection.

Install the Bindplane agent

Install the Bindplane agent on your Windows or Linux operating system according to the following instructions.

Windows installation

Open Command Promptor PowerShellas an administrator.

Run the following command:

  msiexec 
  
 / 
 i 
  
 "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" 
  
 / 
 quiet

Wait for the installation to complete.
Verify the installation by running:
```
 sc query observiq-otel-collector 
```

The service should show as RUNNING.

Linux installation

Open a terminal with root or sudo privileges.

Run the following command:

 sudo  
sh  
-c  
 " 
 $( 
curl  
-fsSlL  
https://github.com/observiq/bindplane-agent/releases/latest/download/install_unix.sh ) 
 " 
  
install_unix.sh

Wait for the installation to complete.

Verify the installation by running:

 sudo  
systemctl  
status  
observiq-otel-collector

The service should show as active (running).

Additional installation resources

For additional installation options and troubleshooting, see Bindplane agent installation guide .

Configure Bindplane agent to ingest syslog and send to Google SecOps

Locate the configuration file

Linux:

 sudo  
nano  
/etc/bindplane-agent/config.yaml

Windows:

 notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"

Edit the configuration file

Replace the entire contents of config.yaml with the following configuration:

  receivers 
 : 
  
 syslog 
 : 
  
 tcp 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:514" 
  
 protocol 
 : 
  
 rfc5424 
 exporters 
 : 
  
 chronicle/claroty_xdome 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 'YOUR_CUSTOMER_ID' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 MEDIGATE_IOT 
  
 raw_log_field 
 : 
  
 body 
 service 
 : 
  
 pipelines 
 : 
  
 logs/claroty_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 syslog 
  
 exporters 
 : 
  
 - 
  
 chronicle/claroty_xdome

Configuration parameters

Replace the following placeholders:
- Receiver configuration:
  - The receiver is configured for TCP syslog using RFC 5424 protocol
  - Listen address 0.0.0.0:514 accepts connections on all interfaces on port 514
  - For Linux non-root installations, use port 1514 instead of 514
- Exporter configuration:
- creds_file_path : Full path to ingestion authentication file:
  - Linux: /etc/bindplane-agent/ingestion-auth.json
  - Windows: C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json
- customer_id : Replace YOUR_CUSTOMER_ID with the Customer ID from the previous step
- endpoint : Regional endpoint URL:
  - US: malachiteingestion-pa.googleapis.com
  - Europe: europe-malachiteingestion-pa.googleapis.com
  - Asia: asia-southeast1-malachiteingestion-pa.googleapis.com
  - See Regional Endpoints for complete list
- log_type : Set to MEDIGATE_IOT (supports both Claroty and Medigate log formats)

Example configuration for Linux

  receivers 
 : 
 syslog 
 : 
  
 tcp 
 : 
  
 listen_address 
 : 
  
 "0.0.0.0:1514" 
  
 protocol 
 : 
  
 rfc5424 
 exporters 
 : 
 chronicle/claroty_xdome 
 : 
  
 compression 
 : 
  
 gzip 
  
 creds_file_path 
 : 
  
 '/etc/bindplane-agent/ingestion-auth.json' 
  
 customer_id 
 : 
  
 'a1b2c3d4-e5f6-g7h8-i9j0-k1l2m3n4o5p6' 
  
 endpoint 
 : 
  
 malachiteingestion-pa.googleapis.com 
  
 log_type 
 : 
  
 MEDIGATE_IOT 
  
 raw_log_field 
 : 
  
 body 
  
 ingestion_labels 
 : 
  
 env 
 : 
  
 production 
  
 source 
 : 
  
 claroty_xdome 
 service 
 : 
 pipelines 
 : 
  
 logs/claroty_to_chronicle 
 : 
  
 receivers 
 : 
  
 - 
  
 syslog 
  
 exporters 
 : 
  
 - 
  
 chronicle/claroty_xdome

Save the configuration file

After editing, save the file:

Linux: Press Ctrl+O , then Enter , then Ctrl+X
Windows: Click File > Save

Restart the Bindplane agent to apply the changes

To restart the Bindplane agent in Linux:

Run the following command:

 sudo  
systemctl  
restart  
observiq-otel-collector

Verify the service is running:

 sudo  
systemctl  
status  
observiq-otel-collector

Check logs for errors:

 sudo  
journalctl  
-u  
observiq-otel-collector  
-f

To restart the Bindplane agent in Windows:

Choose one of the following options:
- Command Prompt or PowerShell as administrator:
```
 net stop observiq-otel-collector && net start observiq-otel-collector 
```
- Services console:
  1. Press Win+R , type services.msc , and press Enter.
  2. Locate observIQ OpenTelemetry Collector.
  3. Right-click and select Restart.
Verify the service is running:
```
 sc query observiq-otel-collector 
```

Check logs for errors:

  type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"

Configure Claroty xDome for Healthcare syslog forwarding

Sign in to Claroty xDome for Healthcare

Sign in to the Claroty xDome for Healthcareweb console.
Go to Settings > System Settings > My Integrations.

Create a new syslog integration

Click Add Integration.
In the Integration Typedrop-down, select Syslog.
Provide the following configuration details:
- Integration Name: Enter a descriptive name (for example, Chronicle-SIEM ).
- Description(optional): Enter Integration with Google Chronicle SIEM .

Configure syslog server settings

In the Syslog Serversection, provide the following details:

Host: Enter the IP address of the Bindplane agent host (for example, 192.168.1.100 ).
Port: Enter 514 (or 1514 if using non-root Linux installation).
Protocol: Select TCP.
Message Format: Select CEF(Common Event Format).
Syslog Protocol Standard: Select RFC 5424.

Select log types to export

In the Export Typessection, select the log types to forward to Google SecOps:

Alerts: Security alerts and risk alerts
Vulnerabilities: CVE data and vulnerability information
Device Changes: Asset inventory changes
OT Activity Events: Operational technology communication events

Configure timezone settings

In the Timezonesection, select UTCfrom the dropdown.

Test and save the configuration

Click Test Connectionto verify connectivity to the Bindplane agent.
Verify that the test shows Connection Successful.
Click Saveto activate the syslog integration.

Verify log forwarding

Wait 5-10 minutes for logs to begin flowing.

Check the Bindplane agent logs to verify syslog messages are being received:

Linux:

 sudo  
journalctl  
-u  
observiq-otel-collector  
-f  
 | 
  
grep  
-i  
claroty

Windows:

  type 
  
 "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log" 
  
 | 
  
 findstr 
  
 / 
 i 
  
 claroty

UDM mapping table

Log Field	UDM Mapping	Logic
info_ip_desc	about.labels	Labels associated with the event
info.as_org	about.labels
info.org	about.labels
info.isp	about.labels
info.country_code	about.labels
info.malicious_anomali_info.itype	about.labels
info.malicious_anomali_info.ip	about.labels
info.malicious_anomali_info.source	about.labels
info.malicious_anomali_info.org	about.labels
info.malicious_anomali_info.country	about.labels
info.malicious_anomali_info.classification	about.labels
info.malicious_anomali_info.maltype	about.labels
info.malicious_anomali_info.stream_id	about.labels
info.malicious_anomali_info.threat_type	about.labels
info.malicious_anomali_info.resource_uri	about.labels
info.malicious_anomali_info.threatscore	about.labels
info.malicious_anomali_info.confidence	about.labels
info.malicious_anomali_info.source_reported_confidence	about.labels
info.protocol	about.labels
info.human_name	about.labels
info.dest.human_name	about.labels
info.network	about.labels
info.parent_human_name	about.labels
info.parent_uid	about.labels
target_ip_desc	about.labels
label_resource_uri	about.labels
label_threatscore	about.labels
label_confidence	about.labels
label_source_reported_confidence	about.labels
alert.mitre_technique_ids	additional.fields	Additional free-form metadata about the event
alert.mitre_technique_names	additional.fields
alert.mitre_technique_enterprise_ids	additional.fields
alert.mitre_technique_enterprise_names	additional.fields
affected_device.device_type_family	additional.fields
affected_device.connection_type_list	additional.fields
affected_device.network_list	additional.fields
msg_category	additional.fields
interface_name	additional.fields
interface_type	additional.fields
status	additional.fields
alert_info.certificate_thumbprint	additional.fields
alert_info.certificate_expiry_date	additional.fields
alert_info.certificate_start_date	additional.fields
alert_info.certificate_type	additional.fields
affected_device.management_status	additional.fields
affected_device.labels	additional.fields
affected_device.site_name	additional.fields
events_extra_info.client_id	additional.fields
extensions.auth.type	extensions.auth.type	Authentication type
hostname	intermediary.hostname	Hostname of the intermediary
events_extra_info.malicious_ip_info.malicious_ip	intermediary.ip	IP address of the intermediary
incident_type	metadata.description	Description of the event
text	metadata.description
events.description	metadata.description
metadata.event_type	metadata.event_type	Type of event
event_type	metadata.product_event_type	Product event type
events.type	metadata.product_event_type
incident_id	metadata.product_log_id	Product log ID
events.id	metadata.product_log_id
network.application_protocol	network.application_protocol	Application protocol
network.direction	network.direction	Direction of the network connection
protocol_number_src	network.ip_protocol	IP protocol
server_name	network.tls.client.server_name	Server name indicated by the client during TLS handshake
alert_info.certificate_thumbprint	network.tls.server.certificate.sha256	SHA256 hash of the server certificate
version	network.tls.version	TLS version
proto	network.tls.version_protocol	TLS version protocol
info.domain	principal.administrative_domain	Administrative domain of the principal
events_extra_info.domain	principal.administrative_domain
affected_device.asset_id	principal.asset.asset_id	Asset ID of the asset
hardware	principal.asset.hardware	Hardware of the asset
affected_device.device_name	principal.asset.hostname	Hostname of the asset
events_extra_info.certificate_info.CN	principal.asset.hostname
management_ip	principal.asset.ip	IP address of the asset
info.ip	principal.asset.ip
comm_tuple.src_ip	principal.asset.ip
info.tuple.2	principal.asset.ip
info.tuple.3	principal.asset.ip
affected_device.ip_list	principal.asset.ip
info.subject_components.CN	principal.hostname	Hostname of the principal
affected_device.device_name	principal.hostname
events_extra_info.certificate_info.CN	principal.hostname
management_ip	principal.ip	IP address of the principal
info.ip	principal.ip
comm_tuple.src_ip	principal.ip
info.tuple.2	principal.ip
info.tuple.3	principal.ip
affected_device.ip_list	principal.ip
info.subject_components.L	principal.location.city	City of the location
events_extra_info.certificate_info.L	principal.location.city
location	principal.location.country_or_region	Country or region of the location
info.subject_components.C	principal.location.country_or_region
events_extra_info.certificate_info.C	principal.location.country_or_region
info.subject_components.ST	principal.location.state	State of the location
events_extra_info.certificate_info.ST	principal.location.state
principal.platform	principal.platform	Platform of the principal
affected_device.os	principal.platform_version	Platform version of the principal
device_uid	principal.resource.id	ID of the resource
info.device_type_family	principal.resource.name	Name of the resource
affected_device.device_type	principal.resource.name
affected_device.uid	principal.resource.product_object_id	Product object ID of the resource
affected_device.device_category	principal.resource.resource_subtype	Subtype of the resource
principal.resource.resource_type	principal.resource.resource_type	Type of the resource
info.device_category	principal.resource.type	Type of the resource
updated_by	principal.user.userid	Userid of the user
info.login_username	principal.user.userid
events_extra_info.sender_id	principal.user.userid
events_extra_info.username	principal.user.userid
info.malicious_anomali_info.itype	security_result.about.labels	Labels associated with the security result
info.malicious_anomali_info.ip	security_result.about.labels
info.malicious_anomali_info.source	security_result.about.labels
info.malicious_anomali_info.org	security_result.about.labels
info.malicious_anomali_info.country	security_result.about.labels
info.malicious_anomali_info.classification	security_result.about.labels
info.malicious_anomali_info.maltype	security_result.about.labels
info.malicious_anomali_info.stream_id	security_result.about.labels
info.malicious_anomali_info.threat_type	security_result.about.labels
events_extra_info.malicious_ip_info.source	security_result.about.labels
events_extra_info.malicious_ip_info.threat_type	security_result.about.labels
security_result.category	security_result.category	Category of the security result
alert.category	security_result.category_details	Category details of the security result
events_extra_info.malicious_ip_info.type	security_result.category_details
events_extra_info.malicious_ip_info.confidence	security_result.confidence_details	Confidence details of the security result
alert.description	security_result.description	Description of the security result
alert.type_name	security_result.detection_fields	Detection fields associated with the security result
alert.device_status	security_result.detection_fields
alert.category	security_result.detection_fields
alert.description	security_result.detection_fields
vulnerability_info.name	security_result.detection_fields
vulnerability_info.type	security_result.detection_fields
vulnerability_info.release_date	security_result.detection_fields
vulnerability_info.cves	security_result.detection_fields
vulnerability_info.cvssv3_base_score	security_result.detection_fields
vulnerability_info.description	security_result.detection_fields
vulnerability_info.affected_products	security_result.detection_fields
vulnerability_info.is_known_exploited	security_result.detection_fields
vulnerability_device_info.relevance_source	security_result.detection_fields
vulnerability_info.cvssv2_base_score	security_result.detection_fields
affected_device.device_subcategory	security_result.detection_fields
affected_device.retired	security_result.detection_fields
affected_device.app_version	security_result.detection_fields
events_extra_info.communication_type	security_result.detection_fields
events_extra_info.malicious_ip_info.tags	security_result.detection_fields
alert_info.certificate_thumbprint	security_result.detection_fields
alert_info.certificate_expiry_date	security_result.detection_fields
alert_info.certificate_start_date	security_result.detection_fields
alert_info.certificate_type	security_result.detection_fields
alert.id	security_result.rule_id	Rule ID of the security result
events.alert_id	security_result.rule_id
alert.name	security_result.rule_name	Rule name of the security result
info.malicious_anomali_info.severity	security_result.severity	Severity of the security result
affected_device.risk_score	security_result.severity_details	Severity details of the security result
info.malicious_anomali_info.threat_type	security_result.threat_name	Threat name of the security result
events_extra_info.malicious_ip_info.threat_type	security_result.threat_name
target.asset.hostname	target.asset.hostname	Hostname of the target asset
info.tuple.3	target.asset.ip	IP address of the target asset
info.tuple.2	target.asset.ip
comm_tuple.dst_ip	target.asset.ip
info.file_name	target.file.full_path	Full path of the target file
events_extra_info.file_name	target.file.full_path
events_extra_info.file_type	target.file.mime_type	MIME type of the target file
info.fqdn	target.hostname	Hostname of the target
info.tuple.3	target.ip	IP address of the target
info.tuple.2	target.ip
comm_tuple.dst_ip	target.ip
country	target.location.country_or_region	Country or region of the target location
info.geolocation	target.location.country_or_region
country	target.location.country_or_region
events_extra_info.geo_location	target.location.country_or_region
state	target.location.state	State of the target location
state	target.location.state
target_mac	target.mac	MAC address of the target
comm_tuple.dst_mac	target.mac
comm_tuple.dst_port	target.port	Port of the target
dest_device_uid	target.resource.id	ID of the target resource
info.login_username	target.user.userid	Userid of the target user
events_extra_info.username	target.user.userid
metadata.product_name	metadata.product_name	Product name
metadata.vendor_name	metadata.vendor_name	Vendor name

Need more help? Get answers from Community members and Google SecOps professionals.