xDome Device Security Alert
OT/IoT/ICS security alerts with device context and risk scoring
Security alerts generated by Claroty xDome for OT/IoT/ICS devices including firmware vulnerabilities, unauthorized communications, policy violations, and threat detections with MITRE ATT&CK mappings.
Overview
Security alerts generated by Claroty xDome platform for industrial control systems, IoT devices, and medical equipment including vulnerability detections, unauthorized communications, policy violations, and threat indicators.
When Generated:
- When outdated or vulnerable firmware is detected on OT/IoT devices
- When unauthorized network communications are observed
- When devices violate network segmentation policies
- When anomalous protocol behavior is detected
- When configuration changes occur on critical assets
- When baseline deviations are identified
- When MITRE ATT&CK techniques are observed
Security Relevance: High
Compliance:
Frequency Notes:
Moderate frequency with higher rates during business hours when security teams actively investigate alerts. Frequency increases during vulnerability scans or after new device discoveries. Critical environments may see 20-50 alerts per hour.
Resources
Documentation
- Claroty xDome Documentation (official)
- Claroty xDome Integration - Rapid7 (reference)
- MITRE ATT&CK for ICS (reference)
- Purdue Model for ICS Security (reference)
Tools
- Claroty xDome Platform: Unified platform for OT/IoT/ICS security
- MITRE ATT&CK Navigator: Tool for visualizing ATT&CK techniques
Generation Configuration
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|
| alert_assignees<br>Source: random_choice of common security team roles | Array | Optional | — | List of users assigned to investigate this alert | ["Admin", "Security Team"] | — |
| alert_category<br>Source: random_choice from category list | String | Required | — | High-level categorization of the alert type | Risk | Risk — Device configuration or state presents security risk<br>Threat — Active threat or attack detected<br>Vulnerability — Known security vulnerability identified<br>Policy Violation — Device violates security policy<br>Anomaly — Unusual behavior detected |
| alert_class<br>Source: random_choice from class types | String | Required | — | Classification of how the alert rule was created | predefined | predefined — Built-in Claroty alert rule<br>custom — User-created custom alert rule<br>user_defined — Organization-specific alert definition |
| alert_description<br>Source: Dynamic template combining alert type with device count and category | String | Required | — | Human-readable description of the security alert | Outdated firmware detected on 2 Medical devices | — |
| alert_id<br>Source: random_int(1, 100000) | Integer | Required | — | Unique identifier for this alert instance | 12345 | — |
| alert_labels<br>Source: random_choice of common priority and category labels | Array | Optional | — | Tags applied to categorize or prioritize the alert | ["Top Priority", "Compliance"] | — |
| alert_type_name<br>Source: random_choice from alert type catalog | String | Required | — | Specific name of the alert rule that triggered | Outdated Firmware | Outdated Firmware — Device running old firmware version<br>Unauthorized Communication — Unexpected network traffic detected<br>Critical Vulnerability — High-severity CVE detected<br>Protocol Anomaly — Unusual industrial protocol behavior<br>Configuration Change — Device configuration was modified<br>Baseline Deviation — Behavior differs from learned baseline<br>Segmentation Violation — Traffic crosses network zones improperly<br>Malware Detection — Known malware indicators found |
| device_alert_detected_time<br>Source: now() \| iso8601 | DateTime | Required | ISO 8601 with timezone | Timestamp when the alert was first detected | 2023-10-19T16:21:01+00:00 | — |
| device_alert_status<br>Source: random_choice from status workflow | String | Required | — | Current status of the alert in the workflow | Unresolved | Unresolved — Alert is active and not yet addressed<br>In Progress — Alert is being investigated<br>Resolved — Issue has been remediated<br>Acknowledged — Alert has been reviewed but not resolved<br>False Positive — Alert determined to be non-issue |
| device_alert_updated_time<br>Source: now() \| iso8601 | DateTime | Required | ISO 8601 with timezone | Timestamp of last update to this alert | 2023-10-19T16:21:01+00:00 | — |
| device_assignees<br>Source: random_choice of user roles | Array | Optional | — | Users assigned to manage this device | ["Admin"] | — |
| device_category<br>Source: random_choice from industry categories | String | Required | — | High-level industry or functional category | Medical | Medical — Healthcare/medical devices<br>Manufacturing — Industrial manufacturing equipment<br>Energy — Power generation or distribution<br>Building Automation — HVAC, lighting, physical security<br>Critical Infrastructure — Essential services infrastructure |
| device_first_seen_list<br>Source: Past timestamp 1-30 days ago | Array | Required | Array of ISO 8601 timestamps | Timestamps when device was first discovered (may have multiple discovery times) | ["2023-10-19T16:32:04.127979+00:00"] | — |
| device_ip_list<br>Source: random_private_ip() in array | Array | Required | — | List of IP addresses associated with this device | ["10.101.10.27"] | — |
| device_labels<br>Source: random_choice of asset classification labels | Array | Optional | — | Tags applied to categorize the device | ["Critical Asset", "Production"] | — |
| device_last_seen_list<br>Source: Recent timestamp within last hour | Array | Required | Array of ISO 8601 timestamps | Timestamps when device was last observed active | ["2023-10-19T16:32:01+00:00"] | — |
| device_mac_list<br>Source: fake.mac_address() | Array | Required | Colon-separated MAC addresses | List of MAC addresses for this device | ["00:40:9d:10:15:b7"] | — |
| device_network_list<br>Source: random_choice of network zone names | Array | Required | — | Network segments where device is located | ["Corporate"] | — |
| device_purdue_level<br>Source: random_choice from Purdue levels | String | Required | — | Purdue Model level classification for OT/ICS environments | Level 4 | Level 0 — Physical process (sensors, actuators)<br>Level 1 — Intelligent devices (PLCs, RTUs)<br>Level 2 — Control systems (SCADA, DCS)<br>Level 3 — Operations management<br>Level 4 — Business planning (ERP, MES)<br>Level 5 — Enterprise network |
| device_retired<br>Source: Weighted choice favoring false (75%) | Boolean | Required | — | Whether device is marked as decommissioned | false | — |
| device_risk_score<br>Source: random_choice from risk levels | String | Required | — | Calculated risk level for this device | Very Low | Very Low — Minimal security risk<br>Low — Limited risk exposure<br>Medium — Moderate risk requiring attention<br>High — Significant risk requiring remediation<br>Critical — Severe risk requiring immediate action |
| device_site_name<br>Source: random_choice from facility names | String | Required | — | Physical location or facility name | New York General Hospital | — |
| device_subcategory<br>Source: random_choice aligned with device_category | String | Required | — | Specific device type within the category | Patient Devices | — |
| device_type<br>Source: random_choice from device type catalog | String | Required | — | Specific model or function of the device | Patient Monitor | — |
| device_uid<br>Source: random_guid() | String | Required | UUID | Unique identifier for the device in Claroty xDome | f342efb7-4f4a-4ac0-8045-0711fb2c5528 | — |
| mitre_technique_enterprise_ids<br>Source: random_choice of common ICS-related Enterprise techniques | Array | Optional | — | MITRE ATT&CK Enterprise technique IDs associated with this alert | ["T1190", "T1133"] | — |
| mitre_technique_enterprise_names<br>Source: Corresponds to mitre_technique_enterprise_ids | Array | Optional | — | Human-readable names for Enterprise MITRE techniques | ["Exploit Public-Facing Application"] | — |
| mitre_technique_ics_ids<br>Source: random_choice of ICS-specific MITRE techniques | Array | Optional | — | MITRE ATT&CK ICS technique IDs associated with this alert | ["T0883", "T0885"] | — |
| mitre_technique_ics_names<br>Source: Corresponds to mitre_technique_ics_ids | Array | Optional | — | Human-readable names for ICS MITRE techniques | ["Internet Accessible Device"] | — |
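As an added example (not part of this reference and not Claroty's code), the Python below checks one alert record against the documented enumerations and formats, then derives a triage tier from device_risk_score, alert_category, device_purdue_level and device_labels. The weighting in triage_priority is an assumption for illustration, not xDome's own risk scoring, and the sample record is constructed from the example values in the table.

```python
import re
from datetime import datetime

# Enumerations and formats taken from the field definitions above.
ALERT_CATEGORIES = {"Risk", "Threat", "Vulnerability", "Policy Violation", "Anomaly"}
CLOSED_STATUSES = {"Resolved", "False Positive"}
RISK_LEVELS = ["Very Low", "Low", "Medium", "High", "Critical"]
PURDUE_RE = re.compile(r"^Level ([0-5])$")
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

def validate_alert(alert):
    """Return schema problems for one alert record; an empty list means it is valid."""
    problems = []
    if alert.get("alert_category") not in ALERT_CATEGORIES:
        problems.append("alert_category outside documented values")
    if alert.get("device_risk_score") not in RISK_LEVELS:
        problems.append("device_risk_score outside documented values")
    if not PURDUE_RE.match(alert.get("device_purdue_level", "")):
        problems.append("device_purdue_level must be 'Level 0' .. 'Level 5'")
    for ts in ("device_alert_detected_time", "device_alert_updated_time"):
        try:  # documented format is ISO 8601 with a timezone offset
            if datetime.fromisoformat(alert[ts]).tzinfo is None:
                problems.append(f"{ts} lacks a timezone offset")
        except (KeyError, ValueError, TypeError):
            problems.append(f"{ts} is missing or not ISO 8601")
    macs = alert.get("device_mac_list") or []
    if not macs or not all(MAC_RE.match(m) for m in macs):
        problems.append("device_mac_list must hold colon-separated MAC addresses")
    return problems

def triage_priority(alert):
    """Assumed triage policy (not Claroty's): risk level, category, Purdue depth, labels."""
    if alert.get("device_alert_status") in CLOSED_STATUSES or alert.get("device_retired"):
        return "P4"  # closed alerts and decommissioned devices sit in the lowest tier
    score = RISK_LEVELS.index(alert["device_risk_score"])  # 0 (Very Low) .. 4 (Critical)
    score += 2 if alert["alert_category"] in {"Threat", "Vulnerability"} else 0
    score += 2 if int(PURDUE_RE.match(alert["device_purdue_level"]).group(1)) <= 2 else 0
    score += 1 if "Critical Asset" in alert.get("device_labels", []) else 0
    return "P1" if score >= 7 else "P2" if score >= 5 else "P3" if score >= 3 else "P4"

# Constructed sample record built from the example values in the field table above.
SAMPLE_ALERT = {
    "alert_category": "Risk", "device_alert_status": "Unresolved", "device_retired": False,
    "device_alert_detected_time": "2023-10-19T16:21:01+00:00",
    "device_alert_updated_time": "2023-10-19T16:21:01+00:00",
    "device_purdue_level": "Level 4", "device_risk_score": "Very Low",
    "device_labels": ["Critical Asset", "Production"], "device_mac_list": ["00:40:9d:10:15:b7"],
}
```

Run validate_alert before triage_priority: the triage function indexes the documented enumerations directly and expects a record that already passed validation.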