Dragos Platform Integration Guide
The Dragos Platform provides industrial organizations with comprehensive asset identification, threat detection, and response capabilities.
The following instructions are for configuring the Dragos Platform to facilitate log ingestion into Secureworks® Taegis™ XDR.
Important
Adding this integration to your XDR tenant requires Taegis™ XDR for OT. Contact your account manager or Customer Success Manager (CSM) to acquire the required license.
Connectivity Requirements
| Source | Destination | Port/Protocol |
|---|---|---|
| Dragos Platform | Taegis™ XDR Collector (mgmt IP) | TCP/601 |
Data Provided from Integration
The following Dragos event types are supported by XDR.
- Alerts (all Alert Types)
Note
Dragos event types not listed above are normalized to the generic schema.
| Data Source | Normalized Data | Out-of-the-Box Detections | Vendor-Specific Detections |
|---|---|---|---|
| Dragos Platform | Netflow | Thirdparty | |
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Detection Rules to generate detections based on normalized data from a data source.
Configure the Dragos Platform
Follow the instructions in the Dragos Syslog Integration Guide to configure Syslog forwarding.

Syslog Configuration Options
There are three possible configurations for sending logs via Syslog from the Dragos Platform: TCP, UDP, and TLS.
Enter the information appropriate for the chosen configuration:
TCP
| Parameter | Value |
|---|---|
| Name | Any string |
| Hostname/IP | XDR Collector (mgmt IP) |
| Port | 601 |
| Protocol | TCP |
| Source Hostname | Hostname/IP of Dragos Platform |
| Source Process | Any string |
| Message Format | RFC 3164 BSD Syslog |
| Message Delimiter | Use newline delimiter for TCP and TLS streams |
UDP
| Parameter | Value |
|---|---|
| Name | Any string |
| Hostname/IP | XDR Collector (mgmt IP) |
| Port | 514 |
| Protocol | UDP |
| Source Hostname | Hostname/IP of Dragos Platform |
| Source Process | Any string |
| Message Format | RFC 3164 BSD Syslog |
| Message Delimiter | Use newline delimiter for TCP and TLS streams |
TLS
Refer to the documentation to configure the XDR Collector for Syslog over TLS.
| Parameter | Value |
|---|---|
| Name | Any string |
| Hostname/IP | XDR Collector (mgmt IP) |
| Port | 514, 6514 or 1470 |
| Protocol | TLS |
| Source Hostname | Hostname/IP of Dragos Platform |
| Source Process | Any string |
| Message Format | RFC 3164 BSD Syslog |
| Message Delimiter | Use newline delimiter for TCP and TLS streams |
Sample Logs
Dragos Alerts
```
<8>1 2022-03-03T15:02:28.652971Z dragos dragos_syslog - - system="Dragos Platform" createdAt="2022-03-03T15:02:33Z" summary="Test Message from Dragos App" severity="5" content="This test message was created by the Dragos Syslog App" asset_ip="00.000.000.0" asset_hostname="test" dst_asset_ip="00.00.00.0" dst_asset_hostname="test" dst_asset_mac="02:00:00:20:0e:71" dst_asset_domain="ip-10-10-255-1.ec2.test" src_asset_ip="00.000.000.0" src_asset_hostname="test" src_asset_mac="00:00:00:00:00:00" src_asset_domain="ip-10-10-test.ec2.test" id="1234567" asset_domain="ip-10-10-255-1.ec2.test" asset_id="12783" asset_mac="00:00:00:00:00:00" detection_quad="Indicator" detectorId="test-detector-4444" dst_asset_id="36263" matchedRuleId="16" occurredAt="2022-03-03T15:02:33Z" originalSeverity="5" reviewed="False" src_asset_id="29596" type="Test"
```
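As an added example that is not part of the Secureworks or Dragos documentation, the Python below splits a newline-delimited TCP/TLS syslog stream into messages, parses the syslog header (the sample above carries an RFC 5424 header even though the configuration tables specify RFC 3164, so both forms are accepted) and the Dragos key="value" payload, and maps the vendor fields to a flat record. The sample message is a trimmed copy of the one above, and the normalized field names are assumptions, not the XDR schema.

```python
import re

# Constructed sample: the Dragos test alert from this guide, trimmed to the
# fields used below. The payload is a run of key="value" pairs after the header.
SAMPLE = ('<8>1 2022-03-03T15:02:28.652971Z dragos dragos_syslog - - '
          'system="Dragos Platform" createdAt="2022-03-03T15:02:33Z" '
          'summary="Test Message from Dragos App" severity="5" '
          'src_asset_ip="00.000.000.0" dst_asset_ip="00.00.00.0" '
          'detection_quad="Indicator" detectorId="test-detector-4444" '
          'matchedRuleId="16" id="1234567" type="Test"\n')

# PRI is <facility*8 + severity>. The sample has an RFC 5424 header (version "1"
# after the PRI); an RFC 3164 header is "<PRI>Mmm dd hh:mm:ss host tag: " instead.
HDR_5424 = re.compile(r'^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) \S+ \S+ ')
HDR_3164 = re.compile(r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
                      r'(?P<host>\S+) (?P<app>[^:\s\[]+)(?:\[\d+\])?: ')
KV = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')  # quoted values may contain spaces

def split_frames(buf: str):
    """Split a newline-delimited stream into complete messages.
    Returns (messages, remainder); the remainder is a partial trailing message."""
    *done, rest = buf.split('\n')
    return [m for m in done if m], rest

def parse_dragos_alert(msg: str) -> dict:
    """Parse one Dragos syslog alert into header fields plus its payload."""
    m = HDR_5424.match(msg) or HDR_3164.match(msg)
    if not m:
        raise ValueError('unrecognised syslog header')
    pri = int(m.group('pri'))
    if pri > 191:  # facility 0-23, severity 0-7
        raise ValueError(f'PRI {pri} out of range')
    payload = {k: v.replace('\\"', '"') for k, v in KV.findall(msg[m.end():])}
    return {'facility': pri // 8, 'pri_severity': pri % 8,
            'host': m.group('host'), 'app': m.group('app'), **payload}

def normalize(alert: dict) -> dict:
    """Map vendor fields to a flat record; these output field names are assumed,
    not the schema XDR uses when it normalizes Dragos alerts."""
    return {'source_ip': alert.get('src_asset_ip'),
            'dest_ip': alert.get('dst_asset_ip'),
            'severity': int(alert.get('severity', 0)),
            'rule': alert.get('detectorId'),
            'category': alert.get('detection_quad'),
            'summary': alert.get('summary'),
            'occurred_at': alert.get('occurredAt') or alert.get('createdAt')}

if __name__ == '__main__':
    msgs, rest = split_frames(SAMPLE + '<8>1 partial')  # second message still arriving
    print(normalize(parse_dragos_alert(msgs[0])), repr(rest))
```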