
Dragos Platform Integration Guide


The Dragos Platform provides industrial organizations with comprehensive asset identification, threat detection, and response capabilities.

The following instructions are for configuring the Dragos Platform to facilitate log ingestion into Secureworks® Taegis™ XDR.

Important

Adding this integration to your XDR tenant requires Taegis™ XDR for OT. Contact your account manager or CSM to acquire the required license.

Connectivity Requirements

Source Destination Port/Protocol
Dragos Platform Taegis™ XDR Collector (mgmt IP) TCP/601

Data Provided from Integration

The following Dragos event types are supported by XDR.

  Antivirus Auth DHCP DNS Email Encrypt File HTTP Management Netflow NIDS Process Thirdparty
Dragos Platform                   D     V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Note

Dragos event types not listed above are normalized to the generic schema.

Note

XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.

Configure the Dragos Platform

Follow the instructions in the Dragos Syslog Integration Guide to configure Syslog forwarding.

Syslog Configuration

Enter the following information:

Parameter Value
Name Any string
Hostname/IP XDR Collector (mgmt IP)
Port 601
Protocol TCP
Source Hostname Hostname/IP of Dragos Platform
Source Process Any string
Message Format RFC 3164 BSD Syslog
Message Delimiter Use newline delimiter for TCP and TLS streams

Sample Logs

Dragos Alerts

<8>1 2022-03-03T15:02:28.652971Z dragos dragos_syslog - - system="Dragos Platform" createdAt="2022-03-03T15:02:33Z" summary="Test Message from Dragos App" severity="5" content="This test message was created by the Dragos Syslog App" asset_ip="00.000.000.0" asset_hostname="test" dst_asset_ip="00.00.00.0" dst_asset_hostname="test" dst_asset_mac="02:00:00:20:0e:71" dst_asset_domain="ip-10-10-255-1.ec2.test" src_asset_ip="00.000.000.0" src_asset_hostname="test" src_asset_mac="00:00:00:00:00:00" src_asset_domain="ip-10-10-test.ec2.test" id="1234567" asset_domain="ip-10-10-255-1.ec2.test" asset_id="12783" asset_mac="00:00:00:00:00:00"  detection_quad="Indicator" detectorId="test-detector-4444" dst_asset_id="36263" matchedRuleId="16" occurredAt="2022-03-03T15:02:33Z" originalSeverity="5" reviewed="False" src_asset_id="29596" type="Test"
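As an added example (not code from the Dragos or Taegis documentation), a small Python parser for the syslog line format shown above: it separates the vendor header from the key="value" body and returns the attributes a Custom Alert Rule would key on, so a collector-side check can confirm what actually arrives over TCP/601. The embedded sample is a shortened copy of the test message above; the facility/severity decoded from the PRI field is syslog's, distinct from the Dragos severity attribute.

```python
import re
from typing import Dict

# Constructed sample: a shortened copy of the test message shown on this page.
SAMPLE_LOG = (
    '<8>1 2022-03-03T15:02:28.652971Z dragos dragos_syslog - - '
    'system="Dragos Platform" createdAt="2022-03-03T15:02:33Z" '
    'summary="Test Message from Dragos App" severity="5" '
    'content="This test message was created by the Dragos Syslog App" '
    'detectorId="test-detector-4444" matchedRuleId="16" '
    'occurredAt="2022-03-03T15:02:33Z" originalSeverity="5" reviewed="False" type="Test"'
)

# Header layout as seen in the sample line:
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the key="value" body.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<ts>\S+) (?P<host>\S+) '
    r'(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<msg>.*)$',
    re.S,
)
# key="value" pairs; a backslash-escaped quote inside a value is tolerated.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_dragos_syslog(line: str) -> Dict[str, object]:
    """Parse one newline-delimited Dragos syslog line into header and attribute fields."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("line does not match the expected syslog header")
    pri = int(m.group("pri"))
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(m.group("msg"))}
    return {
        "facility": pri // 8,          # syslog facility from PRI
        "syslog_severity": pri % 8,    # syslog severity from PRI (not the Dragos one)
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "fields": fields,
    }


def is_dragos_test_message(event: Dict[str, object]) -> bool:
    """True for the test message the Dragos Syslog App emits on configuration (type="Test")."""
    return event["fields"].get("type") == "Test"


if __name__ == "__main__":
    ev = parse_dragos_syslog(SAMPLE_LOG)
    print(ev["host"], ev["fields"]["detectorId"], is_dragos_test_message(ev))
```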
