Dragos Platform Integration Guide
The Dragos Platform provides industrial organizations with comprehensive asset identification, threat detection, and response capabilities.
The following instructions are for configuring the Dragos Platform to facilitate log ingestion into Secureworks® Taegis™ XDR.
Important
Adding this integration to your XDR tenant requires Taegis™ XDR for OT. Contact your account manager or CSM to acquire the required license.
Connectivity Requirements
Source | Destination | Port/Protocol
---|---|---
Dragos Platform | Taegis™ XDR Collector (mgmt IP) | TCP/601
Data Provided from Integration
The following Dragos event types are supported by XDR.
- Alerts (all Alert Types)
Note
Dragos event types not listed above are normalized to the generic schema.
Antivirus | Auth | DHCP | DNS | Encrypt | File | HTTP | Management | Netflow | NIDS | Process | Thirdparty | ||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Dragos Platform | D | V |
Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections
Note
XDR detectors are not guaranteed to be triggered, even if a data source's logs are normalized to a schema associated with a given detector. However, you can create Custom Alert Rules to generate alerts based on normalized data from a data source.
Configure the Dragos Platform
Follow the instructions in the Dragos Syslog Integration Guide to configure Syslog forwarding.
Syslog configuration using TCP port 601
Syslog Configuration Options
There are three possible configurations for sending logs via Syslog from the Dragos Platform: TCP, UDP and TLS.
Enter the following information, as appropriate for the chosen configuration:
TCP
Parameter | Value |
---|---|
Name | Any string |
Hostname/IP | XDR Collector (mgmt IP) |
Port | 601 |
Protocol | TCP |
Source Hostname | Hostname/IP of Dragos Platform |
Source Process | Any string |
Message Format | RFC 3164 BSD Syslog |
Message Delimiter | Use newline delimiter for TCP and TLS streams |
UDP
Parameter | Value |
---|---|
Name | Any string |
Hostname/IP | XDR Collector (mgmt IP) |
Port | 514 |
Protocol | UDP |
Source Hostname | Hostname/IP of Dragos Platform |
Source Process | Any string |
Message Format | RFC 3164 BSD Syslog |
Message Delimiter | Use newline delimiter for TCP and TLS streams |
TLS
Refer to the documentation to configure the XDR Collector for Syslog over TLS.
Parameter | Value |
---|---|
Name | Any string |
Hostname/IP | XDR Collector (mgmt IP) |
Port | 514, 6514 or 1470 |
Protocol | TLS |
Source Hostname | Hostname/IP of Dragos Platform |
Source Process | Any string |
Message Format | RFC 3164 BSD Syslog |
Message Delimiter | Use newline delimiter for TCP and TLS streams |
Sample Logs
Dragos Alerts
```
<8>1 2022-03-03T15:02:28.652971Z dragos dragos_syslog - - system="Dragos Platform" createdAt="2022-03-03T15:02:33Z" summary="Test Message from Dragos App" severity="5" content="This test message was created by the Dragos Syslog App" asset_ip="00.000.000.0" asset_hostname="test" dst_asset_ip="00.00.00.0" dst_asset_hostname="test" dst_asset_mac="02:00:00:20:0e:71" dst_asset_domain="ip-10-10-255-1.ec2.test" src_asset_ip="00.000.000.0" src_asset_hostname="test" src_asset_mac="00:00:00:00:00:00" src_asset_domain="ip-10-10-test.ec2.test" id="1234567" asset_domain="ip-10-10-255-1.ec2.test" asset_id="12783" asset_mac="00:00:00:00:00:00" detection_quad="Indicator" detectorId="test-detector-4444" dst_asset_id="36263" matchedRuleId="16" occurredAt="2022-03-03T15:02:33Z" originalSeverity="5" reviewed="False" src_asset_id="29596" type="Test"
```
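An added example, not code from the Secureworks or Dragos documentation: a Python parser for the alert line above that separates the syslog header from the key="value" body, so the fields a Custom Alert Rule would match on (severity, rule id, source and destination assets) can be checked before the rule is written. The sample line is copied from this page; the field names used in normalize_alert() are the ones that appear in it.

```python
import re
from typing import Dict

# Constructed sample: the test alert shown on this page (abbreviated to the fields used below).
SAMPLE = ('<8>1 2022-03-03T15:02:28.652971Z dragos dragos_syslog - - '
          'system="Dragos Platform" createdAt="2022-03-03T15:02:33Z" '
          'summary="Test Message from Dragos App" severity="5" '
          'content="This test message was created by the Dragos Syslog App" '
          'dst_asset_ip="00.00.00.0" dst_asset_hostname="test" '
          'src_asset_ip="00.000.000.0" src_asset_hostname="test" id="1234567" '
          'detection_quad="Indicator" detectorId="test-detector-4444" '
          'matchedRuleId="16" occurredAt="2022-03-03T15:02:33Z" '
          'originalSeverity="5" reviewed="False" type="Test"\n')

# Header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the message.
# The sample carries no structured-data element, so the message follows MSGID directly.
HEADER_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<timestamp>\S+)\s+(?P<hostname>\S+)\s+'
    r'(?P<app>\S+)\s+(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<msg>.*)$')
# key="value" pairs; values may contain spaces and backslash-escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_dragos_alert(line: str) -> Dict[str, object]:
    """Split one newline-delimited Dragos syslog record into header and body fields."""
    m = HEADER_RE.match(line.rstrip('\r\n'))
    if not m:
        raise ValueError('line does not start with a <PRI>VERSION syslog header')
    pri = int(m.group('pri'))
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(m.group('msg'))}
    return {'facility': pri // 8, 'syslog_severity': pri % 8,
            'timestamp': m.group('timestamp'), 'host': m.group('hostname'),
            'app': m.group('app'), 'fields': fields}


def normalize_alert(parsed: Dict[str, object]) -> Dict[str, object]:
    """Reduce the raw fields to the handful a detection rule would key on."""
    f = parsed['fields']
    return {'event_time': f.get('occurredAt', parsed['timestamp']),
            'severity': int(f.get('severity', '0')),
            'rule_id': f.get('matchedRuleId'), 'detector': f.get('detectorId'),
            'src': (f.get('src_asset_ip'), f.get('src_asset_hostname')),
            'dst': (f.get('dst_asset_ip'), f.get('dst_asset_hostname')),
            'reviewed': f.get('reviewed', 'False').lower() == 'true',
            'summary': f.get('summary', '')}


if __name__ == '__main__':
    print(normalize_alert(parse_dragos_alert(SAMPLE)))
```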