Dragos
Connector Category: API Feed Source
About Integration
CTIX integrates with Dragos WorldView to retrieve threat data feeds related to industrial control systems (ICS). This integration provides visibility into the global landscape of threats targeting industrial environments. By leveraging this threat data, security teams can proactively implement preventive measures, thwart potential attacks, and safeguard their critical infrastructure.
Use Cases
Ingest the latest threats targeting industrial environments.
Analyze and understand the threats to identify potential risks and vulnerabilities.
Correlate threat data from Dragos WorldView with internal network data. By analyzing patterns and anomalies, security teams can identify suspicious activities that could indicate a potential attack on industrial control systems.
Ensure that the industrial control systems meet required security and risk management criteria.
Benefits
Automatically collect ICS threat intel with rich context.
Prioritize threats based on the severity level.
Download artifacts attached to the observable threat data objects in PDF format.
Import tags of the threat data feed into CTIX.
Configure Dragos as an API Feed Source
Configure Dragos as an API feed source to receive threat data feeds from Dragos WorldView.
Before you Start
You must have the View API Feed, View Feed Source, Create Feed Source, and Update Feed Source permissions in CTIX.
You must have the base URL, client ID, and client secret key of your Dragos WorldView account.
Note
Ensure that the client ID includes the permissions to retrieve product threat data. If the client ID does not have permission to retrieve the product threat data feed, the feed channel is disabled automatically and displays a connection error.
Steps
To configure Dragos WorldView as an API feed source in CTIX, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Click Add API source.
Search and select the Dragos app.
Click Add Instance.
Enter a unique name to identify the instance. For example, Dragos-Prod.
Enter the base URL of your Dragos instance. The default base URL is https://intel.dragos.com/api/v1/.
Enter the client ID and client secret key of your Dragos WorldView account to authenticate communication between the CTIX and Dragos WorldView servers.
Select Verify SSL to verify the SSL certificate and secure the connection between the CTIX and Dragos WorldView servers. By default, Verify SSL is selected.
Note
Cyware recommends that you select Verify SSL. If you disable this option, CTIX may configure an instance whose SSL certificate has expired. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection.
Click Save.
The Dragos instance is configured and you can view the Dragos WorldView feed channels. You can configure multiple instances by clicking Manage > Add More.
Configure Dragos Feed Channels
Configure the feed channels to retrieve threat data feeds from Dragos WorldView and store the feeds in a collection.
Steps
To configure a Dragos channel, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Search and select the Dragos app.
Click the ellipsis on the top right corner and select Manage.
Click Manage Feed Channels.
Select a feed channel and enable the toggle.
Enter the date and time to start polling feeds. Select a date within 15 days from the current date.
Enter the name of the collection to group the feed data. For example, Dragos Feeds. CTIX creates the collection and stores all the feeds from the feed channel.
Select from one of the following Polling Cron Schedule types to define when to poll the data:
Manual: Allows you to manually poll from the source collection.
Auto: Allows you to automatically poll for threat intel from sources at specific time intervals. The default polling cron schedule is Auto.
Enter a frequency in minutes between 60 and 10080 minutes in Polling Time. The default polling time is 240 minutes.
Set a default TLP and confidence score to assign to feeds that do not already have a TLP and confidence score. By default, the TLP and confidence score are set to Amber and 100, respectively.
Select any tags to identify and categorize the feeds.
Click Save.
The feed channel is configured and you can poll feeds from the channel. You can enable the other feed channels, poll feeds, and view the feeds. For more information, see API Integrations.
Test Dragos Feed Channel Connectivity
Test the connectivity of the Dragos API feed channels to ensure that the connection with the correct API endpoint is established and you have permission to poll feeds.
Before you Start
Ensure that the Dragos API integration is enabled.
Ensure that the feed channel for which you want to test connectivity is enabled.
Steps
To test the connectivity of a feed channel, do the following:
Go to Administration > Integration Management > FEED SOURCES > APIs.
Search and select the Dragos app.
On a feed channel, click the vertical ellipsis and select View Details.
In the Working Status section, click Test Connectivity.
If the connection is established, then the working status shows Running. If the connectivity is broken, then the working status shows Connection Error. Hover over the tooltip next to Connection Error to view the error code.
Note
When the connectivity of a feed channel breaks, CTIX disables the channel and re-attempts to restore the connectivity three times every hour. After a successful re-attempt to restore the connectivity, CTIX enables the feed channel automatically.
To understand the error code and troubleshoot broken connectivity, see Troubleshoot Integrations.
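As an added example that is not part of the CTIX documentation or of Dragos's code, the following Python script performs the check that the Verify SSL option and the feed channel connectivity test rely on: it completes a TLS handshake with the host of the configured base URL and reports Running or Connection Error in the same terms the working status uses, so you can confirm from the CTIX host that the Dragos certificate verifies before relying on the option. The function names, the 5-second timeout and the status strings are assumptions; no API endpoint or credentials are needed for this check.

```python
import socket
import ssl
import time
from typing import Optional, Tuple
from urllib.parse import urlparse

DEFAULT_BASE_URL = "https://intel.dragos.com/api/v1/"  # default from the page above

def parse_base_url(base_url: str) -> Tuple[str, int]:
    """Return (host, port) for the base URL; the feed source must use HTTPS."""
    u = urlparse(base_url)
    if u.scheme != "https" or not u.hostname:
        raise ValueError(f"base URL must be https://<host>/...: {base_url!r}")
    return u.hostname, u.port or 443

def build_context(verify_ssl: bool = True) -> ssl.SSLContext:
    """Mirror the Verify SSL toggle: verification on (the default) or off."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        # Off: an expired or mismatched certificate is silently accepted.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def days_until_expiry(not_after: str, now: Optional[float] = None) -> int:
    """Days until a certificate's notAfter string as returned by getpeercert()."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def classify(exc: Optional[Exception]) -> str:
    """Map a handshake outcome onto the working status CTIX displays (assumed strings)."""
    if exc is None:
        return "Running"
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "Connection Error (certificate verification failed)"
    if isinstance(exc, OSError):  # SSLError, gaierror, timeout, refused
        return "Connection Error"
    return "Connection Error (unexpected)"

def check_tls(base_url: str = DEFAULT_BASE_URL, verify_ssl: bool = True) -> str:
    """Handshake with the base URL host and report Running / Connection Error."""
    host, port = parse_base_url(base_url)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with build_context(verify_ssl).wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # empty dict when verification is off
        if cert.get("notAfter"):
            return f"Running (certificate expires in {days_until_expiry(cert['notAfter'])} days)"
        return classify(None)
    except Exception as exc:
        return classify(exc)
```

Run `check_tls()` from the CTIX host to test the default base URL, or pass your own base URL; running it with `verify_ssl=False` shows that a certificate problem is no longer reported, which is the behaviour the note above warns about.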
Dragos Feed Channels
CTIX provides a channel to poll feeds from Dragos. The following table lists the feed channel and the API endpoint used to retrieve feeds.
Feed Channel | API Endpoint
---|---
Fetch Product Feeds |
CTIX ingests the product feeds of Dragos as reports. If there are IOCs associated with a report, then CTIX ingests the IOCs as indicator objects.