Dragos WorldView
App Vendor: Dragos
App Category: Data Enrichment & Threat Intelligence
App Version in Orchestrate: 1.0.0
Product version: 1.0.0
Product API Document version: 1.0.0
About App
The Dragos WorldView app in the Orchestrate application allows security teams to integrate with Dragos WorldView Enterprise application to fetch data such as indicators, incidents, and STIX 2.0 JSON bundle.This data provides access to real-time information about Industrial Control System (ICS) related threats and enables organizations to be proactive against threats that target critical infrastructure.
The Dragos WorldView app in the Orchestrate application can perform the below listed actions:
Action Name | Description |
|---|---|
Fetch Indicators | This action can be used to get a list of all indicators. |
Fetch Metadata of a product | This action can be used to get the details of an incident identified by a given serial. |
Fetch Products | This action can be used to return a list of all incidents. Specific incidents identified by serial can also be returned. |
Fetch STIX 2.0 | This action can be used to get the STIX 2.0 JSON bundle for the indicators identified by a given serial. |
Prerequisites
All the actions configured in the Dragos WorldView app relate to private APIs. Dragos WorldView Enterprise subscription is required to access the private APIs.
Configuration parameters
The following configuration parameters are required for the Dragos WorldView app to communicate with Dragos WorldView Enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
API Token | Token for interacting with the API. | Text | Required | |
API Secret | Authentication key for interacting with the API | Password | Required | |
SSL Verification | Optional action to either verify or not verify the SSL certificate. | Boolean | Optional | Allowed boolean values:
Defaults to “No”. |
Action: Fetch Indicators
This action can be used to get a list of all indicators.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
Page | Enter the page number. For example, 3 | Text | Optional | Default page number is 1. |
Page Size | Enter the page size For example, 50 | Text | Optional | Default page size is 50. Must be less than 1001. |
Updated After | Enter the UTC timestamp in YYYY-mm-dd format to filter recent indicators For example, 2020-06-06 | Text | Optional | Optional format: HH:mm:ss |
Indicator value | Enter the value of the indicator. For example, tre.pl | Text | Optional | Allowed values:
|
Types | Enter the type of indicator | Text | Optional | Allowed values:
|
Serial | Enter the serial to search for indicators matching a particular report serial. For example, DOM-2019-01 | Text | Optional | Can be a single string or array. |
Tags | Enter the tags to search/filter related indicators. For example, ip | Text | Optional | Can be a single string or array. |
Example Request
[
{
"page": "3",
"tags": "ip",
"types": "domain",
"value": "tre.pl",
"serial": "DOM-2019-01",
"page_size": "50",
"updated_after": "2020-06-06"
}
]Action: Fetch Products
This action can be used to return a list of all incidents. Specific incidents identified by serial can also be returned.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
Page | Enter the page number. For example, 2 | Text | Optional | Default page number is 1. |
Page Size | Enter the page size. For example, 50 | Text | Optional | Default page size is 50. Must be less than 1001. |
Sort By | Enter the field to sort the returned products. | Text | Optional | Allowed values:
Default sorting field is "release_at". |
Sort Desc | Enter the descending sort option. | Text | Optional | Boolean values:
Default option is "False". |
Updated After | Enter the UTC timestamp in YYYY-mm-dd format to filter recent Indicators. For example, 2020-06-06 | Text | Optional | Optional format: HH:mm:ss |
Serial | Enter the serial to search for products matching the serial. For example, DOM-2019-2 | Text | Optional | |
Indicator | Enter the indicator. For example, tr.pl | Text | Optional | Only exact matches are fetched. |
Example Request
[
{
"page": "2",
"serial": "DOM-2019-2",
"sort_by": "release_at",
"indicator": "tr.pl",
"page_size": "50",
"sort_desc": "false",
"updated_after": "2020-06-06"
}
]Action: Fetch Metadata of a Product
This action can be used to get the details of an incident identified by a given serial.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
ID | Enter the ID. For example, TR-2019-02 | Text | Required | ID is the “Serial” of the product which can be retrieved by using the Fetch Products action. |
Example Request
[
{
"ids": "TR-2019-02"
}
]Action: Fetch STIX 2.0
This action can be used to get a STIX 2.0 JSON bundle for the indicators related to a given serial.
Input Parameters
Parameter | Description | Field Type | Required / Optional | Comments |
|---|---|---|---|---|
ID | Enter the ID. For example, DOM-2019-1 | Text | Required | ID is the “Serial” of the product which can be retrieved by using the Fetch Products action. |
Example Request
[
{
"ids": "DOM-2019-1"
}
]