External Systems Configuration Guide

Dragos Platform

What is Discovered and Monitored

Protocol   Information Discovered   Metrics Collected                                                                 Used For
Syslog     (none)                   Dragos alert logs regarding Modeling, Indicator, Configuration, Threat Behavior   Security Monitoring

Event Types

In ADMIN > Device Support > Event Types, search for "dragos" to see the event types associated with this device. In FortiSIEM 6.2.0, there are 5 event types defined.

Rules

There are no specific rules available for Dragos.

Reports

There are no specific reports available for Dragos. You can view all Dragos events by taking the following steps.

  1. From the ANALYTICS page, click in the Edit Filters and Time Range field.
  2. Under Filter, select Event Attribute.
  3. In the Attribute field, select/enter "Event Type".
  4. In the Operator field, select "CONTAIN".
  5. In the Value field, enter "Dragos".
  6. (Optional) Click Save to save the search parameters for future related searches.
  7. Click Apply & Run.

Configuration

Syslog

FortiSIEM processes events from this device via syslog. Configure the Dragos Platform to send syslog to FortiSIEM on port 514. Both message shapes shown under Sample Syslog below (an RFC 5424-style header followed by key="value" pairs, and a CEF record) come from the Dragos Syslog App. Plain syslog carries no sender authentication, so restrict inbound port 514 on the collector to the Dragos Platform's address; otherwise any host that can reach the port can inject Dragos-looking events into FortiSIEM.

Sample Syslog

<13>1 2020-07-02T14:58:31.538019Z dragos dragos_syslog - - system="Dragos Platform" createdAt="2020-07-02T14:58:31Z" summary="Test Message from Dragos App" severity="{severity}" content="This test message was created by the Dragos Syslog App" asset_ip=#"{asset_ip}" asset_hostname="Test" dst_asset_ip="10.0.0.9" dst_asset_hostname="Test" dst_asset_mac="83:77:DB:E3:A3:38" dst_asset_domain="ip-10-10-255-1.ec2.test" src_asset_ip="10.0.0.9" src_asset_hostname="Test" src_asset_mac="89:3A:EE:01:0F:D3" src_asset_domain="ip-10-10-test.ec2.test" id="1234567" asset_domain="ip-10-10-255-1.ec2.test" asset_id="111111" asset_mac="06:92:1C:1B:F2:72" detection_quad="Modeling" detectorId="test-detector-1111" dst_asset_id="333333" matchedRuleId="16" occurredAt="2020-07-02T14:58:31Z" originalSeverity="0" reviewed="False" src_asset_id="222222" type="Test"
 
<8>May 06 21:06:19 dragos dragos_syslog: CEF:0|Dragos|Platform|1.6|notification|Test Message from Dragos App|5|content=This test message was created by the Dragos Syslog App asset_ip=10.0.0.9 asset_hostname=Test dst_asset_ip=10.0.0.9 dst_asset_hostname=Test dst_asset_mac=9C:B6:TE:ST:4B:95 dst_asset_domain=ip-10-10-255-1.ec2.test src_asset_ip=10.0.0.9 src_asset_hostname=Test src_asset_mac=TE:ST:D0:F2:4B:95 src_asset_domain=ip-10-10-test.ec2.test id=1234567 asset_domain=ip-10-10-255-1.ec2.test asset_id=111111 asset_mac=9C:B6:D0:F2:TE:ST createdAt=2020-05-06T21:06:24Z detection_quad=Indicator detectorId=test-detector-4444 dst_asset_id=333333 matchedRuleId=16 occurredAt=2020-05-06T21:06:24Z originalSeverity=5 reviewed=False src_asset_id=222222 type=Test
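The two samples above arrive in different shapes: the first is an RFC 5424-style header followed by key="value" pairs, the second an RFC 3164-style header carrying a CEF:0 record whose extension values are unquoted and may contain spaces. The parser below is an added example, not FortiSIEM or Dragos code; it normalizes both shapes into one record so the same fields (detection_quad, matchedRuleId, the asset attributes) can be checked whichever format the Dragos Syslog App was set to emit. Two details in the samples themselves are worth noticing, and the parser handles both: the 5424-style line has no STRUCTURED-DATA field after MSGID, so a strict RFC 5424 parser would reject it, and the syslog PRI severity does not track Dragos's own severity (`<8>` decodes to facility 1, severity 0, Emergency, while the CEF header says 5), so filtering should key off the payload's severity, not the PRI. The first sample also still contains unfilled template placeholders (`severity="{severity}"`, `asset_ip=#"{asset_ip}"`), which is why those values come back literally. Both sample strings are copied from the page and shortened to the fields used; the class and function names are this example's own.

```python
"""Parse the two Dragos Platform syslog shapes shown on this page.
Added example, not FortiSIEM or Dragos code. Field names are the ones that
appear in the page's own samples; class/function names are this example's."""
import re
from dataclasses import dataclass, field

# Constructed input 1: the page's RFC 5424-style sample, shortened to the fields used here.
SAMPLE_KV = (
    '<13>1 2020-07-02T14:58:31.538019Z dragos dragos_syslog - - '
    'system="Dragos Platform" createdAt="2020-07-02T14:58:31Z" '
    'summary="Test Message from Dragos App" severity="{severity}" '
    'content="This test message was created by the Dragos Syslog App" '
    'asset_ip=#"{asset_ip}" asset_hostname="Test" dst_asset_ip="10.0.0.9" '
    'src_asset_ip="10.0.0.9" detection_quad="Modeling" detectorId="test-detector-1111" '
    'matchedRuleId="16" originalSeverity="0" reviewed="False" type="Test"'
)
# Constructed input 2: the page's CEF sample (RFC 3164-style header), likewise shortened.
SAMPLE_CEF = (
    '<8>May 06 21:06:19 dragos dragos_syslog: CEF:0|Dragos|Platform|1.6|'
    'notification|Test Message from Dragos App|5|'
    'content=This test message was created by the Dragos Syslog App '
    'asset_ip=10.0.0.9 asset_hostname=Test dst_asset_ip=10.0.0.9 '
    'src_asset_mac=TE:ST:D0:F2:4B:95 detection_quad=Indicator detectorId=test-detector-4444 '
    'matchedRuleId=16 originalSeverity=5 reviewed=False type=Test'
)

SYSLOG_SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
                     "Warning", "Notice", "Informational", "Debug")

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)
# VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then payload. The sample has no
# STRUCTURED-DATA field ("-" or "[...]") after MSGID, which strict RFC 5424 requires;
# the key="value" payload starts right after the second "-", and we tolerate that.
HDR_5424_RE = re.compile(r"^1 (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
# "Mon DD HH:MM:SS host tag: msg" (RFC 3164 shape).
HDR_3164_RE = re.compile(
    r"^([A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ([^:\s]+): (.*)$", re.S)
# key="value"; the sample writes asset_ip=#"{asset_ip}", so a stray '#' is accepted.
KV_QUOTED_RE = re.compile(r'(\w+)=#?"([^"]*)"')
# CEF extension values are unquoted and may contain spaces (content=This test ...),
# so a value runs until the next " key=" or the end of the record.
CEF_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)", re.S)
CEF_HEADER_KEYS = ("cef_version", "vendor", "product", "product_version",
                   "signature_id", "name", "severity")


@dataclass
class DragosEvent:
    shape: str            # "rfc5424-kv" or "cef"
    pri_facility: int
    pri_severity: int     # syslog PRI severity 0-7; NOT Dragos's own severity
    host: str
    timestamp: str
    severity: str         # Dragos's severity: severity="..." or the CEF header field
    summary: str
    fields: dict = field(default_factory=dict)

    @property
    def pri_severity_name(self) -> str:
        return SYSLOG_SEVERITIES[self.pri_severity]


def split_pri(line: str):
    """Return (facility, severity, remainder) decoded from the leading <PRI>."""
    m = PRI_RE.match(line)
    if not m or int(m.group(1)) > 191:       # 24 facilities x 8 severities
        raise ValueError("missing or out-of-range syslog PRI")
    pri = int(m.group(1))
    return pri // 8, pri % 8, m.group(2)


def parse_cef(msg: str):
    """Split a CEF:0 record into its 7 header fields and its extension dict."""
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)   # a backslash-escaped '|' is data
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF:0 record")
    header = dict(zip(CEF_HEADER_KEYS, parts[:7]))
    header["cef_version"] = header["cef_version"][len("CEF:"):]
    return header, dict(CEF_EXT_RE.findall(parts[7]))


def parse_dragos(line: str) -> DragosEvent:
    """Parse either Dragos syslog shape into one normalized DragosEvent."""
    facility, pri_sev, rest = split_pri(line)
    m = HDR_5424_RE.match(rest)
    if m:
        ts, host, _app, _procid, _msgid, payload = m.groups()
        fields = dict(KV_QUOTED_RE.findall(payload))
        return DragosEvent("rfc5424-kv", facility, pri_sev, host, ts,
                           fields.get("severity", ""), fields.get("summary", ""), fields)
    m = HDR_3164_RE.match(rest)
    if m:
        ts, host, _tag, payload = m.groups()
        header, ext = parse_cef(payload)
        return DragosEvent("cef", facility, pri_sev, host, ts,
                           header["severity"], header["name"], {**header, **ext})
    raise ValueError("unrecognized Dragos syslog header")
```

Calling `parse_dragos(SAMPLE_CEF)` returns an event whose `pri_severity_name` is "Emergency" but whose `severity` is "5"; the CEF header value is the one that reflects what Dragos decided, which is the point of keeping the two severities in separate fields. Anything that does not start with a valid PRI or match one of the two header shapes raises ValueError rather than being silently half-parsed.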
