Integrate Dragos with Red Canary

Create a Red Canary provided-URL to send Dragos alerts for ingestion

1. From your Red Canary dashboard click Integrations, and select See all integrations.

   

2. Type and select Drago Platform.

   

3. Click Configure.

4. Enter a name for your integration.

5. Select a Display Category.

6. From the Ingest Format/Method section, select Dragos Platform via syslog. 

7. Select Use custom TLS server certificate for ingest over TLS?.

8. Click Save Configuration.

9. Click Edit Configuration.

10. Click Activate. 

11. After a few minutes, Red Canary will generate a URL (Collector ID) that you will use to input into your Dragos account. Copy and then save this URL. You will use this in a later step. 

    Example: prod1-use2-1234567.prod1.collectors.redcanary.io

Generate the necessary Transport Layer Security (TLS) certificates that are used to configure the Dragos platform to send syslogs to Red Canary.

Note: If you are running any version before OpenSSL (version 1.1.), you do not need to include the "-traditional"  in the commands provided below. To learn what version of OpenSSL you currently have, enter openssl version in your native terminal.

1. Open your native terminal.

2. Copy and run the command below to generate a Certificate Authority (CA) Private Key:

   1. openssl genrsa -traditional -out ca.key 2048

3. Copy and run the command below to generate the Certificate Authority Certificate:

   1. openssl req -new -x509 -sha256 -key ca.key -out ca.crt

      Note: If you are prompted for a Common name, enter the host name or IP address of your Dragos environment.

4. Copy and run the command below to generate a Server Certificate Private Key:

   1. openssl genrsa -traditional -out server.key 2048

5. Copy and run the command below to generate a Server Certificate Signing Request:

   1. openssl req -new -sha256 -key server.key -out server.csr

      Note: If you are prompted for a Common name, enter the FQDN from Step 1.12.

6. Copy and run the command below to generate a Server Certificate:

   1. openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256

7. Copy and run the command below to generate a Client Certificate Private Key:

   1. openssl genrsa -traditional -out client1.key 2048

8. Copy and run the command below to generate a Client Certificate Signing Request:

   1. openssl req -new -sha256 -key client1.key -out client1.csr

      Note: If you are prompted for a Common name, enter the FQDN from Step 1.12.

9. Copy and run the command below to generate a Client Certificate:

   1. openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 1000

10. With your TLS certificates generated, log in to Red Canary.

Connect your custom certificates to Red Canary in order to start receiving Dragos alerts.

1. From your Red Canary homepage, click Integrations.
   

2. Scroll down, and then select your third-party security source.

3. Click Edit Configuration.

4. Upload the certificates you generated in Step 1:

   1. Upload a certificate file (PEM or DER)–Upload the server.crt.

   2. Upload the corresponding private key file–Upload the server.key.

   3. Enter the Private key passphrase used to generate the server key.

      Note: Leave this field blank if there isn't a passphrase.

   4. Upload the CA certificate corresponding to your certificate–Upload the ca.crt.

      

   5. With your custom certificates uploaded, log in to Dragos.

Connect your custom certificates to Dragos in order to start sending alerts to Red Canary.

1. From your Dragos dashboard, click Admin.

2. Under Syslog, click Launch.

   

3. Click Servers, and then click Add Server.

   

4. Enter a name for the server.

5. Enter a Hostname.

6. Enter a Port number.

7. From the Protocol dropdown, select mTLS.

8. Enter the Server Common name using the Hostname from Step 4.5.

9. Upload the certificates you generated in Step 2:

   1. Server Certificate Or CA Certificate–Upload the ca.crt.

   2. Client Certificate–Upload the client1.crt.

   3. Client Key–Upload the client1.key.

10. Leave all other fields set to their default state.

11. Click Next: Set Template.

    

12. From the Output Message Format dropdown, select JSON.

13. Copy and paste the following text into the Message field:

    {"system":"Dragos Platform", "id":#{id}, "created_at":#{createdAt}, "occurred_at":#{occurredAt}, "severity":#{severity}, "cef_severity":#{cef_severity}, "original_severity":#{originalSeverity}, "summary":#{summary}, "source":#{source}, "content":#{content}, "detection_quad":#{detection_quad}, "detector_id":#{detectorId}, "matched_rule_id":#{matchedRuleId}, "reviewed":#{reviewed}, "type":#{type}, "attack_tactic":#{attack_tactic}, "attack_technique":#{attack_technique}, "asset_id":#{asset_id}, "asset_ip":#{asset_ip}, "asset_hostname":#{asset_hostname}, "asset_mac":#{asset_mac}, "asset_domain":#{asset_domain}, "src_asset_id":#{src_asset_id}, "src_asset_ip":#{src_asset_ip}, "src_asset_hostname":#{src_asset_hostname}, "src_asset_mac":#{src_asset_mac}, "src_asset_domain":#{src_asset_domain}, "dst_asset_id":#{dst_asset_id}, "dst_asset_ip":#{dst_asset_ip}, "dst_asset_hostname":#{dst_asset_hostname}, "dst_asset_mac":#{dst_asset_mac}, "dst_asset_domain":#{dst_asset_domain}}

    

14. Leave all other fields set to their default state.

15. Click Save.