Integrate Dragos with Red Canary
    • 24 Jul 2024
    • 3 Minutes to read

    Integrating Dragos with Red Canary adds a defense-in-depth layer for industrial control system (ICS) environments: Dragos monitors the ICS/OT network and forwards its detections as syslog over mutual TLS (mTLS) to a Red Canary collector, where they are ingested alongside your other telemetry so you can detect and respond to attacks on critical infrastructure. To integrate Dragos with Red Canary, follow the procedure below from beginning to end.

    Prerequisites

    • Before you connect Dragos to Red Canary, make sure that Dragos is deployed and monitoring your industrial control system (ICS) and operational technology (OT) environment.

    Step 1: Red Canary–Create your Red Canary generated URL

    Create the Red Canary collector URL that Dragos will send alerts to for ingestion.

    1. From your Red Canary dashboard click Integrations, and select See all integrations.

    2. Type and select Dragos Platform.

    3. Click Configure.

    4. Enter a name for your integration.

    5. Select a Display Category.

    6. From the Ingest Format/Method section, select Dragos Platform via syslog.

    7. Select Use custom TLS server certificate for ingest over TLS?. This is what lets you upload your own server certificate in Step 3 and lets Dragos validate the collector against the CA you generate in Step 2.

    8. Click Save Configuration.

    9. Click Edit Configuration.

    10. Click Activate. 

    11. After a few minutes, Red Canary generates a collector hostname (Collector ID) that you will enter into your Dragos account. Copy and save it: it is the Common name of the server certificate you generate in Step 2 and the Hostname you enter in Dragos in Step 4.

      Example: prod1-use2-1234567.prod1.collectors.redcanary.io

    Step 2: Command Line Terminal–Generate TLS certificates

    Generate the Transport Layer Security (TLS) material that Dragos and Red Canary use to authenticate each other: a private Certificate Authority (CA), a server certificate that Red Canary presents on its collector, and a client certificate that Dragos presents when it connects to send syslog.

    Note: The -traditional option was added in OpenSSL 3.0 and tells genrsa to write the key in the older PKCS#1 format (BEGIN RSA PRIVATE KEY). If openssl version reports 1.1.x or earlier, omit -traditional from the commands below; those versions already write that format by default and reject the option. To learn what version of OpenSSL you currently have, enter openssl version in your native terminal.

    1. Open your native terminal.

    2. Copy and run the command below to generate a Certificate Authority (CA) private key:

      openssl genrsa -traditional -out ca.key 2048

    3. Copy and run the command below to generate the Certificate Authority certificate. The validity period is set explicitly because openssl req -x509 otherwise issues a certificate valid for only 30 days, which would expire long before the 1000-day server and client certificates it signs:

      openssl req -new -x509 -sha256 -days 1000 -key ca.key -out ca.crt

        Note: If you are prompted for a Common name, enter the host name or IP address of your Dragos environment.

    4. Copy and run the command below to generate a server certificate private key:

      openssl genrsa -traditional -out server.key 2048

    5. Copy and run the command below to generate a server certificate signing request (CSR):

      openssl req -new -sha256 -key server.key -out server.csr

        Note: When you are prompted for a Common name, enter the collector hostname (FQDN) from Step 1.11, for example prod1-use2-1234567.prod1.collectors.redcanary.io. Dragos checks the certificate the collector presents against the Hostname you enter in Step 4, so the two must match exactly.

    6. Copy and run the command below to generate the server certificate, signed by your CA:

      openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256

    7. Copy and run the command below to generate a client certificate private key:

      openssl genrsa -traditional -out client1.key 2048

    8. Copy and run the command below to generate a client certificate signing request:

      openssl req -new -sha256 -key client1.key -out client1.csr

        Note: If you are prompted for a Common name, enter the FQDN from Step 1.11.

    9. Copy and run the command below to generate the client certificate, signed by the same CA:

      openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 1000 -sha256

    10. With your TLS certificates generated, log in to Red Canary.
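    The whole of Step 2 as one script, added here as an example and not part of Red Canary's or Dragos's own tooling. It runs the same openssl commands non-interactively, picks the right key-format flag for the installed OpenSSL (so it works on both 1.1.x and 3.x), signs both leaf certificates with the CA, and verifies the chain before you upload anything. The output directory, the CA Common name and the check_mtls_connection helper are assumptions for illustration; the default collector hostname is the example value from Step 1.11 and must be replaced with your own.

```shell
#!/bin/sh
# Added example, not Red Canary's or Dragos's own tooling: Step 2 as one
# non-interactive script, followed by a chain check.
# Assumptions: OpenSSL 1.1.x or 3.x on PATH; the default COLLECTOR_HOST is the
# example value from Step 1 and must be replaced with your own Collector ID.
set -eu

# Print "-traditional" only when this OpenSSL build understands it (3.x).
# 1.1.x and LibreSSL already write PKCS#1 ("BEGIN RSA PRIVATE KEY") and reject it.
rsa_format_flag() {
  if openssl genrsa -help 2>&1 | grep -q -- '-traditional'; then
    printf '%s' '-traditional'
  fi
}

# Print the Common Name of a PEM certificate (used to confirm CN == collector host).
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# gen_mtls_certs OUT_DIR COLLECTOR_HOST
# Writes ca.key/ca.crt, server.key/server.crt, client1.key/client1.crt into OUT_DIR.
gen_mtls_certs() {
  dir="$1"; host="$2"
  flag="$(rsa_format_flag)"
  mkdir -p "$dir"

  # 1. Private CA. -days is explicit: "openssl req -x509" defaults to 30 days,
  #    shorter than the 1000-day leaves it signs, so the link would die in a month.
  #    The CA Common Name is an assumed placeholder.
  openssl genrsa $flag -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -sha256 -days 1000 -key "$dir/ca.key" \
    -subj "/CN=dragos-redcanary-syslog-ca" -out "$dir/ca.crt"

  # 2. Server certificate that Red Canary presents (uploaded in Step 3). CN is the
  #    collector hostname, as in Step 2.5; it is also placed in a SAN so verifiers
  #    that ignore CN still match the name Dragos is configured with in Step 4.
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/server.ext"
  openssl genrsa $flag -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1000 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null

  # 3. Client certificate that Dragos presents (uploaded in Step 4), signed by the
  #    same CA whose certificate goes to Red Canary in Step 3. CN follows Step 2.8.
  openssl genrsa $flag -out "$dir/client1.key" 2048 2>/dev/null
  openssl req -new -sha256 -key "$dir/client1.key" -subj "/CN=$host" -out "$dir/client1.csr"
  openssl x509 -req -in "$dir/client1.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1000 -sha256 -out "$dir/client1.crt" 2>/dev/null

  # 4. Both leaves must chain to ca.crt. A mismatch here is accepted silently by the
  #    upload forms and only surfaces later as a failed TLS handshake.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" "$dir/client1.crt" >/dev/null
  rm -f "$dir/server.ext"
}

# check_mtls_connection OUT_DIR COLLECTOR_HOST PORT
# After Step 3, run from a host that can reach the collector: the handshake succeeds
# only if the collector presents server.crt (verified against ca.crt) and accepts
# client1.crt, which is what Dragos will do. Not run by default (needs network).
check_mtls_connection() {
  openssl s_client -connect "$2:$3" -servername "$2" -verify_return_error \
    -CAfile "$1/ca.crt" -cert "$1/client1.crt" -key "$1/client1.key" </dev/null
}

OUT_DIR="${OUT_DIR:-${TMPDIR:-/tmp}/dragos-mtls}"
COLLECTOR_HOST="${COLLECTOR_HOST:-prod1-use2-1234567.prod1.collectors.redcanary.io}"
gen_mtls_certs "$OUT_DIR" "$COLLECTOR_HOST"
echo "certificates written to $OUT_DIR; server CN = $(cert_cn "$OUT_DIR/server.crt")"
```

    Run it with COLLECTOR_HOST set to your Collector ID, then upload the files it writes exactly as Steps 3 and 4 describe. Once Step 3 is done, check_mtls_connection with the port you will enter in Step 4 gives you an independent yes/no on the collector side before you touch the Dragos configuration; a handshake that fails here will also fail from Dragos. Keep ca.key offline after this: anyone holding it can mint a client certificate the collector will accept.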

    Step 3: Red Canary–Upload custom certificates to Red Canary

    Upload the server certificate, its private key and the CA certificate to Red Canary so the collector can present your server certificate to Dragos and start receiving its alerts.

    1. From your Red Canary homepage, click Integrations.

    2. Scroll down, and then select the Dragos Platform integration you created in Step 1.

    3. Click Edit Configuration.

    4. Upload the files you generated in Step 2:

      1. Upload a certificate file (PEM or DER)–Upload server.crt.

      2. Upload the corresponding private key file–Upload server.key.

      3. Enter the Private key passphrase used to encrypt the server key.

        Note: The genrsa commands in Step 2 write an unencrypted key, so leave this field blank unless you added a passphrase yourself.

      4. Upload the CA certificate corresponding to your certificate–Upload ca.crt.

      5. With your custom certificates uploaded, log in to Dragos.

    Step 4: Dragos–Add and configure a destination server in Dragos

    Point Dragos at the Red Canary collector and give it the client certificate and CA certificate it needs for mutual TLS, so it can start sending alerts.

    1. From your Dragos dashboard, click Admin.

    2. Under Syslog, click Launch.

    3. Click Servers, and then click Add Server.

    4. Enter a name for the server.

    5. Enter the Hostname: the collector hostname from Step 1.11 (for example prod1-use2-1234567.prod1.collectors.redcanary.io).

    6. Enter a Port number.

    7. From the Protocol dropdown, select mTLS.

    8. Enter the Server Common name using the Hostname from Step 4.5. Dragos compares this value with the Common name of the certificate the collector presents, so it must match the value you used for the server CSR in Step 2.5.

    9. Upload the files you generated in Step 2:

      1. Server Certificate Or CA Certificate–Upload ca.crt. This is the trust anchor Dragos uses to verify the certificate the collector presents.

      2. Client Certificate–Upload client1.crt.

      3. Client Key–Upload client1.key.

    10. Leave all other fields set to their default state.

    11. Click Next: Set Template.

    12. From the Output Message Format dropdown, select JSON.

    13. Copy and paste the following text into the Message field:

      {"system":"Dragos Platform", "id":#{id}, "created_at":#{createdAt}, "occurred_at":#{occurredAt}, "severity":#{severity}, "cef_severity":#{cef_severity}, "original_severity":#{originalSeverity}, "summary":#{summary}, "source":#{source}, "content":#{content}, "detection_quad":#{detection_quad}, "detector_id":#{detectorId}, "matched_rule_id":#{matchedRuleId}, "reviewed":#{reviewed}, "type":#{type}, "attack_tactic":#{attack_tactic}, "attack_technique":#{attack_technique}, "asset_id":#{asset_id}, "asset_ip":#{asset_ip}, "asset_hostname":#{asset_hostname}, "asset_mac":#{asset_mac}, "asset_domain":#{asset_domain}, "src_asset_id":#{src_asset_id}, "src_asset_ip":#{src_asset_ip}, "src_asset_hostname":#{src_asset_hostname}, "src_asset_mac":#{src_asset_mac}, "src_asset_domain":#{src_asset_domain}, "dst_asset_id":#{dst_asset_id}, "dst_asset_ip":#{dst_asset_ip}, "dst_asset_hostname":#{dst_asset_hostname}, "dst_asset_mac":#{dst_asset_mac}, "dst_asset_domain":#{dst_asset_domain}}


    14. Leave all other fields set to their default state.

    15. Click Save.
