This article leads you through the process of integrating Dragos with Red Canary. Follow the procedure from beginning to end.

Prerequisites

Before you connect Dragos to Red Canary, make sure that Dragos is deployed and monitoring your Industrial control systems (ICS) and Operational technology (OT) environment.

Step 1: Red Canary–Create your Red Canary generated URL

Create a Red Canary provided-URL to send Dragos alerts for ingestion.

From your Red Canary dashboard click Integrations.
From the Integrations section, locate and then click the security product you want to integrate with Red Canary. Note: If you do not see your security product listed, click See all integrations.
In the search bar, type and then select your third-party security source.
Continue onto the next step by configuring your third-party security source in Red Canary.
Note: Your third-party security source may require that you contact Red Canary to configure.
Enter a name for your integration.
Select a Display Category.
From the Ingest Format/Method section, select Dragos Platform via syslog.
Select Use custom TLS server certificate for ingest over TLS?.
Click Save Configuration.
Click Edit Configuration.
Click Activate.
After a few minutes, Red Canary will generate a URL (Collector ID) that you will use to input into your Dragos account. Copy and then save this URL. You will use this in a later step.
Example: prod1-use2-1234567.prod1.collectors.redcanary.io

Step 2: Command Line Terminal–Generate TLS certificates

Generate the necessary Transport Layer Security (TLS) certificates that are used to configure the Dragos platform to send syslogs to Red Canary.

Note: If you are running any version before OpenSSL (version 1.1.), you do not need to include the "-traditional" in the commands provided below. To learn what version of OpenSSL you currently have, enter openssl version in your native terminal.

Open your native terminal.
Copy and run the command below to generate a Certificate Authority (CA) Private Key:
1. openssl genrsa -traditional -out ca.key 2048
Copy and run the command below to generate the Certificate Authority Certificate:
1. openssl req -new -x509 -sha256 -key ca.key -out ca.crt
  Note: If you are prompted for a Common name, enter the host name or IP address of your Dragos environment.
Copy and run the command below to generate a Server Certificate Private Key:
1. openssl genrsa -traditional -out server.key 2048
Copy and run the command below to generate a Server Certificate Signing Request:
1. openssl req -new -sha256 -key server.key -out server.csr
  Note: If you are prompted for a Common name, enter the FQDN from Step 1.12.
Copy and run the command below to generate a Server Certificate:
1. openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256
Copy and run the command below to generate a Client Certificate Private Key:
1. openssl genrsa -traditional -out client1.key 2048
Copy and run the command below to generate a Client Certificate Signing Request:
1. openssl req -new -sha256 -key client1.key -out client1.csrNote: If you are prompted for a Common name, enter the FQDN from Step 1.12.
Copy and run the command below to generate a Client Certificate:
1. openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 1000
With your TLS certificates generated, log in to Red Canary.

Step 3: Red Canary–Upload custom certificates to Red Canary

Connect your custom certificates to Red Canary in order to start receiving Dragos alerts.

From your Red Canary homepage, click Integrations.
Scroll down, and then select your third-party security source.
Click Edit Configuration.
Upload the certificates you generated in Step 1:
1. Upload a certificate file (PEM or DER)–Upload the server.crt.
2. Upload the corresponding private key file–Upload the server.key.
3. Enter the Private key passphrase used to generate the server key.
  Note: Leave this field blank if there isn't a passphrase.
4. Upload the CA certificate corresponding to your certificate–Upload the ca.crt.
With your custom certificates uploaded, log in to Dragos.

Step 4: Dragos–Add and configure a destination server in Dragos

Connect your custom certificates to Dragos in order to start sending alerts to Red Canary.

From your Dragos dashboard, click Admin.
Under Syslog, click Launch.
Click Servers, and then click Add Server.
Enter a name for the server.
Enter a Hostname.
Enter a Port number.
From the Protocol dropdown, select mTLS.
Enter the Server Common name using the Hostname from Step 3.5.
Upload the certificates you generated in Step 2:
1. Server Certificate Or CA Certificate–Upload the ca.crt.
2. Client Certificate–Upload the client1.crt.
3. Client Key–Upload the client1.key.
Leave all other fields set to their default state.
Click Next: Set Template.
From the Output Message Format dropdown, select JSON.
Copy and paste the following text into the Message field:
{"system":"Dragos Platform", "id":#{id}, "created_at":#{createdAt}, "occurred_at":#{occurredAt}, "severity":#{severity}, "cef_severity":#{cef_severity}, "original_severity":#{originalSeverity}, "summary":#{summary}, "source":#{source}, "content":#{content}, "detection_quad":#{detection_quad}, "detector_id":#{detectorId}, "matched_rule_id":#{matchedRuleId}, "reviewed":#{reviewed}, "type":#{type}, "attack_tactic":#{attack_tactic}, "attack_technique":#{attack_technique}, "asset_id":#{asset_id}, "asset_ip":#{asset_ip}, "asset_hostname":#{asset_hostname}, "asset_mac":#{asset_mac}, "asset_domain":#{asset_domain}, "src_asset_id":#{src_asset_id}, "src_asset_ip":#{src_asset_ip}, "src_asset_hostname":#{src_asset_hostname}, "src_asset_mac":#{src_asset_mac}, "src_asset_domain":#{src_asset_domain}, "dst_asset_id":#{dst_asset_id}, "dst_asset_ip":#{dst_asset_ip}, "dst_asset_hostname":#{dst_asset_hostname}, "dst_asset_mac":#{dst_asset_mac}, "dst_asset_domain":#{dst_asset_domain}}
Leave all other fields set to their default state.
Click Save.