This article leads you through the process of integrating Dragos with Red Canary. Follow the procedure from beginning to end.
Prerequisites
- Before you connect Dragos to Red Canary, make sure that Dragos is deployed and monitoring your industrial control system (ICS) and operational technology (OT) environment.
Step 1: Red Canary–Create your Red Canary generated URL
Create the Red Canary-provided URL to which Dragos will send alerts for ingestion.
- From your Red Canary dashboard click Integrations.
- From the Integrations section, locate and then click the security product you want to integrate with Red Canary. Note: If you do not see your security product listed, click See all integrations.
- In the search bar, type and then select your third-party security source.
- Continue onto the next step by configuring your third-party security source in Red Canary.
Note: Your third-party security source may require that you contact Red Canary to configure it.
- Enter a name for your integration.
- Select a Display Category.
- From the Ingest Format/Method section, select Dragos Platform via syslog.
- Select Use custom TLS server certificate for ingest over TLS?.
- Click Save Configuration.
- Click Edit Configuration.
- Click Activate.
- After a few minutes, Red Canary generates a collector URL (Collector ID) that you will enter into your Dragos account. Copy and save this URL; you will use it as the server Hostname and as the certificate Common name in later steps.
Example: prod1-use2-1234567.prod1.collectors.redcanary.io
Step 2: Command Line Terminal–Generate TLS certificates
Generate the necessary Transport Layer Security (TLS) certificates that are used to configure the Dragos platform to send syslogs to Red Canary.
Note: The -traditional option in the genrsa commands below exists only in OpenSSL 3.0 and later (it writes the key in the traditional PKCS#1 "BEGIN RSA PRIVATE KEY" format). On older OpenSSL releases, omit -traditional from those commands. To learn which version of OpenSSL you currently have, enter openssl version in your native terminal.
- Open your native terminal.
- Copy and run the command below to generate a Certificate Authority (CA) Private Key:
openssl genrsa -traditional -out ca.key 2048
- Copy and run the command below to generate the Certificate Authority Certificate:
openssl req -new -x509 -sha256 -key ca.key -out ca.crt
Note: If you are prompted for a Common name, enter the host name or IP address of your Dragos environment. Keep it different from the Common name you will give the server certificate below, so that the subject and issuer names on the server certificate differ.
- Copy and run the command below to generate a Server Certificate Private Key:
openssl genrsa -traditional -out server.key 2048
- Copy and run the command below to generate a Server Certificate Signing Request:
openssl req -new -sha256 -key server.key -out server.csr
Note: If you are prompted for a Common name, enter the Red Canary collector hostname from Step 1.12 (for example, prod1-use2-1234567.prod1.collectors.redcanary.io). This is the name Dragos verifies as the Server Common name in Step 4, so it must match exactly.
- Copy and run the command below to generate a Server Certificate:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256
- Copy and run the command below to generate a Client Certificate Private Key:
openssl genrsa -traditional -out client1.key 2048
- Copy and run the command below to generate a Client Certificate Signing Request:
openssl req -new -sha256 -key client1.key -out client1.csr
Note: If you are prompted for a Common name, enter the Red Canary collector hostname from Step 1.12, as you did for the server certificate.
- Copy and run the command below to generate a Client Certificate:
openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 1000 -sha256
- With your TLS certificates generated, log in to Red Canary.
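The Step 2 procedure above, carried out end to end as an added example (this is not Red Canary's or Dragos's own code). It runs the same genrsa, req and x509 commands non-interactively, drops -traditional automatically on OpenSSL releases that lack it, and then performs the checks a practitioner wants before uploading anything: both leaf certificates chain to ca.crt, the server certificate carries the collector hostname, and each private key matches its certificate. Everything not taken from the article is an assumption: the CA Common name, the temporary working directory, the 1000-day CA lifetime, and the subjectAltName and extendedKeyUsage extensions added to the leaf certificates (the article's commands produce certificates without them; a SAN is included because most TLS clients match hostnames against the SAN rather than the CN).

```sh
#!/bin/sh
# Added example (not Red Canary's or Dragos's code): Step 2 done non-interactively,
# plus verification. Assumptions not taken from the article: CA_CN, WORKDIR, the
# CA lifetime, and the SAN/EKU extensions on the leaf certificates.
set -eu

# Collector hostname from Step 1 (the article's example value).
COLLECTOR_FQDN="${COLLECTOR_FQDN:-prod1-use2-1234567.prod1.collectors.redcanary.io}"
# Assumed name for the CA; kept distinct from the server certificate's CN.
CA_CN="${CA_CN:-dragos-sitestore.example.internal}"
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# -traditional (PKCS#1 "BEGIN RSA PRIVATE KEY" output) exists only in OpenSSL 3.x.
traditional_flag() {
  case "$(openssl version)" in
    "OpenSSL 3."*) printf '%s' -traditional ;;
    *) printf '' ;;
  esac
}

gen_certs() {
  d="$WORKDIR"; trad="$(traditional_flag)"
  # CA private key and self-signed CA certificate
  openssl genrsa $trad -out "$d/ca.key" 2048
  openssl req -new -x509 -sha256 -days 1000 -key "$d/ca.key" -subj "/CN=$CA_CN" -out "$d/ca.crt"
  # Server key, CSR and certificate: CN and SAN both carry the collector hostname
  openssl genrsa $trad -out "$d/server.key" 2048
  openssl req -new -sha256 -key "$d/server.key" -subj "/CN=$COLLECTOR_FQDN" -out "$d/server.csr"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$COLLECTOR_FQDN" > "$d/server.ext"
  openssl x509 -req -sha256 -days 1000 -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/server.ext" -out "$d/server.crt"
  # Client key, CSR and certificate for Dragos, CN as the article instructs
  openssl genrsa $trad -out "$d/client1.key" 2048
  openssl req -new -sha256 -key "$d/client1.key" -subj "/CN=$COLLECTOR_FQDN" -out "$d/client1.csr"
  printf 'extendedKeyUsage=clientAuth\n' > "$d/client1.ext"
  openssl x509 -req -sha256 -days 1000 -in "$d/client1.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/client1.ext" -out "$d/client1.crt"
}

# Returns 0 only if both leaf certificates chain to ca.crt, the server
# certificate names the collector (CN and SAN), and each private key matches
# the public key embedded in its certificate.
verify_certs() {
  d="$WORKDIR"
  openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client1.crt" >/dev/null || return 1
  openssl x509 -in "$d/server.crt" -noout -subject | grep -q "CN *= *$COLLECTOR_FQDN" || return 1
  openssl x509 -in "$d/server.crt" -noout -text | grep -q "DNS:$COLLECTOR_FQDN" || return 1
  for n in server client1; do
    [ "$(openssl x509 -in "$d/$n.crt" -noout -pubkey)" = "$(openssl pkey -in "$d/$n.key" -pubout)" ] || return 1
  done
  echo "ok: chain, server name and key pairs verified in $d"
}

gen_certs
verify_certs
```

Once Step 3 is complete and the collector is listening, the same material can be exercised from the Dragos side of the network before touching the Dragos UI: openssl s_client -connect COLLECTOR:PORT -servername COLLECTOR -cert client1.crt -key client1.key -CAfile ca.crt, with PORT being the port you will configure in Step 4, should report "Verify return code: 0 (ok)"; a failure there is a certificate or network problem, not a Dragos configuration problem.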
Step 3: Red Canary–Upload custom certificates to Red Canary
Connect your custom certificates to Red Canary in order to start receiving Dragos alerts.
- From your Red Canary homepage, click Integrations.
- Scroll down, and then select your third-party security source.
- Click Edit Configuration.
- Upload the certificates you generated in Step 2:
  - Upload a certificate file (PEM or DER): upload server.crt.
  - Upload the corresponding private key file: upload server.key.
  - Private key passphrase: enter the passphrase used to encrypt the server key. Note: Leave this field blank if there isn't a passphrase. The genrsa commands in Step 2 write an unencrypted key, so this field stays blank unless you added an encryption option such as -aes256.
  - Upload the CA certificate corresponding to your certificate: upload ca.crt.
- With your custom certificates uploaded, log in to Dragos.
Step 4: Dragos–Add and configure a destination server in Dragos
Connect your custom certificates to Dragos in order to start sending alerts to Red Canary.
- From your Dragos dashboard, click Admin.
- Under Syslog, click Launch.
- Click Servers, and then click Add Server.
- Enter a name for the server.
- Enter the Hostname: the Red Canary collector URL from Step 1.12 (for example, prod1-use2-1234567.prod1.collectors.redcanary.io).
- Enter a Port number.
- From the Protocol dropdown, select mTLS.
- Enter the Server Common name. Use the same collector hostname you entered as the Hostname above; it must match the Common name of the server certificate from Step 2, or Dragos will reject the TLS connection.
- Upload the certificates you generated in Step 2:
  - Server Certificate Or CA Certificate: upload ca.crt.
  - Client Certificate: upload client1.crt.
  - Client Key: upload client1.key.
- Leave all other fields set to their default state.
- Click Next: Set Template.
- From the Output Message Format dropdown, select JSON.
- Copy and paste the following text into the Message field:
{"system":"Dragos Platform", "id":#{id}, "created_at":#{createdAt}, "occurred_at":#{occurredAt}, "severity":#{severity}, "cef_severity":#{cef_severity}, "original_severity":#{originalSeverity}, "summary":#{summary}, "source":#{source}, "content":#{content}, "detection_quad":#{detection_quad}, "detector_id":#{detectorId}, "matched_rule_id":#{matchedRuleId}, "reviewed":#{reviewed}, "type":#{type}, "attack_tactic":#{attack_tactic}, "attack_technique":#{attack_technique}, "asset_id":#{asset_id}, "asset_ip":#{asset_ip}, "asset_hostname":#{asset_hostname}, "asset_mac":#{asset_mac}, "asset_domain":#{asset_domain}, "src_asset_id":#{src_asset_id}, "src_asset_ip":#{src_asset_ip}, "src_asset_hostname":#{src_asset_hostname}, "src_asset_mac":#{src_asset_mac}, "src_asset_domain":#{src_asset_domain}, "dst_asset_id":#{dst_asset_id}, "dst_asset_ip":#{dst_asset_ip}, "dst_asset_hostname":#{dst_asset_hostname}, "dst_asset_mac":#{dst_asset_mac}, "dst_asset_domain":#{dst_asset_domain}}
- Leave all other fields set to their default state.
- Click Save.