Skip to main content
Red Canary help

Integrate Dragos with Red Canary

  • Updated .

This article leads you through the process of integrating Dragos with Red Canary. Follow the procedure from beginning to end.

Prerequisites

  • Before you connect Dragos to Red Canary, make sure that Dragos is deployed and monitoring your Industrial control systems (ICS) and Operational technology (OT) environment.
  • Make sure that you have OpenSSL (version 1.1.) installed.

Step 1: Command Line Terminal–Generate TLS certificates

Generate the necessary Transport Layer Security (TLS) certificates that are used to configure the Dragos platform to send syslogs to Red Canary.

  1. Open your native terminal.
    1.1.png
  2. Copy and run the command below to generate a Certificate Authority (CA) Private Key:
    1. openssl ecparam -name prime256v1 -genkey -noout -out ca.key
  3. Copy and run the command below to generate the Certificate Authority Certificate:
    1. openssl req -new -x509 -sha256 -key ca.key -out ca.crt
  4. Copy and run the command below to generate a Server Certificate Private Key:
    1. openssl ecparam -name prime256v1 -genkey -noout -out server.key
  5. Copy and run the command below to generate a Server Certificate Signing Request:
    1. openssl req -new -sha256 -key server.key -out server.csr
  6. Copy and run the command below to generate a Server Certificate:
    1. openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 1000 -sha256
  7. Copy and run the command below to generate a Client Certificate Private Key:
    1. openssl ecparam -name prime256v1 -genkey -noout -out client1.key
  8. Copy and run the command below to generate a Client Certificate Signing Request:
    1. openssl req -new -sha256 -key client1.key -out client1.csr
  9. Copy and run the command below to generate a Client Certificate:
    1. openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 1000
  10. With your TLS certificates generated, log in to Red Canary.

Step 2: Red Canary–Upload custom certificates to Red Canary

Connect your custom certificates to Red Canary in order to start receiving Dragos alerts.

  1. From the navigation menu, click the Integrations dropdown, and then click Alert Sources.
  2. In the search bar, type and select Dragos.
    2.png
  3. To configure your new alert source, scroll down and click Dragos.
  4. Select Use custom TLS server certificate for ingest over TLS?.
  5. Upload the certificates you generated in Step 1:

    1. Upload a certificate file (PEM or DER)Upload the server.crt.

    2. Upload the corresponding private key fileUpload the server.key.

    3. Enter the Private key passphrase used to generate the server key.
      Note: Leave this field blank if there isn't a passphrase.

    4. Upload the CA certificate corresponding to your certificateUpload the ca.crt.
      4.png

  6. With your custom certificates uploaded, log in to Dragos.

Step 3: Dragos–Add and configure a destination server in Dragos

Connect your custom certificates to Dragos in order to start sending alerts to Red Canary.

  1. From your Dragos dashboard, click Admin.
  2. Under Syslog, click Launch.
    5.png
  3. Click Servers, and then click Add Server.
    6.png
  4. Enter a name for the server.
  5. Enter a Hostname.
  6. Enter a Port number.
  7. From the Protocol dropdown, select TLS.
  8. Enter the Server Common name using the Hostname from Step 3.5.
  9. Upload the certificates you generated in Step 1:
    1. Server Certificate Or CA Certificate–Upload the server.crt.
      Note: Do not use the ca.crt.
    2. Client CertificateUpload the client1.crt.
    3. Client Key–Upload the client1.key.
  10. Leave all other fields set to their default state.
  11. Click Next: Set Template.
    7.png
  12. From the Output Message Format dropdown, select JSON.
  13. Copy and paste the following text into the Message field:
    {"system":"Dragos Platform", "id":#{id}, "created_at":#{createdAt}, "occurred_at":#{occurredAt}, "severity":#{severity}, "cef_severity":#{cef_severity}, "original_severity":#{originalSeverity}, "summary":#{summary}, "source":#{source}, "content":#{content}, "detection_quad":#{detection_quad}, "detector_id":#{detectorId}, "matched_rule_id":#{matchedRuleId}, "reviewed":#{reviewed}, "type":#{type}, "attack_tactic":#{attack_tactic}, "attack_technique":#{attack_technique}, "asset_id":#{asset_id}, "asset_ip":#{asset_ip}, "asset_hostname":#{asset_hostname}, "asset_mac":#{asset_mac}, "asset_domain":#{asset_domain}, "src_asset_id":#{src_asset_id}, "src_asset_ip":#{src_asset_ip}, "src_asset_hostname":#{src_asset_hostname}, "src_asset_mac":#{src_asset_mac}, "src_asset_domain":#{src_asset_domain}, "dst_asset_id":#{dst_asset_id}, "dst_asset_ip":#{dst_asset_ip}, "dst_asset_hostname":#{dst_asset_hostname}, "dst_asset_mac":#{dst_asset_mac}, "dst_asset_domain":#{dst_asset_domain}}
    8.png
  14. Leave all other fields set to their default state.
  15. Click Save.