Incoming feed - Dragos Threat Feed#

Note

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.

Specifications

Transport types

Dragos Threat Feed

Content type

Dragos JSON

Ingested data

Ingests reports and its associated indicators from the Dragos WorldView API.

Processed data

Reports are ingested as Report entities on the platform. The PDF version of the report is included as an attachment in the Report entity. Indicators associated with the report are ingested as Indicator entities and are attached to the report through a relationship.

Requirements#

  • Dragos API key.

  • Dragos API secret.

Execution schedule recommendation#

The Execution schedule field allows you to set the feed to run automatically at specified intervals. Running the feed too frequently can strain resources and exhaust API rate limits. Follow your feed provider’s recommendations when setting the Execution schedule.

The Execution schedule field is set to None by default.

Dragos recommends that you:

  • Manually run the incoming feed. Set the Execution schedule to None.

  • Or automatically run the incoming feed a maximum of once every 6 hours:

    1. Set the Execution schedule to: Every [n] hours

    2. Then, select 6 from the drop-down menu that appears below so that the line reads:

      “Every 6 hours”

Configure the incoming feed#

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Dragos Threat Feed from the drop-down menu.

    Content type*

    Select Dragos JSON from the drop-down menu.

    API URL*

    Set this to the Dragos REST API endpoint.

    By default, this is set to https://intel.dragos.com:443.

    API key*

    Set this to your Dragos API key.

    API secret*

    Set this to your Dragos API secret.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Path to SSL certificate file.

    Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Under Schedule, set an Execution schedule according to instructions in the Execution schedule recommendation section.

  4. Store your changes by selecting Save.

Report types#

The names of reports from Dragos are prefixed with a string of characters that describes its type. The table below is a list of prefixes and their descriptions:

Report type prefix

Report type

Description

WVW

WorldView Weekly

Trending issues and a summary of new reports and vulnerabilities.

WVM

WorldView Monthly

A monthly rollup of WorldView reports.

WVS

WorldView Special

Trending issue that is a major concern across ICS.

TR

Technical Report

Deep dive into strategy, tools, techniques, and procedures of operations and activity.

AG

Activity Group Report

Detailed report related to an Activity Group.

DOM

Suspect Domain Report

Weekly report on questionable domain registrations.

VUL

Vulnerability Report

Deep dive into vulnerability research.

AA

Advisory Alert

Summary of attacks, vulnerabilities, or activities and defensive recommendations.

ETI

Executive Threat Insights

High-level information to keep C-Suite personnel up-to-date on threats in the ICS space.

VA

Vulnerability Assessment Report

Assessing public vulnerabilities reported in WorldView Weekly.