Incoming feed - Dragos Threat Feed
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
|
Specifications |
Transport types |
Dragos Threat Feed |
Content type |
Dragos JSON |
Ingested data |
Ingests reports and its associated indicators from the Dragos WorldView API. |
Processed data |
Reports are ingested as Report entities on the platform. The PDF version of the report is included as an attachment in the Report entity. Indicators associated with the report are ingested as Indicator entities and are attached to the report through a relationship. |
Requirements
Dragos API key.
Dragos API secret.
Execution schedule recommendation
The Execution schedule field allows you to set the feed to run automatically at specified intervals. Running the feed too frequently can strain resources and exhaust API rate limits. Follow your feed provider’s recommendations when setting the Execution schedule.
The Execution schedule field is set to None by default.
Dragos recommends that you:
Manually run the incoming feed. Set the Execution schedule to None.
Or automatically run the incoming feed a maximum of once every 6 hours:
Set the Execution schedule to: Every [n] hours
Then, select 6 from the drop-down menu that appears below so that the line reads:
“Every 6 hours”
Configure the incoming feed
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Field
Description
Transport type*
Select Dragos Threat Feed from the drop-down menu.
Content type*
Select Dragos JSON from the drop-down menu.
API URL*
Set this to the Dragos REST API endpoint.
By default, this is set to https://intel.dragos.com:443.
API key*
Set this to your Dragos API key.
API secret*
Set this to your Dragos API secret.
SSL verification
Selected by default. Select this option to enable SSL for this feed.
Path to SSL certificate file.
Used when connecting to a feed source that uses a custom CA. Set this as the path to the SSL certificate to use when authenticating the feed source.
Start ingesting from*
Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.
Under Schedule, set an Execution schedule according to instructions in the Execution schedule recommendation section.
Store your changes by selecting Save.
Report types
The names of reports from Dragos are prefixed with a string of characters that describes its type. The table below is a list of prefixes and their descriptions:
Report type prefix |
Report type |
Description |
WVW |
WorldView Weekly |
Trending issues and a summary of new reports and vulnerabilities. |
WVM |
WorldView Monthly |
A monthly rollup of WorldView reports. |
WVS |
WorldView Special |
Trending issue that is a major concern across ICS. |
TR |
Technical Report |
Deep dive into strategy, tools, techniques, and procedures of operations and activity. |
AG |
Activity Group Report |
Detailed report related to an Activity Group. |
DOM |
Suspect Domain Report |
Weekly report on questionable domain registrations. |
VUL |
Vulnerability Report |
Deep dive into vulnerability research. |
AA |
Advisory Alert |
Summary of attacks, vulnerabilities, or activities and defensive recommendations. |
ETI |
Executive Threat Insights |
High-level information to keep C-Suite personnel up-to-date on threats in the ICS space. |
VA |
Vulnerability Assessment Report |
Assessing public vulnerabilities reported in WorldView Weekly. |