# Dragos Alerts
Vendor Documentation
## Classification
| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Dragos Alerts | Base Rule | Operations : Information | General Alert Message |
| Configuration Quad Alert | Sub Rule | Security : Activity | General Activity |
| Indicator Quad Alert | Sub Rule | Security : Attack | General Attack Activity |
| Modeling Quad Alert | Sub Rule | Security : Attack | General Attack Activity |
| Threat Behavior Quad Alert | Sub Rule | Security : Attack | General Attack Activity |
| Unassigned Quad Alert | Sub Rule | Security : Activity | General Activity |
## Mapping with LogRhythm Schema
| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| CEF:Version | N/A | N/A | Identifies the version of the CEF format. |
| Device Vendor | N/A | N/A | Identifies the vendor of the sending device. |
| Device Product | N/A | N/A | Identifies the product of the sending device. |
| Device Version | <version> | Number | Identifies the version of the sending device. |
| Signature ID | N/A | N/A | Unique event-type identifier. |
| Name | <vmid> | String | Description of the event. |
| Severity | <severity> | Number | Reflects the importance of the event. |
| Extension | N/A | N/A | Collection of key-value pairs. |
| content | <vendorinfo> | String | Detailed description of the event. |
| asset_ip | N/A | N/A | Asset IP address for single asset events. |
| asset_hostname | N/A | N/A | Asset hostname(s) for single asset events. |
| dst_asset_ip | <dip> | IP Address | Destination asset IP address for multiple asset events. |
| dst_asset_hostname | <dname> | String | Destination asset host names for directional events. |
| dst_asset_mac | <dmac> | String | Destination asset MAC address for multiple asset events. |
| dst_asset_domain | N/A | N/A | Destination asset domain names for directional events. |
| src_asset_ip | <sip> | IP Address | Source asset IP address for multiple asset events. |
| src_asset_hostname | <sname> | String | Source asset host names for directional events. |
| src_asset_mac | <smac> | String | Source asset MAC address for multiple asset events. |
| src_asset_domain | N/A | N/A | Source asset domain names for directional events. |
| id | <session> | Number | Unique ID for the event. |
| asset_domain | N/A | N/A | Asset domain names for single asset events. |
| asset_id | N/A | N/A | Dragos system asset ID for single asset events. |
| asset_mac | N/A | N/A | Asset MAC address for single asset events. |
| createdAt | N/A | N/A | Date and time when the event was created (not the same as the transmission time sent in syslog). |
| detection quad | <tag1>,<objecttype> | String | Name of the quad, one of the four detection quads used in the Dragos platform. |
| detectorid | <object> | String | Unique ID of the collector that originated the event. |
| dst_asset_id | N/A | N/A | Dragos system destination asset ID for multiple asset events. |
| matchedRuleId | N/A | N/A | Dragos notification rule that triggered sending the alert over syslog. |
| occurredAt | N/A | N/A | Date and time the event occurred, based on the record(s) processed by the sensor. |
| originalSeverity | N/A | N/A | Original Dragos severity; some events become higher severity if they are repeated over time. |
| reviewed | N/A | N/A | True if the event has been marked reviewed by a human. |
| src_asset_id | N/A | N/A | Dragos system source asset ID for multiple asset events. |
| type | N/A | N/A | Type of event; this field is free form so the values can be inconsistent at times. |
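The following is an added example (not LogRhythm's or Dragos's own parser code) showing how the mapping and classification tables above apply to a Dragos CEF line: it splits the CEF header on unescaped pipes, parses the key=value extension with CEF unescaping, renames the keys the table maps to LogRhythm schema fields, and selects the sub rule from the detection quad. The sample line is constructed for this example. Two assumptions are labelled in the code: the quad key, which the page lists as "detection quad", is assumed to be serialized as `detection_quad` because CEF extension keys cannot contain spaces, and the `extra` bucket for N/A-mapped keys is a naming choice of this example.

```python
import re

# CEF extension key -> LogRhythm schema field, taken from the mapping table above.
# Keys the table maps to N/A are kept unmodified under "extra" (naming is this example's choice).
EXTENSION_MAP = {
    "content": "vendorinfo",
    "dst_asset_ip": "dip",
    "dst_asset_hostname": "dname",
    "dst_asset_mac": "dmac",
    "src_asset_ip": "sip",
    "src_asset_hostname": "sname",
    "src_asset_mac": "smac",
    "id": "session",
    "detectorid": "object",
}
# Assumption: the page lists this key as "detection quad"; CEF extension keys cannot
# contain spaces, so this example assumes it arrives as detection_quad.
QUAD_KEY = "detection_quad"

# Sub rule, classification and common event per quad, from the Classification table above.
QUAD_RULES = {
    "configuration": ("Configuration Quad Alert", "Security : Activity", "General Activity"),
    "indicator": ("Indicator Quad Alert", "Security : Attack", "General Attack Activity"),
    "modeling": ("Modeling Quad Alert", "Security : Attack", "General Attack Activity"),
    "threatbehavior": ("Threat Behavior Quad Alert", "Security : Attack", "General Attack Activity"),
}
UNASSIGNED = ("Unassigned Quad Alert", "Security : Activity", "General Activity")

# key=value pairs; values may contain spaces and CEF-escaped characters (\= \\ \n \r).
_EXT_PAIR = re.compile(r"([A-Za-z0-9_.\-]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.\-]+=|$)", re.DOTALL)


def _unescape(value):
    """Undo CEF escaping of =, |, backslash and the n/r sequences."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)),
                  value, flags=re.DOTALL)


def _split_header(cef):
    """Split the seven CEF header fields on unescaped '|' and return the raw extension as the eighth."""
    fields, buf, i = [], [], 0
    while i < len(cef):
        if len(fields) == 7:            # everything after the 7th pipe is the extension, verbatim
            buf.append(cef[i:])
            break
        c = cef[i]
        if c == "\\" and i + 1 < len(cef):
            buf.append(cef[i + 1]); i += 2; continue
        if c == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    fields.append("".join(buf))
    if len(fields) != 8:
        raise ValueError("malformed CEF header")
    return fields


def parse_extension(ext):
    """Return the extension as a dict of unescaped values."""
    return {m.group(1): _unescape(m.group(2)) for m in _EXT_PAIR.finditer(ext)}


def parse_dragos_alert(line):
    """Parse one Dragos CEF syslog line into LogRhythm schema fields plus the matching rule."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in line")
    cef_version, vendor, product, dev_version, sig_id, name, severity, ext = _split_header(line[start:])
    if cef_version != "CEF:0":
        raise ValueError("unsupported CEF version " + cef_version)
    event = {
        "version": dev_version,          # Device Version -> <version>
        "vmid": name,                    # Name -> <vmid>
        "severity": int(severity),       # Severity -> <severity>
        "extra": {"vendor": vendor, "product": product, "signature_id": sig_id},
    }
    for key, value in parse_extension(ext).items():
        if key == QUAD_KEY:
            event["tag1"] = event["objecttype"] = value   # detection quad -> <tag1>,<objecttype>
        elif key in EXTENSION_MAP:
            event[EXTENSION_MAP[key]] = value
        else:
            event["extra"][key] = value
    quad = re.sub(r"[\s_-]", "", event.get("tag1", "")).lower()
    sub_rule, classification, common_event = QUAD_RULES.get(quad, UNASSIGNED)
    event.update(base_rule="Dragos Alerts", sub_rule=sub_rule,
                 classification=classification, common_event=common_event)
    return event


# Constructed sample line for this example; not a real Dragos alert.
SAMPLE_LINE = (
    "<13>Jan 15 10:22:08 dragos-sitestore "
    "CEF:0|Dragos|Platform|1.0|1001|PLC configuration change|7|"
    "content=Unexpected config write (mode\\=program) to PLC src_asset_ip=10.0.5.21 "
    "src_asset_hostname=eng-ws01 src_asset_mac=00:11:22:33:44:55 dst_asset_ip=10.0.6.10 "
    "dst_asset_hostname=plc-line1 dst_asset_mac=00:aa:bb:cc:dd:ee id=48213 "
    "detectorid=sensor-01 detection_quad=Configuration type=Configuration Change "
    "occurredAt=2024-01-15T10:22:07Z reviewed=false"
)

if __name__ == "__main__":
    ev = parse_dragos_alert(SAMPLE_LINE)
    for k in ("sub_rule", "classification", "common_event", "sip", "dip", "vendorinfo", "session"):
        print(f"{k:>15}: {ev[k]}")
```

An alert whose quad value is missing or unrecognized falls through to the Unassigned Quad Alert sub rule, which mirrors the table: only the four named quads raise the classification to Security : Attack or Security : Activity by quad, and everything else stays in the catch-all.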