Dragos Events

Vendor Documentation

Classification

| Rule Name | Rule Type | Classification | Common Event |
|---|---|---|---|
| Dragos Events | Base Rule | Operations : Information | General Alert Message |
| Dragos Configuration Alert | Sub Rule | Operations : Information | General Alert Message |
| Dragos Indicator Alert | Sub Rule | Security : Attack | General Attack Activity |
| Dragos Modeling Alert | Sub Rule | Security : Attack | General Attack Activity |
| Dragos Threat Behavior Alert | Sub Rule | Security : Attack | General Attack Activity |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| (CEF Header) Version | N/A | N/A | N/A |
| (CEF Header) Device Vendor | N/A | N/A | N/A |
| (CEF Header) Device Product | N/A | N/A | N/A |
| (CEF Header) Device Version | <version> | Number | N/A |
| (CEF Header) Signature ID | N/A | N/A | N/A |
| (CEF Header) Name | <vmid> | String | Summary of the event. |
| (CEF Header) Severity | <severity> | Number | Dragos event severity. |
| content | <vendorinfo> | Text/String | Detailed description of the event. |
| asset_id | N/A | N/A | Asset ID for single-asset events. |
| asset_ip | N/A | N/A | Asset IP address(es) for single-asset events. |
| asset_class | N/A | N/A | Asset class for single-asset events. |
| asset_hostname | N/A | Text/String | Asset hostname(s) for single-asset events. |
| asset_mac | N/A | Text/String | Asset MAC address(es) for single-asset events. |
| asset_domain | N/A | Text/String | Asset domain(s) for single-asset events. |
| dst_asset_id | N/A | N/A | Destination asset ID for multi-asset events. |
| dst_asset_ip | <dip> | Text/String | Destination asset IP address(es) for multi-asset events. |
| dst_asset_hostname | <dname> | Text/String | Destination asset name for multi-asset events. |
| dst_asset_mac | <dmac> | Text/String | Destination asset MAC address(es) for multi-asset events. |
| dst_asset_domain | <domainimpacted> | Text/String | Destination asset domain for multi-asset events. |
| src_asset_id | N/A | N/A | Source asset ID for multi-asset events. |
| src_asset_ip | <sip> | Text/String | Source asset IP address(es) for multi-asset events. |
| src_asset_hostname | <sname> | Text/String | Source asset name for multi-asset events. |
| src_asset_mac | <smac> | Text/String | Source asset MAC address(es) for multi-asset events. |
| src_asset_domain | <domainorigin> | Text/String | Source asset domain for multi-asset events. |
| id | <threatid> | Number | Unique ID for the event. |
| createdAt | N/A | N/A | Date and time the event was created. |
| detection_quad | <objecttype>, <tag1> | String | Dragos threat detection type. |
| detector_Id | <object> | Text/String | Unique ID of the collector. |
| matchedRuleId | N/A | N/A | Unique ID for the matched rule. |
| attack_tactic | N/A | N/A | List of Dragos attack tactic types. |
| attack_technique | <threatname> | String | List of Dragos attack technique types. |
| occurredAt | N/A | N/A | Date and time the event occurred. |
| originalSeverity | N/A | N/A | Original Dragos severity. |
| reviewed | N/A | N/A | True if the event has been reviewed. |
| type | N/A | N/A | Type of event. |
| sensor_description | N/A | N/A | N/A |
| sensor_hostname | N/A | N/A | N/A |
| sensor_geo | N/A | N/A | N/A |
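As an added example (not code from the vendor documentation or from LogRhythm), the following parser applies the mapping table above to one Dragos CEF line: it splits the CEF header and extension honouring CEF escaping, keeps only the device keys that map to a LogRhythm schema field, writes detection_quad to both objecttype and tag1, and casts the fields typed as Number. The sample message, the product name "Platform", and all field values in it are constructed for the example.

```python
import re

# Device key -> LogRhythm schema field(s), per the mapping table on this page.
# detection_quad feeds two fields; keys the table maps to N/A are absent and get dropped.
EXT_MAP = {
    "content": ("vendorinfo",), "id": ("threatid",),
    "dst_asset_ip": ("dip",), "dst_asset_hostname": ("dname",),
    "dst_asset_mac": ("dmac",), "dst_asset_domain": ("domainimpacted",),
    "src_asset_ip": ("sip",), "src_asset_hostname": ("sname",),
    "src_asset_mac": ("smac",), "src_asset_domain": ("domainorigin",),
    "detection_quad": ("objecttype", "tag1"), "detector_Id": ("object",),
    "attack_technique": ("threatname",),
}
NUMERIC = ("version", "severity", "threatid")  # Data Type "Number" in the table

# CEF header: seven '|'-separated fields ('\|' and '\\' are escapes), then the extension.
FIELD = r"((?:\\.|[^\\|])*)"
HEADER_RE = re.compile(r"^CEF:" + r"\|".join([FIELD] * 7) + r"\|(.*)$", re.S)
# Extension: key=value pairs; values may contain spaces and escape '=' as '\='.
EXT_RE = re.compile(r"([\w.]+)=((?:\\.|[^\\=])*?)(?=\s[\w.]+=|\s*$)")

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def map_dragos_cef(msg):
    """Return a dict keyed by LogRhythm schema field name for one Dragos CEF line."""
    m = HEADER_RE.match(msg)
    if not m:
        raise ValueError("not a CEF message")
    hdr = [unescape(g) for g in m.groups()[:7]]
    # Header order: CEF version, vendor, product, device version, signature id, name, severity
    rec = {"version": hdr[3], "vmid": hdr[5], "severity": hdr[6]}
    for key, value in EXT_RE.findall(m.group(8)):
        for field in EXT_MAP.get(key, ()):
            rec[field] = unescape(value).rstrip()
    for field in NUMERIC:
        if field in rec and rec[field].isdigit():
            rec[field] = int(rec[field])  # a dotted version such as "1.8.0" stays a string
    return rec

# Constructed sample message (not captured from a real Dragos deployment).
SAMPLE = ("CEF:0|Dragos|Platform|1.8.0|100|Unusual Modbus Write|7|"
          "id=4242 detection_quad=Threat Behavior detector_Id=sensor-01 "
          "content=Write to register 40001\\=1 from new source "
          "src_asset_ip=10.0.1.5 src_asset_hostname=eng-ws01 "
          "dst_asset_ip=10.0.2.20 dst_asset_hostname=plc-07 "
          "attack_technique=Modify Parameter asset_class=PLC")
```

Running `map_dragos_cef(SAMPLE)` drops asset_class (mapped to N/A in the table) and yields vmid, severity, threatid, objecttype/tag1, object, vendorinfo, sip/sname, dip/dname and threatname; a device version such as "1.8.0" cannot be cast to an integer, so check what your actual Dragos build emits before relying on the Number type for <version>.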