Dragos WorldView Intelligence Engine Integration User Guide
31 Jul 2024


Software Version
This guide applies to the Dragos WorldView Intelligence Engine App version 1.0.x.

Overview

The ThreatConnect® integration with Dragos® ingests Indicators, Products, and Tags from Dragos WorldView and creates corresponding objects in ThreatConnect with select Dragos metadata.

Dependencies

ThreatConnect Dependencies

  • Active ThreatConnect Application Programming Interface (API) key
  • ThreatConnect instance with version 7.6.2 or newer installed
Note
All ThreatConnect dependencies will be provided by default to subscribing ThreatConnect Cloud customers. Customers on Dedicated Cloud and On-Premises instances can enable these settings on the Account Settings screen within their ThreatConnect instance.

Dragos Dependencies

  • Active Dragos API token
Important
Before deploying the Dragos WorldView Intelligence Engine App in ThreatConnect, you must reset the Dragos WorldView API rate limit. See the “Dragos Setup and Configuration” section for more information.

Dragos Setup and Configuration

Important
You must follow the steps in this section immediately before deploying the Dragos WorldView Intelligence Engine App in ThreatConnect.

Follow these steps to reset the Dragos WorldView API rate limit:

  1. Log into the Dragos portal and navigate to the Account Information page.
  2. Select the API tab.
  3. Click RESET RATE LIMIT (Figure 1) immediately before deploying the Dragos WorldView Intelligence Engine App in ThreatConnect.
    Figure 1_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

Application Setup and Configuration

Follow these steps to install and configure the Dragos WorldView Intelligence Engine App in ThreatConnect via TC Exchange™:

  1. Log into ThreatConnect with a System Administrator account.
  2. Hover over Settings (the gear icon) on the top navigation bar and select TC Exchange Settings. Then select the Catalog tab on the TC Exchange Settings screen.
  3. Locate the Dragos WorldView Intelligence Engine App on the Catalog tab. Then click Install (the plus icon) in the Options column to install the App.
  4. After you install the Dragos WorldView Intelligence Engine App, the Feed Deployer will open automatically. Use the Feed Deployer to set up and configure the App. See the “Configuration Parameters” section for more information on the parameters available during the configuration and deployment process.
    Important
    Before deploying the Dragos WorldView Intelligence Engine App, you must reset the Dragos WorldView API rate limit. See the “Dragos Setup and Configuration” section for more information.

Configuration Parameters

Parameter Definitions

Table 1 lists the configuration parameters available when using the Feed Deployer to configure the Dragos WorldView Intelligence Engine App. Each entry gives the parameter name, whether it is required, and its description.

Table 1: Feed Deployer configuration parameters

Source Tab
  • Sources to Create (Required): Enter the name of the Source to be created.
  • Owner (Required): Select the Organization in which the Source will be created.
  • Activate Deprecation (Optional): Select this checkbox to allow the creation of deprecation rules for Indicators in the Source.
  • Create Attributes (Optional): Select this checkbox to allow the creation of custom Attribute Types in the Source.

Parameters Tab
  • Launch Server (Required): Select tc-job as the launch server for the Service corresponding to the Feed API Service App.

Variables Tab
  • Dragos API Token (Required): Enter the Dragos API Token.
    Note
    You must enter the actual Dragos API Token value instead of populating this parameter with a ThreatConnect variable.
  • Dragos Secret Key (Required): Enter the Dragos Secret Key.
    Note
    You must enter the actual Dragos API Secret Key value instead of populating this parameter with a ThreatConnect variable. Where possible, use Dragos credentials dedicated to this App: as the FAQ notes, every user, App, and instance that shares the same credentials draws on the same weekly API rate limit.
  • Lookback Option (Required): Select the period of time from which the integration will ingest Dragos Indicator data. During the integration's initial run, all Dragos Reports will be ingested regardless of which option you select. Available options include the following:
      • 90 days (requires at least one API rate limit reset after the deployment in most cases)
      • 12 months (requires at least one API rate limit reset after the deployment in most cases)
      • 18 months (requires at least two API rate limit resets after the deployment in most cases)
      • All (requires at least two API rate limit resets after the deployment in most cases)

Dragos WorldView Intelligence Engine

After successfully configuring and activating the Feed API Service for the Dragos WorldView Intelligence Engine App, you can access the Dragos WorldView Intelligence Engine user interface (UI). This UI allows you to interact with and manage the Dragos integration.

Follow these steps to access the Dragos WorldView Intelligence Engine UI:

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Playbooks and select Services.
  3. Locate the Dragos Intelligence Engine Feed API Service on the Services screen, and then click the link in the Service’s API Path field to open the DASHBOARD screen of the Dragos WorldView Intelligence Engine UI.

The following screens are available in the Dragos WorldView Intelligence Engine UI:

  • DASHBOARD
  • JOBS
  • TASKS
  • DOWNLOADS
  • REPORTS

DASHBOARD

The DASHBOARD screen (Figure 2) provides an overview of the total number of Indicators (Domain, IP, MD5, SHA1, and SHA256) and Products (i.e., Reports) that ThreatConnect has ingested from Dragos.

Figure 2_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

JOBS

The JOBS screen (Figure 3) lists the ingestion of Dragos data as discrete Jobs, so that each ingestion request can be filtered, searched, and tracked through its download, convert, and upload stages.

Figure 3_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

  • Job Type: (Optional) Select a Job type by which to filter Jobs. Available types include ad-hoc and scheduled.
  • Status: (Optional) Select a Job status by which to filter Jobs. Available statuses include the following:
    1. Download In Progress
    2. Download Complete
    3. Convert In Progress
    4. Convert Complete
    5. Upload In Progress
    6. Upload Complete
  • Request ID: (Optional) Enter text into this box to search for a specific Job by its request ID.
  • + Add Request: Click this button to display the ADD REQUEST window (Figure 4). On this window, you can specify the date range for an ad-hoc Job request. After a Job request is added, it will be displayed in the table on the JOBS screen (Figure 3), and its Job type will be listed as ad-hoc.
    Figure 4_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

TASKS

The TASKS screen (Figure 5) is where you can view and manage the Tasks for each Job.

Figure 5_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

DOWNLOADS

The DOWNLOADS screen (Figure 6) is where you can download specific data from Dragos.

Figure 6_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

  • Type: Select the type of Dragos object to download. Available options include Indicator and Product.
  • ID(s): Enter the Dragos ID(s) for the object(s) to download. Data will be retrieved in JavaScript® Object Notation (JSON) format.
  • Convert: Select this checkbox to convert the data to ThreatConnect batch format.
  • Enrich: Select this checkbox to submit the data to the ThreatConnect Batch API.

REPORTS

The REPORTS screen provides two views: BATCH ERRORS and PDF TRACKER. The BATCH ERRORS screen (Figure 7) displays batch errors for each request in a tabular format. Details provided for each error include the error’s code, message, and reason.

Figure 7_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

The PDF TRACKER screen (Figure 8) is where you can view attempts ThreatConnect made to download PDFs from Dragos. The table on this screen displays the most recent date on which ThreatConnect attempted to download a PDF, the number of times an attempt to download the PDF was made, and whether the PDF was downloaded successfully. You can also search for PDFs by ID on this screen, which can be useful if you do not see a Dragos PDF in ThreatConnect as expected.

Figure 8_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0

Data Mappings

The data mappings in Table 2 through Table 5 illustrate how data are mapped from Dragos WorldView API endpoints into the ThreatConnect data model.

Indicators

ThreatConnect object type: Indicator

Table 2: Indicator mappings (Dragos API field → ThreatConnect field)

  • id → Attribute: "External ID"
  • value → Name/Summary
  • indicator_type → Type:
      • IP in Dragos → Address in ThreatConnect
      • Domain in Dragos → Host in ThreatConnect
      • MD5 in Dragos → File in ThreatConnect
      • SHA1 in Dragos → File in ThreatConnect
      • SHA256 in Dragos → File in ThreatConnect
  • category → N/A
  • comment → Attribute: "Description"
  • created_at → N/A
  • first_seen → Attribute: "First Seen"
  • last_seen → Attribute: "Last Seen"
  • updated_at → Attribute: "External Date Last Modified"
  • lock_comment → N/A
  • products → Indicator-to-Report Association
  • confidence → Confidence Rating:
      • Low in Dragos → 20% Confidence Rating in ThreatConnect
      • Medium in Dragos → 50% Confidence Rating in ThreatConnect
      • High in Dragos → 80% Confidence Rating in ThreatConnect
  • kill_chain → Attribute: "ICS Kill Chain"
  • uuid → Attribute: "UUID"
  • status → Attribute: "Dragos Status"
  • severity → N/A
  • attack_techniques → Tag
  • ics_attack_techniques → ATT&CK® Tag
  • kill_chains → N/A
  • pre_attack_techniques → Tag
  • threat_groups → Indicator-to-Intrusion-Set Association
  • activity_groups → N/A
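The Indicators table above (Table 2) describes the conversion the DOWNLOADS screen's Convert option performs for Indicators. The following is an added worked example of that mapping, not ThreatConnect's or Dragos's own code. It assumes the Dragos record uses exactly the field names in Table 2, that list fields (products, threat_groups, the *_techniques fields) hold either bare strings or objects with a "serial" or "name" key, that the batch entry layout (summary, type, confidence, attribute, tag, associatedGroups, xid) follows the generic ThreatConnect batch JSON, and that the xid naming scheme is invented here for illustration. The sample record is constructed.

```python
"""Added example for the Indicators mapping (Table 2); not ThreatConnect's or
Dragos's code.  Converts one Dragos WorldView indicator record into a
ThreatConnect Batch API indicator entry.

Assumptions not stated on the page: Dragos field names match Table 2 exactly;
list fields hold bare strings or objects with a "serial"/"name" key; the entry
layout follows the generic ThreatConnect batch JSON; the xid scheme is invented."""

# Dragos indicator_type -> ThreatConnect Indicator type (Table 2)
TYPE_MAP = {"IP": "Address", "Domain": "Host",
            "MD5": "File", "SHA1": "File", "SHA256": "File"}
# Dragos confidence -> ThreatConnect Confidence Rating (Table 2)
CONFIDENCE_MAP = {"Low": 20, "Medium": 50, "High": 80}
# Dragos field -> ThreatConnect Attribute type (Table 2).  Fields Table 2 maps to
# N/A (category, created_at, lock_comment, severity, kill_chains, activity_groups)
# are deliberately absent here and are therefore dropped.
ATTRIBUTE_MAP = {
    "id": "External ID",
    "comment": "Description",
    "first_seen": "First Seen",
    "last_seen": "Last Seen",
    "updated_at": "External Date Last Modified",
    "kill_chain": "ICS Kill Chain",
    "uuid": "UUID",
    "status": "Dragos Status",
}


def _ref(item, key):
    """Identifying string of a list element (bare string or object with `key`)."""
    return str(item[key]) if isinstance(item, dict) else str(item)


def dragos_indicator_to_batch(ind):
    """Build one ThreatConnect batch indicator entry from a Dragos indicator dict.

    Raises ValueError for an indicator_type Table 2 does not map, so the caller
    decides whether to skip or fail rather than creating an Indicator of the wrong type."""
    kind = ind.get("indicator_type")
    if kind not in TYPE_MAP:
        raise ValueError(f"unsupported Dragos indicator_type: {kind!r}")
    entry = {
        "xid": f"dragos-indicator-{ind['id']}",    # assumed xid scheme
        "summary": str(ind["value"]).strip(),      # Name/Summary
        "type": TYPE_MAP[kind],
        "attribute": [],
        "tag": [],
        "associatedGroups": [],
    }
    if ind.get("confidence") in CONFIDENCE_MAP:
        entry["confidence"] = CONFIDENCE_MAP[ind["confidence"]]
    for field, attr_type in ATTRIBUTE_MAP.items():
        value = ind.get(field)
        if value not in (None, ""):
            entry["attribute"].append({"type": attr_type, "value": str(value)})
    # attack_techniques / pre_attack_techniques -> Tag; ics_attack_techniques -> ATT&CK Tag.
    # In batch form an ATT&CK Tag is a Tag named by the technique ID (assumption).
    for field in ("attack_techniques", "pre_attack_techniques", "ics_attack_techniques"):
        for technique in ind.get(field) or []:
            entry["tag"].append({"name": _ref(technique, "name")})
    # products -> Indicator-to-Report association; threat_groups -> Indicator-to-Intrusion-Set.
    for product in ind.get("products") or []:
        entry["associatedGroups"].append(
            {"groupXid": f"dragos-product-{_ref(product, 'serial')}"})
    for group in ind.get("threat_groups") or []:
        entry["associatedGroups"].append(
            {"groupXid": f"dragos-intrusion-set-{_ref(group, 'name')}"})
    return entry


def build_batch(indicators):
    """Convert a list of Dragos indicators; return (batch_document, skipped_ids)."""
    batch, skipped = {"indicator": []}, []
    for ind in indicators:
        try:
            batch["indicator"].append(dragos_indicator_to_batch(ind))
        except ValueError:
            skipped.append(ind.get("id"))
    return batch, skipped


# Constructed sample record (not real Dragos data); 198.51.100.0/24 is a documentation range.
SAMPLE_INDICATOR = {
    "id": 12345, "value": "198.51.100.23", "indicator_type": "IP",
    "category": "c2", "comment": "Constructed C2 address for the example",
    "created_at": "2024-05-01T00:00:00Z", "first_seen": "2024-05-01T00:00:00Z",
    "last_seen": "2024-06-15T00:00:00Z", "updated_at": "2024-06-16T00:00:00Z",
    "lock_comment": None, "confidence": "Medium", "kill_chain": "Stage 2",
    "uuid": "00000000-0000-4000-8000-000000000001", "status": "active",
    "severity": 3, "attack_techniques": ["T1071"], "ics_attack_techniques": ["T0853"],
    "pre_attack_techniques": [], "kill_chains": [], "activity_groups": [],
    "products": [{"serial": "AA-2024-0001"}], "threat_groups": ["CONSTRUCTED GROUP"],
}

if __name__ == "__main__":
    import json
    print(json.dumps(build_batch([SAMPLE_INDICATOR])[0], indent=2))
```

Unsupported indicator types are rejected rather than guessed, and fields Table 2 maps to N/A never reach the batch document; the returned skipped list is what the BATCH ERRORS view would otherwise surface after the fact.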

Products

ThreatConnect object type: Report Group

Table 3: Product mappings (Dragos API field → ThreatConnect field)

  • tlp_level → Security Label
  • title → Name/Summary
  • executive_summary → Attribute: "Description" (default)
  • updated_at → Attribute: "External Date Last Modified"
  • report_date → N/A
  • release_date → Attribute: "Report Publish Date"
  • threat_level → Attribute: "Threat Level"
  • serial → Attribute: "External ID"
  • tags → Varies based on the properties of the Dragos Tag (see the "Product Tags" section for data mappings)
  • report_link → Attribute: "Source" (default), and the Report PDF as a File Attachment
  • ioc_count → N/A
  • slides_link → Report-to-Document Association
  • type → Attribute: "Report Type"
  • ioc_csv_link → Attribute: "Indicator CSV Link"
  • ioc_stix2_link → Attribute: "Indicator STIX Link"

Product Tags

ThreatConnect object type: Varies

Table 4: Product Tag mappings (Dragos Tag type → ThreatConnect objects)

  • ATT&CK Technique → ATT&CK Tag
  • CVE →
      • Vulnerability Group whose summary is the Common Vulnerabilities and Exposures (CVE®) ID
      • Report-to-Vulnerability Association
      • Tag
      • Attributes related to the Common Vulnerability Scoring System (CVSS) pulled from the Dragos WorldView API's Tags endpoint (see the "Tags" section for data mappings)
  • Vulnerability Type →
      • If the Vulnerability Type belongs to the Common Weakness Enumeration (CWE™) list, a Vulnerability Group whose summary is the CWE ID
      • If the Vulnerability Type does not belong to the CWE list, a Vulnerability Group whose summary is the long name provided by the Dragos WorldView API's Tags endpoint
      • Report-to-Vulnerability Association
      • Tag
  • Malware or Ransomware →
      • Malware Group
      • Report-to-Malware Association
      • Tag
  • ExternalName →
      • Intrusion Set Group
      • Report-to-Intrusion-Set Association
  • IntelRequirement →
      • Intelligence Requirement (IR) created in your Organization
      • Tag
  • NAICS →
      • Tag, plus the CAL ATL industry classification Tags for the corresponding NAICS sector (two-digit code) and subsector (three-digit code) (see the NAICS question in the "Frequently Asked Questions (FAQ)" section)

Tags

ThreatConnect object type: Vulnerability Group

Table 5: Tag mappings (Dragos API field → ThreatConnect field)

  • special_tag.dragos_cvss_score → Attribute: "CVSS Score Dragos"
  • special_tag.dragos_cvss_string → Attribute: "CVSS String Dragos"
  • special_tag.icsa_cvss_score → Attribute: "CVSS Score ICSA"
  • special_tag.icsa_cvss_string → Attribute: "CVSS String ICSA"
  • special_tag.nvd_cvss_score → Attribute: "CVSS v3 Score"
  • special_tag.nvd_cvss_string → Attribute: "CVSS v3 String"
  • special_tag.nvd_v2_cvss_score → Attribute: "CVSS v2 Score"
  • special_tag.nvd_v2_cvss_string → Attribute: "CVSS v2 String"

Frequently Asked Questions (FAQ)

How can I transition to the Dragos WorldView Intelligence Engine App seamlessly?

Please read through all documentation carefully and thoroughly before installing and deploying the Dragos WorldView Intelligence Engine App. During the first few weeks after the App has been installed, perform these actions to ensure that the App ingests historical data properly:

  • Reset the Dragos WorldView API rate limit immediately before installing the Dragos WorldView Intelligence Engine App. (See the “Dragos Setup and Configuration” section for more information.)
  • During the first two weeks after the Dragos WorldView Intelligence Engine App has been installed, verify that the App is running in ThreatConnect on a frequent basis.
  • If the JOBS screen of the Dragos WorldView Intelligence Engine UI (Figure 3) shows no sign that the App is ingesting data, reset the API rate limit for your Organization in Dragos and restart the App as soon as possible so that ingestion continues. (You may need to reset the Dragos WorldView API rate limit again a few hours later.) If you ignore the error messages the integration returns and do not reset the rate limit, the integration may take at least four weeks to ingest all historical Dragos data.
  • Do not delete the API user created for the Dragos WorldView Intelligence Engine App (ApiUser-dragos_worldview_intelligence). Doing so may break the integration, which will require you to delete and reinstall the App.

How can I ingest all of Dragos's Tags, Reports, and Indicators into ThreatConnect?

Select All for the Lookback Option parameter when deploying the Dragos WorldView Intelligence Engine App with the ThreatConnect Feed Deployer. Due to the Dragos WorldView API rate limit (1000 API requests per week), you must visit the Dragos portal to reset the API rate limit for your Organization within a few hours of deployment to ensure that the App runs continuously. If a download stalls due to the API rate limit, reset the API rate limit for your Organization in Dragos, and then restart the Service for the Dragos WorldView Intelligence Engine App on the Services screen in ThreatConnect.

Note
Expect to reset the Dragos WorldView API rate limit at least two times after deployment if the Dragos WorldView Intelligence Engine App is the only resource making API requests with the Dragos API credentials provided when configuring the App. If the Dragos API credentials provided for the App are shared with multiple resources (i.e., users, Apps, and instances), you may need to reset the API rate limit more often.

The Dragos WorldView Intelligence Engine App stopped ingesting data. What should I do?

In this scenario, the App likely exceeded the Dragos WorldView API limit of 1000 API requests per week. To resolve this issue, reset the API rate limit for your Organization in Dragos, and then restart the Service for the Dragos WorldView Intelligence Engine App on the Services screen in ThreatConnect.


What is the easiest way to identify that the Dragos WorldView API rate limit needs to be reset?

The Service for the Dragos WorldView Intelligence Engine App includes a metric labeled API Limit Hit. When the Dragos WorldView API rate limit is reached, the API Limit Hit metric will have a value of True (Figure 9). In this scenario, reset the Dragos WorldView API rate limit, and then restart the Service for the Dragos WorldView Intelligence Engine App on the Services screen in ThreatConnect. After restarting the Service, the API Limit Hit metric should have a value of False.

Figure 9_Dragos WorldView Intelligence Engine Integration User Guide_Software Version 1.0
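The three FAQ entries above all turn on the same limit: 1000 Dragos WorldView API requests per week, a stalled download when it is exhausted, and the API Limit Hit metric flipping to True. The following is an added example of a client-side request budget that models that limit, not ThreatConnect's or Dragos's own code. It stops a collector before the Dragos side cuts it off, exposes the same True/False signal the Service metric shows, and estimates how many portal resets a backfill of a given size needs. It assumes the limit is enforced over a rolling seven-day window (the page gives only the number, not how the window is counted), and its reset() stands in for clicking RESET RATE LIMIT in the Dragos portal.

```python
"""Added example for the rate-limit FAQ entries (1000 requests per week, stalled
ingestion, the API Limit Hit metric); not ThreatConnect's or Dragos's code.

Assumptions not stated on the page: the limit is counted over a rolling
seven-day window, and reset() models RESET RATE LIMIT in the Dragos portal."""
from collections import deque
from datetime import datetime, timedelta, timezone
from math import ceil

WEEKLY_BUDGET = 1000          # Dragos WorldView limit stated in the FAQ
WINDOW = timedelta(days=7)


class RateLimitExhausted(RuntimeError):
    """Raised instead of sending a request that would exceed the budget."""


class WorldViewBudget:
    def __init__(self, budget=WEEKLY_BUDGET, window=WINDOW):
        self.budget, self.window = budget, window
        self._sent = deque()      # timestamps of requests still inside the window

    def _prune(self, at):
        """Forget requests older than the window, oldest first."""
        cutoff = at - self.window
        while self._sent and self._sent[0] <= cutoff:
            self._sent.popleft()

    def remaining(self, at=None):
        at = at or datetime.now(timezone.utc)
        self._prune(at)
        return self.budget - len(self._sent)

    def api_limit_hit(self, at=None):
        """Mirror of the Service metric: True once the weekly budget is spent."""
        return self.remaining(at) <= 0

    def record(self, at=None):
        """Account for one request; refuse it if the budget is already spent."""
        at = at or datetime.now(timezone.utc)
        if self.api_limit_hit(at):
            raise RateLimitExhausted(
                f"{self.budget} requests already sent in the last {self.window}; "
                "reset the rate limit in the Dragos portal, then restart the Service")
        self._sent.append(at)

    def reset(self):
        """Equivalent of RESET RATE LIMIT in the portal: the budget starts fresh."""
        self._sent.clear()

    def call(self, fn, *args, at=None, **kwargs):
        """Run fn (for example an HTTP request) only if the budget allows it."""
        self.record(at)
        return fn(*args, **kwargs)


def resets_after_deployment(total_requests, budget=WEEKLY_BUDGET):
    """Portal resets needed after deployment for a backfill of total_requests.
    The reset performed immediately before deployment supplies the first budget."""
    return max(0, ceil(total_requests / budget) - 1)


if __name__ == "__main__":
    budget = WorldViewBudget()
    now = datetime.now(timezone.utc)
    for _ in range(WEEKLY_BUDGET):
        budget.record(at=now)
    print("API Limit Hit:", budget.api_limit_hit(at=now))      # True
    budget.reset()
    print("API Limit Hit after reset:", budget.api_limit_hit(at=now))
    print("resets for a 2500-request backfill:", resets_after_deployment(2500))
```

Wrapping every Dragos call in call() turns the silent stall the FAQ describes into an explicit exception at the point of the 1001st request, which is the moment to reset the limit in the portal and restart the Service; the same object can feed a dashboard metric identical to API Limit Hit.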

 


How does the Dragos WorldView Intelligence Engine App differ from the existing Dragos WorldView Job App?

The Dragos WorldView Job App lets you do the following:

  • Collect data from the Dragos WorldView API’s Product and Indicator endpoints
  • Create Dragos Indicators in ThreatConnect with fields like Description, First Seen, Last Seen, and External Date Last Modified
  • Create Indicator-to-Product associations (Indicator-to-Report associations in ThreatConnect)
  • Create Dragos Reports in ThreatConnect with fields like Description, External Date Last Modified, Publish Date, and Tags
  • Ingest Dragos Report PDFs and upload them as file attachments to Report Groups in ThreatConnect

With the Dragos WorldView Intelligence Engine Feed API Service App, you can do the following:

  • Ingest Dragos data in a flexible manner, from the last 90 days to all available historical data
  • Collect data from the Dragos WorldView API’s Product, Indicator, and Tag endpoints
  • Create Dragos Indicators in ThreatConnect with fields like Description, First Seen, Last Seen, and External Date Last Modified, as well as additional Attributes (see Table 2 in the “Indicators” section for more information)
  • Create Indicator-to-Product associations (Indicator-to-Report associations in ThreatConnect)
  • Create Indicator-to-Threat Group associations (Indicator-to-Intrusion-Set associations in ThreatConnect)
  • Add ATT&CK Tags to ingested data when applicable
  • Create Dragos Reports in ThreatConnect with fields like Description, External Date Last Modified, Publish Date, and Tags
  • Ingest Dragos Report PDFs and upload them as file attachments to Report Groups in ThreatConnect
  • Ingest Dragos Slides PDFs as Document Groups in ThreatConnect and associate them to relevant Report Groups
  • Create Vulnerability Groups with CVSS or CWE information provided by the Dragos WorldView API’s Tags endpoint
  • Create Malware Groups based on Dragos Report Tags
  • Create Intrusion Set Groups from Dragos Report Tags and Dragos Reports whose Report Type is Actor Profile
  • Enhance Dragos’s Intel Requirement Tags by mapping them to Intelligence Requirement objects in ThreatConnect for additional research and analysis
  • Ingest NAICS codes and apply additional NAICS Tags in the CAL ATL industry classification framework to further organize data

Why are Intelligence Requirements being created in my Organization in ThreatConnect?

An Intelligence Requirement (IR) is a collection of topics or a research question reflecting an organization’s cyber threat–related priorities that guide a security or threat intelligence team’s research and analysis efforts. Dragos provides its IRs via Tags, while ThreatConnect uses a dedicated Intelligence Requirement object to model IRs.

By representing Dragos IRs as IR objects in ThreatConnect, you can view data relevant to questions or topics Dragos populated across your Organization. In addition, you can review results returned from an IR’s keyword query in ThreatConnect and then manage those results by associating them to the IR object, archiving them, or marking them as false results.

For the Dragos WorldView Intelligence Engine App, ThreatConnect pre-populates keywords for IRs where appropriate. However, you can navigate to the Details screen for an IR and modify its keywords based on your organization’s needs and standards.

For more information on how IRs work in ThreatConnect, see Intelligence Requirements.


Why are additional NAICS-related Tags added to ThreatConnect Report Groups representing Dragos Reports?

The Dragos WorldView Intelligence Engine App applies CAL ATL industry classification Tags corresponding to NAICS codes for industry sectors (two-digit code) and subsectors (three-digit code) to Report Groups representing Dragos Reports automatically. Doing so enables you to visualize and pivot on these associations in Threat Graph.


How often should I expect to reset the Dragos WorldView API rate limit during the integration’s initial ingestion of Dragos data?

The frequency at which you will need to reset the Dragos WorldView API rate limit during the initial ingestion of Dragos data depends on how many resources (i.e., users, Apps, and instances) are using the API credentials provided for the Dragos WorldView Intelligence Engine App. For example, a single user whose credentials are used only by the Dragos WorldView Intelligence Engine App in one ThreatConnect instance, retrieving all historical data, will likely need to perform at least three Dragos WorldView API rate limit resets (including the initial reset performed immediately before deploying the integration), spaced about 20 minutes to one hour apart. It is recommended that you check the DASHBOARD screen (Figure 2) often to see when the integration last ingested or updated data in order to determine whether an additional API rate limit reset is needed.


ThreatConnect® is a registered trademark, and CAL™ and TC Exchange™ are trademarks, of ThreatConnect, Inc.
Dragos® is a registered trademark of Dragos, Inc.
JavaScript® is a registered trademark of Oracle Corporation.
CVE® (Common Vulnerabilities and Exposures), MITRE ATT&CK®, and ATT&CK® are registered trademarks, and CWE™ (Common Weakness Enumeration) is a trademark, of The MITRE Corporation.

30088-01 EN Rev. A

