The Dragos Platform must alert the information system security officer (ISSO), information system security manager (ISSM), and other individuals designated by the local organization when events are detected that indicate a compromise or potential for compromise.
Overview
Finding ID | Version | Rule ID | IA Controls | Severity
--- | --- | --- | --- | ---
V-271070 | DRAG-OT-002120 | SV-271070r1058032_rule | | Medium
Description

When a security event occurs, the Dragos Platform must immediately notify the appropriate support personnel so they can respond appropriately. Alerts may be generated from a variety of sources, including audit records or inputs from malicious code protection mechanisms, intrusion detection mechanisms, or prevention mechanisms. Indicators of compromise (IOCs) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. These indicators reflect the occurrence of a compromise or a potential compromise.
STIG | Date
--- | ---
Dragos Platform 2.x Security Technical Implementation Guide | 2024-12-23
Details
Check Text (C-75113r1058014_chk)

1. Check Server Configuration.
   - If using Syslog Server: Verify that a third-party server is used to receive communication-related notifications. Check for a configured Syslog Server. In the UI, navigate to Admin >> Integrations. Click "LAUNCH" in the Syslog section.
   - If using Email Server: Check that the Email Server is configured. In the UI, navigate to Admin >> Integrations. Click "LAUNCH" on the email block.
   If no server is configured or the status is not "Connected", this is a finding. If no recipient is configured, this is a finding.
2. Check Rules. Navigate to Notification >> RULES Tab. Verify a rule exists and has the following:
   - Action = "Send (<your syslog server or email server>)"
   - Criteria = "Notification Type Equals System" and "Notification Type Equals System Failure"
   If a rule does not exist with the correct Action and Criteria, this is a finding.
Fix Text (F-75014r1058015_fix)

1. Configure Servers.
   - If using Syslog Server: Create a Syslog server on a third-party device. The steps may vary depending on the chosen Syslog server software. Refer to the 2.3.x Dragos Platform Syslog Integration Guide in the Customer Portal for additional help. Then create a syslog server output in the Dragos UI: Navigate to Admin >> Integrations. Click "LAUNCH" in the Syslog section. Click "ADD NEW SERVER". Enter the third-party server information and click "NEXT". Input the Message Template. Click "SAVE".
   - If using Email Server: In the UI, navigate to Admin >> Integrations. Click "LAUNCH" on the email block. Configure the Email Server and Recipients. Refer to the 2.3.x Dragos Platform Email Integration Guide in the Customer Portal for additional help.
2. Create System Rules. Navigate to Notification >> RULES Tab. Click "NEW RULE". Fill in Name and Processing Order. Create two Attributes:
   - Click "ADD ATTRIBUTE" in the "If ANY of the following" block: Type = "Notification Type", Operation = "Equals", Value = "System".
   - Click "ADD ATTRIBUTE" in the "If ANY of the following" block: Type = "Notification Type", Operation = "Equals", Value = "System failure".
   In the "THEN perform the following actions" block: Click "ADD ACTION". Action = "Send (<your syslog server or email server>)". Click "SAVE".