implementing-dragos-platform-for-ot-monitoring
Deploy and configure the Dragos Platform for OT network monitoring, leveraging its 600+ industrial protocol parsers, intelligence-driven threat detection analytics, and asset visibility capabilities to protect ICS environments against threat groups like VOLTZITE, GRAPHITE, and BAUXITE.
What this skill does
# Implementing Dragos Platform for OT Monitoring
## When to Use
- When deploying an OT-specific network detection and response (NDR) solution for industrial environments
- When needing threat intelligence-driven detection against known ICS threat groups (VOLTZITE, CHERNOVITE, KAMACITE)
- When building an OT SOC capability with purpose-built industrial security tooling
- When requiring asset discovery and vulnerability management alongside threat detection in a single platform
- When integrating OT security monitoring with an enterprise SIEM (Splunk, Sentinel, QRadar)
**Do not use** for IT-only network monitoring without ICS components, for endpoint detection and response (EDR) on OT workstations, or for environments standardized on Claroty or Nozomi (see respective skills).
## Prerequisites
- Dragos Platform license and deployment package
- Network TAP or SPAN port at OT network boundaries (one sensor per monitored segment)
- Dragos sensor hardware (physical appliance) or virtual appliance meeting minimum specifications
- Firewall rules allowing sensor-to-Dragos-SiteStore communication (encrypted, outbound only from OT)
- Dragos Knowledge Pack subscription for threat intelligence updates
## Workflow
### Step 1: Deploy Dragos Sensors and Configure Monitoring
```python
#!/usr/bin/env python3
"""Dragos Platform Deployment Validator and Integration Tool.
Validates Dragos sensor deployment, checks connectivity, and
configures integration with enterprise SIEM for OT alert forwarding.
"""
import json
import sys
import csv
from datetime import datetime
from typing import Optional, List, Dict
try:
import requests
except ImportError:
print("Install requests: pip install requests")
sys.exit(1)
class DragosPlatformManager:
"""Interface with Dragos Platform API for OT monitoring management."""
def __init__(self, base_url: str, api_key: str, api_secret: str, verify_ssl: bool = True):
self.base_url = base_url.rstrip("/")
self.session = requests.Session()
self.session.headers.update({
"API-Key": api_key,
"API-Secret": api_secret,
"Content-Type": "application/json",
})
self.session.verify = verify_ssl
def get_sensors(self) -> List[Dict]:
"""Retrieve all deployed Dragos sensors and their status."""
resp = self.session.get(f"{self.base_url}/api/v1/sensors")
resp.raise_for_status()
return resp.json().get("sensors", [])
def get_assets(self, asset_type: Optional[str] = None) -> List[Dict]:
"""Retrieve OT assets discovered by Dragos."""
params = {}
if asset_type:
params["type"] = asset_type
resp = self.session.get(f"{self.base_url}/api/v1/assets", params=params)
resp.raise_for_status()
return resp.json().get("assets", [])
def get_notifications(self, severity: str = "high", limit: int = 50) -> List[Dict]:
"""Retrieve threat detection notifications."""
params = {"min_severity": severity, "limit": limit}
resp = self.session.get(f"{self.base_url}/api/v1/notifications", params=params)
resp.raise_for_status()
return resp.json().get("notifications", [])
def get_vulnerabilities(self, severity: str = "critical") -> List[Dict]:
"""Retrieve OT vulnerabilities with Dragos-specific context."""
params = {"min_severity": severity}
resp = self.session.get(f"{self.base_url}/api/v1/vulnerabilities", params=params)
resp.raise_for_status()
return resp.json().get("vulnerabilities", [])
def get_threat_groups(self) -> List[Dict]:
"""Retrieve tracked ICS threat group activity relevant to the environment."""
resp = self.session.get(f"{self.base_url}/api/v1/threat-groups")
resp.raise_for_status()
return resp.json().get("threat_groups", [])
def validate_deployment(self):
"""Validate sensor deployment health and coverage."""
sensors = self.get_sensors()
assets = self.get_assets()
print(f"\n{'='*65}")
print("DRAGOS PLATFORM DEPLOYMENT VALIDATION")
print(f"{'='*65}")
print(f"Validation Time: {datetime.now().isoformat()}")
print(f"\n--- SENSOR STATUS ---")
healthy_sensors = 0
for sensor in sensors:
status = sensor.get("status", "unknown")
icon = "[OK]" if status == "connected" else "[!!]"
print(f" {icon} {sensor.get('name', 'Unknown')} | Status: {status}")
print(f" IP: {sensor.get('ip_address')} | Segment: {sensor.get('monitored_segment')}")
print(f" Last Seen: {sensor.get('last_seen')} | Packets/sec: {sensor.get('pps', 0)}")
print(f" Knowledge Pack: {sensor.get('knowledge_pack_version', 'N/A')}")
if status == "connected":
healthy_sensors += 1
print(f"\n Sensor Health: {healthy_sensors}/{len(sensors)} operational")
print(f"\n--- ASSET VISIBILITY ---")
print(f" Total Assets Discovered: {len(assets)}")
asset_types = {}
for asset in assets:
atype = asset.get("type", "Unknown")
asset_types[atype] = asset_types.get(atype, 0) + 1
for atype, count in sorted(asset_types.items(), key=lambda x: -x[1]):
print(f" {atype}: {count}")
protocols = set()
for asset in assets:
protocols.update(asset.get("protocols", []))
print(f" Protocols Observed: {', '.join(sorted(protocols))}")
print(f"\n--- THREAT INTELLIGENCE ---")
groups = self.get_threat_groups()
print(f" Relevant Threat Groups: {len(groups)}")
for group in groups:
print(f" - {group.get('name')}: {group.get('description', '')[:80]}")
print(f" Targets: {', '.join(group.get('target_sectors', []))}")
print(f" Activity Level: {group.get('activity_level', 'Unknown')}")
def generate_siem_integration_config(self, siem_type: str = "splunk"):
"""Generate SIEM integration configuration for Dragos alerts."""
configs = {
"splunk": {
"syslog_format": "CEF",
"syslog_port": 514,
"severity_mapping": {
"critical": 10,
"high": 7,
"medium": 5,
"low": 3,
"info": 1,
},
"index": "ot_security",
"sourcetype": "dragos:notification",
"fields": [
"notification_id", "severity", "category", "source_ip",
"destination_ip", "asset_name", "protocol", "description",
"mitre_ics_technique", "threat_group",
],
},
"sentinel": {
"connector_type": "Syslog-CEF",
"workspace_id": "<workspace-id>",
"log_analytics_table": "DragosOTAlerts_CL",
"severity_mapping": {
"critical": "High",
"high": "High",
"medium": "Medium",
"low": "Low",
"info": "Informational",
},
},
}
config = configs.get(siem_type, configs["splunk"])
print(f"\n--- {siem_type.upper()} INTEGRATION CONFIG ---")
print(json.dumps(config, indent=2))
return config
if __name__ == "__main__":
manager = DragosPlatformManager(
base_url="https://dragos-sitestore.plant.local",
api_key="your-api-key",
api_secret="your-api-secret",
verify_ssl=True,
)
manager.validate_deployment()
manager.generate_siem_integration_config("splunk")
print(f"\n--- RECENT HIGH-SEVERITY NOTIFICATIONS ---")
notifications = manager.get_notifications(severity="high", limit=10)
for n in notifications:
priRelated in Cloud & DevOps
appbuilder-action-scaffolder
IncludedCreate, implement, deploy, and debug Adobe Runtime actions with consistent layout, validation, and error handling. Use this skill whenever the user needs to add actions to an App Builder project, understand action structure (params, response format, web/raw actions), configure actions in the manifest, use App Builder SDKs (State, Files, Events, database), deploy and invoke actions via CLI, debug action issues, or implement patterns such as webhook receivers, custom event providers, journaling consumers, large payload redirects, action sequence pipelines, and Asset Compute workers. Also trigger when users mention serverless functions in Adobe context, action logging, IMS authentication for actions, or cron-style scheduled actions.
orchestrating-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. Use this skill when the user needs a multi-step Data Cloud pipeline, cross-phase troubleshooting, or data space and data kit management. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase sf data360 workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching phase-specific skill), the task is STDM/session tracing/parquet telemetry (use observing-agentforce), standard CRM SOQL (use querying-soql), or Apex implementation (use generating-apex).
github-project-automation
IncludedAutomate GitHub repository setup with CI/CD workflows, issue templates, Dependabot, and CodeQL security scanning. Includes 12 production-tested workflows and prevents 18 errors: YAML syntax, action pinning, and configuration. Use when: setting up GitHub Actions CI/CD, creating issue/PR templates, enabling Dependabot or CodeQL scanning, deploying to Cloudflare Workers, implementing matrix testing, or troubleshooting YAML indentation, action version pinning, secrets syntax, runner versions, or CodeQL configuration. Keywords: github actions, github workflow, ci/cd, issue templates, pull request templates, dependabot, codeql, security scanning, yaml syntax, github automation, repository setup, workflow templates, github actions matrix, secrets management, branch protection, codeowners, github projects, continuous integration, continuous deployment, workflow syntax error, action version pinning, runner version, github context, yaml indentation error
sf-datacloud
IncludedSalesforce Data Cloud product orchestrator for connect→prepare→harmonize→segment→act workflows. TRIGGER when: user needs a multi-step Data Cloud pipeline, asks to set up or troubleshoot Data Cloud across phases, manages data spaces or data kits, or wants a cross-phase `sf data360` workflow. DO NOT TRIGGER when: work is isolated to a single phase (use the matching sf-datacloud-* skill), the task is STDM/session tracing/parquet telemetry (use sf-ai-agentforce-observability), standard CRM SOQL (use sf-soql), or Apex implementation (use sf-apex).
fabric-cli
IncludedUse this skill for Fabric.so CLI workflows with the `fabric` terminal command: diagnose/install/login, search or browse a Fabric library, save notes/links/files, create folders, ask the Fabric AI assistant, manage tasks/workspaces, generate shell completion, check subscription usage, produce JSON output, and use Fabric as persistent agent memory. Do not use for Microsoft Fabric/Azure/Power BI `fab`, Daniel Miessler's Fabric framework, Python Fabric SSH, Fabric.js, or textile/fashion fabric.
lark
IncludedLark/Feishu CLI skills: lark-cli operations for docs, markdown, sheets, base, calendar, im, mail, task, okr, drive, wiki, slides, whiteboard, apps, approval, attendance, contact, vc, minutes, event. Use when the user needs to operate Lark/Feishu resources via lark-cli, send messages, manage documents, spreadsheets, calendars, tasks, OKRs, deploy web pages, or any Feishu/Lark workspace operations.