Darktrace

Table name: darktrace_model_breaches

Darktrace Model Breaches Alerts are part of an advanced cybersecurity framework that utilizes AI and machine learning to detect and respond to threats within an organization's digital environment. These alerts are generated when the Darktrace system identifies behavior or activity that deviates from the 'normal' patterns of operation within a network, indicating potential security incidents or threats.

Table name: darktrace_ai_analyst

Darktrace's AI Analyst is an advanced component of the Darktrace cyber defense platform, designed to automatically investigate security incidents and distill billions of data points down to a manageable number of critical incidents for human review.

Table name: darktrace_model_breaches_details

Darktrace Model Breaches Details are a supplement to the Alert logs. They are used to gather detailed information about a specific model breach alert, or about a device and its connections for investigation or monitoring purposes.

Table name: darktrace_audit

Darktrace audit logs are records that track system activities and changes within the Darktrace platform. They provide detailed information about operations performed, such as configuration changes or user actions, ensuring transparency and accountability. These logs are crucial for security auditing, compliance, and forensic analysis, helping organizations monitor and verify the integrity and security of their Darktrace deployment.

Hunters support API collection for Darktrace events. To enable it, Hunters requires the following information:

• Domain

• Public Token

• Private Token

To connect Darktrace logs:

1. Navigate to the System Config page on the Threat Visualizer of the appliance you wish to request data from.

2. Select Settings from the left-hand menu.

3. Locate the API Token subsection and click New.
   Two values will be displayed, a Public and Private token. The Private token will not be displayed again. Both Tokens are required to generate the DT-API Signature value, which must be passed with every API request made to the appliance, so make sure you record them securely.

4. Complete the process on the Hunters platform, following this guide.

In case the Darktrace events are being exported from your on-premise appliance to a syslog server, the events can be shipped to Hunters via AWS S3.

The process for configuring syslog-format alerts is identical across CEF, LEEF and ND-JSON formats, as well as for AI Analyst Alerts, Model Breach Alerts and System Status Alerts.

First, you'll need to create a different Syslog Forwarder with different ports for each data stream.

1. Open the Darktrace Threat Visualizer Dashboard and navigate to the System Config page (Main menu › Admin).

2. From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog.

3. Select the Syslog JSON tab and click New to set up a new Syslog Forwarder.

4. In the Server field, enter the IP Address and Port of the Syslog server that is running the integration in the Server and Server Port fields respectively.

5. Continue with the following items:

   • For AI Analyst Alert, follow the below configuration under the settings in Show Advanced Options:
     

   • For Model Breach Alert, follow the below configuration under the settings in Show Advanced Options:
     

   • For Audit logs,  follow the below configuration under the settings in Show Advanced Options:
     

In case Darktrace events are already being collected on your environment, it is possible to ship them to Hunters via shared storage such as AWS S3.

The events should be shared to the bucket in separate prefixes, i.e. prefix per data type - ai-analyst and model-breaches. The expected format for the events is:

Darktrace Model Breaches Alerts Sample

{"commentCount":0,"pbid":1959,"time":1654135310000,"creationTime":1654135318000,"model":{"then":{"name":"Compromise::Ransomware::Suspicious SMB Activity","pid":511,"phid":4356,"uuid":"22218471-4b8a-4523-86ef-49a25f6665ff","logic":{"data":[{"cid":8580,"weight":3},{"cid":8573,"weight":3},{"cid":8575,"weight":3},{"cid":8576,"weight":3},{"cid":8578,"weight":3},{"cid":8577,"weight":1},{"cid":8574,"weight":4},{"cid":8579,"weight":4},{"cid":8572,"weight":4}],"targetScore":4,"type":"weightedComponentList","version":1},"throttle":21600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["","Enhanced Monitoring","OT Engineer"],"interval":21600,"delay":0,"sequenced":false,"active":true,"modified":"2021-10-02 15:32:20","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device has significantly changed its SMB behavior. The device has begun reading and writing similar volumes of data to remote file shares, alongside sustained file MIME type conversion (e.g. text, image, application, etc.). This is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"version":41,"priority":5,"category":"Critical","compliance":false},"now":{"name":"Compromise::Ransomware::Suspicious SMB Activity","pid":511,"phid":7030,"uuid":"22218471-4b8a-4523-86ef-49a25f6665ff","logic":{"data":[{"cid":13654,"weight":3},{"cid":13651,"weight":3},{"cid":13657,"weight":3},{"cid":13659,"weight":3},{"cid":13653,"weight":3},{"cid":13658,"weight":1},{"cid":13655,"weight":4},{"cid":13652,"weight":4},{"cid":13656,"weight":4}],"targetScore":4,"type":"weightedComponentList","version":1},"throttle":21600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["","Enhanced Monitoring","OT Engineer"],"interval":21600,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-14 20:01:13","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device has significantly changed its SMB behavior. Examples include reading and writing similar volumes of data to remote file shares, sustained file MIME type conversion, appending files with additional extensions, possible ransom words detected in SMB activity or unusual external connectivity (e.g. DNS requests for Tor domains or possible callback events).\n\nSuch unusual SMB activity is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version. In the event of unusual SMB activity seen alongside external connectivity, the device could be involved in malware command and control as well as ransomware payments.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"message":"Updated model description","version":43,"priority":5,"category":"Critical","compliance":false}},"triggeredComponents":[{"time":1654135309000,"cbid":1984,"cid":8575,"chid":13357,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"C"},"operator":"OR","right":{"left":{"left":"B","operator":"AND","right":{"left":"C","operator":"AND","right":{"left":"D","operator":"AND","right":"E"}}},"operator":"OR","right":{"left":{"left":"D","operator":"AND","right":"F"},"operator":"OR","right":{"left":"D","operator":"AND","right":{"left":"E","operator":"AND","right":"G"}}}}},"version":"v0.1"},"metric":{"mlid":233,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":98649,"id":"A","filterType":"Message","arguments":{"value":"Ransom or Offensive Words Written to SMB"},"comparatorType":"contains","trigger":{"value":"Compromise / Ransomware / Ransom or Offensive Words Written to SMB"}},{"cfid":98651,"id":"C","filterType":"New or uncommon occurrence","arguments":{"value":50},"comparatorType":">","trigger":{"value":"100"}},{"cfid":98652,"id":"D","filterType":"New or uncommon occurrence","arguments":{"value":90},"comparatorType":">","trigger":{"value":"100"}},{"cfid":98653,"id":"E","filterType":"Age of source","arguments":{"value":86400},"comparatorType":">","trigger":{"value":"476589"}},{"cfid":98654,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Compromise / Ransomware / Ransom or Offensive Words Written to SMB"}},{"cfid":98655,"id":"d2","filterType":"New or uncommon occurrence","arguments":{},"comparatorType":"display","trigger":{"value":"100"}}]},{"time":1654135309000,"cbid":1985,"cid":8573,"chid":13355,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":"A","operator":"AND","right":"B"},"version":"v0.1"},"metric":{"mlid":233,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":98640,"id":"A","filterType":"Message","arguments":{"value":"Additional Extension Appended to SMB File"},"comparatorType":"contains","trigger":{"value":"Anomalous File / Internal / Additional Extension Appended to SMB File"}},{"cfid":98641,"id":"B","filterType":"New or uncommon occurrence","arguments":{"value":50},"comparatorType":">","trigger":{"value":"100"}},{"cfid":98642,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Anomalous File / Internal / Additional Extension Appended to SMB File"}},{"cfid":98643,"id":"d2","filterType":"New or uncommon occurrence","arguments":{},"comparatorType":"display","trigger":{"value":"100"}}]}],"score":1,"device":{"did":33,"macaddress":"06:c4:ct:ba:84:16","vendor":"","ip":"192.168.1.4","ips":[{"ip":"192.168.1.4","timems":1658962800000,"time":"2022-07-27 23:00:00","sid":3}],"sid":3,"hostname":"windowsdevice","firstSeen":1653658719000,"lastSeen":1658962816000,"devicelabel":"testing label","typename":"desktop","typelabel":"Desktop","credentials":["vagrant"]}}

Darktrace AI Analyst Sample

{"summariser":"SslC2Summary","acknowledged":false,"pinned":true,"createdAt":1646162087464,"attackPhases":[2],"title":"Possible SSL Command and Control","id":"b8b97bae-76d5-4172-bdf2-3ac5e4ceb429","children":["b8b97bae-76d5-4172-bdf2-3bc5e3ceb429"],"category":null,"currentGroup":null,"groupCategory":null,"groupScore":null,"groupPreviousGroups":null,"activityId":"da39a3ee","groupingIds":["9e6a55b6"],"groupByActivity":false,"userTriggered":false,"externalTriggered":false,"aiaScore":82,"summary":"The device sample.windomain.local was observed making multiple SSL connections to the rare external endpoint rare.com, with the same SSL fingerprint (JA3 hash).\n\nMoreover, this device only used this fingerprint for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.","periods":[{"start":1646158715797,"end":1646159346038}],"breachDevices":[{"identifier":"sample.windomain.local","hostname":"sample.windomain.local","ip":"192.168.1.3","mac":"06:7b:81:5d:4b:5c","subnet":null,"did":18,"sid":3}],"relatedBreaches":[{"modelName":"Device / Suspicious Domain","pbid":1777,"threatScore":33,"timestamp":1646158351000}],"details":[[{"header":"Device Making Suspicious Connections","contents":[{"key":null,"type":"device","values":[{"identifier":"sample.windomain.local","hostname":"sample.windomain.local","ip":"192.168.1.3","mac":"06:7b:81:5d:4b:5c","subnet":null,"did":18,"sid":3}]},{"key":"Username observed prior to activity","type":"string","values":["vagrant"]},{"key":"Source of username","type":"string","values":["NTLM login"]},{"key":"Time observed","type":"timestamp","values":[1646155963000]},{"key":"Event UID","type":"string","values":["COA5nI1DSlb9fHeUYg02"]}]}],[{"header":"Suspicious Application","contents":[{"key":"JA3 client hash","type":"string","values":["598872011444709327b861ae817a4b60"]}]},{"header":"Suspicious Endpoint Contacted by Application","contents":[{"key":"Time","type":"timestampRange","values":[{"start":1646158715797,"end":1646159346038}]},{"key":"Endpoint","type":"externalHost","values":[{"hostname":"rare.com","ip":null}]},{"key":"Hostname rarity","type":"percentage","values":[76]},{"key":"Hostname first observed","type":"timestamp","values":[1646158293000]},{"key":"Most recent destination IP","type":"externalHost","values":[{"hostname":"104.18.3.114","ip":"104.18.3.114"}]},{"key":"Most recent ASN","type":"string","values":["AS13335 CLOUDFLARENET"]},{"key":"Destination port","type":"integer","values":[443]},{"key":"Connection count","type":"integer","values":[22]},{"key":"Total data in","type":"dataVolume","values":[29838]},{"key":"Total data out","type":"dataVolume","values":[88768]},{"key":"Validation Status","type":"string","values":["Unknown"]},{"key":"Issuer","type":"string","values":["Unknown"]}]}]]}

Darktrace Model Breaches Details Sample

{"time": "2024-04-11 07:30:35", "timems": 1712820635000, "pbid": 1111111111111, "pid": 111111, "phid": 111111, "eventType": "policybreach", "action": "policybreach", "modelbreach": true, "creationTime": 1712820639000, "creationTimestamp": "2024-04-11 07:30:39", "name": "Device::Suspicious Domain", "components": [1111], "didRestrictions": [], "didExclusions": [], "throttle": 3600, "sharedEndpoints": false, "interval": 0, "sequenced": false, "active": true, "retired": false, "instanceID": 19000, "acknowledged": false, "state": "New", "score": 0.3098195, "commentCount": 0, "componentBreaches": [1111111111111], "componentBreachTimes": [1712820634000], "devices": [1111111111111], "deviceLabels": [""], "source_pbid": "1111111111111"}

Darktrace Audit Syslog - JSON sample

{"username":"aaa","method":"POST","endpoint":"/modelbreaches/123123123123/comments","ip":"10.11.222.321","status":200,"description":"Comment added to breach","additionalInfo":{"Details":"Comment added for breach number 123123123123","_pbid":"123123123123123","comment":"[Benign, None] confirmed benign and expected"}}

Darktrace Model Breaches Syslog - JSON sample

{"breachUrl": <URL>,"commentCount": 0,"creationTime": 1659398720000,"device": {"credentials": [<CREDS>],"did": 123456,"firstSeen": 1597644227000,"hostname": <HOST>,"ip": <IP>,"ips": [{"ip": <IP>,"sid": <SID>,"time": "2022-08-02 00:00:00","timems": 1659398400000}],"lastSeen": 1659398438000,"macaddress": <MAC>,"objecttype": "device","sid": <SID>,"tags": [<TAGS>],"typelabel": "Server","typename": "server","vendor": "VMware, Inc."},"mitreTechniques": [{"technique": "File and Directory Discovery Mitigation","techniqueID": "T1083"},{"technique": "Lateral Tool Transfer","techniqueID": "T1570"},{"technique": "SMB/Windows Admin Shares","techniqueID": "T1021.002"},{"technique": "Taint Shared Content Mitigation","techniqueID": "T1080"}],"model": {"actions": {"alert": true,"antigena": {},"breach": true,"model": true,"setPriority": false,"setTag": false,"setType": false},"active": true,"activeTimes": {"devices": {<DEVICE>: [{}]},"tags": {},"type": "exclusions","version": 2},"autoSuppress": true,"autoUpdatable": true,"autoUpdate": true,"behaviour": "decreasing","category": "Informational","compliance": true,"created": {},"defeats": [<DEFEATS>],"delay": 0,"description": <DESC>,"edited": {},"interval": 300,"logic": {"data": [<DATA>],"targetScore": 1,"type": "weightedComponentList","version": 1},"modified": "2022-06-30 10:58:06","name": "Compliance::SMB Drive Write","phid": <PHID>,"pid": <PBID>,"priority": 2,"readOnly": true,"sequenced": false,"sharedEndpoints": true,"tags": [<TAGS>],"throttle": 3600,"uuid": <UUID>,"version": 35},"pbid": <PBID>,"score": 0.443,"time": 1659398709000,"triggeredComponents": [<COMPONENTS>]}

Darktrace AI Analyst Syslog - JSON sample

{"acknowledged": false,"activityId": <ID>,"aiaScore": 60,"attackPhases": [5],"breachDevices": [{"did": <DID>,"hostname": <HOSTNAME>,"identifier": <ID>,"ip": <IP>,"mac": <MAC>,"sid": <SID>,"subnet": <SUBNET>}],"category": "suspicious","children": [<CHILDREN_UUIDS],"createdAt": 1659688285433,"currentGroup": <CURRENT_GROUP>,"details": [<DETAILS>],"externalTriggered": false,"groupByActivity": false,"groupCategory": "suspicious","groupPreviousGroups": [],"groupScore": 9.242343145200191,"groupingIds": [<IDS>],"id": <ID>,"incidentEventUrl": <URL>,"periods": [{"end": 1659688176525,"start": 1659686819429}],"pinned": false,"relatedBreaches": [{"modelName": <NAME>,"pbid": <PBID>,"threatScore": <SCORE>,"timestamp": <EPOCH>}],"summariser": "LateralMovementCrawler","summary":<SUMMARY>,"userTriggered": false}