Self-service ingestion
Darktrace Audit Logs via AWS S3
Darktrace Analyst Alerts via API
Darktrace Model Breaches Alerts via API
Darktrace Model Breaches Details via API
The following will require the help of Hunters Support:
Darktrace Analyst Alerts and Darktrace Model Breaches Alerts via AWS S3.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method |
---|---|---|---|---|---|---|---|
Darktrace Model Breaches Alerts | ✅ | ✅ | ✅ | darktrace_model_breaches | NDJSON | API/S3 | |
Darktrace AI Analyst | ✅ | ✅ | darktrace_ai_analyst | NDJSON | API/S3 | ||
Darktrace Model Breaches Details | darktrace_model_breaches_details | NDJSON | API | ||||
Darktrace Audit Logs | ✅ | darktrace_audit | NDJSON | S3 |
Overview
Darktrace empowers defenders to reduce risk and minimize cyber disruption. Its Self-Learning AI technology develops a deep and evolving understanding of your bespoke organization, allowing it to prevent, detect, and respond to unpredictable cyber-attacks across the entire digital environment – from cloud and email to endpoints and OT networks.
Integrating Darktrace with Hunters will allow triaging of Darktrace alerts and incidents via the Hunters console, as well as further investigating and correlating them to related threats.
Supported data types
Darktrace Model Breaches Alerts
Table name: darktrace_model_breaches
A Model Breach Alert is raised when the activity Darktrace observes for a device matches the logic of one of its models, that is, when the behaviour deviates from the baseline Darktrace has learned for that device and its network, indicating a potential security incident. Each alert identifies the model that was breached, the device involved, the components and filters that triggered, and a score.
Darktrace AI Analyst
Table name: darktrace_ai_analyst
Darktrace's AI Analyst is an advanced component of the Darktrace cyber defense platform, designed to automatically investigate security incidents and distill billions of data points down to a manageable number of critical incidents for human review.
Darktrace Model Breaches Details
Table name: darktrace_model_breaches_details
Darktrace Model Breaches Details supplement the alert logs. They carry detailed information about a specific model breach alert, or about a device and its connections, for investigation or monitoring purposes.
Darktrace Audit Logs
Table name: darktrace_audit
Darktrace audit logs are records that track system activities and changes within the Darktrace platform. They provide detailed information about operations performed, such as configuration changes or user actions, ensuring transparency and accountability. These logs are crucial for security auditing, compliance, and forensic analysis, helping organizations monitor and verify the integrity and security of their Darktrace deployment.
Send data to Hunters
You can collect logs using two methods:
API: connect your Darktrace instance to Hunters through the Darktrace API in a few steps.
S3 storage: route logs to an S3 bucket and provide Hunters with the bucket details.
⚠️Attention
Darktrace does not expose audit logs through its API; they can be collected only via syslog export to an S3 bucket.
Using API
Hunters supports API collection for Darktrace events. To enable it, Hunters requires the following information:
Domain
Public Token
Private Token
To connect Darktrace logs:
💡Before you start
Before any data can be queried, an API token pair is needed for each Master appliance. Creating the API token requires access to the Darktrace Threat Visualizer interface and a user account with appropriate permissions to access and modify the System Config page.
Navigate to the System Config page on the Threat Visualizer of the appliance you wish to request data from.
Select Settings from the left-hand menu.
Locate the API Token subsection and click New.
Two values are displayed, a Public and a Private token. The Private token is shown only once and cannot be retrieved later. Both tokens are required to generate the DT-API Signature value that must accompany every API request to the appliance, so record them securely; the Private token is a secret and should be handled like a password.
Complete the process on the Hunters platform, following this guide.
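The following is an added example, not code from Hunters or Darktrace, showing what the token pair is used for: building the DTAPI headers for a Threat Visualizer API request. It follows Darktrace's published API authentication scheme (DTAPI-Signature is the hex HMAC-SHA1, keyed with the private token, over the request path and query string, the public token and the DTAPI-Date, joined by newlines); the token values and the `/modelbreaches` query are constructed placeholders, and the exact scheme should be confirmed against the API guide for your appliance version.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Added example (not Hunters' or Darktrace's code): build the three DTAPI headers
# that every Threat Visualizer API request must carry, from the public/private
# token pair created under System Config > Settings > API Token.
#
# Per Darktrace's published API authentication scheme, DTAPI-Signature is the
# hex HMAC-SHA1, keyed with the *private* token, over
#     "<request path incl. query string>\n<public token>\n<DTAPI-Date>"
# and DTAPI-Date is the current UTC time as YYYYMMDDTHHMMSS. The private token
# itself is never transmitted. Confirm the format against the API guide of your
# appliance version before relying on it.

def dtapi_date(now=None):
    """Current UTC time in DTAPI-Date form, e.g. 20240411T073035."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H%M%S")

def dtapi_signature(request, public_token, private_token, date):
    """HMAC-SHA1 over request, public token and date, keyed with the private token."""
    msg = f"{request}\n{public_token}\n{date}".encode("ascii")
    return hmac.new(private_token.encode("ascii"), msg, hashlib.sha1).hexdigest()

def signed_headers(request, public_token, private_token, date=None):
    """Headers for a request to `request` (path + query string).

    `date` is a preformatted DTAPI-Date string; omit it to use the current time.
    The query string is part of the signed data, so a captured signature cannot
    be replayed against a different query, and the appliance rejects requests
    whose DTAPI-Date is too far from its own clock.
    """
    date = date or dtapi_date()
    return {
        "DTAPI-Token": public_token,
        "DTAPI-Date": date,
        "DTAPI-Signature": dtapi_signature(request, public_token, private_token, date),
    }

if __name__ == "__main__":
    # Constructed placeholder tokens; real ones are shown once when you click New.
    PUBLIC_TOKEN, PRIVATE_TOKEN = "examplepublictoken", "exampleprivatetoken"
    # Endpoint and parameters assumed from the Darktrace API reference: model
    # breaches created since an epoch-millisecond timestamp, minimal output.
    request = "/modelbreaches?starttime=1712820635000&minimal=true"
    for name, value in signed_headers(request, PUBLIC_TOKEN, PRIVATE_TOKEN).items():
        print(f"{name}: {value}")
    # Send as: GET https://<domain><request> with these headers.
```

Because the signed string includes the full request path and query, a signature is only valid for that exact query within the appliance's clock tolerance; keep appliance and collector clocks synchronised, and keep the private token out of logs and version control.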
Using S3 storage
If Darktrace events are exported from your on-premises appliance to a syslog server, they can be shipped to Hunters via AWS S3.
Once the export is completed and the logs are collected to S3, follow the steps in this section.
⚠️Attention
Write the events to the bucket under a separate prefix per data type (for example ai-analyst, model-breaches and audit-logs), in Syslog JSON format.
The process for configuring syslog-format alerts is identical across CEF, LEEF and ND-JSON formats, as well as for AI Analyst Alerts, Model Breach Alerts and System Status Alerts.
First, create a separate Syslog Forwarder, each with its own destination port, for each data stream.
Open the Darktrace Threat Visualizer Dashboard and navigate to the System Config page (Main menu › Admin).
From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog.
Select the Syslog JSON tab and click New to set up a new Syslog Forwarder.
In the Server and Server Port fields, enter the IP address and port of the syslog server that runs the integration.
Then configure each forwarder as follows:
For AI Analyst Alerts, apply the configuration below under Show Advanced Options:
For Model Breach Alerts, apply the configuration below under Show Advanced Options:
For Audit logs, apply the configuration below under Show Advanced Options:
Expected format
API Integration
The samples below show the shape of events collected through the Darktrace API. If Darktrace events are already being collected in your environment, they can also be shipped to Hunters via shared storage such as AWS S3; in that case write them to the bucket under a separate prefix per data type (for example ai-analyst and model-breaches). The expected format for the events is:
Darktrace Model Breaches Alerts Sample
{"commentCount":0,"pbid":1959,"time":1654135310000,"creationTime":1654135318000,"model":{"then":{"name":"Compromise::Ransomware::Suspicious SMB Activity","pid":511,"phid":4356,"uuid":"22218471-4b8a-4523-86ef-49a25f6665ff","logic":{"data":[{"cid":8580,"weight":3},{"cid":8573,"weight":3},{"cid":8575,"weight":3},{"cid":8576,"weight":3},{"cid":8578,"weight":3},{"cid":8577,"weight":1},{"cid":8574,"weight":4},{"cid":8579,"weight":4},{"cid":8572,"weight":4}],"targetScore":4,"type":"weightedComponentList","version":1},"throttle":21600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["","Enhanced Monitoring","OT Engineer"],"interval":21600,"delay":0,"sequenced":false,"active":true,"modified":"2021-10-02 15:32:20","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device has significantly changed its SMB behavior. The device has begun reading and writing similar volumes of data to remote file shares, alongside sustained file MIME type conversion (e.g. text, image, application, etc.). This is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"version":41,"priority":5,"category":"Critical","compliance":false},"now":{"name":"Compromise::Ransomware::Suspicious SMB Activity","pid":511,"phid":7030,"uuid":"22218471-4b8a-4523-86ef-49a25f6665ff","logic":{"data":[{"cid":13654,"weight":3},{"cid":13651,"weight":3},{"cid":13657,"weight":3},{"cid":13659,"weight":3},{"cid":13653,"weight":3},{"cid":13658,"weight":1},{"cid":13655,"weight":4},{"cid":13652,"weight":4},{"cid":13656,"weight":4}],"targetScore":4,"type":"weightedComponentList","version":1},"throttle":21600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["","Enhanced Monitoring","OT Engineer"],"interval":21600,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-14 20:01:13","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device has significantly changed its SMB behavior. Examples include reading and writing similar volumes of data to remote file shares, sustained file MIME type conversion, appending files with additional extensions, possible ransom words detected in SMB activity or unusual external connectivity (e.g. DNS requests for Tor domains or possible callback events).\n\nSuch unusual SMB activity is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version. In the event of unusual SMB activity seen alongside external connectivity, the device could be involved in malware command and control as well as ransomware payments.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"message":"Updated model description","version":43,"priority":5,"category":"Critical","compliance":false}},"triggeredComponents":[{"time":1654135309000,"cbid":1984,"cid":8575,"chid":13357,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"C"},"operator":"OR","right":{"left":{"left":"B","operator":"AND","right":{"left":"C","operator":"AND","right":{"left":"D","operator":"AND","right":"E"}}},"operator":"OR","right":{"left":{"left":"D","operator":"AND","right":"F"},"operator":"OR","right":{"left":"D","operator":"AND","right":{"left":"E","operator":"AND","right":"G"}}}}},"version":"v0.1"},"metric":{"mlid":233,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":98649,"id":"A","filterType":"Message","arguments":{"value":"Ransom or Offensive Words Written to SMB"},"comparatorType":"contains","trigger":{"value":"Compromise / Ransomware / Ransom or Offensive Words Written to SMB"}},{"cfid":98651,"id":"C","filterType":"New or uncommon occurrence","arguments":{"value":50},"comparatorType":">","trigger":{"value":"100"}},{"cfid":98652,"id":"D","filterType":"New or uncommon occurrence","arguments":{"value":90},"comparatorType":">","trigger":{"value":"100"}},{"cfid":98653,"id":"E","filterType":"Age of source","arguments":{"value":86400},"comparatorType":">","trigger":{"value":"476589"}},{"cfid":98654,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Compromise / Ransomware / Ransom or Offensive Words Written to SMB"}},{"cfid":98655,"id":"d2","filterType":"New or uncommon occurrence","arguments":{},"comparatorType":"display","trigger":{"value":"100"}}]},{"time":1654135309000,"cbid":1985,"cid":8573,"chid":13355,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":"A","operator":"AND","right":"B"},"version":"v0.1"},"metric":{"mlid":233,"name":"dtmodelbreach","label":"Model"},"triggeredFilters":[{"cfid":98640,"id":"A","filterType":"Message","arguments":{"value":"Additional Extension Appended to SMB File"},"comparatorType":"contains","trigger":{"value":"Anomalous File / Internal / Additional Extension Appended to SMB File"}},{"cfid":98641,"id":"B","filterType":"New or uncommon occurrence","arguments":{"value":50},"comparatorType":">","trigger":{"value":"100"}},{"cfid":98642,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"Anomalous File / Internal / Additional Extension Appended to SMB File"}},{"cfid":98643,"id":"d2","filterType":"New or uncommon occurrence","arguments":{},"comparatorType":"display","trigger":{"value":"100"}}]}],"score":1,"device":{"did":33,"macaddress":"06:c4:ct:ba:84:16","vendor":"","ip":"192.168.1.4","ips":[{"ip":"192.168.1.4","timems":1658962800000,"time":"2022-07-27 23:00:00","sid":3}],"sid":3,"hostname":"windowsdevice","firstSeen":1653658719000,"lastSeen":1658962816000,"devicelabel":"testing label","typename":"desktop","typelabel":"Desktop","credentials":["vagrant"]}}
Darktrace AI Analyst Sample
{"summariser":"SslC2Summary","acknowledged":false,"pinned":true,"createdAt":1646162087464,"attackPhases":[2],"title":"Possible SSL Command and Control","id":"b8b97bae-76d5-4172-bdf2-3ac5e4ceb429","children":["b8b97bae-76d5-4172-bdf2-3bc5e3ceb429"],"category":null,"currentGroup":null,"groupCategory":null,"groupScore":null,"groupPreviousGroups":null,"activityId":"da39a3ee","groupingIds":["9e6a55b6"],"groupByActivity":false,"userTriggered":false,"externalTriggered":false,"aiaScore":82,"summary":"The device sample.windomain.local was observed making multiple SSL connections to the rare external endpoint rare.com, with the same SSL fingerprint (JA3 hash).\n\nMoreover, this device only used this fingerprint for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.","periods":[{"start":1646158715797,"end":1646159346038}],"breachDevices":[{"identifier":"sample.windomain.local","hostname":"sample.windomain.local","ip":"192.168.1.3","mac":"06:7b:81:5d:4b:5c","subnet":null,"did":18,"sid":3}],"relatedBreaches":[{"modelName":"Device / Suspicious Domain","pbid":1777,"threatScore":33,"timestamp":1646158351000}],"details":[[{"header":"Device Making Suspicious Connections","contents":[{"key":null,"type":"device","values":[{"identifier":"sample.windomain.local","hostname":"sample.windomain.local","ip":"192.168.1.3","mac":"06:7b:81:5d:4b:5c","subnet":null,"did":18,"sid":3}]},{"key":"Username observed prior to activity","type":"string","values":["vagrant"]},{"key":"Source of username","type":"string","values":["NTLM login"]},{"key":"Time observed","type":"timestamp","values":[1646155963000]},{"key":"Event UID","type":"string","values":["COA5nI1DSlb9fHeUYg02"]}]}],[{"header":"Suspicious Application","contents":[{"key":"JA3 client hash","type":"string","values":["598872011444709327b861ae817a4b60"]}]},{"header":"Suspicious Endpoint Contacted by Application","contents":[{"key":"Time","type":"timestampRange","values":[{"start":1646158715797,"end":1646159346038}]},{"key":"Endpoint","type":"externalHost","values":[{"hostname":"rare.com","ip":null}]},{"key":"Hostname rarity","type":"percentage","values":[76]},{"key":"Hostname first observed","type":"timestamp","values":[1646158293000]},{"key":"Most recent destination IP","type":"externalHost","values":[{"hostname":"104.18.3.114","ip":"104.18.3.114"}]},{"key":"Most recent ASN","type":"string","values":["AS13335 CLOUDFLARENET"]},{"key":"Destination port","type":"integer","values":[443]},{"key":"Connection count","type":"integer","values":[22]},{"key":"Total data in","type":"dataVolume","values":[29838]},{"key":"Total data out","type":"dataVolume","values":[88768]},{"key":"Validation Status","type":"string","values":["Unknown"]},{"key":"Issuer","type":"string","values":["Unknown"]}]}]]}
Darktrace Model Breaches Details Sample
{"time": "2024-04-11 07:30:35", "timems": 1712820635000, "pbid": 1111111111111, "pid": 111111, "phid": 111111, "eventType": "policybreach", "action": "policybreach", "modelbreach": true, "creationTime": 1712820639000, "creationTimestamp": "2024-04-11 07:30:39", "name": "Device::Suspicious Domain", "components": [1111], "didRestrictions": [], "didExclusions": [], "throttle": 3600, "sharedEndpoints": false, "interval": 0, "sequenced": false, "active": true, "retired": false, "instanceID": 19000, "acknowledged": false, "state": "New", "score": 0.3098195, "commentCount": 0, "componentBreaches": [1111111111111], "componentBreachTimes": [1712820634000], "devices": [1111111111111], "deviceLabels": [""], "source_pbid": "1111111111111"}
S3 Integration
Darktrace Audit Syslog - JSON sample
{"username":"aaa","method":"POST","endpoint":"/modelbreaches/123123123123/comments","ip":"10.11.222.321","status":200,"description":"Comment added to breach","additionalInfo":{"Details":"Comment added for breach number 123123123123","_pbid":"123123123123123","comment":"[Benign, None] confirmed benign and expected"}}
Darktrace Model Breaches Syslog - JSON sample
{"breachUrl": <URL>,"commentCount": 0,"creationTime": 1659398720000,"device": {"credentials": [<CREDS>],"did": 123456,"firstSeen": 1597644227000,"hostname": <HOST>,"ip": <IP>,"ips": [{"ip": <IP>,"sid": <SID>,"time": "2022-08-02 00:00:00","timems": 1659398400000}],"lastSeen": 1659398438000,"macaddress": <MAC>,"objecttype": "device","sid": <SID>,"tags": [<TAGS>],"typelabel": "Server","typename": "server","vendor": "VMware, Inc."},"mitreTechniques": [{"technique": "File and Directory Discovery Mitigation","techniqueID": "T1083"},{"technique": "Lateral Tool Transfer","techniqueID": "T1570"},{"technique": "SMB/Windows Admin Shares","techniqueID": "T1021.002"},{"technique": "Taint Shared Content Mitigation","techniqueID": "T1080"}],"model": {"actions": {"alert": true,"antigena": {},"breach": true,"model": true,"setPriority": false,"setTag": false,"setType": false},"active": true,"activeTimes": {"devices": {<DEVICE>: [{}]},"tags": {},"type": "exclusions","version": 2},"autoSuppress": true,"autoUpdatable": true,"autoUpdate": true,"behaviour": "decreasing","category": "Informational","compliance": true,"created": {},"defeats": [<DEFEATS>],"delay": 0,"description": <DESC>,"edited": {},"interval": 300,"logic": {"data": [<DATA>],"targetScore": 1,"type": "weightedComponentList","version": 1},"modified": "2022-06-30 10:58:06","name": "Compliance::SMB Drive Write","phid": <PHID>,"pid": <PBID>,"priority": 2,"readOnly": true,"sequenced": false,"sharedEndpoints": true,"tags": [<TAGS>],"throttle": 3600,"uuid": <UUID>,"version": 35},"pbid": <PBID>,"score": 0.443,"time": 1659398709000,"triggeredComponents": [<COMPONENTS>]}
Darktrace AI Analyst Syslog - JSON sample
{"acknowledged": false,"activityId": <ID>,"aiaScore": 60,"attackPhases": [5],"breachDevices": [{"did": <DID>,"hostname": <HOSTNAME>,"identifier": <ID>,"ip": <IP>,"mac": <MAC>,"sid": <SID>,"subnet": <SUBNET>}],"category": "suspicious","children": [<CHILDREN_UUIDS>],"createdAt": 1659688285433,"currentGroup": <CURRENT_GROUP>,"details": [<DETAILS>],"externalTriggered": false,"groupByActivity": false,"groupCategory": "suspicious","groupPreviousGroups": [],"groupScore": 9.242343145200191,"groupingIds": [<IDS>],"id": <ID>,"incidentEventUrl": <URL>,"periods": [{"end": 1659688176525,"start": 1659686819429}],"pinned": false,"relatedBreaches": [{"modelName": <NAME>,"pbid": <PBID>,"threatScore": <SCORE>,"timestamp": <EPOCH>}],"summariser": "LateralMovementCrawler","summary":<SUMMARY>,"userTriggered": false}
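The following added example, which is not Hunters' or Darktrace's code, ties the format section together: it reads NDJSON lines as they would be laid out in the S3 prefixes described earlier (one prefix per data type), rejects records that landed under the wrong prefix, flattens Model Breach Alerts and AI Analyst incidents into a common alert shape, and links each incident to the model breaches it cites through relatedBreaches[].pbid. Field names follow the API and syslog samples above (including the then/now model nesting that only the API shape has); the sample lines are constructed and trimmed, and are not real alerts.

```python
import json
from datetime import datetime, timezone

# Added example (not Hunters' or Darktrace's code): route NDJSON events by S3
# prefix, reject misrouted records, normalise model breaches and AI Analyst
# incidents, and link incidents to the model breaches they reference.
# Field names follow the samples on this page; sample lines are constructed.

# Fields every record of a stream carries in the samples above. A record under
# a prefix that lacks them almost always means a misconfigured forwarder.
REQUIRED_FIELDS = {
    "model-breaches": {"pbid", "time", "model", "device"},
    "ai-analyst": {"id", "createdAt", "aiaScore", "summariser", "breachDevices"},
    "audit-logs": {"username", "method", "endpoint", "status"},
}

def iso(ms):
    """Darktrace alert timestamps are epoch milliseconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat()

def parse_ndjson(prefix, text):
    """Parse NDJSON from one prefix, failing loudly if a record does not belong there."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        missing = REQUIRED_FIELDS[prefix] - rec.keys()
        if missing:
            raise ValueError(f"{prefix} line {n}: missing {sorted(missing)}; wrong prefix or forwarder format?")
        records.append(rec)
    return records

def normalise_breach(rec):
    """Flatten a model breach. The API shape nests the model under then/now
    (revision at breach time vs. current); the syslog shape has no nesting."""
    model = rec["model"].get("now", rec["model"])
    dev = rec["device"]
    return {
        "source": "darktrace_model_breaches",
        "time": iso(rec["time"]),
        "pbid": rec["pbid"],
        "title": model["name"],
        "category": model.get("category"),
        "priority": model.get("priority"),
        "score": rec.get("score"),
        "device": dev.get("hostname") or dev.get("ip"),
        "device_ip": dev.get("ip"),
        "mitre": [t["techniqueID"] for t in rec.get("mitreTechniques", [])],
    }

def normalise_incident(rec):
    """Flatten an AI Analyst incident event, keeping the breaches it cites."""
    devs = rec.get("breachDevices") or []
    return {
        "source": "darktrace_ai_analyst",
        "time": iso(rec["createdAt"]),
        "id": rec["id"],
        "title": rec.get("title") or rec["summariser"],
        "score": rec["aiaScore"],
        "device": (devs[0].get("hostname") or devs[0].get("ip")) if devs else None,
        "related_pbids": [b["pbid"] for b in rec.get("relatedBreaches", [])],
    }

def correlate(breaches, incidents):
    """Map each incident id to the normalised model breaches it references."""
    by_pbid = {b["pbid"]: b for b in breaches}
    return {i["id"]: [by_pbid[p] for p in i["related_pbids"] if p in by_pbid] for i in incidents}

def build_view(model_breaches_text, ai_analyst_text):
    breaches = [normalise_breach(r) for r in parse_ndjson("model-breaches", model_breaches_text)]
    incidents = [normalise_incident(r) for r in parse_ndjson("ai-analyst", ai_analyst_text)]
    return breaches, incidents, correlate(breaches, incidents)

# Constructed sample lines, trimmed to the fields used above (not real alerts).
MODEL_BREACHES_NDJSON = "\n".join(json.dumps(r) for r in [
    {"pbid": 1777, "time": 1646158351000, "score": 0.33,
     "model": {"name": "Device::Suspicious Domain", "category": "Suspicious", "priority": 3},
     "device": {"did": 18, "hostname": "sample.windomain.local", "ip": "192.168.1.3"}},
    {"pbid": 1959, "time": 1654135310000, "score": 1,
     "model": {"then": {"name": "Compromise::Ransomware::Suspicious SMB Activity", "category": "Critical", "priority": 5},
               "now": {"name": "Compromise::Ransomware::Suspicious SMB Activity", "category": "Critical", "priority": 5}},
     "device": {"did": 33, "hostname": "windowsdevice", "ip": "192.168.1.4"},
     "mitreTechniques": [{"technique": "SMB/Windows Admin Shares", "techniqueID": "T1021.002"},
                         {"technique": "Lateral Tool Transfer", "techniqueID": "T1570"}]},
])
AI_ANALYST_NDJSON = json.dumps({
    "id": "b8b97bae-76d5-4172-bdf2-3ac5e4ceb429", "createdAt": 1646162087464, "aiaScore": 82,
    "summariser": "SslC2Summary", "title": "Possible SSL Command and Control",
    "breachDevices": [{"did": 18, "hostname": "sample.windomain.local", "ip": "192.168.1.3"}],
    "relatedBreaches": [{"modelName": "Device / Suspicious Domain", "pbid": 1777, "threatScore": 33, "timestamp": 1646158351000}],
})

if __name__ == "__main__":
    breaches, incidents, links = build_view(MODEL_BREACHES_NDJSON, AI_ANALYST_NDJSON)
    for inc in incidents:
        print(f"[{inc['time']}] AI Analyst score {inc['score']}: {inc['title']} on {inc['device']}")
        for b in links[inc["id"]]:
            print(f"    <- pbid {b['pbid']} {b['title']} ({b['category']}, score {b['score']})")
```

Model Breaches Details records (the darktrace_model_breaches_details table) are deliberately not handled here: they carry `time` as a string and the epoch value in `timems`, so they need their own normaliser rather than being fed through `normalise_breach`. The prefix check is the part worth keeping in any real collector, since an AI Analyst forwarder pointed at the model-breaches port produces records that parse as valid JSON but map onto the wrong table.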