Overview

Darktrace empowers defenders to reduce risk and minimize cyber disruption. Its Self-Learning AI technology develops a deep and evolving understanding of your bespoke organization, allowing it to prevent, detect, and respond to unpredictable cyber-attacks across the entire digital environment – from cloud and email to endpoints and OT networks.

Integrating Darktrace with Hunters allows Darktrace alerts and incidents to be triaged in the Hunters console, and then investigated further and correlated with related threats.

Supported data types

  • Darktrace Model Breaches - alerts for model breaches by Darktrace.

  • Darktrace AI Analyst - alerts for AI Analyst by Darktrace.

  • Darktrace Audit Logs - internal audit logs by Darktrace (available only via Syslog export).

Sending data to Hunters

Darktrace data can be shared with Hunters in one of two ways: API Integration or Syslog Integration.

API Integration

Hunters supports API collection only for the Darktrace ai-analyst and model-breaches events. To allow this collection method, make sure your appliance is publicly reachable by Hunters. Then supply the following API details in the Hunters platform:

  • Domain - the required format: https://domain.customer.com

  • Public Token

  • Private Token

The API keys can be obtained by following the guide below:

Darktrace API Keys Export

Acquiring the API Token Pair

Before any data can be queried, an API token pair is needed for each Master appliance. Creating the API token requires access to the Darktrace Threat Visualizer interface and a user account with appropriate permissions to access and modify the System Config page.

  1. Navigate to the System Config page on the Threat Visualizer of the appliance you wish to request data from. Select “Settings” from the left-hand menu.

  2. Locate the ‘API Token’ subsection and click ‘New’.

  3. Two values will be displayed, a Public and a Private token. The Private token will not be displayed again.

Both tokens are required to generate the DT-API Signature value, which must be passed with every API request made to the appliance, so make sure you record them securely.
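As an added example (not code from the Hunters page), the following Python builds the three headers that accompany a request to the appliance. It uses the DT-API signature construction published in Darktrace's own API guide, an HMAC-SHA1 keyed with the private token over the request path (including any query string), the public token and the request date, joined by newlines. The token values and the `/modelbreaches` endpoint with its `starttime` parameter are assumptions for illustration; check the endpoint against your appliance's API documentation.

```python
"""Build the DT-API authentication headers for a Darktrace Threat Visualizer API call.

Added example, not Hunters or Darktrace code. The construction follows the
Darktrace API guide: DT-API-Signature = HMAC-SHA1(private_token,
"<endpoint>\n<public_token>\n<date>"), hex encoded. Token values are
constructed placeholders.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional

# Constructed placeholders: real tokens belong in a secret store, not in source.
PUBLIC_TOKEN = "public-token-example"
PRIVATE_TOKEN = "private-token-example"


def dt_api_date(now: Optional[datetime] = None) -> str:
    """Format the request time the way the DT-API-Date header expects: YYYYMMDDTHHMMSS."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H%M%S")


def dt_api_signature(endpoint: str, public_token: str, private_token: str, date: str) -> str:
    """Hex HMAC-SHA1 over endpoint, public token and date, keyed with the private token.

    The private token is only the HMAC key; it is never placed in a header.
    """
    message = f"{endpoint}\n{public_token}\n{date}".encode()
    return hmac.new(private_token.encode(), message, hashlib.sha1).hexdigest()


def dt_api_headers(endpoint: str, public_token: str, private_token: str,
                   date: Optional[str] = None) -> dict:
    """Return the three headers that must accompany every appliance API request."""
    date = date or dt_api_date()
    return {
        "DT-API-Token": public_token,
        "DT-API-Date": date,
        "DT-API-Signature": dt_api_signature(endpoint, public_token, private_token, date),
    }


if __name__ == "__main__":
    # The endpoint string must include the query string exactly as it will be sent;
    # the appliance recomputes the signature over the same path and rejects a mismatch.
    endpoint = "/modelbreaches?starttime=1654135310000"  # assumed endpoint/parameter
    for name, value in dt_api_headers(endpoint, PUBLIC_TOKEN, PRIVATE_TOKEN).items():
        print(f"{name}: {value}")
```

Because the date is part of the signed string, a captured signature is only reusable for the same path within the appliance's tolerance window, and because the private token is used only as the key, it never leaves the collector.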

Expected Format - API Integration

If Darktrace events are already being collected in your environment via the API, they can be shipped to Hunters via shared blob storage such as AWS S3.

Events should be written to the bucket under separate prefixes, one per data type (ai-analyst and model-breaches). The expected event format is:

Darktrace Model Breaches Sample

{
"commentCount": 0,
"pbid": 1959,
"time": 1654135310000,
"creationTime": 1654135318000,
"model": {
"then": {
"name": "Compromise::Ransomware::Suspicious SMB Activity",
"pid": 511,
"phid": 4356,
"uuid": "22218471-4b8a-4523-86ef-49a25f6665ff",
"logic": {
"data": [
{
"cid": 8580,
"weight": 3
},
{
"cid": 8573,
"weight": 3
},
{
"cid": 8575,
"weight": 3
},
{
"cid": 8576,
"weight": 3
},
{
"cid": 8578,
"weight": 3
},
{
"cid": 8577,
"weight": 1
},
{
"cid": 8574,
"weight": 4
},
{
"cid": 8579,
"weight": 4
},
{
"cid": 8572,
"weight": 4
}
],
"targetScore": 4,
"type": "weightedComponentList",
"version": 1
},
"throttle": 21600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"Enhanced Monitoring",
"OT Engineer"
],
"interval": 21600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2021-10-02 15:32:20",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "A device has significantly changed its SMB behavior. The device has begun reading and writing similar volumes of data to remote file shares, alongside sustained file MIME type conversion (e.g. text, image, application, etc.). This is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"version": 41,
"priority": 5,
"category": "Critical",
"compliance": false
},
"now": {
"name": "Compromise::Ransomware::Suspicious SMB Activity",
"pid": 511,
"phid": 7030,
"uuid": "22218471-4b8a-4523-86ef-49a25f6665ff",
"logic": {
"data": [
{
"cid": 13654,
"weight": 3
},
{
"cid": 13651,
"weight": 3
},
{
"cid": 13657,
"weight": 3
},
{
"cid": 13659,
"weight": 3
},
{
"cid": 13653,
"weight": 3
},
{
"cid": 13658,
"weight": 1
},
{
"cid": 13655,
"weight": 4
},
{
"cid": 13652,
"weight": 4
},
{
"cid": 13656,
"weight": 4
}
],
"targetScore": 4,
"type": "weightedComponentList",
"version": 1
},
"throttle": 21600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"Enhanced Monitoring",
"OT Engineer"
],
"interval": 21600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2022-07-14 20:01:13",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "A device has significantly changed its SMB behavior. Examples include reading and writing similar volumes of data to remote file shares, sustained file MIME type conversion, appending files with additional extensions, possible ransom words detected in SMB activity or unusual external connectivity (e.g. DNS requests for Tor domains or possible callback events).\n\nSuch unusual SMB activity is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version. In the event of unusual SMB activity seen alongside external connectivity, the device could be involved in malware command and control as well as ransomware payments.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"message": "Updated model description",
"version": 43,
"priority": 5,
"category": "Critical",
"compliance": false
}
},
"triggeredComponents": [
{
"time": 1654135309000,
"cbid": 1984,
"cid": 8575,
"chid": 13357,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": {
"left": "A",
"operator": "AND",
"right": "C"
},
"operator": "OR",
"right": {
"left": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": "E"
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "D",
"operator": "AND",
"right": "F"
},
"operator": "OR",
"right": {
"left": "D",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": "G"
}
}
}
}
},
"version": "v0.1"
},
"metric": {
"mlid": 233,
"name": "dtmodelbreach",
"label": "Model"
},
"triggeredFilters": [
{
"cfid": 98649,
"id": "A",
"filterType": "Message",
"arguments": {
"value": "Ransom or Offensive Words Written to SMB"
},
"comparatorType": "contains",
"trigger": {
"value": "Compromise / Ransomware / Ransom or Offensive Words Written to SMB"
}
},
{
"cfid": 98651,
"id": "C",
"filterType": "New or uncommon occurrence",
"arguments": {
"value": 50
},
"comparatorType": ">",
"trigger": {
"value": "100"
}
},
{
"cfid": 98652,
"id": "D",
"filterType": "New or uncommon occurrence",
"arguments": {
"value": 90
},
"comparatorType": ">",
"trigger": {
"value": "100"
}
},
{
"cfid": 98653,
"id": "E",
"filterType": "Age of source",
"arguments": {
"value": 86400
},
"comparatorType": ">",
"trigger": {
"value": "476589"
}
},
{
"cfid": 98654,
"id": "d1",
"filterType": "Message",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "Compromise / Ransomware / Ransom or Offensive Words Written to SMB"
}
},
{
"cfid": 98655,
"id": "d2",
"filterType": "New or uncommon occurrence",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "100"
}
}
]
},
{
"time": 1654135309000,
"cbid": 1985,
"cid": 8573,
"chid": 13355,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": "A",
"operator": "AND",
"right": "B"
},
"version": "v0.1"
},
"metric": {
"mlid": 233,
"name": "dtmodelbreach",
"label": "Model"
},
"triggeredFilters": [
{
"cfid": 98640,
"id": "A",
"filterType": "Message",
"arguments": {
"value": "Additional Extension Appended to SMB File"
},
"comparatorType": "contains",
"trigger": {
"value": "Anomalous File / Internal / Additional Extension Appended to SMB File"
}
},
{
"cfid": 98641,
"id": "B",
"filterType": "New or uncommon occurrence",
"arguments": {
"value": 50
},
"comparatorType": ">",
"trigger": {
"value": "100"
}
},
{
"cfid": 98642,
"id": "d1",
"filterType": "Message",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "Anomalous File / Internal / Additional Extension Appended to SMB File"
}
},
{
"cfid": 98643,
"id": "d2",
"filterType": "New or uncommon occurrence",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "100"
}
}
]
}
],
"score": 1.0,
"device": {
"did": 33,
"macaddress": "06:c4:ct:ba:84:16",
"vendor": "",
"ip": "192.168.1.4",
"ips": [
{
"ip": "192.168.1.4",
"timems": 1658962800000,
"time": "2022-07-27 23:00:00",
"sid": 3
}
],
"sid": 3,
"hostname": "windowsdevice",
"firstSeen": 1653658719000,
"lastSeen": 1658962816000,
"devicelabel": "testing label",
"typename": "desktop",
"typelabel": "Desktop",
"credentials": [
"vagrant"
]
}
}

Darktrace AI Analyst Sample

{
"summariser": "SslC2Summary",
"acknowledged": false,
"pinned": true,
"createdAt": 1646162087464,
"attackPhases": [
2
],
"title": "Possible SSL Command and Control",
"id": "b8b97bae-76d5-4172-bdf2-3ac5e4ceb429",
"children": [
"b8b97bae-76d5-4172-bdf2-3bc5e3ceb429"
],
"category": null,
"currentGroup": null,
"groupCategory": null,
"groupScore": null,
"groupPreviousGroups": null,
"activityId": "da39a3ee",
"groupingIds": [
"9e6a55b6"
],
"groupByActivity": false,
"userTriggered": false,
"externalTriggered": false,
"aiaScore": 82.0,
"summary": "The device sample.windomain.local was observed making multiple SSL connections to the rare external endpoint rare.com, with the same SSL fingerprint (JA3 hash).\n\nMoreover, this device only used this fingerprint for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.",
"periods": [
{
"start": 1646158715797,
"end": 1646159346038
}
],
"breachDevices": [
{
"identifier": "sample.windomain.local",
"hostname": "sample.windomain.local",
"ip": "192.168.1.3",
"mac": "06:7b:81:5d:4b:5c",
"subnet": null,
"did": 18,
"sid": 3
}
],
"relatedBreaches": [
{
"modelName": "Device / Suspicious Domain",
"pbid": 1777,
"threatScore": 33.0,
"timestamp": 1646158351000
}
],
"details": [
[
{
"header": "Device Making Suspicious Connections",
"contents": [
{
"key": null,
"type": "device",
"values": [
{
"identifier": "sample.windomain.local",
"hostname": "sample.windomain.local",
"ip": "192.168.1.3",
"mac": "06:7b:81:5d:4b:5c",
"subnet": null,
"did": 18,
"sid": 3
}
]
},
{
"key": "Username observed prior to activity",
"type": "string",
"values": [
"vagrant"
]
},
{
"key": "Source of username",
"type": "string",
"values": [
"NTLM login"
]
},
{
"key": "Time observed",
"type": "timestamp",
"values": [
1646155963000
]
},
{
"key": "Event UID",
"type": "string",
"values": [
"COA5nI1DSlb9fHeUYg02"
]
}
]
}
],
[
{
"header": "Suspicious Application",
"contents": [
{
"key": "JA3 client hash",
"type": "string",
"values": [
"598872011444709327b861ae817a4b60"
]
}
]
},
{
"header": "Suspicious Endpoint Contacted by Application",
"contents": [
{
"key": "Time",
"type": "timestampRange",
"values": [
{
"start": 1646158715797,
"end": 1646159346038
}
]
},
{
"key": "Endpoint",
"type": "externalHost",
"values": [
{
"hostname": "rare.com",
"ip": null
}
]
},
{
"key": "Hostname rarity",
"type": "percentage",
"values": [
76.0
]
},
{
"key": "Hostname first observed",
"type": "timestamp",
"values": [
1646158293000
]
},
{
"key": "Most recent destination IP",
"type": "externalHost",
"values": [
{
"hostname": "104.18.3.114",
"ip": "104.18.3.114"
}
]
},
{
"key": "Most recent ASN",
"type": "string",
"values": [
"AS13335 CLOUDFLARENET"
]
},
{
"key": "Destination port",
"type": "integer",
"values": [
443
]
},
{
"key": "Connection count",
"type": "integer",
"values": [
22
]
},
{
"key": "Total data in",
"type": "dataVolume",
"values": [
29838
]
},
{
"key": "Total data out",
"type": "dataVolume",
"values": [
88768
]
},
{
"key": "Validation Status",
"type": "string",
"values": [
"Unknown"
]
},
{
"key": "Issuer",
"type": "string",
"values": [
"Unknown"
]
}
]
}
]
]
}
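The following Python is an added example, not Hunters or Darktrace code, showing how a collector can sort API events of the two kinds above into the ai-analyst and model-breaches prefixes and extract the fields an analyst triages on. The two events are constructed, trimmed from the samples above; the date-folder layout under each prefix and the one-file-per-event naming are assumptions, only the top-level prefix names come from this guide. AI Analyst events keep their related pbids so they can be correlated with the model-breach events shipped alongside them.

```python
"""Route Darktrace API events into per-data-type prefixes and summarise them for triage.

Added example, not Hunters or Darktrace code. Events are constructed, trimmed
from the page's samples. Only the prefixes ai-analyst/ and model-breaches/
come from the guide; the date folders and file names are an assumption.
"""
import json
from datetime import datetime, timezone
from pathlib import Path

MODEL_BREACH = {  # constructed, trimmed from the Model Breaches sample
    "pbid": 1959,
    "time": 1654135310000,
    "score": 1.0,
    "model": {"now": {"name": "Compromise::Ransomware::Suspicious SMB Activity",
                      "category": "Critical", "priority": 5}},
    "device": {"did": 33, "hostname": "windowsdevice", "ip": "192.168.1.4"},
}

AI_ANALYST = {  # constructed, trimmed from the AI Analyst sample
    "id": "b8b97bae-76d5-4172-bdf2-3ac5e4ceb429",
    "createdAt": 1646162087464,
    "title": "Possible SSL Command and Control",
    "summariser": "SslC2Summary",
    "aiaScore": 82.0,
    "breachDevices": [{"hostname": "sample.windomain.local", "ip": "192.168.1.3", "did": 18}],
    "relatedBreaches": [{"modelName": "Device / Suspicious Domain", "pbid": 1777,
                         "threatScore": 33.0, "timestamp": 1646158351000}],
}


def event_kind(event: dict) -> str:
    """Classify by fields only one of the two schemas carries; reject anything else."""
    if "pbid" in event and "model" in event:
        return "model-breaches"
    if "summariser" in event and "aiaScore" in event:
        return "ai-analyst"
    raise ValueError("not a Darktrace model breach or AI Analyst event")


def object_key(event: dict) -> str:
    """<prefix>/<YYYY>/<MM>/<DD>/<event id>.json (the date layout is an assumption)."""
    kind = event_kind(event)
    if kind == "model-breaches":
        ts_ms, ident = event["time"], str(event["pbid"])
    else:
        ts_ms, ident = event["createdAt"], event["id"]
    day = datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc)  # epoch milliseconds
    return f"{kind}/{day:%Y/%m/%d}/{ident}.json"


def triage_summary(event: dict) -> dict:
    """Fields an analyst looks at first; related pbids link an incident to its breaches."""
    kind = event_kind(event)
    if kind == "model-breaches":
        model = event["model"]["now"]  # 'now' is the model version at breach time
        dev = event["device"]
        return {
            "kind": kind,
            "id": event["pbid"],
            "name": model["name"],
            "severity": f'{model["category"]}/priority {model["priority"]}',
            "score": event["score"],
            "devices": [f'{dev["hostname"]} ({dev["ip"]})'],
            "related_pbids": [],
        }
    return {
        "kind": kind,
        "id": event["id"],
        "name": event["title"],
        "severity": event["summariser"],
        "score": event["aiaScore"],
        "devices": [f'{d["hostname"]} ({d["ip"]})' for d in event["breachDevices"]],
        "related_pbids": [b["pbid"] for b in event.get("relatedBreaches", [])],
    }


def write_batch(events: list, root) -> list:
    """Write each event as its own JSON object under the prefix layout; returns the keys."""
    keys = []
    for event in events:
        key = object_key(event)
        path = Path(root) / key
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(json.dumps(event, separators=(",", ":")))
        keys.append(key)
    return keys


if __name__ == "__main__":
    for ev in (MODEL_BREACH, AI_ANALYST):
        print(object_key(ev), json.dumps(triage_summary(ev)))
```

Classifying on schema-specific fields rather than on the source path means an event that lands in the wrong prefix, or a record that is neither type, is rejected instead of silently stored as the wrong data type.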

Syslog Integration

If Darktrace events are exported from your on-premises appliance to a syslog server, they can be shipped to Hunters via an S3 bucket.

Events should be written to the bucket under separate prefixes, one per data type (ai-analyst and model-breaches), in syslog-json format, as detailed in the following guide by Darktrace:

Darktrace syslog-json Guide

Configuring Syslog JSON Alerts

The process for configuring syslog-format alerts is identical across CEF, LEEF and JSON formats. Generic configuration guidance is provided below.

Syslog Alert Configuration Process

  1. Open the Threat Visualizer and navigate to the System Config page (Main menu › Admin). From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog. A window with four tabs will open: a Status tab that lists existing configurations per syslog server, and an individual tab for each syslog format. The Status tab may not be present if there are no existing configurations.

  2. If the instance is not a Unified View, proceed to Step 3. If the instance where configuration is being performed is a Darktrace Unified View instance, choose at the top of the page which Darktrace master instance will send alerts. If a subordinate master (submaster) is selected, that master will emit the alerts, but only alerts originating from itself. If the UV instance is selected, an additional field - Master - will appear further down the page. This field is used to control the source of alerts sent by the Unified View for this configuration.

  3. Syslog can be sent in one of three formats: CEF, LEEF or JSON. Select the corresponding tab for the desired format the alerts will be sent in. Existing configurations using that format will be listed by destination server.

  4. Scroll past any existing configurations and click New to set up forwarding Darktrace alerts to a new server via syslog.

  5. Enter the IP address of the syslog server in the Server field and optionally modify the communication port. Ensure that the port selected is allowed by any intermediary firewalls.

  6. If the instance is not a Unified View, proceed to Step 7. If the instance where configuration is being performed is a Darktrace Unified View instance, and the Unified View has been selected to send alerts from, an additional field - Master - will appear. This field is used to control the source of alerts sent by the Unified View for this configuration. If a submaster is selected, the UV will only send alerts from that submaster for this configuration. If “all” is selected, alerts sourced from all submasters will be sent. Select the appropriate source.

  7. Turn on Show Advanced Options. All options and settings are covered in Optional Filters and Settings. In the first section, configure any optional settings for connectivity (such as TCP-format alerting) and syslog message format. Please note that fields are read-only if configured globally.

  8. Turn on Send AI Analyst Alerts and configure alerting thresholds for AI Analyst events. Configure any optional filters and settings as described in Optional Filters and Settings, or leave the default options selected. Alerts will only be sent once the master Send Alerts toggle is turned on (Step 13).

  9. Turn on Send Model Breach Alerts and configure alerting thresholds for model breaches. Configure any optional filters and settings as described in Optional Filters and Settings, or leave the default options selected. Alerts will only be sent once the master Send Alerts toggle is turned on (Step 13).

  10. Turn on Send System Status Alerts and configure alerting thresholds for System Status Alerts. Configure any optional filters and settings as described in Optional Filters and Settings, or leave the default options selected. Alerts will only be sent once the master Send Alerts toggle is turned on (Step 13).

  11. Click Add to save the configuration and observe a confirmation message.

  12. Scroll to the top of the entry and click Verify alert settings to send a test alert to the specified Syslog server.

  13. Finally, turn on Send Alerts and save changes.

Expected Format - Syslog Integration

The following are examples of the expected events:

Darktrace model breaches syslog-json sample

{
"breachUrl": <URL>,
"commentCount": 0,
"creationTime": 1659398720000,
"device": {
"credentials": [<CREDS>],
"did": 123456,
"firstSeen": 1597644227000,
"hostname": <HOST>,
"ip": <IP>,
"ips": [
{
"ip": <IP>,
"sid": <SID>,
"time": "2022-08-02 00:00:00",
"timems": 1659398400000
}
],
"lastSeen": 1659398438000,
"macaddress": <MAC>,
"objecttype": "device",
"sid": <SID>,
"tags": [<TAGS>],
"typelabel": "Server",
"typename": "server",
"vendor": "VMware, Inc."
},
"mitreTechniques": [
{
"technique": "File and Directory Discovery Mitigation",
"techniqueID": "T1083"
},
{
"technique": "Lateral Tool Transfer",
"techniqueID": "T1570"
},
{
"technique": "SMB/Windows Admin Shares",
"techniqueID": "T1021.002"
},
{
"technique": "Taint Shared Content Mitigation",
"techniqueID": "T1080"
}
],
"model": {
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"active": true,
"activeTimes": {
"devices": {
<DEVICE>: [{}]
},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoSuppress": true,
"autoUpdatable": true,
"autoUpdate": true,
"behaviour": "decreasing",
"category": "Informational",
"compliance": true,
"created": {},
"defeats": [<DEFEATS>],
"delay": 0,
"description": <DESC>,
"edited": {},
"interval": 300,
"logic": {
"data": [<DATA>],
"targetScore": 1,
"type": "weightedComponentList",
"version": 1
},
"modified": "2022-06-30 10:58:06",
"name": "Compliance::SMB Drive Write",
"phid": <PHID>,
"pid": <PBID>,
"priority": 2,
"readOnly": true,
"sequenced": false,
"sharedEndpoints": true,
"tags": [<TAGS>],
"throttle": 3600,
"uuid": <UUID>,
"version": 35
},
"pbid": <PBID>,
"score": 0.443,
"time": 1659398709000,
"triggeredComponents": [<COMPONENTS>]
}

Darktrace AI Analyst syslog-json sample

{
"acknowledged": false,
"activityId": <ID>,
"aiaScore": 60,
"attackPhases": [
5
],
"breachDevices": [
{
"did": <DID>,
"hostname": <HOSTNAME>,
"identifier": <ID>,
"ip": <IP>,
"mac": <MAC>,
"sid": <SID>,
"subnet": <SUBNET>
}
],
"category": "suspicious",
"children": [
<CHILDREN_UUIDS>
],
"createdAt": 1659688285433,
"currentGroup": <CURRENT_GROUP>,
"details": [<DETAILS>],
"externalTriggered": false,
"groupByActivity": false,
"groupCategory": "suspicious",
"groupPreviousGroups": [],
"groupScore": 9.242343145200191,
"groupingIds": [<IDS>],
"id": <ID>,
"incidentEventUrl": <URL>,
"periods": [
{
"end": 1659688176525,
"start": 1659686819429
}
],
"pinned": false,
"relatedBreaches": [
{
"modelName": <NAME>,
"pbid": <PBID>,
"threatScore": <SCORE>,
"timestamp": <EPOCH>
}
],
"summariser": "LateralMovementCrawler",
"summary": <SUMMARY>,
"userTriggered": false
}

Darktrace Audit Logs syslog-json sample

Nov 14 22:11:15 us-11111-01.cloud.darktrace.com darktrace_audit {"username":"admin","method":"POST","endpoint":"/login","ip":"40.30.20.10","status":302,"description":"Partial login successful"}

Nov 14 22:11:15 us-11111-01.cloud.darktrace.com darktrace_audit {"username":"john","method":"POST","endpoint":"/systemconfig/modules/v1.0/config","ip":"40.30.20.10","status":200,"description":"A change was made on the System Config page"}
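The audit lines above carry a syslog header followed by a JSON object, so a collector has to split the two before the JSON can be indexed. The Python below is an added example, not Hunters or Darktrace code: it parses lines of that shape, keeps the appliance hostname from the syslog header, and counts the two event classes a SOC usually watches in this feed, logins and System Config changes. The sample lines are constructed after the two samples above (with the closing quote repaired so the payload is valid JSON), plus one deliberately malformed line; the rule that a config change is a POST/PUT/DELETE under /systemconfig is an assumption.

```python
"""Parse Darktrace audit-log lines in syslog-json form and classify them.

Added example, not Hunters or Darktrace code. Sample lines are constructed
after the page's audit samples; the classification rules are an assumption.
"""
import json
import re
from typing import Optional

# "<Mon dd HH:MM:SS> <appliance host> darktrace_audit <json object>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) darktrace_audit (?P<payload>\{.*\})$"
)

SAMPLE_LINES = [  # constructed after the page's samples; third line is deliberately broken
    'Nov 14 22:11:15 us-11111-01.cloud.darktrace.com darktrace_audit '
    '{"username":"admin","method":"POST","endpoint":"/login","ip":"40.30.20.10",'
    '"status":302,"description":"Partial login successful"}',
    'Nov 14 22:11:15 us-11111-01.cloud.darktrace.com darktrace_audit '
    '{"username":"john","method":"POST","endpoint":"/systemconfig/modules/v1.0/config",'
    '"ip":"40.30.20.10","status":200,"description":"A change was made on the System Config page"}',
    "Nov 14 22:11:16 us-11111-01.cloud.darktrace.com darktrace_audit not json at all",
]


def parse_audit_line(line: str) -> Optional[dict]:
    """Merge the syslog header fields with the JSON payload.

    Returns None for a line that is not a well-formed darktrace_audit record so the
    caller can count it; a silently dropped audit line is itself worth noticing.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        payload = json.loads(m.group("payload"))
    except json.JSONDecodeError:
        return None
    return {"syslog_time": m.group("ts"), "appliance": m.group("host"), **payload}


def classify(record: dict) -> str:
    """'config_change' for writes under /systemconfig, 'login' for /login, else 'other'."""
    endpoint = record.get("endpoint", "")
    method = record.get("method", "")
    if endpoint.startswith("/systemconfig") and method in {"POST", "PUT", "DELETE"}:
        return "config_change"
    if endpoint == "/login":
        return "login"
    return "other"


def summarise(lines: list) -> dict:
    """Counts per class, plus who changed the configuration, from where, and what."""
    counts = {"config_change": 0, "login": 0, "other": 0, "unparsed": 0}
    changers = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "config_change":
            changers.append((rec["username"], rec["ip"], rec["endpoint"]))
    return {"counts": counts, "config_changers": changers}


if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE_LINES), indent=2))
```

Keeping the appliance hostname from the syslog header matters when several masters forward into the same bucket: the JSON payload alone does not say which appliance the configuration change was made on.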