Overview

Darktrace empowers defenders to reduce risk and minimize cyber disruption. Its Self-Learning AI technology develops a deep and evolving understanding of your bespoke organization, allowing it to prevent, detect, and respond to unpredictable cyber-attacks across the entire digital environment – from cloud and email to endpoints and OT networks.

Integrating Darktrace with Hunters allows Darktrace alerts and incidents to be triaged in the Hunters console, and further investigated and correlated with related threats.

Supported data types

  • Darktrace Model Breaches - alerts raised by Darktrace when a model is breached.

  • Darktrace AI Analyst - incidents raised by Darktrace AI Analyst.

Sending data to Hunters

API Integration

Hunters supports API collection of Darktrace events. To enable it, supply the following API credentials in the Hunters platform:

  • Domain

  • Public Token

  • Private Token

To obtain the tokens, follow the steps shown in the picture below:

Expected Format

If Darktrace events are already being collected in your environment, they can be shipped to Hunters via shared blob storage such as AWS S3. The expected event format is:

Darktrace Model Breaches Sample

{
"commentCount": 0,
"pbid": 1959,
"time": 1654135310000,
"creationTime": 1654135318000,
"model": {
"then": {
"name": "Compromise::Ransomware::Suspicious SMB Activity",
"pid": 511,
"phid": 4356,
"uuid": "22218471-4b8a-4523-86ef-49a25f6665ff",
"logic": {
"data": [
{
"cid": 8580,
"weight": 3
},
{
"cid": 8573,
"weight": 3
},
{
"cid": 8575,
"weight": 3
},
{
"cid": 8576,
"weight": 3
},
{
"cid": 8578,
"weight": 3
},
{
"cid": 8577,
"weight": 1
},
{
"cid": 8574,
"weight": 4
},
{
"cid": 8579,
"weight": 4
},
{
"cid": 8572,
"weight": 4
}
],
"targetScore": 4,
"type": "weightedComponentList",
"version": 1
},
"throttle": 21600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"Enhanced Monitoring",
"OT Engineer"
],
"interval": 21600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2021-10-02 15:32:20",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "A device has significantly changed its SMB behavior. The device has begun reading and writing similar volumes of data to remote file shares, alongside sustained file MIME type conversion (e.g. text, image, application, etc.). This is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"version": 41,
"priority": 5,
"category": "Critical",
"compliance": false
},
"now": {
"name": "Compromise::Ransomware::Suspicious SMB Activity",
"pid": 511,
"phid": 7030,
"uuid": "22218471-4b8a-4523-86ef-49a25f6665ff",
"logic": {
"data": [
{
"cid": 13654,
"weight": 3
},
{
"cid": 13651,
"weight": 3
},
{
"cid": 13657,
"weight": 3
},
{
"cid": 13659,
"weight": 3
},
{
"cid": 13653,
"weight": 3
},
{
"cid": 13658,
"weight": 1
},
{
"cid": 13655,
"weight": 4
},
{
"cid": 13652,
"weight": 4
},
{
"cid": 13656,
"weight": 4
}
],
"targetScore": 4,
"type": "weightedComponentList",
"version": 1
},
"throttle": 21600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"Enhanced Monitoring",
"OT Engineer"
],
"interval": 21600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2022-07-14 20:01:13",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "A device has significantly changed its SMB behavior. Examples include reading and writing similar volumes of data to remote file shares, sustained file MIME type conversion, appending files with additional extensions, possible ransom words detected in SMB activity or unusual external connectivity (e.g. DNS requests for Tor domains or possible callback events).\n\nSuch unusual SMB activity is commonly seen during ransomware attacks when the device reads files then overwrites them with an encrypted version. In the event of unusual SMB activity seen alongside external connectivity, the device could be involved in malware command and control as well as ransomware payments.\n\nAction: Look at file writes from this device to identify the cause of this activity. Suspicious file extensions are a common indicator of ransomware.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"message": "Updated model description",
"version": 43,
"priority": 5,
"category": "Critical",
"compliance": false
}
},
"triggeredComponents": [
{
"time": 1654135309000,
"cbid": 1984,
"cid": 8575,
"chid": 13357,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": {
"left": "A",
"operator": "AND",
"right": "C"
},
"operator": "OR",
"right": {
"left": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": "E"
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "D",
"operator": "AND",
"right": "F"
},
"operator": "OR",
"right": {
"left": "D",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": "G"
}
}
}
}
},
"version": "v0.1"
},
"metric": {
"mlid": 233,
"name": "dtmodelbreach",
"label": "Model"
},
"triggeredFilters": [
{
"cfid": 98649,
"id": "A",
"filterType": "Message",
"arguments": {
"value": "Ransom or Offensive Words Written to SMB"
},
"comparatorType": "contains",
"trigger": {
"value": "Compromise / Ransomware / Ransom or Offensive Words Written to SMB"
}
},
{
"cfid": 98651,
"id": "C",
"filterType": "New or uncommon occurrence",
"arguments": {
"value": 50
},
"comparatorType": ">",
"trigger": {
"value": "100"
}
},
{
"cfid": 98652,
"id": "D",
"filterType": "New or uncommon occurrence",
"arguments": {
"value": 90
},
"comparatorType": ">",
"trigger": {
"value": "100"
}
},
{
"cfid": 98653,
"id": "E",
"filterType": "Age of source",
"arguments": {
"value": 86400
},
"comparatorType": ">",
"trigger": {
"value": "476589"
}
},
{
"cfid": 98654,
"id": "d1",
"filterType": "Message",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "Compromise / Ransomware / Ransom or Offensive Words Written to SMB"
}
},
{
"cfid": 98655,
"id": "d2",
"filterType": "New or uncommon occurrence",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "100"
}
}
]
},
{
"time": 1654135309000,
"cbid": 1985,
"cid": 8573,
"chid": 13355,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": "A",
"operator": "AND",
"right": "B"
},
"version": "v0.1"
},
"metric": {
"mlid": 233,
"name": "dtmodelbreach",
"label": "Model"
},
"triggeredFilters": [
{
"cfid": 98640,
"id": "A",
"filterType": "Message",
"arguments": {
"value": "Additional Extension Appended to SMB File"
},
"comparatorType": "contains",
"trigger": {
"value": "Anomalous File / Internal / Additional Extension Appended to SMB File"
}
},
{
"cfid": 98641,
"id": "B",
"filterType": "New or uncommon occurrence",
"arguments": {
"value": 50
},
"comparatorType": ">",
"trigger": {
"value": "100"
}
},
{
"cfid": 98642,
"id": "d1",
"filterType": "Message",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "Anomalous File / Internal / Additional Extension Appended to SMB File"
}
},
{
"cfid": 98643,
"id": "d2",
"filterType": "New or uncommon occurrence",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "100"
}
}
]
}
],
"score": 1.0,
"device": {
"did": 33,
"macaddress": "06:c4:ct:ba:84:16",
"vendor": "",
"ip": "192.168.1.4",
"ips": [
{
"ip": "192.168.1.4",
"timems": 1658962800000,
"time": "2022-07-27 23:00:00",
"sid": 3
}
],
"sid": 3,
"hostname": "windowsdevice",
"firstSeen": 1653658719000,
"lastSeen": 1658962816000,
"devicelabel": "testing label",
"typename": "desktop",
"typelabel": "Desktop",
"credentials": [
"vagrant"
]
}
}

Darktrace AI Analyst Sample

{
"summariser": "SslC2Summary",
"acknowledged": false,
"pinned": true,
"createdAt": 1646162087464,
"attackPhases": [
2
],
"title": "Possible SSL Command and Control",
"id": "b8b97bae-76d5-4172-bdf2-3ac5e4ceb429",
"children": [
"b8b97bae-76d5-4172-bdf2-3bc5e3ceb429"
],
"category": null,
"currentGroup": null,
"groupCategory": null,
"groupScore": null,
"groupPreviousGroups": null,
"activityId": "da39a3ee",
"groupingIds": [
"9e6a55b6"
],
"groupByActivity": false,
"userTriggered": false,
"externalTriggered": false,
"aiaScore": 82.0,
"summary": "The device sample.windomain.local was observed making multiple SSL connections to the rare external endpoint rare.com, with the same SSL fingerprint (JA3 hash).\n\nMoreover, this device only used this fingerprint for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.",
"periods": [
{
"start": 1646158715797,
"end": 1646159346038
}
],
"breachDevices": [
{
"identifier": "sample.windomain.local",
"hostname": "sample.windomain.local",
"ip": "192.168.1.3",
"mac": "06:7b:81:5d:4b:5c",
"subnet": null,
"did": 18,
"sid": 3
}
],
"relatedBreaches": [
{
"modelName": "Device / Suspicious Domain",
"pbid": 1777,
"threatScore": 33.0,
"timestamp": 1646158351000
}
],
"details": [
[
{
"header": "Device Making Suspicious Connections",
"contents": [
{
"key": null,
"type": "device",
"values": [
{
"identifier": "sample.windomain.local",
"hostname": "sample.windomain.local",
"ip": "192.168.1.3",
"mac": "06:7b:81:5d:4b:5c",
"subnet": null,
"did": 18,
"sid": 3
}
]
},
{
"key": "Username observed prior to activity",
"type": "string",
"values": [
"vagrant"
]
},
{
"key": "Source of username",
"type": "string",
"values": [
"NTLM login"
]
},
{
"key": "Time observed",
"type": "timestamp",
"values": [
1646155963000
]
},
{
"key": "Event UID",
"type": "string",
"values": [
"COA5nI1DSlb9fHeUYg02"
]
}
]
}
],
[
{
"header": "Suspicious Application",
"contents": [
{
"key": "JA3 client hash",
"type": "string",
"values": [
"598872011444709327b861ae817a4b60"
]
}
]
},
{
"header": "Suspicious Endpoint Contacted by Application",
"contents": [
{
"key": "Time",
"type": "timestampRange",
"values": [
{
"start": 1646158715797,
"end": 1646159346038
}
]
},
{
"key": "Endpoint",
"type": "externalHost",
"values": [
{
"hostname": "rare.com",
"ip": null
}
]
},
{
"key": "Hostname rarity",
"type": "percentage",
"values": [
76.0
]
},
{
"key": "Hostname first observed",
"type": "timestamp",
"values": [
1646158293000
]
},
{
"key": "Most recent destination IP",
"type": "externalHost",
"values": [
{
"hostname": "104.18.3.114",
"ip": "104.18.3.114"
}
]
},
{
"key": "Most recent ASN",
"type": "string",
"values": [
"AS13335 CLOUDFLARENET"
]
},
{
"key": "Destination port",
"type": "integer",
"values": [
443
]
},
{
"key": "Connection count",
"type": "integer",
"values": [
22
]
},
{
"key": "Total data in",
"type": "dataVolume",
"values": [
29838
]
},
{
"key": "Total data out",
"type": "dataVolume",
"values": [
88768
]
},
{
"key": "Validation Status",
"type": "string",
"values": [
"Unknown"
]
},
{
"key": "Issuer",
"type": "string",
"values": [
"Unknown"
]
}
]
}
]
]
}