Darktrace

integrations network Darktrace

The following instructions are for configuring Darktrace to facilitate log ingestion into Secureworks® Taegis™ XDR.

Connectivity Requirements ⫘

Source	Destination	Port/Protocol
Darktrace	Taegis™ XDR Collector (mgmt IP)	TCP/601

Data Provided from Integration ⫘

	Antivirus	Auth	DHCP	DNS	Email	Encrypt	Filemod	HTTP	Management	Netflow	NIDS	Process	Thirdparty
Darktrace													V

Y = Normalized | D = Out-of-the-Box Detections | V = Vendor-Specific Detections

Configure the Darktrace Platform ⫘

To configure syslog forwarding in Darktrace, follow these steps:

1. Log in to the Darktrace Portal.
2. Within the Threat Visualizer, navigate to Admin > System Config.
3. From the left-hand menu, select Modules and choose Syslog from the available Workflow Integrations.
4. In the configuration window, select Syslog JSON and click New to open the configuration settings.
5. Set the JSON Syslog Alerts field to true.
6. In the JSON Syslog Server field, specify the IP address of the XDR Collector.
7. In the JSON Syslog Server Port field, specify 601.
8. Set the JSON Syslog TCP Alerts field to true.

Example Query Language Searches ⫘

To search for thirdparty events from the last 24 hours:

FROM thirdparty WHERE sensor_type = 'DARKTRACE_SYSLOG' and EARLIEST=-24h

To search for thirdparty events with a source IP address of 10.1.1.10 :

FROM thirdparty WHERE sensor_type = 'DARKTRACE_SYSLOG' and source_address = '10.1.1.10'

To search for thirdparty "Unusual Activity" events:

FROM thirdparty WHERE sensor_type='DARKTRACE_SYSLOG' AND summary contains 'Unusual Activity::'

Event Details ⫘

Darktrace Event Details

Sample Logs ⫘

Alert ⫘

{"creationTime":1597314595000,"breachUrl":"https://dt.corp.internal/#modelbreach/99104","commentCount":0,"pbid":99104,"time":15972312590000,"model":{"name":"Anomalous File::Internal::Additional Extension Appended to SMB File","pid":6,"phid":1757,"uuid":"e9f0ca2b-fac5-abc3-b5e4-a0e70f0ff024","logic":{"data":[{"cid":3647,"weight":1},{"cid":3646,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":3600,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["AP: Lateral Movement","AP: Exploit"],"interval":3600,"sequenced":false,"active":true,"modified":"2020-02-11 11:12:02","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"priority":4,"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device is renaming files on a network share with an additional extension - for example file.doc to file.doc.crypted. This activity is commonly seen during ransomware encryption events.\\n\\nAction: Review the breach log and the device's event log to review the files being renamed and look for any suspicious file extensions being added.","behaviour":"decreasing","defeats":[],"created":{"by":"Unknown"},"edited":{"by":"System"},"version":48},"triggeredComponents":[{"time":1593214589000,"cbid":113208,"cid":3647,"chid":5349,"size":6,"threshold":5,"interval":300,"logic":{"data":{"left":"A","operator":"AND","right":{"left":"B","operator":"AND","right":"C"}},"version":"v0.1"},"metric":{"mlid":296,"name":"smbmovesuccess","label":"SMB Move Success"},"triggeredFilters":[{"cfid":34511,"id":"d3","filterType":"Unusual SMB usage","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":34512,"id":"d2","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"share=\\\\COMPANYSERVER\\DOCS file=Store\\PAS\\SALES_FORECAST.doc rename=Store\\PAS\\SALES_FORECAST.dat version=smb2"}},{"cfid":34513,"id":"d1","filterType":"Internal destination device name","arguments":{},"comparatorType":"display","trigger":{"value":"corpfs01.corp.internal"}},{"cfid":34514,"id":"C","filterType":"Message","arguments":{"value":"\\fstmp\\"},"comparatorType":"does not contain","trigger":{"value":"share=\\\\COMPANYSERVER\\DOCS file=Store\\PAS\\SALES_FORECAST.doc rename=Store\\PAS\\SALES_FORECAST.dat version=smb2"}},{"cfid":34515,"id":"B","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":34516,"id":"A","filterType":"Message","arguments":{"value":"/.*file=(.*)\\srename=\\1\\.(?!([^\\s]*\\.)?(~PSTMP|bak|_01_|sent|pslock|cvr|00|backup|old|tmp|delete|del\\d{0,3}|fnb\\d{5}|sb-[[:xdigit:]]{8}-[[:alnum:]]{6}(?:\\\\[A-F0-9]{8})?|wrk[0-9]*|utbak|tmp[0-9]*|tftp|saf|_rq|reada_processing|old[0-9]*|mssdel|in_dev|PROCESSING|20[12][0-9-]{5,}|done|orig|bak5[0-9a-z]{7}|SPCDL_Processing|PendingOverwrite|DeletePending|ii|IFP|processed)(\\s.*|$))[^\\s]+(\\sversion.*|$)/i"},"comparatorType":"matches regular expression","trigger":{"value":"share=\\\\COMPANYSERVER\\DOCS file=Store\\PAS\\SALES_FORECAST.doc rename=Store\\PAS\\SALES_FORECAST.dat version=smb2"}}]}],"score":0.809,"device":{"did":18752,"macaddress":"00:01:02:aa:bb:cc","vendor":"Dell Inc.","ip":"10.1.2.3","ips":[{"ip":"10.1.2.3","timems":1591048400000,"time":"2020-08-12 05:00:00","sid":350}],"sid":350,"hostname":"bobs-palm-pilot.corp.internal","firstSeen":1581315366000,"lastSeen":1595210105000,"typename":"laptop","typelabel":"Laptop","credentials":["bob"],"tags":[{"tid":21,"expiry":0,"thid":44,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true}]}}

AI Analyst ⫘

{"userTriggered":false,"relatedBreaches":[{"modelName":"Compromise / Fast Beaconing to DGA","pbid":83856,"timestamp":1647581599000,"threatScore":69}],"summariser":"HttpAgentSummary","details":[[{"contents":[{"key":"Source device","values":[{"mac":"00:23:63:aa:bb:cc","did":3333,"ip":"172.16.1.25","subnet":"Allen","identifier":null,"sid":35,"hostname":null}],"type":"device"}],"header":"Device Making Suspicious Connections"}],[{"contents":[{"key":"User agent","values":["Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5"],"type":"string"}],"header":"Suspicious Application"},{"contents":[{"key":"Time","values":[{"start":1646660731572,"end":1647584551989}],"type":"timestampRange"},{"key":"Hostname","values":[{"ip":null,"hostname":"host.domain.com"}],"type":"externalHost"},{"key":"Hostname rarity","values":[100],"type":"percentage"},{"key":"Hostname first observed","values":[1572162214000],"type":"timestamp"},{"key":"Most recent destination IP","values":[{"ip":"1.2.3.4","hostname":"1.2.3.4"}],"type":"externalHost"},{"key":"Most recent ASN","values":["AS12309 BNBAPO-02"],"type":"string"},{"key":"Total connections","values":[8174],"type":"integer"},{"key":"URI","values":["/uqot/aqoy.php?cmd=reg_server&uid=MZXSD353R66RB3AE111A"],"type":"string"},{"key":"Port","values":[80],"type":"integer"},{"key":"HTTP method","values":["GET"],"type":"string"},{"key":"Status codes","values":["200","504"],"type":"string"}],"header":"Suspicious Endpoints Contacted by Application"}]],"aiaScore":59.42524877702945,"children":["bc9ee386-33ec-4061-b923-964dca2e5190"],"externalTriggered":false,"groupByActivity":false,"attackPhases":[2],"summary":"The device 172.16.1.25 was observed making multiple HTTP connections to the rare external endpoint host.domain.com, with the same user agent string.\n\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.","acknowledged":false,"activityId":"cd604490","breachDevices":[{"mac":"00:23:63:aa:bb:cc","did":3333,"ip":"172.16.1.25","subnet":"Allen","identifier":null,"sid":35,"hostname":null}],"id":"bc9ee386-33ec-4061-b923-964dca2e5190","title":"Possible HTTP Command and Control","groupingIds":["f56d6351"],"pinned":false,"periods":[{"start":1646660731572,"end":1647584551989}]}