Skip to content

Darktrace Threat Visualizer

Overview

Darktrace monitors all people and digital assets across your entire ecosystem.

  • Vendor: Darktrace
  • Supported environment: Cloud and On Premise versions 6.1 or above
  • Detection based on: Alert, Telemetry
  • Supported application or feature: Darktrace Threat Visualizer

Specification

Prerequisites

For On Premise version: - Resource: - Self-managed syslog forwarder - Network: - Outbound traffic allowed - Permissions: - Administrator privileges on the Darktrace appliance - Root access to the Linux server with the syslog forwarder

For Cloud version, only an dministrator privileges on the Darktrace appliance is mandatory.

Transport Protocol/Method

  • Direct HTTP for Cloud
  • Indirect syslog for On Premise

Logs details

  • Supported functionalities: See section Overview
  • Supported type(s) of structure: JSON
  • Supported verbosity level: Informational, Alert

Note

Log levels are based on the taxonomy of RFC5424. Adapt according to the terminology used by the editor.

Step-by-Step Configuration Procedure

This setup guide describes how to forward logs from Darktrace Threat visualizer to Sekoia.io.

Instruction on Sekoia

Configure Your Intake

This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.

  1. Go to the Sekoia Intake page.
  2. Click on the + New Intake button at the top right of the page.
  3. Search for your Intake by the product name in the search bar.
  4. Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
  5. Click on Create.

Note

For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.

For Cloud verion only

Configure Your Playbook

This section will assist you in pulling remote logs from Sekoia and sending them to the intake you previously created.

  1. Go to the Sekoia playbook page.
  2. Click on the + New playbook button at the top right of the page.
  3. Select Create a playbook from scratch, and click Next.
  4. Give it a Name and a Description, and click Next.
  5. Choose a trigger from the list by searching for the name of the product, and click Create.
  6. A new Playbook page will be displayed. Click on the module in the center of the page, then click on the Configure icon.
  7. On the right panel, click on the Configuration tab.
  8. Select an existing Trigger Configuration (from the account menu) or create a new one by clicking on + Create new configuration.
  9. Configure the Trigger based on the Actions Library (for instance, see here for AWS modules), then click Save.
  10. Click on Save at the top right of the playbook page.
  11. Activate the playbook by clicking on the "On / Off" toggle button at the top right corner of the page.

Instructions on the 3rd party solution

For Cloud verion - Acquire your public and private key

As a prerequisite, you need a Darktrace Threat Visualizer API tenant url.

See the Darktrace documentation for intructions to acquire your public and private key.

For On Premise verion - Send logs to a syslog server

  1. Open the Threat Visualizer and navigate to the System Config page (Main menu › Admin).
  2. From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog. A window with four tabs will open, a Status tab that lists existing configurations per-Syslog server and an individual tab for each Syslog format. The Status tab may not be present if there are no existing configurations.
  3. If the instance is not a Unified View, proceed to Step 3.
  4. If the instance where configuration is being performed is a Darktrace Unified View instance, choose which Darktrace master instance will send alerts at the top of the page.
  5. If a a subordinate master (submaster) is selected, the master will be the instance to emit alerts but will only generate alerts originating from itself.
  6. If the UV instance is selected, an additional field - Master - will appear further down the page. This field is used to control the source of alerts sent by the Unified View for this configuration.
  7. Syslog MUST be sent in JSON format.
  8. Scroll past any existing configurations and click New to set up forwarding Darktrace alerts to a new server via syslog.
  9. Enter the IP address of the syslog server in the Server field and optionally modify the communication port.
  10. If the instance is not a Unified View, proceed to Step 7.
  11. If the instance where configuration is being performed is a Darktrace Unified View instance, and the Unified View has been selected to send alerts from, an additional field - Master - will appear. This field is used to control the source of alerts sent by the Unified View for this configuration.
  12. If a submaster is selected, the UV will only send alerts from that submaster for this configuration.
  13. If “all” is selected, alerts sourced from all submasters will be sent.
  14. Select the appropriate source.
  15. Turn on Show Advanced Options. All options and settings are covered in Optional Filters and Settings.
  16. Select TCP-format alerting setting
  17. Select which alert types should be sent via Syslog. Alerts will not be sent until the master Send Alerts toggle is turned on.
  18. Within the same configuration, click Add to save the changes. Observe a confirmation message.
  19. Scroll to the top of the entry and click Verify alert settings to send a test alert to the specified Syslog server.
  20. Finally, turn on Send Alerts and save changes.

Configure a forwarder

To forward events using syslog to Sekoia.io, you need to update the syslog header with the intake key you previously created. Here is an example of your message before the forwarder

<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG RAW_MESSAGE
and after
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE

To achieve this you can:

  • Use the Sekoia.io forwarder which is the official supported way to collect data using the syslog protocol in Sekoia.io. In charge of centralizing data coming from many equipments/sources and forwarding them to Sekoia.io with the apporpriated format, it is a prepackaged option. You only have to provide your intake key as parameter.
  • Use your own Syslog service instance. Maybe you already have an intance of one of these components on your side and want to reuse it in order to centralize data before forwarding them to Sekoia.io. When using this mode, you have to configure and maintain your component in order to respect the expected Sekoia.io format.

Warning

Only the Sekoia.io forwarder is officially supported. Other options are documented for reference purposes but do not have official support.

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "summariser": "HttpAgentSummary",
    "acknowledged": false,
    "pinned": false,
    "createdAt": 1697334832520,
    "attackPhases": [
        2
    ],
    "mitreTactics": [
        "command-and-control"
    ],
    "title": "Possible HTTP Command and Control",
    "id": "a400af0f-a297-478c-8fc6-c778a9558183",
    "children": [
        "a400af0f-a297-478c-8fc6-c778a9558183"
    ],
    "category": "critical",
    "currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
    "groupCategory": "suspicious",
    "groupScore": 2.449186624037094,
    "groupPreviousGroups": [],
    "activityId": "da39a3ee",
    "groupingIds": [
        "511a418e"
    ],
    "groupByActivity": false,
    "userTriggered": false,
    "externalTriggered": false,
    "aiaScore": 55.52733790170975,
    "summary": "The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\n\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.",
    "periods": [
        {
            "start": 1697334679535,
            "end": 1697334713852
        }
    ],
    "breachDevices": [
        {
            "identifier": null,
            "hostname": null,
            "ip": "10.0.0.#36859",
            "mac": null,
            "subnet": null,
            "did": 62,
            "sid": 25
        }
    ],
    "relatedBreaches": [
        {
            "modelName": "Device / New User Agent",
            "pbid": 34952,
            "threatScore": 31.0,
            "timestamp": 1697334680000
        }
    ],
    "details": [
        [
            {
                "header": "Device Making Suspicious Connections",
                "contents": [
                    {
                        "key": null,
                        "type": "device",
                        "values": [
                            {
                                "identifier": null,
                                "hostname": null,
                                "ip": "10.0.0.#36859",
                                "mac": null,
                                "subnet": null,
                                "did": 62,
                                "sid": 25
                            }
                        ]
                    }
                ]
            }
        ],
        [
            {
                "header": "Suspicious Application",
                "contents": [
                    {
                        "key": "User agent",
                        "type": "string",
                        "values": [
                            "python-requests/2.25.1"
                        ]
                    }
                ]
            },
            {
                "header": "Suspicious Endpoints Contacted by Application",
                "contents": [
                    {
                        "key": "Time",
                        "type": "timestampRange",
                        "values": [
                            {
                                "start": 1697334679535,
                                "end": 1697334713852
                            }
                        ]
                    },
                    {
                        "key": "Hostname",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "themoneyfix.org",
                                "ip": null
                            }
                        ]
                    },
                    {
                        "key": "Hostname rarity",
                        "type": "percentage",
                        "values": [
                            100.0
                        ]
                    },
                    {
                        "key": "Hostname first observed",
                        "type": "timestamp",
                        "values": [
                            1697334687000
                        ]
                    },
                    {
                        "key": "Most recent destination IP",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "45.56.79.23",
                                "ip": "45.56.79.23"
                            }
                        ]
                    },
                    {
                        "key": "Most recent ASN",
                        "type": "string",
                        "values": [
                            "AS63949 Akamai Connected Cloud"
                        ]
                    },
                    {
                        "key": "Total connections",
                        "type": "integer",
                        "values": [
                            2
                        ]
                    },
                    {
                        "key": "URI",
                        "type": "string",
                        "values": [
                            "/login/username=adriano.lamo&password=il0v3cH33s3"
                        ]
                    },
                    {
                        "key": "Port",
                        "type": "integer",
                        "values": [
                            80
                        ]
                    },
                    {
                        "key": "HTTP method",
                        "type": "string",
                        "values": [
                            "GET"
                        ]
                    },
                    {
                        "key": "Status code",
                        "type": "string",
                        "values": [
                            "200"
                        ]
                    }
                ]
            }
        ]
    ],
    "log_type": "aianalyst/incidentevents"
}
{
    "summariser": "SaasHijackSummary",
    "acknowledged": false,
    "pinned": false,
    "createdAt": 1730023348884,
    "attackPhases": [
        3
    ],
    "mitreTactics": [
        "privilege-escalation"
    ],
    "title": "Possible Hijack of Zoom Account",
    "id": "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
    "children": [
        "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b"
    ],
    "category": "critical",
    "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
    "groupCategory": "critical",
    "groupScore": 21.063004966718992,
    "groupPreviousGroups": [],
    "activityId": "da39a3ee",
    "groupingIds": [
        "3d2a2fc6"
    ],
    "groupByActivity": false,
    "userTriggered": false,
    "externalTriggered": false,
    "aiaScore": 93.67343783378601,
    "summary": "The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\n\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\n\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\n\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.",
    "periods": [
        {
            "start": 1730023230000,
            "end": 1730023230000
        }
    ],
    "sender": null,
    "breachDevices": [
        {
            "identifier": "SaaS::Zoom: john.doe@example.com",
            "hostname": "SaaS::Zoom: john.doe@example.com",
            "ip": null,
            "mac": null,
            "subnet": null,
            "did": 3820,
            "sid": -9
        }
    ],
    "relatedBreaches": [
        {
            "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use",
            "pbid": 46769,
            "threatScore": 63.0,
            "timestamp": 1730023232000
        }
    ],
    "details": [
        [
            {
                "header": "SaaS User Details",
                "contents": [
                    {
                        "key": "SaaS account",
                        "type": "device",
                        "values": [
                            {
                                "identifier": "SaaS::Zoom: john.doe@example.com",
                                "hostname": "SaaS::Zoom: john.doe@example.com",
                                "ip": null,
                                "mac": null,
                                "subnet": null,
                                "did": 3820,
                                "sid": -9
                            }
                        ]
                    },
                    {
                        "key": "Actor",
                        "type": "string",
                        "values": [
                            "john.doe@example.com"
                        ]
                    }
                ]
            }
        ],
        [
            {
                "header": "Agent Carrying out Suspicious Activity",
                "contents": [
                    {
                        "key": "Source IP",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "1.2.3.4",
                                "ip": "1.2.3.4"
                            }
                        ]
                    },
                    {
                        "key": "ASN",
                        "type": "string",
                        "values": [
                            "AS2119 Telenor Norge AS"
                        ]
                    },
                    {
                        "key": "City",
                        "type": "string",
                        "values": [
                            "Stockholm"
                        ]
                    },
                    {
                        "key": "Country",
                        "type": "string",
                        "values": [
                            "Sweden"
                        ]
                    }
                ]
            },
            {
                "header": "Summary of Activity",
                "contents": [
                    {
                        "key": "Time",
                        "type": "timestampRange",
                        "values": [
                            {
                                "start": 1730023230000,
                                "end": 1730023230000
                            }
                        ]
                    },
                    {
                        "key": "Suspicious properties",
                        "type": "string",
                        "values": [
                            "Unusual time for activity",
                            "Unusual external source for activity"
                        ]
                    }
                ]
            },
            {
                "header": "Activity Details",
                "contents": [
                    {
                        "key": "Event",
                        "type": "string",
                        "values": [
                            "Sign in"
                        ]
                    },
                    {
                        "key": "Number of events",
                        "type": "integer",
                        "values": [
                            1
                        ]
                    }
                ]
            }
        ]
    ],
    "log_type": "aianalyst/incidentevents"
}
{
    "summariser": "SaasBruteforceSummary",
    "acknowledged": false,
    "pinned": false,
    "createdAt": 1708649003457,
    "attackPhases": [
        2,
        4
    ],
    "mitreTactics": [
        "credential-access"
    ],
    "title": "Possible Distributed Bruteforce of AzureActiveDirectory Account",
    "id": "dc5f69a5-ee78-4702-a999-ed64a9e873dc",
    "incidentEventUrl": "https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc",
    "children": [
        "dc5f69a5-ee78-4702-a999-ed64a9e873dc"
    ],
    "category": "suspicious",
    "currentGroup": "g7bd28910-7d7d-4971-9a20-48f12b8518e1",
    "groupCategory": "suspicious",
    "groupScore": 32.34820100820068,
    "groupPreviousGroups": [],
    "activityId": "da39a3ee",
    "groupingIds": [
        "6ae71ab6"
    ],
    "groupByActivity": false,
    "userTriggered": false,
    "externalTriggered": false,
    "aiaScore": 85.47036382887099,
    "summary": "Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\n\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\n\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\n\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.",
    "periods": [
        {
            "start": 1708040149000,
            "end": 1708648697000
        }
    ],
    "sender": null,
    "breachDevices": [
        {
            "identifier": "SaaS::AzureActiveDirectory: test@test.fr",
            "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
            "ip": null,
            "mac": null,
            "subnet": null,
            "did": 2635,
            "sid": -9
        }
    ],
    "relatedBreaches": [
        {
            "modelName": "SaaS / Access / Password Spray",
            "pbid": 7130,
            "threatScore": 47,
            "timestamp": 1708648698000
        }
    ],
    "details": [
        [
            {
                "header": "SaaS User Details",
                "contents": [
                    {
                        "key": "SaaS account",
                        "type": "device",
                        "values": [
                            {
                                "identifier": "SaaS::AzureActiveDirectory: test@test.fr",
                                "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
                                "ip": null,
                                "mac": null,
                                "subnet": null,
                                "did": 2635,
                                "sid": -9
                            }
                        ]
                    },
                    {
                        "key": "Actor",
                        "type": "string",
                        "values": [
                            "test@test.fr"
                        ]
                    }
                ]
            }
        ],
        [
            {
                "header": "Summary of Related Access Attempts",
                "contents": [
                    {
                        "key": "Attempts grouped by",
                        "type": "string",
                        "values": [
                            "same targeted account"
                        ]
                    },
                    {
                        "key": "Number of source ASNs",
                        "type": "integer",
                        "values": [
                            241
                        ]
                    },
                    {
                        "key": "Suspicious properties",
                        "type": "string",
                        "values": [
                            "Unusual time for activity",
                            "Unusual external source for activity",
                            "Large number of login failures"
                        ]
                    }
                ]
            },
            {
                "header": "Details of Access Attempts",
                "contents": [
                    {
                        "key": "Time",
                        "type": "timestampRange",
                        "values": [
                            {
                                "start": 1708040149000,
                                "end": 1708648697000
                            }
                        ]
                    },
                    {
                        "key": "Targeted account",
                        "type": "string",
                        "values": [
                            "test@test.fr"
                        ]
                    },
                    {
                        "key": "Total number of login failures",
                        "type": "integer",
                        "values": [
                            1136
                        ]
                    },
                    {
                        "key": "Reasons for login failures",
                        "type": "string",
                        "values": [
                            "Sign-in was blocked because it came from an IP address with malicious activity",
                            "The account is locked, you've tried to sign in too many times with an incorrect user ID or password.",
                            "Error validating credentials due to invalid username or password."
                        ]
                    }
                ]
            },
            {
                "header": "Sources of Access Attempts",
                "contents": [
                    {
                        "key": "Source ASNs include",
                        "type": "string",
                        "values": [
                            "AS4134 Chinanet",
                            "AS4837 CHINA UNICOM China169 Backbone",
                            "AS4766 Korea Telecom",
                            "AS9808 China Mobile Communications Group Co., Ltd.",
                            "AS24560 Bharti Airtel Ltd., Telemedia Services"
                        ]
                    },
                    {
                        "key": "Source IPs include",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "122.4.70.38",
                                "ip": "122.4.70.38"
                            },
                            {
                                "hostname": "41.207.248.204",
                                "ip": "41.207.248.204"
                            },
                            {
                                "hostname": "124.89.116.178",
                                "ip": "124.89.116.178"
                            },
                            {
                                "hostname": "121.184.235.17",
                                "ip": "121.184.235.17"
                            },
                            {
                                "hostname": "61.153.208.38",
                                "ip": "61.153.208.38"
                            }
                        ]
                    },
                    {
                        "key": "Countries include",
                        "type": "string",
                        "values": [
                            "China",
                            "South Korea",
                            "India",
                            "United States",
                            "Brazil"
                        ]
                    },
                    {
                        "key": "User agent",
                        "type": "string",
                        "values": [
                            "Office 365 Exchange Online"
                        ]
                    }
                ]
            }
        ]
    ]
}
{
    "commentCount": 0,
    "pbid": 26316,
    "time": 1687967502000,
    "creationTime": 1687967508000,
    "model": {
        "then": {
            "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
            "pid": 619,
            "phid": 9945,
            "uuid": "80010119-6d7f-0000-0305-5e0000000172",
            "logic": {
                "data": [
                    19046
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:Tooling",
                "OTEngineer"
            ],
            "interval": 0,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-06-28 11:53:50",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "version": 42,
            "mitre": {
                "tactics": [
                    "resource-development"
                ],
                "techniques": [
                    "T1588.001"
                ]
            },
            "priority": 1,
            "category": "Informational",
            "compliance": false
        },
        "now": {
            "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
            "pid": 619,
            "phid": 9945,
            "uuid": "80010119-6d7f-0000-0305-5e0000000172",
            "logic": {
                "data": [
                    19046
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:Tooling",
                "OTEngineer"
            ],
            "interval": 0,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-06-28 11:53:50",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "Excludedcommonuseragents",
            "version": 42,
            "mitre": {
                "tactics": [
                    "resource-development"
                ],
                "techniques": [
                    "T1588.001"
                ]
            },
            "priority": 1,
            "category": "Informational",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687967501000,
            "cbid": 26393,
            "cid": 19046,
            "chid": 30682,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": {
                            "left": "C",
                            "operator": "AND",
                            "right": {
                                "left": "F",
                                "operator": "AND",
                                "right": {
                                    "left": "I",
                                    "operator": "AND",
                                    "right": {
                                        "left": "J",
                                        "operator": "AND",
                                        "right": {
                                            "left": "M",
                                            "operator": "AND",
                                            "right": {
                                                "left": "N",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "O",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "P",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "Q",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "R",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "T",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "V",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "W",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "Y",
                                                                                "operator": "AND",
                                                                                "right": "Z"
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "C",
                            "operator": "AND",
                            "right": {
                                "left": "E",
                                "operator": "AND",
                                "right": {
                                    "left": "F",
                                    "operator": "AND",
                                    "right": {
                                        "left": "I",
                                        "operator": "AND",
                                        "right": {
                                            "left": "J",
                                            "operator": "AND",
                                            "right": {
                                                "left": "M",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "N",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "O",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "P",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "Q",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "R",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "T",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "V",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "W",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "Y",
                                                                                    "operator": "AND",
                                                                                    "right": "Z"
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        },
                        "operator": "OR",
                        "right": {
                            "left": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "F",
                                    "operator": "AND",
                                    "right": {
                                        "left": "G",
                                        "operator": "AND",
                                        "right": {
                                            "left": "I",
                                            "operator": "AND",
                                            "right": {
                                                "left": "J",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "M",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "N",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "O",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "P",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "Q",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "R",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "T",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "V",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "W",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "Y",
                                                                                        "operator": "AND",
                                                                                        "right": "Z"
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            },
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "C",
                                    "operator": "AND",
                                    "right": {
                                        "left": "F",
                                        "operator": "AND",
                                        "right": {
                                            "left": "H",
                                            "operator": "AND",
                                            "right": {
                                                "left": "I",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "J",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "M",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "N",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "O",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "P",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "Q",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "R",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "T",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "V",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "W",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "Y",
                                                                                            "operator": "AND",
                                                                                            "right": "Z"
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                },
                                "operator": "OR",
                                "right": {
                                    "left": {
                                        "left": "A",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "F",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "K",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "L",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "M",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "N",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "O",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "P",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "Q",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "S",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "T",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "U",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "V",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "W",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "Y",
                                                                                                    "operator": "AND",
                                                                                                    "right": "Z"
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    },
                                    "operator": "OR",
                                    "right": {
                                        "left": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "E",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "F",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "K",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "L",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "M",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "N",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "O",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "P",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "Q",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "S",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "T",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "U",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "V",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "W",
                                                                                                    "operator": "AND",
                                                                                                    "right": {
                                                                                                        "left": "Y",
                                                                                                        "operator": "AND",
                                                                                                        "right": "Z"
                                                                                                    }
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        },
                                        "operator": "OR",
                                        "right": {
                                            "left": {
                                                "left": "C",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "F",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "G",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "K",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "L",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "M",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "N",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "O",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "P",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "Q",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "S",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "T",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "U",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "V",
                                                                                                    "operator": "AND",
                                                                                                    "right": {
                                                                                                        "left": "W",
                                                                                                        "operator": "AND",
                                                                                                        "right": {
                                                                                                            "left": "Y",
                                                                                                            "operator": "AND",
                                                                                                            "right": "Z"
                                                                                                        }
                                                                                                    }
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            },
                                            "operator": "OR",
                                            "right": {
                                                "left": "C",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "F",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "H",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "K",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "L",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "M",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "N",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "O",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "P",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "Q",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "S",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "T",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "U",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "V",
                                                                                                    "operator": "AND",
                                                                                                    "right": {
                                                                                                        "left": "W",
                                                                                                        "operator": "AND",
                                                                                                        "right": {
                                                                                                            "left": "Y",
                                                                                                            "operator": "AND",
                                                                                                            "right": "Z"
                                                                                                        }
                                                                                                    }
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "104.18.103.100/32",
            "port": 80,
            "metric": {
                "mlid": 1,
                "name": "externalconnections",
                "label": "ExternalConnections"
            },
            "triggeredFilters": [
                {
                    "cfid": 232424,
                    "id": "C",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "3"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232426,
                    "id": "F",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 232428,
                    "id": "H",
                    "filterType": "HTTPcontenttype",
                    "arguments": {
                        "value": "application/x-gzip"
                    },
                    "comparatorType": "matches",
                    "trigger": {
                        "value": "application/x-gzip"
                    }
                },
                {
                    "cfid": 232430,
                    "id": "J",
                    "filterType": "RareexternalIP",
                    "arguments": {
                        "value": 98
                    },
                    "comparatorType": ">=",
                    "trigger": {
                        "value": "100"
                    }
                },
                {
                    "cfid": 232431,
                    "id": "K",
                    "filterType": "Raredomain",
                    "arguments": {
                        "value": 95
                    },
                    "comparatorType": ">=",
                    "trigger": {
                        "value": "100"
                    }
                },
                {
                    "cfid": 232432,
                    "id": "L",
                    "filterType": "Trustedhostname",
                    "arguments": {
                        "value": "false"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "false"
                    }
                },
                {
                    "cfid": 232433,
                    "id": "M",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "9"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232434,
                    "id": "N",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "4"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232435,
                    "id": "O",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "13"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232436,
                    "id": "P",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "17"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232437,
                    "id": "Q",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 15
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "15",
                        "tag": {
                            "tid": 15,
                            "expiry": 0,
                            "thid": 15,
                            "name": "ConflictingUser-Agents",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 284,
                                "description": "",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 232438,
                    "id": "R",
                    "filterType": "DestinationIP",
                    "arguments": {
                        "value": "0.0.0.0"
                    },
                    "comparatorType": "doesnotmatch",
                    "trigger": {
                        "value": "104.18.103.100"
                    }
                },
                {
                    "cfid": 232439,
                    "id": "S",
                    "filterType": "Connectionhostname",
                    "arguments": {
                        "value": "(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\.(carbonblack\\.io|nutanix\\.com|pandasoftware\\.com|ivanti\\.com|mit\\.edu|mastercam\\.com|rit\\.edu|knime\\.com|logicnow\\.us|oppomobile\\.com|trendmicro\\.com|panorama9\\.com|jiransecurity\\.com|refinitiv\\.com|jiran\\.com|loxtop\\.com|snoopwall\\.com|tumbleweed\\.com|sangfor\\.net|alyac\\.com|spamassassin\\.org|verein-clean\\.net|itsupport247\\.net|lsfilter\\.com|iboss\\.com|eeye\\.com|windowsupdate\\.com|fireeye\\.com)|definitionsbd\\.adaware\\.com|nasepm\\.aramark\\.com|(bdefs|hw|ec)\\.threattrack\\.com|upd\\.zonelabs\\.com|www\\.solutionsam\\.com|licensingservice\\.altarix\\.com|autoupdate\\.bradyid\\.com|iblocklist\\.com|clientservices\\.googleapis\\.com|mirror\\.centos\\..*\\.serverforge\\.org|sync\\.bigfix\\.com|catalog\\.kace\\.com)"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 232440,
                    "id": "T",
                    "filterType": "Useragent",
                    "arguments": {
                        "value": "/((libdnf|sa-update|Valve\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232441,
                    "id": "U",
                    "filterType": "Connectionhostname",
                    "arguments": {
                        "value": "(antivirus|rpm(s)?|sa-update|centos|fedora).*"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 232442,
                    "id": "V",
                    "filterType": "URI",
                    "arguments": {
                        "value": "/.*\\/centos\\/.*\\.xml\\.gz/i"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
                    }
                },
                {
                    "cfid": 232443,
                    "id": "W",
                    "filterType": "URI",
                    "arguments": {
                        "value": "dl.delivery.mp.microsoft.com"
                    },
                    "comparatorType": "doesnotcontain",
                    "trigger": {
                        "value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
                    }
                },
                {
                    "cfid": 232444,
                    "id": "Y",
                    "filterType": "HTTPresponsecode",
                    "arguments": {
                        "value": 400
                    },
                    "comparatorType": "<",
                    "trigger": {
                        "value": "200"
                    }
                },
                {
                    "cfid": 232445,
                    "id": "Z",
                    "filterType": "Individualsizedown",
                    "arguments": {
                        "value": 10000
                    },
                    "comparatorType": ">=",
                    "trigger": {
                        "value": "60493165"
                    }
                },
                {
                    "cfid": 232446,
                    "id": "d1",
                    "filterType": "Individualsizedown",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "60493165"
                    }
                },
                {
                    "cfid": 232447,
                    "id": "d10",
                    "filterType": "Individualsizeup",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "679"
                    }
                },
                {
                    "cfid": 232448,
                    "id": "d11",
                    "filterType": "HTTPreferrer",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232449,
                    "id": "d12",
                    "filterType": "HTTPmethod",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232450,
                    "id": "d13",
                    "filterType": "Dataratio",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "0"
                    }
                },
                {
                    "cfid": 232451,
                    "id": "d14",
                    "filterType": "Ageofdestination",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "43965774"
                    }
                },
                {
                    "cfid": 232452,
                    "id": "d2",
                    "filterType": "HTTPresponsecode",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "200"
                    }
                },
                {
                    "cfid": 232453,
                    "id": "d3",
                    "filterType": "Useragent",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232454,
                    "id": "d4",
                    "filterType": "ASN",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "AS13335CLOUDFLARENET"
                    }
                },
                {
                    "cfid": 232455,
                    "id": "d5",
                    "filterType": "URI",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
                    }
                },
                {
                    "cfid": 232456,
                    "id": "d6",
                    "filterType": "DestinationIP",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "104.18.103.100"
                    }
                },
                {
                    "cfid": 232457,
                    "id": "d7",
                    "filterType": "Connectionhostname",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 232458,
                    "id": "d8",
                    "filterType": "HTTPcontenttype",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "application/x-gzip"
                    }
                },
                {
                    "cfid": 232459,
                    "id": "d9",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "6"
                    }
                }
            ]
        }
    ],
    "score": 0.245,
    "device": {
        "did": 16,
        "ip": "192.168.1.#18408",
        "ips": [
            {
                "ip": "192.168.1.#18408",
                "timems": 1688263200000,
                "time": "2023-07-0202:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1644001727000,
        "lastSeen": 1688266122000,
        "typename": "desktop",
        "typelabel": "Desktop"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 26368,
    "time": 1687987886000,
    "creationTime": 1687987892000,
    "model": {
        "then": {
            "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
            "pid": 2299,
            "phid": 9961,
            "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
            "logic": {
                "data": [
                    19083
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {
                    "action": "quarantine",
                    "confirm": true,
                    "connector_actions": {},
                    "duration": 1000,
                    "ignoreSchedule": true,
                    "threshold": "50"
                },
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": true,
            "modified": "2023-06-28 21:31:29",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": false,
            "autoSuppress": false,
            "description": "",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "darktrace",
                "userID": 2
            },
            "edited": {
                "by": "darktrace",
                "userID": 2
            },
            "version": 7,
            "priority": 4,
            "category": "Suspicious",
            "compliance": true
        },
        "now": {
            "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
            "pid": 2299,
            "phid": 9962,
            "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
            "logic": {
                "data": [
                    19084
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {
                    "action": "quarantine",
                    "confirm": true,
                    "connector_actions": {},
                    "duration": 1000,
                    "ignoreSchedule": true,
                    "threshold": "50"
                },
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": false,
            "modified": "2023-06-28 21:32:10",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": false,
            "autoSuppress": false,
            "description": "",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "darktrace",
                "userID": 2
            },
            "edited": {
                "by": "darktrace",
                "userID": 2
            },
            "version": 8,
            "priority": 4,
            "category": "Suspicious",
            "compliance": true
        }
    },
    "triggeredComponents": [
        {
            "time": 1687987885000,
            "cbid": 26445,
            "cid": 19083,
            "chid": 30726,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {},
                "version": "v0.1"
            },
            "ip": "192.168.16.100/32",
            "port": 443,
            "metric": {
                "mlid": 16,
                "name": "connections",
                "label": "Connections"
            },
            "triggeredFilters": []
        }
    ],
    "score": 0.871,
    "device": {
        "did": 31,
        "hostname": "my_host",
        "vendor": "",
        "ip": "192.168.1.2",
        "ips": [
            {
                "ip": "192.168.1.2",
                "timems": 1688389200000,
                "time": "2023-07-0313:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1649669953000,
        "lastSeen": 1688391406000,
        "typename": "dnsserver",
        "typelabel": "DNSServer"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 27103,
    "time": 1688266123000,
    "creationTime": 1688266130000,
    "model": {
        "then": {
            "name": "Device::AttackandReconTools",
            "pid": 76,
            "phid": 8953,
            "uuid": "80010119-6d7f-0000-0305-5e0000000197",
            "logic": {
                "data": [
                    {
                        "cid": 17299,
                        "weight": 1
                    },
                    {
                        "cid": 17302,
                        "weight": 1
                    },
                    {
                        "cid": 17298,
                        "weight": 1
                    },
                    {
                        "cid": 17300,
                        "weight": 1
                    },
                    {
                        "cid": 17301,
                        "weight": 1
                    },
                    {
                        "cid": 17303,
                        "weight": 1
                    },
                    {
                        "cid": 17304,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 604800,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:InternalRecon",
                "OTEngineer"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-03-14 12:53:21",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "version": 87,
            "mitre": {
                "tactics": [
                    "initial-access"
                ],
                "techniques": [
                    "T1200"
                ]
            },
            "priority": 4,
            "category": "Suspicious",
            "compliance": false
        },
        "now": {
            "name": "Device::AttackandReconTools",
            "pid": 76,
            "phid": 8953,
            "uuid": "80010119-6d7f-0000-0305-5e0000000197",
            "logic": {
                "data": [
                    {
                        "cid": 17299,
                        "weight": 1
                    },
                    {
                        "cid": 17302,
                        "weight": 1
                    },
                    {
                        "cid": 17298,
                        "weight": 1
                    },
                    {
                        "cid": 17300,
                        "weight": 1
                    },
                    {
                        "cid": 17301,
                        "weight": 1
                    },
                    {
                        "cid": 17303,
                        "weight": 1
                    },
                    {
                        "cid": 17304,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 604800,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:InternalRecon",
                "OTEngineer"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-03-14 12:53:21",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "Addeddetectionforgobusteranddirbuster",
            "version": 87,
            "mitre": {
                "tactics": [
                    "initial-access"
                ],
                "techniques": [
                    "T1200"
                ]
            },
            "priority": 4,
            "category": "Suspicious",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1688266122000,
            "cbid": 27180,
            "cid": 17302,
            "chid": 27905,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": {
                                            "left": "H",
                                            "operator": "AND",
                                            "right": "J"
                                        }
                                    }
                                }
                            }
                        }
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": {
                                            "left": "F",
                                            "operator": "AND",
                                            "right": "H"
                                        }
                                    }
                                }
                            }
                        },
                        "operator": "OR",
                        "right": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": {
                                            "left": "G",
                                            "operator": "AND",
                                            "right": {
                                                "left": "H",
                                                "operator": "AND",
                                                "right": "I"
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.1.2/32",
            "port": 53,
            "metric": {
                "mlid": 11,
                "name": "dnsrequests",
                "label": "DNSRequests"
            },
            "triggeredFilters": [
                {
                    "cfid": 208828,
                    "id": "A",
                    "filterType": "DNShostlookup",
                    "arguments": {
                        "value": "kali(\\..+)?"
                    },
                    "comparatorType": "matchesregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 208829,
                    "id": "B",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "12"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 208830,
                    "id": "C",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 18
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "18",
                        "tag": {
                            "tid": 18,
                            "expiry": 0,
                            "thid": 18,
                            "name": "DNSServer",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 112,
                                "description": "DevicesreceivingandmakingDNSqueries",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 208831,
                    "id": "D",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 208832,
                    "id": "E",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 4
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "4",
                        "tag": {
                            "tid": 4,
                            "expiry": 0,
                            "thid": 4,
                            "name": "SecurityDevice",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 55,
                                "description": "",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 208835,
                    "id": "H",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 58
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "58",
                        "tag": {
                            "tid": 58,
                            "expiry": 0,
                            "thid": 58,
                            "name": "MailServer",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 200,
                                "description": ""
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 208836,
                    "id": "I",
                    "filterType": "DNShostlookup",
                    "arguments": {
                        "value": "backbox.com"
                    },
                    "comparatorType": "doesnotmatch",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 208837,
                    "id": "J",
                    "filterType": "DNShostlookup",
                    "arguments": {
                        "value": "^kali\\.(by|hu|hr|cheng-tsui\\.com|tradair\\.com)$"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 208838,
                    "id": "d1",
                    "filterType": "DNShostlookup",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "kali.download"
                    }
                }
            ]
        }
    ],
    "score": 0.871,
    "device": {
        "did": 16,
        "ip": "192.168.1.#18408",
        "ips": [
            {
                "ip": "192.168.1.#18408",
                "timems": 1688263200000,
                "time": "2023-07-0202:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1644001727000,
        "lastSeen": 1688266122000,
        "typename": "desktop",
        "typelabel": "Desktop"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 25808,
    "time": 1687774142000,
    "creationTime": 1687774148000,
    "model": {
        "then": {
            "name": "Compromise::WatchedDomain",
            "pid": 608,
            "phid": 6768,
            "uuid": "80010119-6d7f-0000-0305-5e0000000256",
            "logic": {
                "data": [
                    {
                        "cid": 13112,
                        "weight": 1
                    },
                    {
                        "cid": 13114,
                        "weight": 1
                    },
                    {
                        "cid": 13115,
                        "weight": 1
                    },
                    {
                        "cid": 13113,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:C2Comms"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2022-06-22 15:56:27",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "version": 31,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        },
        "now": {
            "name": "Compromise::WatchedDomain",
            "pid": 608,
            "phid": 6768,
            "uuid": "80010119-6d7f-0000-0305-5e0000000256",
            "logic": {
                "data": [
                    {
                        "cid": 13112,
                        "weight": 1
                    },
                    {
                        "cid": 13114,
                        "weight": 1
                    },
                    {
                        "cid": 13115,
                        "weight": 1
                    },
                    {
                        "cid": 13113,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:C2Comms"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2022-06-22 15:56:27",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "Adjustingmodellogicforproxiedconnections",
            "version": 31,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687774141000,
            "cbid": 25885,
            "cid": 13112,
            "chid": 20980,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": {
                            "left": "C",
                            "operator": "AND",
                            "right": {
                                "left": "D",
                                "operator": "AND",
                                "right": "F"
                            }
                        }
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": "F"
                                }
                            }
                        },
                        "operator": "OR",
                        "right": {
                            "left": {
                                "left": "A",
                                "operator": "AND",
                                "right": {
                                    "left": "C",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": "G"
                                    }
                                }
                            },
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "B",
                                    "operator": "AND",
                                    "right": {
                                        "left": "C",
                                        "operator": "AND",
                                        "right": {
                                            "left": "E",
                                            "operator": "AND",
                                            "right": "G"
                                        }
                                    }
                                },
                                "operator": "OR",
                                "right": {
                                    "left": {
                                        "left": "A",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "D",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "H",
                                                    "operator": "AND",
                                                    "right": "I"
                                                }
                                            }
                                        }
                                    },
                                    "operator": "OR",
                                    "right": {
                                        "left": "B",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "D",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "H",
                                                    "operator": "AND",
                                                    "right": "I"
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.1.2/32",
            "port": 53,
            "metric": {
                "mlid": 223,
                "name": "dtwatcheddomain",
                "label": "WatchedDomain"
            },
            "triggeredFilters": [
                {
                    "cfid": 156173,
                    "id": "A",
                    "filterType": "Watchedendpointsource",
                    "arguments": {
                        "value": ".+"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156175,
                    "id": "C",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 156177,
                    "id": "E",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "12"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 156179,
                    "id": "G",
                    "filterType": "Destinationport",
                    "arguments": {
                        "value": 53
                    },
                    "comparatorType": "=",
                    "trigger": {
                        "value": "53"
                    }
                },
                {
                    "cfid": 156180,
                    "id": "d1",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 156181,
                    "id": "d10",
                    "filterType": "Watchedendpointdescription",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156182,
                    "id": "d2",
                    "filterType": "Connectionhostname",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156183,
                    "id": "d3",
                    "filterType": "DestinationIP",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "192.168.1.2"
                    }
                },
                {
                    "cfid": 156184,
                    "id": "d4",
                    "filterType": "ASN",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156185,
                    "id": "d5",
                    "filterType": "Country",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156186,
                    "id": "d6",
                    "filterType": "Message",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com"
                    }
                },
                {
                    "cfid": 156187,
                    "id": "d7",
                    "filterType": "Watchedendpoint",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "true"
                    }
                },
                {
                    "cfid": 156188,
                    "id": "d8",
                    "filterType": "Watchedendpointsource",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156189,
                    "id": "d9",
                    "filterType": "Watchedendpointstrength",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "100"
                    }
                },
                {
                    "cfid": 156190,
                    "id": "H",
                    "filterType": "Internaldestination",
                    "arguments": {},
                    "comparatorType": "is",
                    "trigger": {
                        "value": "true"
                    }
                },
                {
                    "cfid": 156191,
                    "id": "I",
                    "filterType": "Internaldestinationdevicetype",
                    "arguments": {
                        "value": "11"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "12"
                    }
                }
            ]
        }
    ],
    "score": 0.541,
    "device": {
        "did": 6,
        "hostname": "SaaS::Slack: john.doe@company.com",
        "ip": "192.168.16.#54818",
        "ips": [
            {
                "ip": "192.168.16.#54818",
                "timems": 1688385600000,
                "time": "2023-07-0312:00:00",
                "sid": 4
            }
        ],
        "sid": 4,
        "firstSeen": 1639068361000,
        "lastSeen": 1688385853000,
        "typename": "desktop",
        "typelabel": "Desktop"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 25860,
    "time": 1687793533000,
    "creationTime": 1687793540000,
    "model": {
        "then": {
            "name": "Device::ThreatIndicator",
            "pid": 540,
            "phid": 6656,
            "uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176",
            "logic": {
                "data": [
                    {
                        "cid": 12878,
                        "weight": 1
                    },
                    {
                        "cid": 12876,
                        "weight": 1
                    },
                    {
                        "cid": 12877,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false,
                "tagTTL": 604800
            },
            "tags": [
                "",
                "RequiresConfiguration"
            ],
            "interval": 1,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2022-06-15 12:01:36",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement",
            "version": 39,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687793532000,
            "cbid": 25937,
            "cid": 12876,
            "chid": 20545,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": "A",
                    "operator": "AND",
                    "right": {
                        "left": "F",
                        "operator": "AND",
                        "right": {
                            "left": "G",
                            "operator": "AND",
                            "right": {
                                "left": "H",
                                "operator": "AND",
                                "right": {
                                    "left": "I",
                                    "operator": "AND",
                                    "right": {
                                        "left": "J",
                                        "operator": "AND",
                                        "right": "K"
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.1.2/32",
            "port": 53,
            "metric": {
                "mlid": 223,
                "name": "dtwatcheddomain",
                "label": "WatchedDomain"
            },
            "triggeredFilters": [
                {
                    "cfid": 153437,
                    "id": "A",
                    "filterType": "Watchedendpointsource",
                    "arguments": {
                        "value": "^(\\_?Darktrace.*|AttackSurfaceManagement)"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153437,
                    "id": "A",
                    "filterType": "Watchedendpointsource",
                    "arguments": {
                        "value": "^(\\_?Darktrace.*|AttackSurfaceManagement)"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153438,
                    "id": "F",
                    "filterType": "Watchedendpointsource",
                    "arguments": {
                        "value": ".+"
                    },
                    "comparatorType": "matchesregularexpression",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153439,
                    "id": "G",
                    "filterType": "Watchedendpointsource",
                    "arguments": {
                        "value": "Default"
                    },
                    "comparatorType": "doesnotmatch",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153439,
                    "id": "G",
                    "filterType": "Watchedendpointsource",
                    "arguments": {
                        "value": "Default"
                    },
                    "comparatorType": "doesnotmatch",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153440,
                    "id": "H",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 4
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "4",
                        "tag": {
                            "tid": 4,
                            "expiry": 0,
                            "thid": 4,
                            "name": "SecurityDevice",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 55,
                                "description": "",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 153441,
                    "id": "I",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "12"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "7"
                    }
                },
                {
                    "cfid": 153442,
                    "id": "J",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 18
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "18",
                        "tag": {
                            "tid": 18,
                            "expiry": 0,
                            "thid": 18,
                            "name": "DNSServer",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 112,
                                "description": "DevicesreceivingandmakingDNSqueries",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 153443,
                    "id": "K",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 153444,
                    "id": "d1",
                    "filterType": "Ageofdestination",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "38123579"
                    }
                },
                {
                    "cfid": 153445,
                    "id": "d2",
                    "filterType": "Country",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153446,
                    "id": "d3",
                    "filterType": "DestinationIP",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "192.168.1.2"
                    }
                },
                {
                    "cfid": 153447,
                    "id": "d4",
                    "filterType": "ASN",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153448,
                    "id": "d5",
                    "filterType": "Destinationport",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "53"
                    }
                },
                {
                    "cfid": 153449,
                    "id": "d6",
                    "filterType": "Rareexternalendpoint",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "0"
                    }
                },
                {
                    "cfid": 153450,
                    "id": "d7",
                    "filterType": "Watchedendpointsource",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153450,
                    "id": "d7",
                    "filterType": "Watchedendpointsource",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153451,
                    "id": "d8",
                    "filterType": "Message",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "clients2.google.com"
                    }
                }
            ]
        }
    ],
    "score": 0.612,
    "device": {
        "did": 39,
        "vendor": "",
        "ip": "192.168.1.3",
        "ips": [
            {
                "ip": "192.168.1.3",
                "timems": 1688389200000,
                "time": "2023-07-0313:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1666276905000,
        "lastSeen": 1688391268000,
        "os": "Windows(10.0)",
        "typename": "server",
        "typelabel": "Server"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 25908,
    "time": 1687811707000,
    "creationTime": 1687811713000,
    "model": {
        "then": {
            "name": "PenTest",
            "pid": 2721,
            "phid": 9287,
            "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
            "logic": {
                "data": [
                    18021
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 1000,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": true,
            "modified": "2023-04-17 11:34:25",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "",
            "behaviour": "flat",
            "defeats": [],
            "created": {
                "by": "sam.gorse",
                "userID": 22
            },
            "edited": {
                "by": "sam.gorse",
                "userID": 22
            },
            "version": 7,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        },
        "now": {
            "name": "PenTest",
            "pid": 2721,
            "phid": 9287,
            "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
            "logic": {
                "data": [
                    18021
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 1000,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": true,
            "modified": "2023-04-17 11:34:25",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": false,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "",
            "behaviour": "flat",
            "defeats": [],
            "created": {
                "by": "sam.gorse",
                "userID": 22
            },
            "edited": {
                "by": "sam.gorse",
                "userID": 22
            },
            "version": 7,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687811706000,
            "cbid": 25985,
            "cid": 18021,
            "chid": 29073,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": "A",
                    "operator": "OR",
                    "right": {
                        "left": "B",
                        "operator": "OR",
                        "right": {
                            "left": "C",
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "A",
                                    "operator": "AND",
                                    "right": {
                                        "left": "B",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": "D"
                                        }
                                    }
                                },
                                "operator": "OR",
                                "right": {
                                    "left": {
                                        "left": "A",
                                        "operator": "AND",
                                        "right": "B"
                                    },
                                    "operator": "OR",
                                    "right": {
                                        "left": {
                                            "left": "B",
                                            "operator": "AND",
                                            "right": "C"
                                        },
                                        "operator": "OR",
                                        "right": {
                                            "left": "D",
                                            "operator": "OR",
                                            "right": {
                                                "left": {
                                                    "left": "A",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "B",
                                                        "operator": "AND",
                                                        "right": "C"
                                                    }
                                                },
                                                "operator": "OR",
                                                "right": {
                                                    "left": {
                                                        "left": "B",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "C",
                                                            "operator": "AND",
                                                            "right": "D"
                                                        }
                                                    },
                                                    "operator": "OR",
                                                    "right": {
                                                        "left": {
                                                            "left": "C",
                                                            "operator": "AND",
                                                            "right": "D"
                                                        },
                                                        "operator": "OR",
                                                        "right": {
                                                            "left": "A",
                                                            "operator": "AND",
                                                            "right": "D"
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.16.100/32",
            "port": 80,
            "metric": {
                "mlid": 16,
                "name": "connections",
                "label": "Connections"
            },
            "triggeredFilters": [
                {
                    "cfid": 217209,
                    "id": "C",
                    "filterType": "Destinationport",
                    "arguments": {
                        "value": 80
                    },
                    "comparatorType": "=",
                    "trigger": {
                        "value": "80"
                    }
                }
            ]
        }
    ],
    "score": 1.0,
    "device": {
        "did": 31,
        "vendor": "",
        "ip": "192.168.1.2",
        "ips": [
            {
                "ip": "192.168.1.2",
                "timems": 1688389200000,
                "time": "2023-07-0313:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1649669953000,
        "lastSeen": 1688391406000,
        "typename": "dnsserver",
        "typelabel": "DNSServer"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 36586,
    "time": 1700634482000,
    "creationTime": 1700634481000,
    "model": {
        "name": "System::System",
        "pid": 530,
        "phid": 4861,
        "uuid": "1c3f429b-ccb9-46a2-b864-868653bc780a",
        "logic": {
            "data": [
                9686
            ],
            "type": "componentList",
            "version": 1
        },
        "throttle": 10,
        "sharedEndpoints": false,
        "actions": {
            "alert": true,
            "antigena": {},
            "breach": true,
            "model": true,
            "setPriority": false,
            "setTag": false,
            "setType": false
        },
        "tags": [],
        "interval": 0,
        "delay": 0,
        "sequenced": true,
        "active": true,
        "modified": "2021-11-24 18:04:19",
        "activeTimes": {
            "devices": {},
            "tags": {},
            "type": "exclusions",
            "version": 2
        },
        "autoUpdatable": true,
        "autoUpdate": true,
        "autoSuppress": true,
        "description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\n\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.",
        "behaviour": "decreasing",
        "defeats": [],
        "created": {
            "by": "System"
        },
        "edited": {
            "by": "System"
        },
        "version": 16,
        "priority": 3,
        "category": "Informational",
        "compliance": false
    },
    "triggeredComponents": [
        {
            "time": 1700634481000,
            "cbid": 36900,
            "cid": 9686,
            "chid": 15251,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": "B"
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "A",
                            "operator": "AND",
                            "right": "C"
                        },
                        "operator": "OR",
                        "right": {
                            "left": {
                                "left": "A",
                                "operator": "AND",
                                "right": "D"
                            },
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "A",
                                    "operator": "AND",
                                    "right": "E"
                                },
                                "operator": "OR",
                                "right": {
                                    "left": "A",
                                    "operator": "AND",
                                    "right": "F"
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "metric": {
                "mlid": 206,
                "name": "dtsystem",
                "label": "System"
            },
            "triggeredFilters": [
                {
                    "cfid": 111299,
                    "id": "A",
                    "filterType": "Event details",
                    "arguments": {
                        "value": "analyze credential ignore list"
                    },
                    "comparatorType": "does not contain",
                    "trigger": {
                        "value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago"
                    }
                },
                {
                    "cfid": 111300,
                    "id": "B",
                    "filterType": "System message",
                    "arguments": {
                        "value": "Probe error"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "Probe error"
                    }
                },
                {
                    "cfid": 111305,
                    "id": "d1",
                    "filterType": "Event details",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago"
                    }
                },
                {
                    "cfid": 111306,
                    "id": "d2",
                    "filterType": "System message",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "Probe error"
                    }
                }
            ]
        }
    ],
    "score": 0.674,
    "device": {
        "did": -1
    },
    "log_type": "modelbreaches"
}
{
    "url": "https://darktrace-dt/#actions/000/111",
    "iris-event-type": "antigena_state_change",
    "codeuuid": "",
    "codeid": 537,
    "action_family": "NETWORK",
    "action": "CREATE_NEEDSCONFIRMATION",
    "username": "JDOE",
    "reason": "",
    "start": 1702896511,
    "end": 1702903711,
    "did": 901,
    "pbid": 0,
    "action_creator": "",
    "model": "test_model_network",
    "inhibitor": "Enforce pattern of life",
    "device": {
        "did": 901,
        "macaddress": "00:11:22:33:44:55",
        "vendor": "test_vendor",
        "ip": "1.2.3.4",
        "ips": [
            {
                "ip": "1.2.3.4",
                "timems": 1702893600000,
                "time": "2023-12-18 10:00:00",
                "sid": 69,
                "vlan": 0
            }
        ],
        "sid": 69,
        "hostname": "test_hostname",
        "firstSeen": 1671027693000,
        "lastSeen": 1702896182000,
        "os": "Windows",
        "typename": "desktop",
        "typelabel": "Desktop"
    }
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
DNS records Darktrace monitors DNS requests or connections from devices to watched domains or IP addresses.
Web logs Darktrace monitors accesses to watched domains.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert
Category network, threat
Type info

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.

{
    "message": "{\"summariser\":\"HttpAgentSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1697334832520,\"attackPhases\":[2],\"mitreTactics\":[\"command-and-control\"],\"title\":\"Possible HTTP Command and Control\",\"id\":\"a400af0f-a297-478c-8fc6-c778a9558183\",\"children\":[\"a400af0f-a297-478c-8fc6-c778a9558183\"],\"category\":\"critical\",\"currentGroup\":\"ga400af0f-a297-478c-8fc6-c778a9558183\",\"groupCategory\":\"suspicious\",\"groupScore\":2.449186624037094,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"511a418e\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":55.52733790170975,\"summary\":\"The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\\n\\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\\n\\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.\",\"periods\":[{\"start\":1697334679535,\"end\":1697334713852}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}],\"relatedBreaches\":[{\"modelName\":\"Device / New User Agent\",\"pbid\":34952,\"threatScore\":31.0,\"timestamp\":1697334680000}],\"details\":[[{\"header\":\"Device Making Suspicious Connections\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}]}]}],[{\"header\":\"Suspicious Application\",\"contents\":[{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"python-requests/2.25.1\"]}]},{\"header\":\"Suspicious Endpoints Contacted by Application\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1697334679535,\"end\":1697334713852}]},{\"key\":\"Hostname\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"themoneyfix.org\",\"ip\":null}]},{\"key\":\"Hostname rarity\",\"type\":\"percentage\",\"values\":[100.0]},{\"key\":\"Hostname first observed\",\"type\":\"timestamp\",\"values\":[1697334687000]},{\"key\":\"Most recent destination IP\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"45.56.79.23\",\"ip\":\"45.56.79.23\"}]},{\"key\":\"Most recent ASN\",\"type\":\"string\",\"values\":[\"AS63949 Akamai Connected Cloud\"]},{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[2]},{\"key\":\"URI\",\"type\":\"string\",\"values\":[\"/login/username=adriano.lamo&password=il0v3cH33s3\"]},{\"key\":\"Port\",\"type\":\"integer\",\"values\":[80]},{\"key\":\"HTTP method\",\"type\":\"string\",\"values\":[\"GET\"]},{\"key\":\"Status code\",\"type\":\"string\",\"values\":[\"200\"]}]}]],\"log_type\":\"aianalyst/incidentevents\"}",
    "event": {
        "category": "threat",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-15T01:53:52.520000Z",
    "darktrace": {
        "threat_visualizer": {
            "acknowledged": false,
            "activityId": "da39a3ee",
            "aiaScore": 55.52733790170975,
            "attackPhases": [
                2
            ],
            "breachDevices": [
                {
                    "did": 62,
                    "hostname": null,
                    "identifier": null,
                    "ip": "10.0.0.#36859",
                    "mac": null,
                    "sid": 25,
                    "subnet": null
                }
            ],
            "category": "critical",
            "children": [
                "a400af0f-a297-478c-8fc6-c778a9558183"
            ],
            "currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
            "externalTriggered": false,
            "groupCategory": "suspicious",
            "groupScore": 2.449186624037094,
            "groupingIds": [
                "511a418e"
            ],
            "mitreTactics": [
                "command-and-control"
            ],
            "periods": [
                {
                    "end": 1697334713852,
                    "start": 1697334679535
                }
            ],
            "relatedBreaches": [
                {
                    "modelName": "Device / New User Agent",
                    "pbid": 34952,
                    "threatScore": 31.0,
                    "timestamp": 1697334680000
                }
            ],
            "userTriggered": false
        }
    },
    "device": {
        "id": "62"
    },
    "host": {
        "id": "62"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    }
}
{
    "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}",
    "event": {
        "category": "threat",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-10-27T10:02:28.884000Z",
    "darktrace": {
        "threat_visualizer": {
            "acknowledged": false,
            "activityId": "da39a3ee",
            "aiaScore": 93.67343783378601,
            "attackPhases": [
                3
            ],
            "breachDevices": [
                {
                    "did": 3820,
                    "hostname": "SaaS::Zoom: john.doe@example.com",
                    "identifier": "SaaS::Zoom: john.doe@example.com",
                    "ip": null,
                    "mac": null,
                    "sid": -9,
                    "subnet": null
                }
            ],
            "category": "critical",
            "children": [
                "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b"
            ],
            "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
            "externalTriggered": false,
            "groupCategory": "critical",
            "groupScore": 21.063004966718992,
            "groupingIds": [
                "3d2a2fc6"
            ],
            "mitreTactics": [
                "privilege-escalation"
            ],
            "periods": [
                {
                    "end": 1730023230000,
                    "start": 1730023230000
                }
            ],
            "relatedBreaches": [
                {
                    "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use",
                    "pbid": 46769,
                    "threatScore": 63.0,
                    "timestamp": 1730023232000
                }
            ],
            "userTriggered": false
        }
    },
    "device": {
        "id": "3820"
    },
    "host": {
        "id": "3820"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "user": {
        "email": "john.doe@example.com"
    }
}
{
    "message": "{\"summariser\":\"SaasBruteforceSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1708649003457,\"attackPhases\":[2,4],\"mitreTactics\":[\"credential-access\"],\"title\":\"Possible Distributed Bruteforce of AzureActiveDirectory Account\",\"id\":\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"incidentEventUrl\":\"https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"children\":[\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\"],\"category\":\"suspicious\",\"currentGroup\":\"g7bd28910-7d7d-4971-9a20-48f12b8518e1\",\"groupCategory\":\"suspicious\",\"groupScore\":32.34820100820068,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"6ae71ab6\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":85.47036382887099,\"summary\":\"Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\\n\\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\\n\\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\\n\\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.\",\"periods\":[{\"start\":1708040149000,\"end\":1708648697000}],\"sender\":null,\"breachDevices\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}],\"relatedBreaches\":[{\"modelName\":\"SaaS / Access / Password Spray\",\"pbid\":7130,\"threatScore\":47,\"timestamp\":1708648698000}],\"details\":[[{\"header\":\"SaaS User Details\",\"contents\":[{\"key\":\"SaaS account\",\"type\":\"device\",\"values\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}]},{\"key\":\"Actor\",\"type\":\"string\",\"values\":[\"test@test.fr\"]}]}],[{\"header\":\"Summary of Related Access Attempts\",\"contents\":[{\"key\":\"Attempts grouped by\",\"type\":\"string\",\"values\":[\"same targeted account\"]},{\"key\":\"Number of source ASNs\",\"type\":\"integer\",\"values\":[241]},{\"key\":\"Suspicious properties\",\"type\":\"string\",\"values\":[\"Unusual time for activity\",\"Unusual external source for activity\",\"Large number of login failures\"]}]},{\"header\":\"Details of Access Attempts\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1708040149000,\"end\":1708648697000}]},{\"key\":\"Targeted account\",\"type\":\"string\",\"values\":[\"test@test.fr\"]},{\"key\":\"Total number of login failures\",\"type\":\"integer\",\"values\":[1136]},{\"key\":\"Reasons for login failures\",\"type\":\"string\",\"values\":[\"Sign-in was blocked because it came from an IP address with malicious activity\",\"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.\",\"Error validating credentials due to invalid username or password.\"]}]},{\"header\":\"Sources of Access Attempts\",\"contents\":[{\"key\":\"Source ASNs include\",\"type\":\"string\",\"values\":[\"AS4134 Chinanet\",\"AS4837 CHINA UNICOM China169 Backbone\",\"AS4766 Korea Telecom\",\"AS9808 China Mobile Communications Group Co., Ltd.\",\"AS24560 Bharti Airtel Ltd., Telemedia Services\"]},{\"key\":\"Source IPs include\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"122.4.70.38\",\"ip\":\"122.4.70.38\"},{\"hostname\":\"41.207.248.204\",\"ip\":\"41.207.248.204\"},{\"hostname\":\"124.89.116.178\",\"ip\":\"124.89.116.178\"},{\"hostname\":\"121.184.235.17\",\"ip\":\"121.184.235.17\"},{\"hostname\":\"61.153.208.38\",\"ip\":\"61.153.208.38\"}]},{\"key\":\"Countries include\",\"type\":\"string\",\"values\":[\"China\",\"South Korea\",\"India\",\"United States\",\"Brazil\"]},{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"Office 365 Exchange Online\"]}]}]]}\n",
    "event": {
        "category": "network",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-02-23T00:43:23.457000Z",
    "darktrace": {
        "threat_visualizer": {
            "acknowledged": false,
            "activityId": "da39a3ee",
            "aiaScore": 85.47036382887099,
            "attackPhases": [
                2,
                4
            ],
            "breachDevices": [
                {
                    "did": 2635,
                    "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
                    "identifier": "SaaS::AzureActiveDirectory: test@test.fr",
                    "ip": null,
                    "mac": null,
                    "sid": -9,
                    "subnet": null
                }
            ],
            "category": "suspicious",
            "children": [
                "dc5f69a5-ee78-4702-a999-ed64a9e873dc"
            ],
            "currentGroup": "g7bd28910-7d7d-4971-9a20-48f12b8518e1",
            "externalTriggered": false,
            "groupCategory": "suspicious",
            "groupScore": 32.34820100820068,
            "groupingIds": [
                "6ae71ab6"
            ],
            "mitreTactics": [
                "credential-access"
            ],
            "periods": [
                {
                    "end": 1708648697000,
                    "start": 1708040149000
                }
            ],
            "relatedBreaches": [
                {
                    "modelName": "SaaS / Access / Password Spray",
                    "pbid": 7130,
                    "threatScore": 47,
                    "timestamp": 1708648698000
                }
            ],
            "userTriggered": false
        }
    },
    "device": {
        "id": "2635"
    },
    "host": {
        "id": "2635"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "user": {
        "email": "test@test.fr"
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":26316,\"time\":1687967502000,\"creationTime\":1687967508000,\"model\":{\"then\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false},\"now\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Excludedcommonuseragents\",\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687967501000,\"cbid\":26393,\"cid\":19046,\"chid\":30682,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"104.18.103.100/32\",\"port\":80,\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"ExternalConnections\"},\"triggeredFilters\":[{\"cfid\":232424,\"id\":\"C\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232426,\"id\":\"F\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":232428,\"id\":\"H\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{\"value\":\"application/x-gzip\"},\"comparatorType\":\"matches\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232430,\"id\":\"J\",\"filterType\":\"RareexternalIP\",\"arguments\":{\"value\":98},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232431,\"id\":\"K\",\"filterType\":\"Raredomain\",\"arguments\":{\"value\":95},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232432,\"id\":\"L\",\"filterType\":\"Trustedhostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":232433,\"id\":\"M\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232434,\"id\":\"N\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232435,\"id\":\"O\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232436,\"id\":\"P\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"17\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232437,\"id\":\"Q\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":15},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"15\",\"tag\":{\"tid\":15,\"expiry\":0,\"thid\":15,\"name\":\"ConflictingUser-Agents\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":284,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":232438,\"id\":\"R\",\"filterType\":\"DestinationIP\",\"arguments\":{\"value\":\"0.0.0.0\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232439,\"id\":\"S\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\\\.(carbonblack\\\\.io|nutanix\\\\.com|pandasoftware\\\\.com|ivanti\\\\.com|mit\\\\.edu|mastercam\\\\.com|rit\\\\.edu|knime\\\\.com|logicnow\\\\.us|oppomobile\\\\.com|trendmicro\\\\.com|panorama9\\\\.com|jiransecurity\\\\.com|refinitiv\\\\.com|jiran\\\\.com|loxtop\\\\.com|snoopwall\\\\.com|tumbleweed\\\\.com|sangfor\\\\.net|alyac\\\\.com|spamassassin\\\\.org|verein-clean\\\\.net|itsupport247\\\\.net|lsfilter\\\\.com|iboss\\\\.com|eeye\\\\.com|windowsupdate\\\\.com|fireeye\\\\.com)|definitionsbd\\\\.adaware\\\\.com|nasepm\\\\.aramark\\\\.com|(bdefs|hw|ec)\\\\.threattrack\\\\.com|upd\\\\.zonelabs\\\\.com|www\\\\.solutionsam\\\\.com|licensingservice\\\\.altarix\\\\.com|autoupdate\\\\.bradyid\\\\.com|iblocklist\\\\.com|clientservices\\\\.googleapis\\\\.com|mirror\\\\.centos\\\\..*\\\\.serverforge\\\\.org|sync\\\\.bigfix\\\\.com|catalog\\\\.kace\\\\.com)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232440,\"id\":\"T\",\"filterType\":\"Useragent\",\"arguments\":{\"value\":\"/((libdnf|sa-update|Valve\\\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232441,\"id\":\"U\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(antivirus|rpm(s)?|sa-update|centos|fedora).*\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232442,\"id\":\"V\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"/.*\\\\/centos\\\\/.*\\\\.xml\\\\.gz/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232443,\"id\":\"W\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"dl.delivery.mp.microsoft.com\"},\"comparatorType\":\"doesnotcontain\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232444,\"id\":\"Y\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{\"value\":400},\"comparatorType\":\"<\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232445,\"id\":\"Z\",\"filterType\":\"Individualsizedown\",\"arguments\":{\"value\":10000},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232446,\"id\":\"d1\",\"filterType\":\"Individualsizedown\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232447,\"id\":\"d10\",\"filterType\":\"Individualsizeup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"679\"}},{\"cfid\":232448,\"id\":\"d11\",\"filterType\":\"HTTPreferrer\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232449,\"id\":\"d12\",\"filterType\":\"HTTPmethod\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232450,\"id\":\"d13\",\"filterType\":\"Dataratio\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":232451,\"id\":\"d14\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"43965774\"}},{\"cfid\":232452,\"id\":\"d2\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232453,\"id\":\"d3\",\"filterType\":\"Useragent\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232454,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS13335CLOUDFLARENET\"}},{\"cfid\":232455,\"id\":\"d5\",\"filterType\":\"URI\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232456,\"id\":\"d6\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232457,\"id\":\"d7\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232458,\"id\":\"d8\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232459,\"id\":\"d9\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}}]}],\"score\":0.245,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-06-28T11:53:50Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-28T15:51:42Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "6",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "application/x-gzip",
                        "type": "HTTPcontenttype"
                    },
                    {
                        "trigger_value": "100",
                        "type": "RareexternalIP"
                    },
                    {
                        "trigger_value": "100",
                        "type": "Raredomain"
                    },
                    {
                        "trigger_value": "false",
                        "type": "Trustedhostname"
                    },
                    {
                        "trigger_value": "15",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "104.18.103.100",
                        "type": "DestinationIP"
                    },
                    {
                        "trigger_value": "kali.download",
                        "type": "Connectionhostname"
                    },
                    {
                        "trigger_value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz",
                        "type": "URI"
                    },
                    {
                        "trigger_value": "200",
                        "type": "HTTPresponsecode"
                    },
                    {
                        "trigger_value": "60493165",
                        "type": "Individualsizedown"
                    },
                    {
                        "trigger_value": "679",
                        "type": "Individualsizeup"
                    },
                    {
                        "trigger_value": "0",
                        "type": "Dataratio"
                    },
                    {
                        "trigger_value": "43965774",
                        "type": "Ageofdestination"
                    },
                    {
                        "trigger_value": "AS13335CLOUDFLARENET",
                        "type": "ASN"
                    }
                ]
            },
            "creationTime": 1687967508000,
            "device": {
                "firstSeen": 1644001727000,
                "ip": "192.168.1.#18408",
                "ips": [
                    {
                        "ip": "192.168.1.#18408",
                        "sid": 3,
                        "time": "2023-07-0202:00:00",
                        "timems": 1688263200000
                    }
                ],
                "lastSeen": 1688266122000,
                "sid": 3,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Informational",
                    "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
                    "message": "Excludedcommonuseragents",
                    "mitre": {
                        "tactics": [
                            "resource-development"
                        ],
                        "techniques": [
                            "T1588.001"
                        ]
                    },
                    "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                    "phid": 9945,
                    "pid": 619,
                    "priority": 1,
                    "tags": [
                        "",
                        "AP:Tooling",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000172",
                    "version": 42
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Informational",
                    "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
                    "mitre": {
                        "tactics": [
                            "resource-development"
                        ],
                        "techniques": [
                            "T1588.001"
                        ]
                    },
                    "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                    "phid": 9945,
                    "pid": 619,
                    "priority": 1,
                    "tags": [
                        "",
                        "AP:Tooling",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000172",
                    "version": 42
                }
            },
            "pbid": 26316,
            "score": 0.245,
            "time": 1687967502000
        }
    },
    "host": {
        "id": "16"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":26368,\"time\":1687987886000,\"creationTime\":1687987892000,\"model\":{\"then\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9961,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19083],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-06-28 21:31:29\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":7,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true},\"now\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9962,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19084],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":false,\"modified\":\"2023-06-28 21:32:10\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":8,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true}},\"triggeredComponents\":[{\"time\":1687987885000,\"cbid\":26445,\"cid\":19083,\"chid\":30726,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":443,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[]}],\"score\":0.871,\"device\":{\"did\":31,\"hostname\":\"my_host\",\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-06-28T21:31:29Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-28T21:31:26Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": []
            },
            "creationTime": 1687987892000,
            "device": {
                "firstSeen": 1649669953000,
                "ip": "192.168.1.2",
                "ips": [
                    {
                        "ip": "192.168.1.2",
                        "sid": 3,
                        "time": "2023-07-0313:00:00",
                        "timems": 1688389200000
                    }
                ],
                "lastSeen": 1688391406000,
                "sid": 3,
                "typelabel": "DNSServer",
                "typename": "dnsserver"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "defeats": [],
                    "edited": {
                        "userID": 2
                    },
                    "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                    "phid": 9962,
                    "pid": 2299,
                    "priority": 4,
                    "tags": [],
                    "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
                    "version": 8
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "defeats": [],
                    "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                    "phid": 9961,
                    "pid": 2299,
                    "priority": 4,
                    "tags": [],
                    "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
                    "version": 7
                }
            },
            "pbid": 26368,
            "score": 0.871,
            "time": 1687987886000
        }
    },
    "host": {
        "hostname": "my_host",
        "id": "31",
        "ip": [
            "192.168.1.2"
        ],
        "name": "my_host"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "hosts": [
            "my_host"
        ],
        "ip": [
            "192.168.1.2"
        ]
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":27103,\"time\":1688266123000,\"creationTime\":1688266130000,\"model\":{\"then\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"now\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Addeddetectionforgobusteranddirbuster\",\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1688266122000,\"cbid\":27180,\"cid\":17302,\"chid\":27905,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNSRequests\"},\"triggeredFilters\":[{\"cfid\":208828,\"id\":\"A\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"kali(\\\\..+)?\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208829,\"id\":\"B\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":208830,\"id\":\"C\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208831,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":208832,\"id\":\"E\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208835,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":58},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"58\",\"tag\":{\"tid\":58,\"expiry\":0,\"thid\":58,\"name\":\"MailServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true}}},{\"cfid\":208836,\"id\":\"I\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"backbox.com\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208837,\"id\":\"J\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208838,\"id\":\"d1\",\"filterType\":\"DNShostlookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}}]}],\"score\":0.871,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-03-14T12:53:21Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-07-02T02:48:43Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "kali.download",
                        "type": "DNShostlookup"
                    },
                    {
                        "trigger_value": "6",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "18",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "4",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "58",
                        "type": "Taggedinternalsource"
                    }
                ]
            },
            "creationTime": 1688266130000,
            "device": {
                "firstSeen": 1644001727000,
                "ip": "192.168.1.#18408",
                "ips": [
                    {
                        "ip": "192.168.1.#18408",
                        "sid": 3,
                        "time": "2023-07-0202:00:00",
                        "timems": 1688263200000
                    }
                ],
                "lastSeen": 1688266122000,
                "sid": 3,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
                    "message": "Addeddetectionforgobusteranddirbuster",
                    "mitre": {
                        "tactics": [
                            "initial-access"
                        ],
                        "techniques": [
                            "T1200"
                        ]
                    },
                    "name": "Device::AttackandReconTools",
                    "phid": 8953,
                    "pid": 76,
                    "priority": 4,
                    "tags": [
                        "",
                        "AP:InternalRecon",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000197",
                    "version": 87
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
                    "mitre": {
                        "tactics": [
                            "initial-access"
                        ],
                        "techniques": [
                            "T1200"
                        ]
                    },
                    "name": "Device::AttackandReconTools",
                    "phid": 8953,
                    "pid": 76,
                    "priority": 4,
                    "tags": [
                        "",
                        "AP:InternalRecon",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000197",
                    "version": 87
                }
            },
            "pbid": 27103,
            "score": 0.871,
            "time": 1688266123000
        }
    },
    "host": {
        "id": "16"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25808,\"time\":1687774142000,\"creationTime\":1687774148000,\"model\":{\"then\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Adjustingmodellogicforproxiedconnections\",\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687774141000,\"cbid\":25885,\"cid\":13112,\"chid\":20980,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":156173,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156175,\"id\":\"C\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":156177,\"id\":\"E\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156179,\"id\":\"G\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":53},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":156180,\"id\":\"d1\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156181,\"id\":\"d10\",\"filterType\":\"Watchedendpointdescription\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156182,\"id\":\"d2\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156183,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":156184,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156185,\"id\":\"d5\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156186,\"id\":\"d6\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com\"}},{\"cfid\":156187,\"id\":\"d7\",\"filterType\":\"Watchedendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156188,\"id\":\"d8\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156189,\"id\":\"d9\",\"filterType\":\"Watchedendpointstrength\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":156190,\"id\":\"H\",\"filterType\":\"Internaldestination\",\"arguments\":{},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156191,\"id\":\"I\",\"filterType\":\"Internaldestinationdevicetype\",\"arguments\":{\"value\":\"11\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"12\"}}]}],\"score\":0.541,\"device\":{\"did\":6,\"hostname\":\"SaaS::Slack: john.doe@company.com\",\"ip\":\"192.168.16.#54818\",\"ips\":[{\"ip\":\"192.168.16.#54818\",\"timems\":1688385600000,\"time\":\"2023-07-0312:00:00\",\"sid\":4}],\"sid\":4,\"firstSeen\":1639068361000,\"lastSeen\":1688385853000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2022-06-22T15:56:27Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T10:09:02Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "6",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "53",
                        "type": "Destinationport"
                    },
                    {
                        "trigger_value": "192.168.1.2",
                        "type": "DestinationIP"
                    },
                    {
                        "trigger_value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com",
                        "type": "Message"
                    },
                    {
                        "trigger_value": "true",
                        "type": "Watchedendpoint"
                    },
                    {
                        "trigger_value": "100",
                        "type": "Watchedendpointstrength"
                    },
                    {
                        "trigger_value": "true",
                        "type": "Internaldestination"
                    },
                    {
                        "trigger_value": "12",
                        "type": "Internaldestinationdevicetype"
                    }
                ]
            },
            "creationTime": 1687774148000,
            "device": {
                "firstSeen": 1639068361000,
                "ip": "192.168.16.#54818",
                "ips": [
                    {
                        "ip": "192.168.16.#54818",
                        "sid": 4,
                        "time": "2023-07-0312:00:00",
                        "timems": 1688385600000
                    }
                ],
                "lastSeen": 1688385853000,
                "sid": 4,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Critical",
                    "defeats": [],
                    "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
                    "message": "Adjustingmodellogicforproxiedconnections",
                    "name": "Compromise::WatchedDomain",
                    "phid": 6768,
                    "pid": 608,
                    "priority": 5,
                    "tags": [
                        "",
                        "AP:C2Comms"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000256",
                    "version": 31
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Critical",
                    "defeats": [],
                    "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
                    "name": "Compromise::WatchedDomain",
                    "phid": 6768,
                    "pid": 608,
                    "priority": 5,
                    "tags": [
                        "",
                        "AP:C2Comms"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000256",
                    "version": 31
                }
            },
            "pbid": 25808,
            "score": 0.541,
            "time": 1687774142000
        }
    },
    "host": {
        "id": "6"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "service": {
        "name": "Slack"
    },
    "user": {
        "email": "john.doe@company.com"
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25860,\"time\":1687793533000,\"creationTime\":1687793540000,\"model\":{\"then\":{\"name\":\"Device::ThreatIndicator\",\"pid\":540,\"phid\":6656,\"uuid\":\"84c92ea6-36b9-402f-9df1-3c5bfaee9176\",\"logic\":{\"data\":[{\"cid\":12878,\"weight\":1},{\"cid\":12876,\"weight\":1},{\"cid\":12877,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false,\"tagTTL\":604800},\"tags\":[\"\",\"RequiresConfiguration\"],\"interval\":1,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-15 12:01:36\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\\n\\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement\",\"version\":39,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687793532000,\"cbid\":25937,\"cid\":12876,\"chid\":20545,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"K\"}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153438,\"id\":\"F\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153440,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153441,\"id\":\"I\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"7\"}},{\"cfid\":153442,\"id\":\"J\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153443,\"id\":\"K\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":153444,\"id\":\"d1\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"38123579\"}},{\"cfid\":153445,\"id\":\"d2\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153446,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":153447,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153448,\"id\":\"d5\",\"filterType\":\"Destinationport\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":153449,\"id\":\"d6\",\"filterType\":\"Rareexternalendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153451,\"id\":\"d8\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"clients2.google.com\"}}]}],\"score\":0.612,\"device\":{\"did\":39,\"vendor\":\"\",\"ip\":\"192.168.1.3\",\"ips\":[{\"ip\":\"192.168.1.3\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1666276905000,\"lastSeen\":1688391268000,\"os\":\"Windows(10.0)\",\"typename\":\"server\",\"typelabel\":\"Server\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2022-06-15T12:01:36Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T15:32:13Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "ThreatIntel",
                        "type": "Watchedendpointsource"
                    },
                    {
                        "trigger_value": "4",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "7",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "18",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "38123579",
                        "type": "Ageofdestination"
                    },
                    {
                        "trigger_value": "192.168.1.2",
                        "type": "DestinationIP"
                    },
                    {
                        "trigger_value": "53",
                        "type": "Destinationport"
                    },
                    {
                        "trigger_value": "0",
                        "type": "Rareexternalendpoint"
                    },
                    {
                        "trigger_value": "clients2.google.com",
                        "type": "Message"
                    }
                ]
            },
            "creationTime": 1687793540000,
            "device": {
                "firstSeen": 1666276905000,
                "ip": "192.168.1.3",
                "ips": [
                    {
                        "ip": "192.168.1.3",
                        "sid": 3,
                        "time": "2023-07-0313:00:00",
                        "timems": 1688389200000
                    }
                ],
                "lastSeen": 1688391268000,
                "sid": 3,
                "typelabel": "Server",
                "typename": "server"
            },
            "model": {
                "then": {
                    "behaviour": "decreasing",
                    "category": "Critical",
                    "description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.",
                    "name": "Device::ThreatIndicator",
                    "phid": 6656,
                    "pid": 540,
                    "priority": 5,
                    "tags": [
                        "",
                        "RequiresConfiguration"
                    ],
                    "uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176",
                    "version": 39
                }
            },
            "pbid": 25860,
            "score": 0.612,
            "time": 1687793533000
        }
    },
    "host": {
        "id": "39",
        "ip": [
            "192.168.1.3"
        ],
        "os": {
            "name": "Windows(10.0)"
        }
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "ip": [
            "192.168.1.3"
        ]
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25908,\"time\":1687811707000,\"creationTime\":1687811713000,\"model\":{\"then\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":false,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687811706000,\"cbid\":25985,\"cid\":18021,\"chid\":29073,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"B\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"},\"operator\":\"OR\",\"right\":{\"left\":\"D\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"D\"}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":80,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[{\"cfid\":217209,\"id\":\"C\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":80},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"80\"}}]}],\"score\":1.0,\"device\":{\"did\":31,\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-04-17T11:34:25Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T20:35:07Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "80",
                        "type": "Destinationport"
                    }
                ]
            },
            "creationTime": 1687811713000,
            "device": {
                "firstSeen": 1649669953000,
                "ip": "192.168.1.2",
                "ips": [
                    {
                        "ip": "192.168.1.2",
                        "sid": 3,
                        "time": "2023-07-0313:00:00",
                        "timems": 1688389200000
                    }
                ],
                "lastSeen": 1688391406000,
                "sid": 3,
                "typelabel": "DNSServer",
                "typename": "dnsserver"
            },
            "model": {
                "now": {
                    "behaviour": "flat",
                    "category": "Critical",
                    "defeats": [],
                    "edited": {
                        "userID": 22
                    },
                    "name": "PenTest",
                    "phid": 9287,
                    "pid": 2721,
                    "priority": 5,
                    "tags": [],
                    "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
                    "version": 7
                },
                "then": {
                    "behaviour": "flat",
                    "category": "Critical",
                    "defeats": [],
                    "name": "PenTest",
                    "phid": 9287,
                    "pid": 2721,
                    "priority": 5,
                    "tags": [],
                    "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
                    "version": 7
                }
            },
            "pbid": 25908,
            "score": 1.0,
            "time": 1687811707000
        }
    },
    "host": {
        "id": "31",
        "ip": [
            "192.168.1.2"
        ]
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "ip": [
            "192.168.1.2"
        ]
    }
}
{
    "message": "{\"commentCount\": 0, \"pbid\": 36586, \"time\": 1700634482000, \"creationTime\": 1700634481000, \"model\": {\"name\": \"System::System\", \"pid\": 530, \"phid\": 4861, \"uuid\": \"1c3f429b-ccb9-46a2-b864-868653bc780a\", \"logic\": {\"data\": [9686], \"type\": \"componentList\", \"version\": 1}, \"throttle\": 10, \"sharedEndpoints\": false, \"actions\": {\"alert\": true, \"antigena\": {}, \"breach\": true, \"model\": true, \"setPriority\": false, \"setTag\": false, \"setType\": false}, \"tags\": [], \"interval\": 0, \"delay\": 0, \"sequenced\": true, \"active\": true, \"modified\": \"2021-11-24 18:04:19\", \"activeTimes\": {\"devices\": {}, \"tags\": {}, \"type\": \"exclusions\", \"version\": 2}, \"autoUpdatable\": true, \"autoUpdate\": true, \"autoSuppress\": true, \"description\": \"An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.\", \"behaviour\": \"decreasing\", \"defeats\": [], \"created\": {\"by\": \"System\"}, \"edited\": {\"by\": \"System\"}, \"version\": 16, \"priority\": 3, \"category\": \"Informational\", \"compliance\": false}, \"triggeredComponents\": [{\"time\": 1700634481000, \"cbid\": 36900, \"cid\": 9686, \"chid\": 15251, \"size\": 1, \"threshold\": 0, \"interval\": 3600, \"logic\": {\"data\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"B\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"C\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"D\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"E\"}, \"operator\": \"OR\", \"right\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"F\"}}}}}, \"version\": \"v0.1\"}, \"metric\": {\"mlid\": 206, \"name\": \"dtsystem\", \"label\": \"System\"}, \"triggeredFilters\": [{\"cfid\": 111299, \"id\": \"A\", \"filterType\": \"Event details\", \"arguments\": {\"value\": \"analyze credential ignore list\"}, \"comparatorType\": \"does not contain\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111300, \"id\": \"B\", \"filterType\": \"System message\", \"arguments\": {\"value\": \"Probe error\"}, \"comparatorType\": \"is\", \"trigger\": {\"value\": \"Probe error\"}}, {\"cfid\": 111305, \"id\": \"d1\", \"filterType\": \"Event details\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111306, \"id\": \"d2\", \"filterType\": \"System message\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe error\"}}]}], \"score\": 0.674, \"device\": {\"did\": -1},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-11-22T06:28:02Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago",
                        "type": "Event details"
                    },
                    {
                        "trigger_value": "Probe error",
                        "type": "System message"
                    }
                ]
            },
            "creationTime": 1700634481000,
            "model": {
                "then": {
                    "behaviour": "decreasing",
                    "category": "Informational",
                    "description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\n\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.",
                    "name": "System::System",
                    "phid": 4861,
                    "pid": 530,
                    "priority": 3,
                    "uuid": "1c3f429b-ccb9-46a2-b864-868653bc780a",
                    "version": 16
                }
            },
            "pbid": 36586,
            "score": 0.674,
            "time": 1700634482000
        }
    },
    "host": {
        "id": "-1"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    }
}
{
    "message": "{\"url\":\"https://darktrace-dt/#actions/000/111\",\"iris-event-type\":\"antigena_state_change\",\"codeuuid\":\"\",\"codeid\":537,\"action_family\":\"NETWORK\",\"action\":\"CREATE_NEEDSCONFIRMATION\",\"username\":\"JDOE\",\"reason\":\"\",\"start\":1702896511,\"end\":1702903711,\"did\":901,\"pbid\":0,\"action_creator\":\"\",\"model\":\"test_model_network\",\"inhibitor\":\"Enforce pattern of life\",\"device\":{\"did\":901,\"macaddress\":\"00:11:22:33:44:55\",\"vendor\":\"test_vendor\",\"ip\":\"1.2.3.4\",\"ips\":[{\"ip\":\"1.2.3.4\",\"timems\":1702893600000,\"time\":\"2023-12-18 10:00:00\",\"sid\":69,\"vlan\":0}],\"sid\":69,\"hostname\":\"test_hostname\",\"firstSeen\":1671027693000,\"lastSeen\":1702896182000,\"os\":\"Windows\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
    "event": {
        "action": "CREATE_NEEDSCONFIRMATION",
        "category": "network",
        "type": [
            "info"
        ]
    },
    "darktrace": {
        "threat_visualizer": {
            "device": {
                "firstSeen": 1671027693000,
                "ip": "1.2.3.4",
                "ips": [
                    {
                        "ip": "1.2.3.4",
                        "sid": 69,
                        "time": "2023-12-18 10:00:00",
                        "timems": 1702893600000,
                        "vlan": 0
                    }
                ],
                "lastSeen": 1702896182000,
                "sid": 69,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "pbid": 0
        }
    },
    "host": {
        "hostname": "test_hostname",
        "id": "901",
        "ip": [
            "1.2.3.4"
        ],
        "name": "test_hostname",
        "os": {
            "name": "Windows"
        }
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "hosts": [
            "test_hostname"
        ],
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "JDOE"
        ]
    },
    "source": {
        "user": {
            "name": "JDOE"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
darktrace.threat_visualizer.acknowledged boolean Whether the event has been acknowledged. (example value: 'FALSE')
darktrace.threat_visualizer.activityId keyword Used by pre-v5.2 legacy incident construction. An identifier for the specific activity detected by AI Analyst. If groupByActivity=true, this field should be used to group events together into an incident. (example value: 'da39a3ee')
darktrace.threat_visualizer.aiaScore number The anomalousness of the event as classified by AI Analyst - out of 100. (example value: '98')
darktrace.threat_visualizer.attackPhases array Of the six attack phases, which phases are applicable to the activity. (example value: '5')
darktrace.threat_visualizer.breachDevices array An array of devices involved in the related model breach(es).
darktrace.threat_visualizer.category keyword The behavior category associated with the incident event. Relevant for v5.2+ incident construction only. (example value: 'critical')
darktrace.threat_visualizer.children array A unique identifier that can be used to request this AI Analyst event. This array will only contain one entry as of v5.2 and above. (example value: '04a3f36e-4u8w-v9dh-x6lb-894778cf9633')
darktrace.threat_visualizer.commentCount number The number of comments made against this breach.
darktrace.threat_visualizer.components.filters array
darktrace.threat_visualizer.creationTime number The timestamp that the record of the breach was created. This is distinct from the time field.
darktrace.threat_visualizer.currentGroup keyword The UUID of the current incident this event belongs to. Used for v5.2+ incident construction. (example value: 'g04a3f36e-4u8w-v9dh-x6lb-894778cf9633')
darktrace.threat_visualizer.device.firstSeen number The first time the device was seen on the network.
darktrace.threat_visualizer.device.ip keyword The current IP associated with the device.
darktrace.threat_visualizer.device.ips array IPs associated with the device historically.
darktrace.threat_visualizer.device.ips.ip keyword A historic IP associated with the device.
darktrace.threat_visualizer.device.ips.sid number The subnet id for the subnet the IP belongs to.
darktrace.threat_visualizer.device.ips.time keyword The time the IP was last seen associated with that device in readable format.
darktrace.threat_visualizer.device.ips.timems number The time the IP was last seen associated with that device in epoch time.
darktrace.threat_visualizer.device.lastSeen number The last time the device was seen on the network.
darktrace.threat_visualizer.device.sid number The subnet id for the subnet the device is currently located in.
darktrace.threat_visualizer.device.typelabel keyword The device type in readable format.
darktrace.threat_visualizer.device.typename keyword The device type in system format.
darktrace.threat_visualizer.externalTriggered boolean Whether the event was created as a result of an externally triggered AI Analyst investigation. (example value: 'FALSE')
darktrace.threat_visualizer.groupCategory keyword The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. (example value: 'critical')
darktrace.threat_visualizer.groupScore number The current overall score of the incident this event is part of. Relevant for v5.2+ incident construction only. (example value: '72.9174234')
darktrace.threat_visualizer.groupingIds array Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false, this field should be used to group events together into an incident. (example value: '268d2b8c')
darktrace.threat_visualizer.mitreTactics array An array of MITRE ATT&CK Framework tactics that have been mapped to this event. (example value: 'lateral-movement')
darktrace.threat_visualizer.model.now.behaviour keyword The score modulation function as set in the model editor.
darktrace.threat_visualizer.model.now.category keyword The behavior category associated with the model at the time of request.
darktrace.threat_visualizer.model.now.defeats array An array of model defeats - AND conditions - which if met, prevent the model from breaching.
darktrace.threat_visualizer.model.now.defeats.arguments.value keyword
darktrace.threat_visualizer.model.now.defeats.comparator keyword The comparator that the value is compared against the create the defeat.
darktrace.threat_visualizer.model.now.defeats.defeatID number A unique ID for the defeat.
darktrace.threat_visualizer.model.now.defeats.filtertype keyword The filter the defeat is made from.
darktrace.threat_visualizer.model.now.description keyword The optional description of the model.
darktrace.threat_visualizer.model.now.edited.userID number Username that last edited the model.
darktrace.threat_visualizer.model.now.message keyword The commit message for the change.
darktrace.threat_visualizer.model.now.mitre.tactics array An array of MITRE ATT&CK framework tactics the model has been mapped to.
darktrace.threat_visualizer.model.now.mitre.techniques array An array of MITRE ATT&CK framework techniques the model has been mapped to.
darktrace.threat_visualizer.model.now.name keyword Name of the model that was breached.
darktrace.threat_visualizer.model.now.phid number The model policy history id. Increments when the model is modified.
darktrace.threat_visualizer.model.now.pid number The policy id of the model that was breached.
darktrace.threat_visualizer.model.now.priority number The numeric behavior category associated with the model at the time of request: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical.
darktrace.threat_visualizer.model.now.tags array AP: Bruteforce
darktrace.threat_visualizer.model.now.uuid keyword A unique ID that is generated on creation of the model.
darktrace.threat_visualizer.model.now.version number The version of the model. Increments on each edit.
darktrace.threat_visualizer.model.then.behaviour keyword The score modulation function as set in the model editor.
darktrace.threat_visualizer.model.then.category keyword The behavior category associated with the model at the time of the breach.
darktrace.threat_visualizer.model.then.defeats array An array of model defeats - AND conditions - which if met, prevent the model from breaching.
darktrace.threat_visualizer.model.then.defeats.arguments.value keyword
darktrace.threat_visualizer.model.then.defeats.comparator keyword The comparator that the value is compared against the create the defeat.
darktrace.threat_visualizer.model.then.defeats.defeatID number A unique ID for the defeat.
darktrace.threat_visualizer.model.then.defeats.filtertype keyword The filter the defeat is made from.
darktrace.threat_visualizer.model.then.description keyword The optional description of the model.
darktrace.threat_visualizer.model.then.mitre.tactics array An array of MITRE ATT&CK framework tactics the model has been mapped to.
darktrace.threat_visualizer.model.then.mitre.techniques array An array of MITRE ATT&CK framework techniques the model has been mapped to.
darktrace.threat_visualizer.model.then.name keyword Name of the model that was breached.
darktrace.threat_visualizer.model.then.phid number The model policy history id. Increments when the model is modified.
darktrace.threat_visualizer.model.then.pid number The policy id of the model that was breached.
darktrace.threat_visualizer.model.then.priority number The numeric behavior category associated with the model at the time of the breach: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical.
darktrace.threat_visualizer.model.then.tags array A list of tags that have been applied to this model in the Threat Visualizer model editor.
darktrace.threat_visualizer.model.then.uuid keyword A unique ID that is generated on creation of the model.
darktrace.threat_visualizer.model.then.version number The version of the model. Increments on each edit.
darktrace.threat_visualizer.pbid number The policy breach ID of the model breach.
darktrace.threat_visualizer.periods array An array of one or more periods of time where anomalous activity occurred that AI Analyst investigated.
darktrace.threat_visualizer.relatedBreaches array An array of model breaches related to the activity investigated by AI analyst.
darktrace.threat_visualizer.score number The model breach score, represented by a value between 0 and 1.
darktrace.threat_visualizer.time number The timestamp when the record was created in epoch time.
darktrace.threat_visualizer.userTriggered boolean Whether the event was created as a result of a user-triggered AI Analyst investigation. (example value: 'FALSE')
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
host.hostname keyword Hostname of the host.
host.id keyword Unique host id.
host.ip ip Host ip addresses.
host.mac keyword Host MAC addresses.
host.name keyword Name of the host.
host.os.name keyword Operating system name, without the version.
observer.name keyword Custom name of the observer.
observer.product keyword The product name of the observer.
service.name keyword Name of the service.
source.user.name keyword Short name or login of the user.
user.email keyword User email address.
user.name keyword Short name or login of the user.

For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.