Darktrace Threat Visualizer
Overview
Darktrace monitors all people and digital assets across your entire ecosystem.
- Vendor: Darktrace
- Supported environment: Cloud and On Premise versions 6.1 or above
- Detection based on: Alert, Telemetry
- Supported application or feature: Darktrace Threat Visualizer
Specification
Prerequisites
For On Premise version: - Resource: - Self-managed syslog forwarder - Network: - Outbound traffic allowed - Permissions: - Administrator privileges on the Darktrace appliance - Root access to the Linux server with the syslog forwarder
For Cloud version, only an dministrator privileges on the Darktrace appliance is mandatory.
Transport Protocol/Method
- Direct HTTP for Cloud
- Indirect syslog for On Premise
Logs details
- Supported functionalities: See section Overview
- Supported type(s) of structure: JSON
- Supported verbosity level: Informational, Alert
Note
Log levels are based on the taxonomy of RFC5424. Adapt according to the terminology used by the editor.
Step-by-Step Configuration Procedure
This setup guide describes how to forward logs from Darktrace Threat visualizer to Sekoia.io.
Instruction on Sekoia
Configure Your Intake
This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.
- Go to the Sekoia Intake page.
- Click on the
+ New Intake
button at the top right of the page. - Search for your Intake by the product name in the search bar.
- Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
- Click on
Create
.
Note
For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.
For Cloud verion only
Configure Your Playbook
This section will assist you in pulling remote logs from Sekoia and sending them to the intake you previously created.
- Go to the Sekoia playbook page.
- Click on the
+ New playbook
button at the top right of the page. - Select
Create a playbook from scratch
, and clickNext
. - Give it a Name and a Description, and click
Next
. - Choose a trigger from the list by searching for the name of the product, and click
Create
. - A new Playbook page will be displayed. Click on the module in the center of the page, then click on the Configure icon.
- On the right panel, click on the
Configuration
tab. - Select an existing Trigger Configuration (from the account menu) or create a new one by clicking on
+ Create new configuration
. - Configure the Trigger based on the Actions Library (for instance, see here for AWS modules), then click
Save
. - Click on
Save
at the top right of the playbook page. - Activate the playbook by clicking on the "On / Off" toggle button at the top right corner of the page.
Instructions on the 3rd party solution
For Cloud verion - Acquire your public and private key
As a prerequisite, you need a Darktrace Threat Visualizer API tenant url.
See the Darktrace documentation for intructions to acquire your public and private key.
For On Premise verion - Send logs to a syslog server
- Open the Threat Visualizer and navigate to the System Config page (Main menu › Admin).
- From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog. A window with four tabs will open, a Status tab that lists existing configurations per-Syslog server and an individual tab for each Syslog format. The Status tab may not be present if there are no existing configurations.
- If the instance is not a Unified View, proceed to Step 3.
- If the instance where configuration is being performed is a Darktrace Unified View instance, choose which Darktrace master instance will send alerts at the top of the page.
- If a a subordinate master (submaster) is selected, the master will be the instance to emit alerts but will only generate alerts originating from itself.
- If the UV instance is selected, an additional field - Master - will appear further down the page. This field is used to control the source of alerts sent by the Unified View for this configuration.
- Syslog MUST be sent in JSON format.
- Scroll past any existing configurations and click New to set up forwarding Darktrace alerts to a new server via syslog.
- Enter the IP address of the syslog server in the Server field and optionally modify the communication port.
- If the instance is not a Unified View, proceed to Step 7.
- If the instance where configuration is being performed is a Darktrace Unified View instance, and the Unified View has been selected to send alerts from, an additional field - Master - will appear. This field is used to control the source of alerts sent by the Unified View for this configuration.
- If a submaster is selected, the UV will only send alerts from that submaster for this configuration.
- If “all” is selected, alerts sourced from all submasters will be sent.
- Select the appropriate source.
- Turn on Show Advanced Options. All options and settings are covered in Optional Filters and Settings.
- Select TCP-format alerting setting
- Select which alert types should be sent via Syslog. Alerts will not be sent until the master Send Alerts toggle is turned on.
- Within the same configuration, click Add to save the changes. Observe a confirmation message.
- Scroll to the top of the entry and click Verify alert settings to send a test alert to the specified Syslog server.
- Finally, turn on Send Alerts and save changes.
Configure a forwarder
To forward events using syslog to Sekoia.io, you need to update the syslog header with the intake key you previously created. Here is an example of your message before the forwarder
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG RAW_MESSAGE
<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE
To achieve this you can:
- Use the Sekoia.io forwarder which is the official supported way to collect data using the syslog protocol in Sekoia.io. In charge of centralizing data coming from many equipments/sources and forwarding them to Sekoia.io with the apporpriated format, it is a prepackaged option. You only have to provide your intake key as parameter.
- Use your own Syslog service instance. Maybe you already have an intance of one of these components on your side and want to reuse it in order to centralize data before forwarding them to Sekoia.io. When using this mode, you have to configure and maintain your component in order to respect the expected Sekoia.io format.
Warning
Only the Sekoia.io forwarder is officially supported. Other options are documented for reference purposes but do not have official support.
Raw Events Samples
In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.
{
"summariser": "HttpAgentSummary",
"acknowledged": false,
"pinned": false,
"createdAt": 1697334832520,
"attackPhases": [
2
],
"mitreTactics": [
"command-and-control"
],
"title": "Possible HTTP Command and Control",
"id": "a400af0f-a297-478c-8fc6-c778a9558183",
"children": [
"a400af0f-a297-478c-8fc6-c778a9558183"
],
"category": "critical",
"currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
"groupCategory": "suspicious",
"groupScore": 2.449186624037094,
"groupPreviousGroups": [],
"activityId": "da39a3ee",
"groupingIds": [
"511a418e"
],
"groupByActivity": false,
"userTriggered": false,
"externalTriggered": false,
"aiaScore": 55.52733790170975,
"summary": "The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\n\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.",
"periods": [
{
"start": 1697334679535,
"end": 1697334713852
}
],
"breachDevices": [
{
"identifier": null,
"hostname": null,
"ip": "10.0.0.#36859",
"mac": null,
"subnet": null,
"did": 62,
"sid": 25
}
],
"relatedBreaches": [
{
"modelName": "Device / New User Agent",
"pbid": 34952,
"threatScore": 31.0,
"timestamp": 1697334680000
}
],
"details": [
[
{
"header": "Device Making Suspicious Connections",
"contents": [
{
"key": null,
"type": "device",
"values": [
{
"identifier": null,
"hostname": null,
"ip": "10.0.0.#36859",
"mac": null,
"subnet": null,
"did": 62,
"sid": 25
}
]
}
]
}
],
[
{
"header": "Suspicious Application",
"contents": [
{
"key": "User agent",
"type": "string",
"values": [
"python-requests/2.25.1"
]
}
]
},
{
"header": "Suspicious Endpoints Contacted by Application",
"contents": [
{
"key": "Time",
"type": "timestampRange",
"values": [
{
"start": 1697334679535,
"end": 1697334713852
}
]
},
{
"key": "Hostname",
"type": "externalHost",
"values": [
{
"hostname": "themoneyfix.org",
"ip": null
}
]
},
{
"key": "Hostname rarity",
"type": "percentage",
"values": [
100.0
]
},
{
"key": "Hostname first observed",
"type": "timestamp",
"values": [
1697334687000
]
},
{
"key": "Most recent destination IP",
"type": "externalHost",
"values": [
{
"hostname": "45.56.79.23",
"ip": "45.56.79.23"
}
]
},
{
"key": "Most recent ASN",
"type": "string",
"values": [
"AS63949 Akamai Connected Cloud"
]
},
{
"key": "Total connections",
"type": "integer",
"values": [
2
]
},
{
"key": "URI",
"type": "string",
"values": [
"/login/username=adriano.lamo&password=il0v3cH33s3"
]
},
{
"key": "Port",
"type": "integer",
"values": [
80
]
},
{
"key": "HTTP method",
"type": "string",
"values": [
"GET"
]
},
{
"key": "Status code",
"type": "string",
"values": [
"200"
]
}
]
}
]
],
"log_type": "aianalyst/incidentevents"
}
{
"summariser": "SaasHijackSummary",
"acknowledged": false,
"pinned": false,
"createdAt": 1730023348884,
"attackPhases": [
3
],
"mitreTactics": [
"privilege-escalation"
],
"title": "Possible Hijack of Zoom Account",
"id": "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
"children": [
"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b"
],
"category": "critical",
"currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
"groupCategory": "critical",
"groupScore": 21.063004966718992,
"groupPreviousGroups": [],
"activityId": "da39a3ee",
"groupingIds": [
"3d2a2fc6"
],
"groupByActivity": false,
"userTriggered": false,
"externalTriggered": false,
"aiaScore": 93.67343783378601,
"summary": "The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\n\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\n\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\n\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.",
"periods": [
{
"start": 1730023230000,
"end": 1730023230000
}
],
"sender": null,
"breachDevices": [
{
"identifier": "SaaS::Zoom: john.doe@example.com",
"hostname": "SaaS::Zoom: john.doe@example.com",
"ip": null,
"mac": null,
"subnet": null,
"did": 3820,
"sid": -9
}
],
"relatedBreaches": [
{
"modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use",
"pbid": 46769,
"threatScore": 63.0,
"timestamp": 1730023232000
}
],
"details": [
[
{
"header": "SaaS User Details",
"contents": [
{
"key": "SaaS account",
"type": "device",
"values": [
{
"identifier": "SaaS::Zoom: john.doe@example.com",
"hostname": "SaaS::Zoom: john.doe@example.com",
"ip": null,
"mac": null,
"subnet": null,
"did": 3820,
"sid": -9
}
]
},
{
"key": "Actor",
"type": "string",
"values": [
"john.doe@example.com"
]
}
]
}
],
[
{
"header": "Agent Carrying out Suspicious Activity",
"contents": [
{
"key": "Source IP",
"type": "externalHost",
"values": [
{
"hostname": "1.2.3.4",
"ip": "1.2.3.4"
}
]
},
{
"key": "ASN",
"type": "string",
"values": [
"AS2119 Telenor Norge AS"
]
},
{
"key": "City",
"type": "string",
"values": [
"Stockholm"
]
},
{
"key": "Country",
"type": "string",
"values": [
"Sweden"
]
}
]
},
{
"header": "Summary of Activity",
"contents": [
{
"key": "Time",
"type": "timestampRange",
"values": [
{
"start": 1730023230000,
"end": 1730023230000
}
]
},
{
"key": "Suspicious properties",
"type": "string",
"values": [
"Unusual time for activity",
"Unusual external source for activity"
]
}
]
},
{
"header": "Activity Details",
"contents": [
{
"key": "Event",
"type": "string",
"values": [
"Sign in"
]
},
{
"key": "Number of events",
"type": "integer",
"values": [
1
]
}
]
}
]
],
"log_type": "aianalyst/incidentevents"
}
{
"summariser": "SaasBruteforceSummary",
"acknowledged": false,
"pinned": false,
"createdAt": 1708649003457,
"attackPhases": [
2,
4
],
"mitreTactics": [
"credential-access"
],
"title": "Possible Distributed Bruteforce of AzureActiveDirectory Account",
"id": "dc5f69a5-ee78-4702-a999-ed64a9e873dc",
"incidentEventUrl": "https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc",
"children": [
"dc5f69a5-ee78-4702-a999-ed64a9e873dc"
],
"category": "suspicious",
"currentGroup": "g7bd28910-7d7d-4971-9a20-48f12b8518e1",
"groupCategory": "suspicious",
"groupScore": 32.34820100820068,
"groupPreviousGroups": [],
"activityId": "da39a3ee",
"groupingIds": [
"6ae71ab6"
],
"groupByActivity": false,
"userTriggered": false,
"externalTriggered": false,
"aiaScore": 85.47036382887099,
"summary": "Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\n\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\n\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\n\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.",
"periods": [
{
"start": 1708040149000,
"end": 1708648697000
}
],
"sender": null,
"breachDevices": [
{
"identifier": "SaaS::AzureActiveDirectory: test@test.fr",
"hostname": "SaaS::AzureActiveDirectory: test@test.fr",
"ip": null,
"mac": null,
"subnet": null,
"did": 2635,
"sid": -9
}
],
"relatedBreaches": [
{
"modelName": "SaaS / Access / Password Spray",
"pbid": 7130,
"threatScore": 47,
"timestamp": 1708648698000
}
],
"details": [
[
{
"header": "SaaS User Details",
"contents": [
{
"key": "SaaS account",
"type": "device",
"values": [
{
"identifier": "SaaS::AzureActiveDirectory: test@test.fr",
"hostname": "SaaS::AzureActiveDirectory: test@test.fr",
"ip": null,
"mac": null,
"subnet": null,
"did": 2635,
"sid": -9
}
]
},
{
"key": "Actor",
"type": "string",
"values": [
"test@test.fr"
]
}
]
}
],
[
{
"header": "Summary of Related Access Attempts",
"contents": [
{
"key": "Attempts grouped by",
"type": "string",
"values": [
"same targeted account"
]
},
{
"key": "Number of source ASNs",
"type": "integer",
"values": [
241
]
},
{
"key": "Suspicious properties",
"type": "string",
"values": [
"Unusual time for activity",
"Unusual external source for activity",
"Large number of login failures"
]
}
]
},
{
"header": "Details of Access Attempts",
"contents": [
{
"key": "Time",
"type": "timestampRange",
"values": [
{
"start": 1708040149000,
"end": 1708648697000
}
]
},
{
"key": "Targeted account",
"type": "string",
"values": [
"test@test.fr"
]
},
{
"key": "Total number of login failures",
"type": "integer",
"values": [
1136
]
},
{
"key": "Reasons for login failures",
"type": "string",
"values": [
"Sign-in was blocked because it came from an IP address with malicious activity",
"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.",
"Error validating credentials due to invalid username or password."
]
}
]
},
{
"header": "Sources of Access Attempts",
"contents": [
{
"key": "Source ASNs include",
"type": "string",
"values": [
"AS4134 Chinanet",
"AS4837 CHINA UNICOM China169 Backbone",
"AS4766 Korea Telecom",
"AS9808 China Mobile Communications Group Co., Ltd.",
"AS24560 Bharti Airtel Ltd., Telemedia Services"
]
},
{
"key": "Source IPs include",
"type": "externalHost",
"values": [
{
"hostname": "122.4.70.38",
"ip": "122.4.70.38"
},
{
"hostname": "41.207.248.204",
"ip": "41.207.248.204"
},
{
"hostname": "124.89.116.178",
"ip": "124.89.116.178"
},
{
"hostname": "121.184.235.17",
"ip": "121.184.235.17"
},
{
"hostname": "61.153.208.38",
"ip": "61.153.208.38"
}
]
},
{
"key": "Countries include",
"type": "string",
"values": [
"China",
"South Korea",
"India",
"United States",
"Brazil"
]
},
{
"key": "User agent",
"type": "string",
"values": [
"Office 365 Exchange Online"
]
}
]
}
]
]
}
{
"commentCount": 0,
"pbid": 26316,
"time": 1687967502000,
"creationTime": 1687967508000,
"model": {
"then": {
"name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
"pid": 619,
"phid": 9945,
"uuid": "80010119-6d7f-0000-0305-5e0000000172",
"logic": {
"data": [
19046
],
"type": "componentList",
"version": 1
},
"throttle": 3600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"AP:Tooling",
"OTEngineer"
],
"interval": 0,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2023-06-28 11:53:50",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"version": 42,
"mitre": {
"tactics": [
"resource-development"
],
"techniques": [
"T1588.001"
]
},
"priority": 1,
"category": "Informational",
"compliance": false
},
"now": {
"name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
"pid": 619,
"phid": 9945,
"uuid": "80010119-6d7f-0000-0305-5e0000000172",
"logic": {
"data": [
19046
],
"type": "componentList",
"version": 1
},
"throttle": 3600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"AP:Tooling",
"OTEngineer"
],
"interval": 0,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2023-06-28 11:53:50",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"message": "Excludedcommonuseragents",
"version": 42,
"mitre": {
"tactics": [
"resource-development"
],
"techniques": [
"T1588.001"
]
},
"priority": 1,
"category": "Informational",
"compliance": false
}
},
"triggeredComponents": [
{
"time": 1687967501000,
"cbid": 26393,
"cid": 19046,
"chid": 30682,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "I",
"operator": "AND",
"right": {
"left": "J",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "R",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "C",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "I",
"operator": "AND",
"right": {
"left": "J",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "R",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "C",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "G",
"operator": "AND",
"right": {
"left": "I",
"operator": "AND",
"right": {
"left": "J",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "R",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "C",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "H",
"operator": "AND",
"right": {
"left": "I",
"operator": "AND",
"right": {
"left": "J",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "R",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "K",
"operator": "AND",
"right": {
"left": "L",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "S",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "U",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "C",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "K",
"operator": "AND",
"right": {
"left": "L",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "S",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "U",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "C",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "G",
"operator": "AND",
"right": {
"left": "K",
"operator": "AND",
"right": {
"left": "L",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "S",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "U",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "H",
"operator": "AND",
"right": {
"left": "K",
"operator": "AND",
"right": {
"left": "L",
"operator": "AND",
"right": {
"left": "M",
"operator": "AND",
"right": {
"left": "N",
"operator": "AND",
"right": {
"left": "O",
"operator": "AND",
"right": {
"left": "P",
"operator": "AND",
"right": {
"left": "Q",
"operator": "AND",
"right": {
"left": "S",
"operator": "AND",
"right": {
"left": "T",
"operator": "AND",
"right": {
"left": "U",
"operator": "AND",
"right": {
"left": "V",
"operator": "AND",
"right": {
"left": "W",
"operator": "AND",
"right": {
"left": "Y",
"operator": "AND",
"right": "Z"
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
}
},
"version": "v0.1"
},
"ip": "104.18.103.100/32",
"port": 80,
"metric": {
"mlid": 1,
"name": "externalconnections",
"label": "ExternalConnections"
},
"triggeredFilters": [
{
"cfid": 232424,
"id": "C",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "3"
},
"comparatorType": "isnot",
"trigger": {
"value": "6"
}
},
{
"cfid": 232426,
"id": "F",
"filterType": "Direction",
"arguments": {
"value": "out"
},
"comparatorType": "is",
"trigger": {
"value": "out"
}
},
{
"cfid": 232428,
"id": "H",
"filterType": "HTTPcontenttype",
"arguments": {
"value": "application/x-gzip"
},
"comparatorType": "matches",
"trigger": {
"value": "application/x-gzip"
}
},
{
"cfid": 232430,
"id": "J",
"filterType": "RareexternalIP",
"arguments": {
"value": 98
},
"comparatorType": ">=",
"trigger": {
"value": "100"
}
},
{
"cfid": 232431,
"id": "K",
"filterType": "Raredomain",
"arguments": {
"value": 95
},
"comparatorType": ">=",
"trigger": {
"value": "100"
}
},
{
"cfid": 232432,
"id": "L",
"filterType": "Trustedhostname",
"arguments": {
"value": "false"
},
"comparatorType": "is",
"trigger": {
"value": "false"
}
},
{
"cfid": 232433,
"id": "M",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "9"
},
"comparatorType": "isnot",
"trigger": {
"value": "6"
}
},
{
"cfid": 232434,
"id": "N",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "4"
},
"comparatorType": "isnot",
"trigger": {
"value": "6"
}
},
{
"cfid": 232435,
"id": "O",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "13"
},
"comparatorType": "isnot",
"trigger": {
"value": "6"
}
},
{
"cfid": 232436,
"id": "P",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "17"
},
"comparatorType": "isnot",
"trigger": {
"value": "6"
}
},
{
"cfid": 232437,
"id": "Q",
"filterType": "Taggedinternalsource",
"arguments": {
"value": 15
},
"comparatorType": "doesnothavetag",
"trigger": {
"value": "15",
"tag": {
"tid": 15,
"expiry": 0,
"thid": 15,
"name": "ConflictingUser-Agents",
"restricted": false,
"data": {
"auto": false,
"color": 284,
"description": "",
"visibility": "Public"
},
"isReferenced": true
}
}
},
{
"cfid": 232438,
"id": "R",
"filterType": "DestinationIP",
"arguments": {
"value": "0.0.0.0"
},
"comparatorType": "doesnotmatch",
"trigger": {
"value": "104.18.103.100"
}
},
{
"cfid": 232439,
"id": "S",
"filterType": "Connectionhostname",
"arguments": {
"value": "(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\.(carbonblack\\.io|nutanix\\.com|pandasoftware\\.com|ivanti\\.com|mit\\.edu|mastercam\\.com|rit\\.edu|knime\\.com|logicnow\\.us|oppomobile\\.com|trendmicro\\.com|panorama9\\.com|jiransecurity\\.com|refinitiv\\.com|jiran\\.com|loxtop\\.com|snoopwall\\.com|tumbleweed\\.com|sangfor\\.net|alyac\\.com|spamassassin\\.org|verein-clean\\.net|itsupport247\\.net|lsfilter\\.com|iboss\\.com|eeye\\.com|windowsupdate\\.com|fireeye\\.com)|definitionsbd\\.adaware\\.com|nasepm\\.aramark\\.com|(bdefs|hw|ec)\\.threattrack\\.com|upd\\.zonelabs\\.com|www\\.solutionsam\\.com|licensingservice\\.altarix\\.com|autoupdate\\.bradyid\\.com|iblocklist\\.com|clientservices\\.googleapis\\.com|mirror\\.centos\\..*\\.serverforge\\.org|sync\\.bigfix\\.com|catalog\\.kace\\.com)"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": "kali.download"
}
},
{
"cfid": 232440,
"id": "T",
"filterType": "Useragent",
"arguments": {
"value": "/((libdnf|sa-update|Valve\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": ""
}
},
{
"cfid": 232441,
"id": "U",
"filterType": "Connectionhostname",
"arguments": {
"value": "(antivirus|rpm(s)?|sa-update|centos|fedora).*"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": "kali.download"
}
},
{
"cfid": 232442,
"id": "V",
"filterType": "URI",
"arguments": {
"value": "/.*\\/centos\\/.*\\.xml\\.gz/i"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
}
},
{
"cfid": 232443,
"id": "W",
"filterType": "URI",
"arguments": {
"value": "dl.delivery.mp.microsoft.com"
},
"comparatorType": "doesnotcontain",
"trigger": {
"value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
}
},
{
"cfid": 232444,
"id": "Y",
"filterType": "HTTPresponsecode",
"arguments": {
"value": 400
},
"comparatorType": "<",
"trigger": {
"value": "200"
}
},
{
"cfid": 232445,
"id": "Z",
"filterType": "Individualsizedown",
"arguments": {
"value": 10000
},
"comparatorType": ">=",
"trigger": {
"value": "60493165"
}
},
{
"cfid": 232446,
"id": "d1",
"filterType": "Individualsizedown",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "60493165"
}
},
{
"cfid": 232447,
"id": "d10",
"filterType": "Individualsizeup",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "679"
}
},
{
"cfid": 232448,
"id": "d11",
"filterType": "HTTPreferrer",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 232449,
"id": "d12",
"filterType": "HTTPmethod",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 232450,
"id": "d13",
"filterType": "Dataratio",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "0"
}
},
{
"cfid": 232451,
"id": "d14",
"filterType": "Ageofdestination",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "43965774"
}
},
{
"cfid": 232452,
"id": "d2",
"filterType": "HTTPresponsecode",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "200"
}
},
{
"cfid": 232453,
"id": "d3",
"filterType": "Useragent",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 232454,
"id": "d4",
"filterType": "ASN",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "AS13335CLOUDFLARENET"
}
},
{
"cfid": 232455,
"id": "d5",
"filterType": "URI",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
}
},
{
"cfid": 232456,
"id": "d6",
"filterType": "DestinationIP",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "104.18.103.100"
}
},
{
"cfid": 232457,
"id": "d7",
"filterType": "Connectionhostname",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "kali.download"
}
},
{
"cfid": 232458,
"id": "d8",
"filterType": "HTTPcontenttype",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "application/x-gzip"
}
},
{
"cfid": 232459,
"id": "d9",
"filterType": "Internalsourcedevicetype",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "6"
}
}
]
}
],
"score": 0.245,
"device": {
"did": 16,
"ip": "192.168.1.#18408",
"ips": [
{
"ip": "192.168.1.#18408",
"timems": 1688263200000,
"time": "2023-07-0202:00:00",
"sid": 3
}
],
"sid": 3,
"firstSeen": 1644001727000,
"lastSeen": 1688266122000,
"typename": "desktop",
"typelabel": "Desktop"
},
"log_type": "modelbreaches"
}
{
"commentCount": 0,
"pbid": 26368,
"time": 1687987886000,
"creationTime": 1687987892000,
"model": {
"then": {
"name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
"pid": 2299,
"phid": 9961,
"uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
"logic": {
"data": [
19083
],
"type": "componentList",
"version": 1
},
"throttle": 3600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {
"action": "quarantine",
"confirm": true,
"connector_actions": {},
"duration": 1000,
"ignoreSchedule": true,
"threshold": "50"
},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [],
"interval": 3600,
"delay": 0,
"sequenced": true,
"active": true,
"modified": "2023-06-28 21:31:29",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": false,
"autoSuppress": false,
"description": "",
"behaviour": "decreasing",
"defeats": [],
"created": {
"by": "darktrace",
"userID": 2
},
"edited": {
"by": "darktrace",
"userID": 2
},
"version": 7,
"priority": 4,
"category": "Suspicious",
"compliance": true
},
"now": {
"name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
"pid": 2299,
"phid": 9962,
"uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
"logic": {
"data": [
19084
],
"type": "componentList",
"version": 1
},
"throttle": 3600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {
"action": "quarantine",
"confirm": true,
"connector_actions": {},
"duration": 1000,
"ignoreSchedule": true,
"threshold": "50"
},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [],
"interval": 3600,
"delay": 0,
"sequenced": true,
"active": false,
"modified": "2023-06-28 21:32:10",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": false,
"autoSuppress": false,
"description": "",
"behaviour": "decreasing",
"defeats": [],
"created": {
"by": "darktrace",
"userID": 2
},
"edited": {
"by": "darktrace",
"userID": 2
},
"version": 8,
"priority": 4,
"category": "Suspicious",
"compliance": true
}
},
"triggeredComponents": [
{
"time": 1687987885000,
"cbid": 26445,
"cid": 19083,
"chid": 30726,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {},
"version": "v0.1"
},
"ip": "192.168.16.100/32",
"port": 443,
"metric": {
"mlid": 16,
"name": "connections",
"label": "Connections"
},
"triggeredFilters": []
}
],
"score": 0.871,
"device": {
"did": 31,
"hostname": "my_host",
"vendor": "",
"ip": "192.168.1.2",
"ips": [
{
"ip": "192.168.1.2",
"timems": 1688389200000,
"time": "2023-07-0313:00:00",
"sid": 3
}
],
"sid": 3,
"firstSeen": 1649669953000,
"lastSeen": 1688391406000,
"typename": "dnsserver",
"typelabel": "DNSServer"
},
"log_type": "modelbreaches"
}
{
"commentCount": 0,
"pbid": 27103,
"time": 1688266123000,
"creationTime": 1688266130000,
"model": {
"then": {
"name": "Device::AttackandReconTools",
"pid": 76,
"phid": 8953,
"uuid": "80010119-6d7f-0000-0305-5e0000000197",
"logic": {
"data": [
{
"cid": 17299,
"weight": 1
},
{
"cid": 17302,
"weight": 1
},
{
"cid": 17298,
"weight": 1
},
{
"cid": 17300,
"weight": 1
},
{
"cid": 17301,
"weight": 1
},
{
"cid": 17303,
"weight": 1
},
{
"cid": 17304,
"weight": 1
}
],
"targetScore": 1,
"type": "weightedComponentList",
"version": 1
},
"throttle": 604800,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"AP:InternalRecon",
"OTEngineer"
],
"interval": 3600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2023-03-14 12:53:21",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"version": 87,
"mitre": {
"tactics": [
"initial-access"
],
"techniques": [
"T1200"
]
},
"priority": 4,
"category": "Suspicious",
"compliance": false
},
"now": {
"name": "Device::AttackandReconTools",
"pid": 76,
"phid": 8953,
"uuid": "80010119-6d7f-0000-0305-5e0000000197",
"logic": {
"data": [
{
"cid": 17299,
"weight": 1
},
{
"cid": 17302,
"weight": 1
},
{
"cid": 17298,
"weight": 1
},
{
"cid": 17300,
"weight": 1
},
{
"cid": 17301,
"weight": 1
},
{
"cid": 17303,
"weight": 1
},
{
"cid": 17304,
"weight": 1
}
],
"targetScore": 1,
"type": "weightedComponentList",
"version": 1
},
"throttle": 604800,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"AP:InternalRecon",
"OTEngineer"
],
"interval": 3600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2023-03-14 12:53:21",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"message": "Addeddetectionforgobusteranddirbuster",
"version": 87,
"mitre": {
"tactics": [
"initial-access"
],
"techniques": [
"T1200"
]
},
"priority": 4,
"category": "Suspicious",
"compliance": false
}
},
"triggeredComponents": [
{
"time": 1688266122000,
"cbid": 27180,
"cid": 17302,
"chid": 27905,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": {
"left": "H",
"operator": "AND",
"right": "J"
}
}
}
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": "H"
}
}
}
}
},
"operator": "OR",
"right": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": {
"left": "G",
"operator": "AND",
"right": {
"left": "H",
"operator": "AND",
"right": "I"
}
}
}
}
}
}
}
},
"version": "v0.1"
},
"ip": "192.168.1.2/32",
"port": 53,
"metric": {
"mlid": 11,
"name": "dnsrequests",
"label": "DNSRequests"
},
"triggeredFilters": [
{
"cfid": 208828,
"id": "A",
"filterType": "DNShostlookup",
"arguments": {
"value": "kali(\\..+)?"
},
"comparatorType": "matchesregularexpression",
"trigger": {
"value": "kali.download"
}
},
{
"cfid": 208829,
"id": "B",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "12"
},
"comparatorType": "isnot",
"trigger": {
"value": "6"
}
},
{
"cfid": 208830,
"id": "C",
"filterType": "Taggedinternalsource",
"arguments": {
"value": 18
},
"comparatorType": "doesnothavetag",
"trigger": {
"value": "18",
"tag": {
"tid": 18,
"expiry": 0,
"thid": 18,
"name": "DNSServer",
"restricted": false,
"data": {
"auto": false,
"color": 112,
"description": "DevicesreceivingandmakingDNSqueries",
"visibility": "Public"
},
"isReferenced": true
}
}
},
{
"cfid": 208831,
"id": "D",
"filterType": "Direction",
"arguments": {
"value": "out"
},
"comparatorType": "is",
"trigger": {
"value": "out"
}
},
{
"cfid": 208832,
"id": "E",
"filterType": "Taggedinternalsource",
"arguments": {
"value": 4
},
"comparatorType": "doesnothavetag",
"trigger": {
"value": "4",
"tag": {
"tid": 4,
"expiry": 0,
"thid": 4,
"name": "SecurityDevice",
"restricted": false,
"data": {
"auto": false,
"color": 55,
"description": "",
"visibility": "Public"
},
"isReferenced": true
}
}
},
{
"cfid": 208835,
"id": "H",
"filterType": "Taggedinternalsource",
"arguments": {
"value": 58
},
"comparatorType": "doesnothavetag",
"trigger": {
"value": "58",
"tag": {
"tid": 58,
"expiry": 0,
"thid": 58,
"name": "MailServer",
"restricted": false,
"data": {
"auto": false,
"color": 200,
"description": ""
},
"isReferenced": true
}
}
},
{
"cfid": 208836,
"id": "I",
"filterType": "DNShostlookup",
"arguments": {
"value": "backbox.com"
},
"comparatorType": "doesnotmatch",
"trigger": {
"value": "kali.download"
}
},
{
"cfid": 208837,
"id": "J",
"filterType": "DNShostlookup",
"arguments": {
"value": "^kali\\.(by|hu|hr|cheng-tsui\\.com|tradair\\.com)$"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": "kali.download"
}
},
{
"cfid": 208838,
"id": "d1",
"filterType": "DNShostlookup",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "kali.download"
}
}
]
}
],
"score": 0.871,
"device": {
"did": 16,
"ip": "192.168.1.#18408",
"ips": [
{
"ip": "192.168.1.#18408",
"timems": 1688263200000,
"time": "2023-07-0202:00:00",
"sid": 3
}
],
"sid": 3,
"firstSeen": 1644001727000,
"lastSeen": 1688266122000,
"typename": "desktop",
"typelabel": "Desktop"
},
"log_type": "modelbreaches"
}
{
"commentCount": 0,
"pbid": 25808,
"time": 1687774142000,
"creationTime": 1687774148000,
"model": {
"then": {
"name": "Compromise::WatchedDomain",
"pid": 608,
"phid": 6768,
"uuid": "80010119-6d7f-0000-0305-5e0000000256",
"logic": {
"data": [
{
"cid": 13112,
"weight": 1
},
{
"cid": 13114,
"weight": 1
},
{
"cid": 13115,
"weight": 1
},
{
"cid": 13113,
"weight": 1
}
],
"targetScore": 1,
"type": "weightedComponentList",
"version": 1
},
"throttle": 3600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"AP:C2Comms"
],
"interval": 3600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2022-06-22 15:56:27",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
"behaviour": "decreasing",
"defeats": [],
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"version": 31,
"priority": 5,
"category": "Critical",
"compliance": false
},
"now": {
"name": "Compromise::WatchedDomain",
"pid": 608,
"phid": 6768,
"uuid": "80010119-6d7f-0000-0305-5e0000000256",
"logic": {
"data": [
{
"cid": 13112,
"weight": 1
},
{
"cid": 13114,
"weight": 1
},
{
"cid": 13115,
"weight": 1
},
{
"cid": 13113,
"weight": 1
}
],
"targetScore": 1,
"type": "weightedComponentList",
"version": 1
},
"throttle": 3600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [
"",
"AP:C2Comms"
],
"interval": 3600,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2022-06-22 15:56:27",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
"behaviour": "decreasing",
"defeats": [],
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"message": "Adjustingmodellogicforproxiedconnections",
"version": 31,
"priority": 5,
"category": "Critical",
"compliance": false
}
},
"triggeredComponents": [
{
"time": 1687774141000,
"cbid": 25885,
"cid": 13112,
"chid": 20980,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": "F"
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": "F"
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": "G"
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "E",
"operator": "AND",
"right": "G"
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": {
"left": "H",
"operator": "AND",
"right": "I"
}
}
}
},
"operator": "OR",
"right": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": {
"left": "D",
"operator": "AND",
"right": {
"left": "H",
"operator": "AND",
"right": "I"
}
}
}
}
}
}
}
}
},
"version": "v0.1"
},
"ip": "192.168.1.2/32",
"port": 53,
"metric": {
"mlid": 223,
"name": "dtwatcheddomain",
"label": "WatchedDomain"
},
"triggeredFilters": [
{
"cfid": 156173,
"id": "A",
"filterType": "Watchedendpointsource",
"arguments": {
"value": ".+"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": ""
}
},
{
"cfid": 156175,
"id": "C",
"filterType": "Direction",
"arguments": {
"value": "out"
},
"comparatorType": "is",
"trigger": {
"value": "out"
}
},
{
"cfid": 156177,
"id": "E",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "12"
},
"comparatorType": "isnot",
"trigger": {
"value": "6"
}
},
{
"cfid": 156179,
"id": "G",
"filterType": "Destinationport",
"arguments": {
"value": 53
},
"comparatorType": "=",
"trigger": {
"value": "53"
}
},
{
"cfid": 156180,
"id": "d1",
"filterType": "Internalsourcedevicetype",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "6"
}
},
{
"cfid": 156181,
"id": "d10",
"filterType": "Watchedendpointdescription",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 156182,
"id": "d2",
"filterType": "Connectionhostname",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 156183,
"id": "d3",
"filterType": "DestinationIP",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "192.168.1.2"
}
},
{
"cfid": 156184,
"id": "d4",
"filterType": "ASN",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 156185,
"id": "d5",
"filterType": "Country",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 156186,
"id": "d6",
"filterType": "Message",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com"
}
},
{
"cfid": 156187,
"id": "d7",
"filterType": "Watchedendpoint",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "true"
}
},
{
"cfid": 156188,
"id": "d8",
"filterType": "Watchedendpointsource",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 156189,
"id": "d9",
"filterType": "Watchedendpointstrength",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "100"
}
},
{
"cfid": 156190,
"id": "H",
"filterType": "Internaldestination",
"arguments": {},
"comparatorType": "is",
"trigger": {
"value": "true"
}
},
{
"cfid": 156191,
"id": "I",
"filterType": "Internaldestinationdevicetype",
"arguments": {
"value": "11"
},
"comparatorType": "isnot",
"trigger": {
"value": "12"
}
}
]
}
],
"score": 0.541,
"device": {
"did": 6,
"hostname": "SaaS::Slack: john.doe@company.com",
"ip": "192.168.16.#54818",
"ips": [
{
"ip": "192.168.16.#54818",
"timems": 1688385600000,
"time": "2023-07-0312:00:00",
"sid": 4
}
],
"sid": 4,
"firstSeen": 1639068361000,
"lastSeen": 1688385853000,
"typename": "desktop",
"typelabel": "Desktop"
},
"log_type": "modelbreaches"
}
{
"commentCount": 0,
"pbid": 25860,
"time": 1687793533000,
"creationTime": 1687793540000,
"model": {
"then": {
"name": "Device::ThreatIndicator",
"pid": 540,
"phid": 6656,
"uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176",
"logic": {
"data": [
{
"cid": 12878,
"weight": 1
},
{
"cid": 12876,
"weight": 1
},
{
"cid": 12877,
"weight": 1
}
],
"targetScore": 1,
"type": "weightedComponentList",
"version": 1
},
"throttle": 3600,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false,
"tagTTL": 604800
},
"tags": [
"",
"RequiresConfiguration"
],
"interval": 1,
"delay": 0,
"sequenced": false,
"active": true,
"modified": "2022-06-15 12:01:36",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.",
"behaviour": "decreasing",
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"message": "UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement",
"version": 39,
"priority": 5,
"category": "Critical",
"compliance": false
}
},
"triggeredComponents": [
{
"time": 1687793532000,
"cbid": 25937,
"cid": 12876,
"chid": 20545,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": "A",
"operator": "AND",
"right": {
"left": "F",
"operator": "AND",
"right": {
"left": "G",
"operator": "AND",
"right": {
"left": "H",
"operator": "AND",
"right": {
"left": "I",
"operator": "AND",
"right": {
"left": "J",
"operator": "AND",
"right": "K"
}
}
}
}
}
},
"version": "v0.1"
},
"ip": "192.168.1.2/32",
"port": 53,
"metric": {
"mlid": 223,
"name": "dtwatcheddomain",
"label": "WatchedDomain"
},
"triggeredFilters": [
{
"cfid": 153437,
"id": "A",
"filterType": "Watchedendpointsource",
"arguments": {
"value": "^(\\_?Darktrace.*|AttackSurfaceManagement)"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": "ThreatIntel"
}
},
{
"cfid": 153437,
"id": "A",
"filterType": "Watchedendpointsource",
"arguments": {
"value": "^(\\_?Darktrace.*|AttackSurfaceManagement)"
},
"comparatorType": "doesnotmatchregularexpression",
"trigger": {
"value": ""
}
},
{
"cfid": 153438,
"id": "F",
"filterType": "Watchedendpointsource",
"arguments": {
"value": ".+"
},
"comparatorType": "matchesregularexpression",
"trigger": {
"value": "ThreatIntel"
}
},
{
"cfid": 153439,
"id": "G",
"filterType": "Watchedendpointsource",
"arguments": {
"value": "Default"
},
"comparatorType": "doesnotmatch",
"trigger": {
"value": "ThreatIntel"
}
},
{
"cfid": 153439,
"id": "G",
"filterType": "Watchedendpointsource",
"arguments": {
"value": "Default"
},
"comparatorType": "doesnotmatch",
"trigger": {
"value": ""
}
},
{
"cfid": 153440,
"id": "H",
"filterType": "Taggedinternalsource",
"arguments": {
"value": 4
},
"comparatorType": "doesnothavetag",
"trigger": {
"value": "4",
"tag": {
"tid": 4,
"expiry": 0,
"thid": 4,
"name": "SecurityDevice",
"restricted": false,
"data": {
"auto": false,
"color": 55,
"description": "",
"visibility": "Public"
},
"isReferenced": true
}
}
},
{
"cfid": 153441,
"id": "I",
"filterType": "Internalsourcedevicetype",
"arguments": {
"value": "12"
},
"comparatorType": "isnot",
"trigger": {
"value": "7"
}
},
{
"cfid": 153442,
"id": "J",
"filterType": "Taggedinternalsource",
"arguments": {
"value": 18
},
"comparatorType": "doesnothavetag",
"trigger": {
"value": "18",
"tag": {
"tid": 18,
"expiry": 0,
"thid": 18,
"name": "DNSServer",
"restricted": false,
"data": {
"auto": false,
"color": 112,
"description": "DevicesreceivingandmakingDNSqueries",
"visibility": "Public"
},
"isReferenced": true
}
}
},
{
"cfid": 153443,
"id": "K",
"filterType": "Direction",
"arguments": {
"value": "out"
},
"comparatorType": "is",
"trigger": {
"value": "out"
}
},
{
"cfid": 153444,
"id": "d1",
"filterType": "Ageofdestination",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "38123579"
}
},
{
"cfid": 153445,
"id": "d2",
"filterType": "Country",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 153446,
"id": "d3",
"filterType": "DestinationIP",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "192.168.1.2"
}
},
{
"cfid": 153447,
"id": "d4",
"filterType": "ASN",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 153448,
"id": "d5",
"filterType": "Destinationport",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "53"
}
},
{
"cfid": 153449,
"id": "d6",
"filterType": "Rareexternalendpoint",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "0"
}
},
{
"cfid": 153450,
"id": "d7",
"filterType": "Watchedendpointsource",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "ThreatIntel"
}
},
{
"cfid": 153450,
"id": "d7",
"filterType": "Watchedendpointsource",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": ""
}
},
{
"cfid": 153451,
"id": "d8",
"filterType": "Message",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "clients2.google.com"
}
}
]
}
],
"score": 0.612,
"device": {
"did": 39,
"vendor": "",
"ip": "192.168.1.3",
"ips": [
{
"ip": "192.168.1.3",
"timems": 1688389200000,
"time": "2023-07-0313:00:00",
"sid": 3
}
],
"sid": 3,
"firstSeen": 1666276905000,
"lastSeen": 1688391268000,
"os": "Windows(10.0)",
"typename": "server",
"typelabel": "Server"
},
"log_type": "modelbreaches"
}
{
"commentCount": 0,
"pbid": 25908,
"time": 1687811707000,
"creationTime": 1687811713000,
"model": {
"then": {
"name": "PenTest",
"pid": 2721,
"phid": 9287,
"uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
"logic": {
"data": [
18021
],
"type": "componentList",
"version": 1
},
"throttle": 1000,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [],
"interval": 3600,
"delay": 0,
"sequenced": true,
"active": true,
"modified": "2023-04-17 11:34:25",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "",
"behaviour": "flat",
"defeats": [],
"created": {
"by": "sam.gorse",
"userID": 22
},
"edited": {
"by": "sam.gorse",
"userID": 22
},
"version": 7,
"priority": 5,
"category": "Critical",
"compliance": false
},
"now": {
"name": "PenTest",
"pid": 2721,
"phid": 9287,
"uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
"logic": {
"data": [
18021
],
"type": "componentList",
"version": 1
},
"throttle": 1000,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [],
"interval": 3600,
"delay": 0,
"sequenced": true,
"active": true,
"modified": "2023-04-17 11:34:25",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": false,
"autoUpdate": true,
"autoSuppress": true,
"description": "",
"behaviour": "flat",
"defeats": [],
"created": {
"by": "sam.gorse",
"userID": 22
},
"edited": {
"by": "sam.gorse",
"userID": 22
},
"version": 7,
"priority": 5,
"category": "Critical",
"compliance": false
}
},
"triggeredComponents": [
{
"time": 1687811706000,
"cbid": 25985,
"cid": 18021,
"chid": 29073,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": "A",
"operator": "OR",
"right": {
"left": "B",
"operator": "OR",
"right": {
"left": "C",
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": "D"
}
}
},
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": "B"
},
"operator": "OR",
"right": {
"left": {
"left": "B",
"operator": "AND",
"right": "C"
},
"operator": "OR",
"right": {
"left": "D",
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": {
"left": "B",
"operator": "AND",
"right": "C"
}
},
"operator": "OR",
"right": {
"left": {
"left": "B",
"operator": "AND",
"right": {
"left": "C",
"operator": "AND",
"right": "D"
}
},
"operator": "OR",
"right": {
"left": {
"left": "C",
"operator": "AND",
"right": "D"
},
"operator": "OR",
"right": {
"left": "A",
"operator": "AND",
"right": "D"
}
}
}
}
}
}
}
}
}
}
},
"version": "v0.1"
},
"ip": "192.168.16.100/32",
"port": 80,
"metric": {
"mlid": 16,
"name": "connections",
"label": "Connections"
},
"triggeredFilters": [
{
"cfid": 217209,
"id": "C",
"filterType": "Destinationport",
"arguments": {
"value": 80
},
"comparatorType": "=",
"trigger": {
"value": "80"
}
}
]
}
],
"score": 1.0,
"device": {
"did": 31,
"vendor": "",
"ip": "192.168.1.2",
"ips": [
{
"ip": "192.168.1.2",
"timems": 1688389200000,
"time": "2023-07-0313:00:00",
"sid": 3
}
],
"sid": 3,
"firstSeen": 1649669953000,
"lastSeen": 1688391406000,
"typename": "dnsserver",
"typelabel": "DNSServer"
},
"log_type": "modelbreaches"
}
{
"commentCount": 0,
"pbid": 36586,
"time": 1700634482000,
"creationTime": 1700634481000,
"model": {
"name": "System::System",
"pid": 530,
"phid": 4861,
"uuid": "1c3f429b-ccb9-46a2-b864-868653bc780a",
"logic": {
"data": [
9686
],
"type": "componentList",
"version": 1
},
"throttle": 10,
"sharedEndpoints": false,
"actions": {
"alert": true,
"antigena": {},
"breach": true,
"model": true,
"setPriority": false,
"setTag": false,
"setType": false
},
"tags": [],
"interval": 0,
"delay": 0,
"sequenced": true,
"active": true,
"modified": "2021-11-24 18:04:19",
"activeTimes": {
"devices": {},
"tags": {},
"type": "exclusions",
"version": 2
},
"autoUpdatable": true,
"autoUpdate": true,
"autoSuppress": true,
"description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\n\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.",
"behaviour": "decreasing",
"defeats": [],
"created": {
"by": "System"
},
"edited": {
"by": "System"
},
"version": 16,
"priority": 3,
"category": "Informational",
"compliance": false
},
"triggeredComponents": [
{
"time": 1700634481000,
"cbid": 36900,
"cid": 9686,
"chid": 15251,
"size": 1,
"threshold": 0,
"interval": 3600,
"logic": {
"data": {
"left": {
"left": "A",
"operator": "AND",
"right": "B"
},
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": "C"
},
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": "D"
},
"operator": "OR",
"right": {
"left": {
"left": "A",
"operator": "AND",
"right": "E"
},
"operator": "OR",
"right": {
"left": "A",
"operator": "AND",
"right": "F"
}
}
}
}
},
"version": "v0.1"
},
"metric": {
"mlid": 206,
"name": "dtsystem",
"label": "System"
},
"triggeredFilters": [
{
"cfid": 111299,
"id": "A",
"filterType": "Event details",
"arguments": {
"value": "analyze credential ignore list"
},
"comparatorType": "does not contain",
"trigger": {
"value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago"
}
},
{
"cfid": 111300,
"id": "B",
"filterType": "System message",
"arguments": {
"value": "Probe error"
},
"comparatorType": "is",
"trigger": {
"value": "Probe error"
}
},
{
"cfid": 111305,
"id": "d1",
"filterType": "Event details",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago"
}
},
{
"cfid": 111306,
"id": "d2",
"filterType": "System message",
"arguments": {},
"comparatorType": "display",
"trigger": {
"value": "Probe error"
}
}
]
}
],
"score": 0.674,
"device": {
"did": -1
},
"log_type": "modelbreaches"
}
{
"url": "https://darktrace-dt/#actions/000/111",
"iris-event-type": "antigena_state_change",
"codeuuid": "",
"codeid": 537,
"action_family": "NETWORK",
"action": "CREATE_NEEDSCONFIRMATION",
"username": "JDOE",
"reason": "",
"start": 1702896511,
"end": 1702903711,
"did": 901,
"pbid": 0,
"action_creator": "",
"model": "test_model_network",
"inhibitor": "Enforce pattern of life",
"device": {
"did": 901,
"macaddress": "00:11:22:33:44:55",
"vendor": "test_vendor",
"ip": "1.2.3.4",
"ips": [
{
"ip": "1.2.3.4",
"timems": 1702893600000,
"time": "2023-12-18 10:00:00",
"sid": 69,
"vlan": 0
}
],
"sid": 69,
"hostname": "test_hostname",
"firstSeen": 1671027693000,
"lastSeen": 1702896182000,
"os": "Windows",
"typename": "desktop",
"typelabel": "Desktop"
}
}
Detection section
The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.
Event Categories
The following table lists the data source offered by this integration.
Data Source | Description |
---|---|
DNS records |
Darktrace monitors DNS requests or connections from devices to watched domains or IP addresses. |
Web logs |
Darktrace monitors accesses to watched domains. |
In details, the following table denotes the type of events produced by this integration.
Name | Values |
---|---|
Kind | alert |
Category | network , threat |
Type | info |
Transformed Events Samples after Ingestion
This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
{
"message": "{\"summariser\":\"HttpAgentSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1697334832520,\"attackPhases\":[2],\"mitreTactics\":[\"command-and-control\"],\"title\":\"Possible HTTP Command and Control\",\"id\":\"a400af0f-a297-478c-8fc6-c778a9558183\",\"children\":[\"a400af0f-a297-478c-8fc6-c778a9558183\"],\"category\":\"critical\",\"currentGroup\":\"ga400af0f-a297-478c-8fc6-c778a9558183\",\"groupCategory\":\"suspicious\",\"groupScore\":2.449186624037094,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"511a418e\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":55.52733790170975,\"summary\":\"The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\\n\\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\\n\\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.\",\"periods\":[{\"start\":1697334679535,\"end\":1697334713852}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}],\"relatedBreaches\":[{\"modelName\":\"Device / New User Agent\",\"pbid\":34952,\"threatScore\":31.0,\"timestamp\":1697334680000}],\"details\":[[{\"header\":\"Device Making Suspicious Connections\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}]}]}],[{\"header\":\"Suspicious Application\",\"contents\":[{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"python-requests/2.25.1\"]}]},{\"header\":\"Suspicious Endpoints Contacted by Application\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1697334679535,\"end\":1697334713852}]},{\"key\":\"Hostname\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"themoneyfix.org\",\"ip\":null}]},{\"key\":\"Hostname rarity\",\"type\":\"percentage\",\"values\":[100.0]},{\"key\":\"Hostname first observed\",\"type\":\"timestamp\",\"values\":[1697334687000]},{\"key\":\"Most recent destination IP\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"45.56.79.23\",\"ip\":\"45.56.79.23\"}]},{\"key\":\"Most recent ASN\",\"type\":\"string\",\"values\":[\"AS63949 Akamai Connected Cloud\"]},{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[2]},{\"key\":\"URI\",\"type\":\"string\",\"values\":[\"/login/username=adriano.lamo&password=il0v3cH33s3\"]},{\"key\":\"Port\",\"type\":\"integer\",\"values\":[80]},{\"key\":\"HTTP method\",\"type\":\"string\",\"values\":[\"GET\"]},{\"key\":\"Status code\",\"type\":\"string\",\"values\":[\"200\"]}]}]],\"log_type\":\"aianalyst/incidentevents\"}",
"event": {
"category": "threat",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2023-10-15T01:53:52.520000Z",
"darktrace": {
"threat_visualizer": {
"acknowledged": false,
"activityId": "da39a3ee",
"aiaScore": 55.52733790170975,
"attackPhases": [
2
],
"breachDevices": [
{
"did": 62,
"hostname": null,
"identifier": null,
"ip": "10.0.0.#36859",
"mac": null,
"sid": 25,
"subnet": null
}
],
"category": "critical",
"children": [
"a400af0f-a297-478c-8fc6-c778a9558183"
],
"currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
"externalTriggered": false,
"groupCategory": "suspicious",
"groupScore": 2.449186624037094,
"groupingIds": [
"511a418e"
],
"mitreTactics": [
"command-and-control"
],
"periods": [
{
"end": 1697334713852,
"start": 1697334679535
}
],
"relatedBreaches": [
{
"modelName": "Device / New User Agent",
"pbid": 34952,
"threatScore": 31.0,
"timestamp": 1697334680000
}
],
"userTriggered": false
}
},
"device": {
"id": "62"
},
"host": {
"id": "62"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
}
}
{
"message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}",
"event": {
"category": "threat",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2024-10-27T10:02:28.884000Z",
"darktrace": {
"threat_visualizer": {
"acknowledged": false,
"activityId": "da39a3ee",
"aiaScore": 93.67343783378601,
"attackPhases": [
3
],
"breachDevices": [
{
"did": 3820,
"hostname": "SaaS::Zoom: john.doe@example.com",
"identifier": "SaaS::Zoom: john.doe@example.com",
"ip": null,
"mac": null,
"sid": -9,
"subnet": null
}
],
"category": "critical",
"children": [
"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b"
],
"currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
"externalTriggered": false,
"groupCategory": "critical",
"groupScore": 21.063004966718992,
"groupingIds": [
"3d2a2fc6"
],
"mitreTactics": [
"privilege-escalation"
],
"periods": [
{
"end": 1730023230000,
"start": 1730023230000
}
],
"relatedBreaches": [
{
"modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use",
"pbid": 46769,
"threatScore": 63.0,
"timestamp": 1730023232000
}
],
"userTriggered": false
}
},
"device": {
"id": "3820"
},
"host": {
"id": "3820"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"user": {
"email": "john.doe@example.com"
}
}
{
"message": "{\"summariser\":\"SaasBruteforceSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1708649003457,\"attackPhases\":[2,4],\"mitreTactics\":[\"credential-access\"],\"title\":\"Possible Distributed Bruteforce of AzureActiveDirectory Account\",\"id\":\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"incidentEventUrl\":\"https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"children\":[\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\"],\"category\":\"suspicious\",\"currentGroup\":\"g7bd28910-7d7d-4971-9a20-48f12b8518e1\",\"groupCategory\":\"suspicious\",\"groupScore\":32.34820100820068,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"6ae71ab6\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":85.47036382887099,\"summary\":\"Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\\n\\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\\n\\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\\n\\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.\",\"periods\":[{\"start\":1708040149000,\"end\":1708648697000}],\"sender\":null,\"breachDevices\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}],\"relatedBreaches\":[{\"modelName\":\"SaaS / Access / Password Spray\",\"pbid\":7130,\"threatScore\":47,\"timestamp\":1708648698000}],\"details\":[[{\"header\":\"SaaS User Details\",\"contents\":[{\"key\":\"SaaS account\",\"type\":\"device\",\"values\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}]},{\"key\":\"Actor\",\"type\":\"string\",\"values\":[\"test@test.fr\"]}]}],[{\"header\":\"Summary of Related Access Attempts\",\"contents\":[{\"key\":\"Attempts grouped by\",\"type\":\"string\",\"values\":[\"same targeted account\"]},{\"key\":\"Number of source ASNs\",\"type\":\"integer\",\"values\":[241]},{\"key\":\"Suspicious properties\",\"type\":\"string\",\"values\":[\"Unusual time for activity\",\"Unusual external source for activity\",\"Large number of login failures\"]}]},{\"header\":\"Details of Access Attempts\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1708040149000,\"end\":1708648697000}]},{\"key\":\"Targeted account\",\"type\":\"string\",\"values\":[\"test@test.fr\"]},{\"key\":\"Total number of login failures\",\"type\":\"integer\",\"values\":[1136]},{\"key\":\"Reasons for login failures\",\"type\":\"string\",\"values\":[\"Sign-in was blocked because it came from an IP address with malicious activity\",\"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.\",\"Error validating credentials due to invalid username or password.\"]}]},{\"header\":\"Sources of Access Attempts\",\"contents\":[{\"key\":\"Source ASNs include\",\"type\":\"string\",\"values\":[\"AS4134 Chinanet\",\"AS4837 CHINA UNICOM China169 Backbone\",\"AS4766 Korea Telecom\",\"AS9808 China Mobile Communications Group Co., Ltd.\",\"AS24560 Bharti Airtel Ltd., Telemedia Services\"]},{\"key\":\"Source IPs include\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"122.4.70.38\",\"ip\":\"122.4.70.38\"},{\"hostname\":\"41.207.248.204\",\"ip\":\"41.207.248.204\"},{\"hostname\":\"124.89.116.178\",\"ip\":\"124.89.116.178\"},{\"hostname\":\"121.184.235.17\",\"ip\":\"121.184.235.17\"},{\"hostname\":\"61.153.208.38\",\"ip\":\"61.153.208.38\"}]},{\"key\":\"Countries include\",\"type\":\"string\",\"values\":[\"China\",\"South Korea\",\"India\",\"United States\",\"Brazil\"]},{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"Office 365 Exchange Online\"]}]}]]}\n",
"event": {
"category": "network",
"type": [
"info"
]
},
"@timestamp": "2024-02-23T00:43:23.457000Z",
"darktrace": {
"threat_visualizer": {
"acknowledged": false,
"activityId": "da39a3ee",
"aiaScore": 85.47036382887099,
"attackPhases": [
2,
4
],
"breachDevices": [
{
"did": 2635,
"hostname": "SaaS::AzureActiveDirectory: test@test.fr",
"identifier": "SaaS::AzureActiveDirectory: test@test.fr",
"ip": null,
"mac": null,
"sid": -9,
"subnet": null
}
],
"category": "suspicious",
"children": [
"dc5f69a5-ee78-4702-a999-ed64a9e873dc"
],
"currentGroup": "g7bd28910-7d7d-4971-9a20-48f12b8518e1",
"externalTriggered": false,
"groupCategory": "suspicious",
"groupScore": 32.34820100820068,
"groupingIds": [
"6ae71ab6"
],
"mitreTactics": [
"credential-access"
],
"periods": [
{
"end": 1708648697000,
"start": 1708040149000
}
],
"relatedBreaches": [
{
"modelName": "SaaS / Access / Password Spray",
"pbid": 7130,
"threatScore": 47,
"timestamp": 1708648698000
}
],
"userTriggered": false
}
},
"device": {
"id": "2635"
},
"host": {
"id": "2635"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"user": {
"email": "test@test.fr"
}
}
{
"message": "{\"commentCount\":0,\"pbid\":26316,\"time\":1687967502000,\"creationTime\":1687967508000,\"model\":{\"then\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false},\"now\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Excludedcommonuseragents\",\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687967501000,\"cbid\":26393,\"cid\":19046,\"chid\":30682,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"104.18.103.100/32\",\"port\":80,\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"ExternalConnections\"},\"triggeredFilters\":[{\"cfid\":232424,\"id\":\"C\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232426,\"id\":\"F\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":232428,\"id\":\"H\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{\"value\":\"application/x-gzip\"},\"comparatorType\":\"matches\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232430,\"id\":\"J\",\"filterType\":\"RareexternalIP\",\"arguments\":{\"value\":98},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232431,\"id\":\"K\",\"filterType\":\"Raredomain\",\"arguments\":{\"value\":95},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232432,\"id\":\"L\",\"filterType\":\"Trustedhostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":232433,\"id\":\"M\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232434,\"id\":\"N\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232435,\"id\":\"O\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232436,\"id\":\"P\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"17\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232437,\"id\":\"Q\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":15},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"15\",\"tag\":{\"tid\":15,\"expiry\":0,\"thid\":15,\"name\":\"ConflictingUser-Agents\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":284,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":232438,\"id\":\"R\",\"filterType\":\"DestinationIP\",\"arguments\":{\"value\":\"0.0.0.0\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232439,\"id\":\"S\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\\\.(carbonblack\\\\.io|nutanix\\\\.com|pandasoftware\\\\.com|ivanti\\\\.com|mit\\\\.edu|mastercam\\\\.com|rit\\\\.edu|knime\\\\.com|logicnow\\\\.us|oppomobile\\\\.com|trendmicro\\\\.com|panorama9\\\\.com|jiransecurity\\\\.com|refinitiv\\\\.com|jiran\\\\.com|loxtop\\\\.com|snoopwall\\\\.com|tumbleweed\\\\.com|sangfor\\\\.net|alyac\\\\.com|spamassassin\\\\.org|verein-clean\\\\.net|itsupport247\\\\.net|lsfilter\\\\.com|iboss\\\\.com|eeye\\\\.com|windowsupdate\\\\.com|fireeye\\\\.com)|definitionsbd\\\\.adaware\\\\.com|nasepm\\\\.aramark\\\\.com|(bdefs|hw|ec)\\\\.threattrack\\\\.com|upd\\\\.zonelabs\\\\.com|www\\\\.solutionsam\\\\.com|licensingservice\\\\.altarix\\\\.com|autoupdate\\\\.bradyid\\\\.com|iblocklist\\\\.com|clientservices\\\\.googleapis\\\\.com|mirror\\\\.centos\\\\..*\\\\.serverforge\\\\.org|sync\\\\.bigfix\\\\.com|catalog\\\\.kace\\\\.com)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232440,\"id\":\"T\",\"filterType\":\"Useragent\",\"arguments\":{\"value\":\"/((libdnf|sa-update|Valve\\\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232441,\"id\":\"U\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(antivirus|rpm(s)?|sa-update|centos|fedora).*\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232442,\"id\":\"V\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"/.*\\\\/centos\\\\/.*\\\\.xml\\\\.gz/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232443,\"id\":\"W\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"dl.delivery.mp.microsoft.com\"},\"comparatorType\":\"doesnotcontain\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232444,\"id\":\"Y\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{\"value\":400},\"comparatorType\":\"<\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232445,\"id\":\"Z\",\"filterType\":\"Individualsizedown\",\"arguments\":{\"value\":10000},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232446,\"id\":\"d1\",\"filterType\":\"Individualsizedown\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232447,\"id\":\"d10\",\"filterType\":\"Individualsizeup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"679\"}},{\"cfid\":232448,\"id\":\"d11\",\"filterType\":\"HTTPreferrer\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232449,\"id\":\"d12\",\"filterType\":\"HTTPmethod\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232450,\"id\":\"d13\",\"filterType\":\"Dataratio\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":232451,\"id\":\"d14\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"43965774\"}},{\"cfid\":232452,\"id\":\"d2\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232453,\"id\":\"d3\",\"filterType\":\"Useragent\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232454,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS13335CLOUDFLARENET\"}},{\"cfid\":232455,\"id\":\"d5\",\"filterType\":\"URI\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232456,\"id\":\"d6\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232457,\"id\":\"d7\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232458,\"id\":\"d8\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232459,\"id\":\"d9\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}}]}],\"score\":0.245,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
"event": {
"category": "network",
"end": "2023-06-28T11:53:50Z",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2023-06-28T15:51:42Z",
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "application/x-gzip",
"type": "HTTPcontenttype"
},
{
"trigger_value": "100",
"type": "RareexternalIP"
},
{
"trigger_value": "100",
"type": "Raredomain"
},
{
"trigger_value": "false",
"type": "Trustedhostname"
},
{
"trigger_value": "15",
"type": "Taggedinternalsource"
},
{
"trigger_value": "104.18.103.100",
"type": "DestinationIP"
},
{
"trigger_value": "kali.download",
"type": "Connectionhostname"
},
{
"trigger_value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz",
"type": "URI"
},
{
"trigger_value": "200",
"type": "HTTPresponsecode"
},
{
"trigger_value": "60493165",
"type": "Individualsizedown"
},
{
"trigger_value": "679",
"type": "Individualsizeup"
},
{
"trigger_value": "0",
"type": "Dataratio"
},
{
"trigger_value": "43965774",
"type": "Ageofdestination"
},
{
"trigger_value": "AS13335CLOUDFLARENET",
"type": "ASN"
}
]
},
"creationTime": 1687967508000,
"device": {
"firstSeen": 1644001727000,
"ip": "192.168.1.#18408",
"ips": [
{
"ip": "192.168.1.#18408",
"sid": 3,
"time": "2023-07-0202:00:00",
"timems": 1688263200000
}
],
"lastSeen": 1688266122000,
"sid": 3,
"typelabel": "Desktop",
"typename": "desktop"
},
"model": {
"now": {
"behaviour": "decreasing",
"category": "Informational",
"description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
"message": "Excludedcommonuseragents",
"mitre": {
"tactics": [
"resource-development"
],
"techniques": [
"T1588.001"
]
},
"name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
"phid": 9945,
"pid": 619,
"priority": 1,
"tags": [
"",
"AP:Tooling",
"OTEngineer"
],
"uuid": "80010119-6d7f-0000-0305-5e0000000172",
"version": 42
},
"then": {
"behaviour": "decreasing",
"category": "Informational",
"description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
"mitre": {
"tactics": [
"resource-development"
],
"techniques": [
"T1588.001"
]
},
"name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
"phid": 9945,
"pid": 619,
"priority": 1,
"tags": [
"",
"AP:Tooling",
"OTEngineer"
],
"uuid": "80010119-6d7f-0000-0305-5e0000000172",
"version": 42
}
},
"pbid": 26316,
"score": 0.245,
"time": 1687967502000
}
},
"host": {
"id": "16"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
}
}
{
"message": "{\"commentCount\":0,\"pbid\":26368,\"time\":1687987886000,\"creationTime\":1687987892000,\"model\":{\"then\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9961,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19083],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-06-28 21:31:29\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":7,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true},\"now\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9962,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19084],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":false,\"modified\":\"2023-06-28 21:32:10\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":8,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true}},\"triggeredComponents\":[{\"time\":1687987885000,\"cbid\":26445,\"cid\":19083,\"chid\":30726,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":443,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[]}],\"score\":0.871,\"device\":{\"did\":31,\"hostname\":\"my_host\",\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}",
"event": {
"category": "network",
"end": "2023-06-28T21:31:29Z",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2023-06-28T21:31:26Z",
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": []
},
"creationTime": 1687987892000,
"device": {
"firstSeen": 1649669953000,
"ip": "192.168.1.2",
"ips": [
{
"ip": "192.168.1.2",
"sid": 3,
"time": "2023-07-0313:00:00",
"timems": 1688389200000
}
],
"lastSeen": 1688391406000,
"sid": 3,
"typelabel": "DNSServer",
"typename": "dnsserver"
},
"model": {
"now": {
"behaviour": "decreasing",
"category": "Suspicious",
"defeats": [],
"edited": {
"userID": 2
},
"name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
"phid": 9962,
"pid": 2299,
"priority": 4,
"tags": [],
"uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
"version": 8
},
"then": {
"behaviour": "decreasing",
"category": "Suspicious",
"defeats": [],
"name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
"phid": 9961,
"pid": 2299,
"priority": 4,
"tags": [],
"uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
"version": 7
}
},
"pbid": 26368,
"score": 0.871,
"time": 1687987886000
}
},
"host": {
"hostname": "my_host",
"id": "31",
"ip": [
"192.168.1.2"
],
"name": "my_host"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"related": {
"hosts": [
"my_host"
],
"ip": [
"192.168.1.2"
]
}
}
{
"message": "{\"commentCount\":0,\"pbid\":27103,\"time\":1688266123000,\"creationTime\":1688266130000,\"model\":{\"then\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"now\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Addeddetectionforgobusteranddirbuster\",\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1688266122000,\"cbid\":27180,\"cid\":17302,\"chid\":27905,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNSRequests\"},\"triggeredFilters\":[{\"cfid\":208828,\"id\":\"A\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"kali(\\\\..+)?\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208829,\"id\":\"B\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":208830,\"id\":\"C\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208831,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":208832,\"id\":\"E\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208835,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":58},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"58\",\"tag\":{\"tid\":58,\"expiry\":0,\"thid\":58,\"name\":\"MailServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true}}},{\"cfid\":208836,\"id\":\"I\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"backbox.com\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208837,\"id\":\"J\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208838,\"id\":\"d1\",\"filterType\":\"DNShostlookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}}]}],\"score\":0.871,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
"event": {
"category": "network",
"end": "2023-03-14T12:53:21Z",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2023-07-02T02:48:43Z",
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "kali.download",
"type": "DNShostlookup"
},
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "18",
"type": "Taggedinternalsource"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "4",
"type": "Taggedinternalsource"
},
{
"trigger_value": "58",
"type": "Taggedinternalsource"
}
]
},
"creationTime": 1688266130000,
"device": {
"firstSeen": 1644001727000,
"ip": "192.168.1.#18408",
"ips": [
{
"ip": "192.168.1.#18408",
"sid": 3,
"time": "2023-07-0202:00:00",
"timems": 1688263200000
}
],
"lastSeen": 1688266122000,
"sid": 3,
"typelabel": "Desktop",
"typename": "desktop"
},
"model": {
"now": {
"behaviour": "decreasing",
"category": "Suspicious",
"description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
"message": "Addeddetectionforgobusteranddirbuster",
"mitre": {
"tactics": [
"initial-access"
],
"techniques": [
"T1200"
]
},
"name": "Device::AttackandReconTools",
"phid": 8953,
"pid": 76,
"priority": 4,
"tags": [
"",
"AP:InternalRecon",
"OTEngineer"
],
"uuid": "80010119-6d7f-0000-0305-5e0000000197",
"version": 87
},
"then": {
"behaviour": "decreasing",
"category": "Suspicious",
"description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
"mitre": {
"tactics": [
"initial-access"
],
"techniques": [
"T1200"
]
},
"name": "Device::AttackandReconTools",
"phid": 8953,
"pid": 76,
"priority": 4,
"tags": [
"",
"AP:InternalRecon",
"OTEngineer"
],
"uuid": "80010119-6d7f-0000-0305-5e0000000197",
"version": 87
}
},
"pbid": 27103,
"score": 0.871,
"time": 1688266123000
}
},
"host": {
"id": "16"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
}
}
{
"message": "{\"commentCount\":0,\"pbid\":25808,\"time\":1687774142000,\"creationTime\":1687774148000,\"model\":{\"then\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Adjustingmodellogicforproxiedconnections\",\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687774141000,\"cbid\":25885,\"cid\":13112,\"chid\":20980,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":156173,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156175,\"id\":\"C\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":156177,\"id\":\"E\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156179,\"id\":\"G\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":53},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":156180,\"id\":\"d1\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156181,\"id\":\"d10\",\"filterType\":\"Watchedendpointdescription\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156182,\"id\":\"d2\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156183,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":156184,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156185,\"id\":\"d5\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156186,\"id\":\"d6\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com\"}},{\"cfid\":156187,\"id\":\"d7\",\"filterType\":\"Watchedendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156188,\"id\":\"d8\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156189,\"id\":\"d9\",\"filterType\":\"Watchedendpointstrength\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":156190,\"id\":\"H\",\"filterType\":\"Internaldestination\",\"arguments\":{},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156191,\"id\":\"I\",\"filterType\":\"Internaldestinationdevicetype\",\"arguments\":{\"value\":\"11\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"12\"}}]}],\"score\":0.541,\"device\":{\"did\":6,\"hostname\":\"SaaS::Slack: john.doe@company.com\",\"ip\":\"192.168.16.#54818\",\"ips\":[{\"ip\":\"192.168.16.#54818\",\"timems\":1688385600000,\"time\":\"2023-07-0312:00:00\",\"sid\":4}],\"sid\":4,\"firstSeen\":1639068361000,\"lastSeen\":1688385853000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
"event": {
"category": "network",
"end": "2022-06-22T15:56:27Z",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2023-06-26T10:09:02Z",
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "6",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "53",
"type": "Destinationport"
},
{
"trigger_value": "192.168.1.2",
"type": "DestinationIP"
},
{
"trigger_value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com",
"type": "Message"
},
{
"trigger_value": "true",
"type": "Watchedendpoint"
},
{
"trigger_value": "100",
"type": "Watchedendpointstrength"
},
{
"trigger_value": "true",
"type": "Internaldestination"
},
{
"trigger_value": "12",
"type": "Internaldestinationdevicetype"
}
]
},
"creationTime": 1687774148000,
"device": {
"firstSeen": 1639068361000,
"ip": "192.168.16.#54818",
"ips": [
{
"ip": "192.168.16.#54818",
"sid": 4,
"time": "2023-07-0312:00:00",
"timems": 1688385600000
}
],
"lastSeen": 1688385853000,
"sid": 4,
"typelabel": "Desktop",
"typename": "desktop"
},
"model": {
"now": {
"behaviour": "decreasing",
"category": "Critical",
"defeats": [],
"description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
"message": "Adjustingmodellogicforproxiedconnections",
"name": "Compromise::WatchedDomain",
"phid": 6768,
"pid": 608,
"priority": 5,
"tags": [
"",
"AP:C2Comms"
],
"uuid": "80010119-6d7f-0000-0305-5e0000000256",
"version": 31
},
"then": {
"behaviour": "decreasing",
"category": "Critical",
"defeats": [],
"description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
"name": "Compromise::WatchedDomain",
"phid": 6768,
"pid": 608,
"priority": 5,
"tags": [
"",
"AP:C2Comms"
],
"uuid": "80010119-6d7f-0000-0305-5e0000000256",
"version": 31
}
},
"pbid": 25808,
"score": 0.541,
"time": 1687774142000
}
},
"host": {
"id": "6"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"service": {
"name": "Slack"
},
"user": {
"email": "john.doe@company.com"
}
}
{
"message": "{\"commentCount\":0,\"pbid\":25860,\"time\":1687793533000,\"creationTime\":1687793540000,\"model\":{\"then\":{\"name\":\"Device::ThreatIndicator\",\"pid\":540,\"phid\":6656,\"uuid\":\"84c92ea6-36b9-402f-9df1-3c5bfaee9176\",\"logic\":{\"data\":[{\"cid\":12878,\"weight\":1},{\"cid\":12876,\"weight\":1},{\"cid\":12877,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false,\"tagTTL\":604800},\"tags\":[\"\",\"RequiresConfiguration\"],\"interval\":1,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-15 12:01:36\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\\n\\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement\",\"version\":39,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687793532000,\"cbid\":25937,\"cid\":12876,\"chid\":20545,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"K\"}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153438,\"id\":\"F\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153440,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153441,\"id\":\"I\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"7\"}},{\"cfid\":153442,\"id\":\"J\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153443,\"id\":\"K\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":153444,\"id\":\"d1\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"38123579\"}},{\"cfid\":153445,\"id\":\"d2\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153446,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":153447,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153448,\"id\":\"d5\",\"filterType\":\"Destinationport\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":153449,\"id\":\"d6\",\"filterType\":\"Rareexternalendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153451,\"id\":\"d8\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"clients2.google.com\"}}]}],\"score\":0.612,\"device\":{\"did\":39,\"vendor\":\"\",\"ip\":\"192.168.1.3\",\"ips\":[{\"ip\":\"192.168.1.3\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1666276905000,\"lastSeen\":1688391268000,\"os\":\"Windows(10.0)\",\"typename\":\"server\",\"typelabel\":\"Server\"},\"log_type\":\"modelbreaches\"}",
"event": {
"category": "network",
"end": "2022-06-15T12:01:36Z",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2023-06-26T15:32:13Z",
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "ThreatIntel",
"type": "Watchedendpointsource"
},
{
"trigger_value": "4",
"type": "Taggedinternalsource"
},
{
"trigger_value": "7",
"type": "Internalsourcedevicetype"
},
{
"trigger_value": "18",
"type": "Taggedinternalsource"
},
{
"trigger_value": "out",
"type": "Direction"
},
{
"trigger_value": "38123579",
"type": "Ageofdestination"
},
{
"trigger_value": "192.168.1.2",
"type": "DestinationIP"
},
{
"trigger_value": "53",
"type": "Destinationport"
},
{
"trigger_value": "0",
"type": "Rareexternalendpoint"
},
{
"trigger_value": "clients2.google.com",
"type": "Message"
}
]
},
"creationTime": 1687793540000,
"device": {
"firstSeen": 1666276905000,
"ip": "192.168.1.3",
"ips": [
{
"ip": "192.168.1.3",
"sid": 3,
"time": "2023-07-0313:00:00",
"timems": 1688389200000
}
],
"lastSeen": 1688391268000,
"sid": 3,
"typelabel": "Server",
"typename": "server"
},
"model": {
"then": {
"behaviour": "decreasing",
"category": "Critical",
"description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.",
"name": "Device::ThreatIndicator",
"phid": 6656,
"pid": 540,
"priority": 5,
"tags": [
"",
"RequiresConfiguration"
],
"uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176",
"version": 39
}
},
"pbid": 25860,
"score": 0.612,
"time": 1687793533000
}
},
"host": {
"id": "39",
"ip": [
"192.168.1.3"
],
"os": {
"name": "Windows(10.0)"
}
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"related": {
"ip": [
"192.168.1.3"
]
}
}
{
"message": "{\"commentCount\":0,\"pbid\":25908,\"time\":1687811707000,\"creationTime\":1687811713000,\"model\":{\"then\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":false,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687811706000,\"cbid\":25985,\"cid\":18021,\"chid\":29073,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"B\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"},\"operator\":\"OR\",\"right\":{\"left\":\"D\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"D\"}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":80,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[{\"cfid\":217209,\"id\":\"C\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":80},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"80\"}}]}],\"score\":1.0,\"device\":{\"did\":31,\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}",
"event": {
"category": "network",
"end": "2023-04-17T11:34:25Z",
"kind": "alert",
"type": [
"info"
]
},
"@timestamp": "2023-06-26T20:35:07Z",
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "80",
"type": "Destinationport"
}
]
},
"creationTime": 1687811713000,
"device": {
"firstSeen": 1649669953000,
"ip": "192.168.1.2",
"ips": [
{
"ip": "192.168.1.2",
"sid": 3,
"time": "2023-07-0313:00:00",
"timems": 1688389200000
}
],
"lastSeen": 1688391406000,
"sid": 3,
"typelabel": "DNSServer",
"typename": "dnsserver"
},
"model": {
"now": {
"behaviour": "flat",
"category": "Critical",
"defeats": [],
"edited": {
"userID": 22
},
"name": "PenTest",
"phid": 9287,
"pid": 2721,
"priority": 5,
"tags": [],
"uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
"version": 7
},
"then": {
"behaviour": "flat",
"category": "Critical",
"defeats": [],
"name": "PenTest",
"phid": 9287,
"pid": 2721,
"priority": 5,
"tags": [],
"uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
"version": 7
}
},
"pbid": 25908,
"score": 1.0,
"time": 1687811707000
}
},
"host": {
"id": "31",
"ip": [
"192.168.1.2"
]
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"related": {
"ip": [
"192.168.1.2"
]
}
}
{
"message": "{\"commentCount\": 0, \"pbid\": 36586, \"time\": 1700634482000, \"creationTime\": 1700634481000, \"model\": {\"name\": \"System::System\", \"pid\": 530, \"phid\": 4861, \"uuid\": \"1c3f429b-ccb9-46a2-b864-868653bc780a\", \"logic\": {\"data\": [9686], \"type\": \"componentList\", \"version\": 1}, \"throttle\": 10, \"sharedEndpoints\": false, \"actions\": {\"alert\": true, \"antigena\": {}, \"breach\": true, \"model\": true, \"setPriority\": false, \"setTag\": false, \"setType\": false}, \"tags\": [], \"interval\": 0, \"delay\": 0, \"sequenced\": true, \"active\": true, \"modified\": \"2021-11-24 18:04:19\", \"activeTimes\": {\"devices\": {}, \"tags\": {}, \"type\": \"exclusions\", \"version\": 2}, \"autoUpdatable\": true, \"autoUpdate\": true, \"autoSuppress\": true, \"description\": \"An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.\", \"behaviour\": \"decreasing\", \"defeats\": [], \"created\": {\"by\": \"System\"}, \"edited\": {\"by\": \"System\"}, \"version\": 16, \"priority\": 3, \"category\": \"Informational\", \"compliance\": false}, \"triggeredComponents\": [{\"time\": 1700634481000, \"cbid\": 36900, \"cid\": 9686, \"chid\": 15251, \"size\": 1, \"threshold\": 0, \"interval\": 3600, \"logic\": {\"data\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"B\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"C\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"D\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"E\"}, \"operator\": \"OR\", \"right\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"F\"}}}}}, \"version\": \"v0.1\"}, \"metric\": {\"mlid\": 206, \"name\": \"dtsystem\", \"label\": \"System\"}, \"triggeredFilters\": [{\"cfid\": 111299, \"id\": \"A\", \"filterType\": \"Event details\", \"arguments\": {\"value\": \"analyze credential ignore list\"}, \"comparatorType\": \"does not contain\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111300, \"id\": \"B\", \"filterType\": \"System message\", \"arguments\": {\"value\": \"Probe error\"}, \"comparatorType\": \"is\", \"trigger\": {\"value\": \"Probe error\"}}, {\"cfid\": 111305, \"id\": \"d1\", \"filterType\": \"Event details\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111306, \"id\": \"d2\", \"filterType\": \"System message\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe error\"}}]}], \"score\": 0.674, \"device\": {\"did\": -1},\"log_type\":\"modelbreaches\"}",
"event": {
"category": "network",
"type": [
"info"
]
},
"@timestamp": "2023-11-22T06:28:02Z",
"darktrace": {
"threat_visualizer": {
"commentCount": 0,
"components": {
"filters": [
{
"trigger_value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago",
"type": "Event details"
},
{
"trigger_value": "Probe error",
"type": "System message"
}
]
},
"creationTime": 1700634481000,
"model": {
"then": {
"behaviour": "decreasing",
"category": "Informational",
"description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\n\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.",
"name": "System::System",
"phid": 4861,
"pid": 530,
"priority": 3,
"uuid": "1c3f429b-ccb9-46a2-b864-868653bc780a",
"version": 16
}
},
"pbid": 36586,
"score": 0.674,
"time": 1700634482000
}
},
"host": {
"id": "-1"
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
}
}
{
"message": "{\"url\":\"https://darktrace-dt/#actions/000/111\",\"iris-event-type\":\"antigena_state_change\",\"codeuuid\":\"\",\"codeid\":537,\"action_family\":\"NETWORK\",\"action\":\"CREATE_NEEDSCONFIRMATION\",\"username\":\"JDOE\",\"reason\":\"\",\"start\":1702896511,\"end\":1702903711,\"did\":901,\"pbid\":0,\"action_creator\":\"\",\"model\":\"test_model_network\",\"inhibitor\":\"Enforce pattern of life\",\"device\":{\"did\":901,\"macaddress\":\"00:11:22:33:44:55\",\"vendor\":\"test_vendor\",\"ip\":\"1.2.3.4\",\"ips\":[{\"ip\":\"1.2.3.4\",\"timems\":1702893600000,\"time\":\"2023-12-18 10:00:00\",\"sid\":69,\"vlan\":0}],\"sid\":69,\"hostname\":\"test_hostname\",\"firstSeen\":1671027693000,\"lastSeen\":1702896182000,\"os\":\"Windows\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
"event": {
"action": "CREATE_NEEDSCONFIRMATION",
"category": "network",
"type": [
"info"
]
},
"darktrace": {
"threat_visualizer": {
"device": {
"firstSeen": 1671027693000,
"ip": "1.2.3.4",
"ips": [
{
"ip": "1.2.3.4",
"sid": 69,
"time": "2023-12-18 10:00:00",
"timems": 1702893600000,
"vlan": 0
}
],
"lastSeen": 1702896182000,
"sid": 69,
"typelabel": "Desktop",
"typename": "desktop"
},
"pbid": 0
}
},
"host": {
"hostname": "test_hostname",
"id": "901",
"ip": [
"1.2.3.4"
],
"name": "test_hostname",
"os": {
"name": "Windows"
}
},
"observer": {
"name": "Darktrace",
"product": "Threat visualizer"
},
"related": {
"hosts": [
"test_hostname"
],
"ip": [
"1.2.3.4"
],
"user": [
"JDOE"
]
},
"source": {
"user": {
"name": "JDOE"
}
}
}
Extracted Fields
The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.
Name | Type | Description |
---|---|---|
@timestamp |
date |
Date/time when the event originated. |
darktrace.threat_visualizer.acknowledged |
boolean |
Whether the event has been acknowledged. (example value: 'FALSE') |
darktrace.threat_visualizer.activityId |
keyword |
Used by pre-v5.2 legacy incident construction. An identifier for the specific activity detected by AI Analyst. If groupByActivity=true, this field should be used to group events together into an incident. (example value: 'da39a3ee') |
darktrace.threat_visualizer.aiaScore |
number |
The anomalousness of the event as classified by AI Analyst - out of 100. (example value: '98') |
darktrace.threat_visualizer.attackPhases |
array |
Of the six attack phases, which phases are applicable to the activity. (example value: '5') |
darktrace.threat_visualizer.breachDevices |
array |
An array of devices involved in the related model breach(es). |
darktrace.threat_visualizer.category |
keyword |
The behavior category associated with the incident event. Relevant for v5.2+ incident construction only. (example value: 'critical') |
darktrace.threat_visualizer.children |
array |
A unique identifier that can be used to request this AI Analyst event. This array will only contain one entry as of v5.2 and above. (example value: '04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
darktrace.threat_visualizer.commentCount |
number |
The number of comments made against this breach. |
darktrace.threat_visualizer.components.filters |
array |
|
darktrace.threat_visualizer.creationTime |
number |
The timestamp that the record of the breach was created. This is distinct from the time field. |
darktrace.threat_visualizer.currentGroup |
keyword |
The UUID of the current incident this event belongs to. Used for v5.2+ incident construction. (example value: 'g04a3f36e-4u8w-v9dh-x6lb-894778cf9633') |
darktrace.threat_visualizer.device.firstSeen |
number |
The first time the device was seen on the network. |
darktrace.threat_visualizer.device.ip |
keyword |
The current IP associated with the device. |
darktrace.threat_visualizer.device.ips |
array |
IPs associated with the device historically. |
darktrace.threat_visualizer.device.ips.ip |
keyword |
A historic IP associated with the device. |
darktrace.threat_visualizer.device.ips.sid |
number |
The subnet id for the subnet the IP belongs to. |
darktrace.threat_visualizer.device.ips.time |
keyword |
The time the IP was last seen associated with that device in readable format. |
darktrace.threat_visualizer.device.ips.timems |
number |
The time the IP was last seen associated with that device in epoch time. |
darktrace.threat_visualizer.device.lastSeen |
number |
The last time the device was seen on the network. |
darktrace.threat_visualizer.device.sid |
number |
The subnet id for the subnet the device is currently located in. |
darktrace.threat_visualizer.device.typelabel |
keyword |
The device type in readable format. |
darktrace.threat_visualizer.device.typename |
keyword |
The device type in system format. |
darktrace.threat_visualizer.externalTriggered |
boolean |
Whether the event was created as a result of an externally triggered AI Analyst investigation. (example value: 'FALSE') |
darktrace.threat_visualizer.groupCategory |
keyword |
The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. (example value: 'critical') |
darktrace.threat_visualizer.groupScore |
number |
The current overall score of the incident this event is part of. Relevant for v5.2+ incident construction only. (example value: '72.9174234') |
darktrace.threat_visualizer.groupingIds |
array |
Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false, this field should be used to group events together into an incident. (example value: '268d2b8c') |
darktrace.threat_visualizer.mitreTactics |
array |
An array of MITRE ATT&CK Framework tactics that have been mapped to this event. (example value: 'lateral-movement') |
darktrace.threat_visualizer.model.now.behaviour |
keyword |
The score modulation function as set in the model editor. |
darktrace.threat_visualizer.model.now.category |
keyword |
The behavior category associated with the model at the time of request. |
darktrace.threat_visualizer.model.now.defeats |
array |
An array of model defeats - AND conditions - which if met, prevent the model from breaching. |
darktrace.threat_visualizer.model.now.defeats.arguments.value |
keyword |
|
darktrace.threat_visualizer.model.now.defeats.comparator |
keyword |
The comparator that the value is compared against the create the defeat. |
darktrace.threat_visualizer.model.now.defeats.defeatID |
number |
A unique ID for the defeat. |
darktrace.threat_visualizer.model.now.defeats.filtertype |
keyword |
The filter the defeat is made from. |
darktrace.threat_visualizer.model.now.description |
keyword |
The optional description of the model. |
darktrace.threat_visualizer.model.now.edited.userID |
number |
Username that last edited the model. |
darktrace.threat_visualizer.model.now.message |
keyword |
The commit message for the change. |
darktrace.threat_visualizer.model.now.mitre.tactics |
array |
An array of MITRE ATT&CK framework tactics the model has been mapped to. |
darktrace.threat_visualizer.model.now.mitre.techniques |
array |
An array of MITRE ATT&CK framework techniques the model has been mapped to. |
darktrace.threat_visualizer.model.now.name |
keyword |
Name of the model that was breached. |
darktrace.threat_visualizer.model.now.phid |
number |
The model policy history id. Increments when the model is modified. |
darktrace.threat_visualizer.model.now.pid |
number |
The policy id of the model that was breached. |
darktrace.threat_visualizer.model.now.priority |
number |
The numeric behavior category associated with the model at the time of request: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical. |
darktrace.threat_visualizer.model.now.tags |
array |
AP: Bruteforce |
darktrace.threat_visualizer.model.now.uuid |
keyword |
A unique ID that is generated on creation of the model. |
darktrace.threat_visualizer.model.now.version |
number |
The version of the model. Increments on each edit. |
darktrace.threat_visualizer.model.then.behaviour |
keyword |
The score modulation function as set in the model editor. |
darktrace.threat_visualizer.model.then.category |
keyword |
The behavior category associated with the model at the time of the breach. |
darktrace.threat_visualizer.model.then.defeats |
array |
An array of model defeats - AND conditions - which if met, prevent the model from breaching. |
darktrace.threat_visualizer.model.then.defeats.arguments.value |
keyword |
|
darktrace.threat_visualizer.model.then.defeats.comparator |
keyword |
The comparator that the value is compared against the create the defeat. |
darktrace.threat_visualizer.model.then.defeats.defeatID |
number |
A unique ID for the defeat. |
darktrace.threat_visualizer.model.then.defeats.filtertype |
keyword |
The filter the defeat is made from. |
darktrace.threat_visualizer.model.then.description |
keyword |
The optional description of the model. |
darktrace.threat_visualizer.model.then.mitre.tactics |
array |
An array of MITRE ATT&CK framework tactics the model has been mapped to. |
darktrace.threat_visualizer.model.then.mitre.techniques |
array |
An array of MITRE ATT&CK framework techniques the model has been mapped to. |
darktrace.threat_visualizer.model.then.name |
keyword |
Name of the model that was breached. |
darktrace.threat_visualizer.model.then.phid |
number |
The model policy history id. Increments when the model is modified. |
darktrace.threat_visualizer.model.then.pid |
number |
The policy id of the model that was breached. |
darktrace.threat_visualizer.model.then.priority |
number |
The numeric behavior category associated with the model at the time of the breach: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical. |
darktrace.threat_visualizer.model.then.tags |
array |
A list of tags that have been applied to this model in the Threat Visualizer model editor. |
darktrace.threat_visualizer.model.then.uuid |
keyword |
A unique ID that is generated on creation of the model. |
darktrace.threat_visualizer.model.then.version |
number |
The version of the model. Increments on each edit. |
darktrace.threat_visualizer.pbid |
number |
The policy breach ID of the model breach. |
darktrace.threat_visualizer.periods |
array |
An array of one or more periods of time where anomalous activity occurred that AI Analyst investigated. |
darktrace.threat_visualizer.relatedBreaches |
array |
An array of model breaches related to the activity investigated by AI analyst. |
darktrace.threat_visualizer.score |
number |
The model breach score, represented by a value between 0 and 1. |
darktrace.threat_visualizer.time |
number |
The timestamp when the record was created in epoch time. |
darktrace.threat_visualizer.userTriggered |
boolean |
Whether the event was created as a result of a user-triggered AI Analyst investigation. (example value: 'FALSE') |
event.action |
keyword |
The action captured by the event. |
event.category |
keyword |
Event category. The second categorization field in the hierarchy. |
event.end |
date |
event.end contains the date when the event ended or when the activity was last observed. |
event.kind |
keyword |
The kind of the event. The highest categorization field in the hierarchy. |
event.reason |
keyword |
Reason why this event happened, according to the source |
event.type |
keyword |
Event type. The third categorization field in the hierarchy. |
host.hostname |
keyword |
Hostname of the host. |
host.id |
keyword |
Unique host id. |
host.ip |
ip |
Host ip addresses. |
host.mac |
keyword |
Host MAC addresses. |
host.name |
keyword |
Name of the host. |
host.os.name |
keyword |
Operating system name, without the version. |
observer.name |
keyword |
Custom name of the observer. |
observer.product |
keyword |
The product name of the observer. |
service.name |
keyword |
Name of the service. |
source.user.name |
keyword |
Short name or login of the user. |
user.email |
keyword |
User email address. |
user.name |
keyword |
Short name or login of the user. |
For more information on the Intake Format, please find the code of the Parser, Smart Descriptions, and Supported Events here.