
Darktrace Threat Visualizer

Overview

Darktrace monitors all people and digital assets across your entire ecosystem.

  • Vendor: Darktrace
  • Supported environment: Cloud and On Premise versions 6.1 or above
  • Detection based on: Alert, Telemetry
  • Supported application or feature: Darktrace Threat Visualizer

Specification

Prerequisites

For the On Premise version:

  • Resource: a self-managed syslog forwarder
  • Network: outbound traffic allowed
  • Permissions: administrator privileges on the Darktrace appliance, and root access to the Linux server running the syslog forwarder

For the Cloud version, only administrator privileges on the Darktrace appliance are mandatory.

Transport Protocol/Method

  • Direct HTTP for Cloud
  • Indirect syslog for On Premise

Logs details

  • Supported functionalities: See section Overview
  • Supported type(s) of structure: JSON
  • Supported verbosity level: Informational, Alert

Note

Log levels are based on the taxonomy of RFC 5424. Adapt according to the terminology used by the vendor.

Step-by-Step Configuration Procedure

This setup guide describes how to forward logs from Darktrace Threat Visualizer to Sekoia.io.

Instruction on Sekoia

Configure Your Intake

This section will guide you through creating the intake object in Sekoia, which provides a unique identifier called the "Intake key." The Intake key is essential for later configuration, as it references the Community, Entity, and Parser (Intake Format) used when receiving raw events on Sekoia.

  1. Go to the Sekoia Intake page.
  2. Click on the + New Intake button at the top right of the page.
  3. Search for your Intake by the product name in the search bar.
  4. Give it a Name and associate it with an Entity (and a Community if using multi-tenant mode).
  5. Click on Create.

Note

For more details on how to use the Intake page and to find the Intake key you just created, refer to this documentation.

For Cloud version only

Configure Your Playbook

This section will assist you in pulling the remote logs with Sekoia and sending them to the intake you previously created.

  1. Go to the Sekoia playbook page.
  2. Click on the + New playbook button at the top right of the page.
  3. Select Create a playbook from scratch, and click Next.
  4. Give it a Name and a Description, and click Next.
  5. Choose a trigger from the list by searching for the name of the product, and click Create.
  6. A new Playbook page will be displayed. Click on the module in the center of the page, then click on the Configure icon.
  7. On the right panel, click on the Configuration tab.
  8. Select an existing Trigger Configuration (from the account menu) or create a new one by clicking on + Create new configuration.
  9. Configure the Trigger based on the Actions Library (for instance, see here for AWS modules), then click Save.
  10. Click on Save at the top right of the playbook page.
  11. Activate the playbook by clicking on the "On / Off" toggle button at the top right corner of the page.

Instructions on the 3rd party solution

For Cloud version - Acquire your public and private key

As a prerequisite, you need the URL of your Darktrace Threat Visualizer API tenant.

See the Darktrace documentation for instructions on acquiring your public and private key.

For On Premise version - Send logs to a syslog server

  1. Open the Threat Visualizer and navigate to the System Config page (Main menu › Admin).
  2. From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog. A window with four tabs will open: a Status tab that lists existing configurations per Syslog server, and an individual tab for each Syslog format. The Status tab may not be present if there are no existing configurations.
  3. If the instance is not a Unified View, proceed to Step 3.
  4. If the instance where configuration is being performed is a Darktrace Unified View instance, choose which Darktrace master instance will send alerts at the top of the page.
  5. If a subordinate master (submaster) is selected, the master will be the instance to emit alerts but will only generate alerts originating from itself.
  6. If the UV instance is selected, an additional field - Master - will appear further down the page. This field is used to control the source of alerts sent by the Unified View for this configuration.
  7. Syslog MUST be sent in JSON format.
  8. Scroll past any existing configurations and click New to set up forwarding Darktrace alerts to a new server via syslog.
  9. Enter the IP address of the syslog server in the Server field and optionally modify the communication port.
  10. If the instance is not a Unified View, proceed to Step 7.
  11. If the instance where configuration is being performed is a Darktrace Unified View instance, and the Unified View has been selected to send alerts from, an additional field - Master - will appear. This field is used to control the source of alerts sent by the Unified View for this configuration.
  12. If a submaster is selected, the UV will only send alerts from that submaster for this configuration.
  13. If “all” is selected, alerts sourced from all submasters will be sent.
  14. Select the appropriate source.
  15. Turn on Show Advanced Options. All options and settings are covered in Optional Filters and Settings.
  16. Select the TCP-format alerting setting.
  17. Select which alert types should be sent via Syslog. Alerts will not be sent until the master Send Alerts toggle is turned on.
  18. Within the same configuration, click Add to save the changes. Observe a confirmation message.
  19. Scroll to the top of the entry and click Verify alert settings to send a test alert to the specified Syslog server.
  20. Finally, turn on Send Alerts and save changes.

Configure a forwarder

To forward events using syslog to Sekoia.io, you need to update the syslog header with the intake key you previously created. Here is an example of your message before the forwarder:

<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG RAW_MESSAGE

and after:

<%pri%>1 %timestamp:::date-rfc3339% %hostname% %app-name% %procid% LOG [SEKOIA@53288 intake_key=\"YOUR_INTAKE_KEY\"] RAW_MESSAGE

To achieve this you can:

  • Use the Sekoia.io forwarder, which is the officially supported way to collect data using the syslog protocol in Sekoia.io. It is a prepackaged option in charge of centralizing data coming from many pieces of equipment or sources and forwarding them to Sekoia.io in the appropriate format. You only have to provide your intake key as a parameter.
  • Use your own Syslog service instance. You may already have an instance of one of these components on your side and want to reuse it in order to centralize data before forwarding them to Sekoia.io. When using this mode, you have to configure and maintain your component so that it respects the expected Sekoia.io format.
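The header rewrite above, as an added example that is not part of this page or of the Sekoia.io forwarder: a small Python routine that places the `[SEKOIA@53288 intake_key="..."]` structured-data element into an RFC 5424 message, handling the three shapes a self-maintained syslog service can hand it (no structured data at all, as in the "before" line; the nil value `-`; or existing SD-ELEMENTs, after which the element is appended). The backslashes before the quotes in the "after" line are template escaping; on the wire the PARAM-VALUE carries plain double quotes, and `YOUR_INTAKE_KEY` is a placeholder for the key created on the intake page.

```python
import re

# Placeholder: the real value is the Intake key created on the Sekoia intake page.
INTAKE_KEY = "YOUR_INTAKE_KEY"

# RFC 5424 header: <PRI>VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP,
# followed by STRUCTURED-DATA ("-" when empty) and the free-text MSG.
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<rest>.*)$",
    re.DOTALL,
)


def _escape_param(value: str) -> str:
    """RFC 5424 requires '\\', '"' and ']' inside a PARAM-VALUE to be backslash-escaped."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def _sd_end(rest: str) -> int:
    """Return the index just past the last SD-ELEMENT when rest starts with '['.

    Quoted PARAM-VALUEs are honored, so an escaped '\\]' inside a value does not
    terminate the element early.
    """
    i = 0
    while i < len(rest) and rest[i] == "[":
        in_quotes = False
        i += 1
        while i < len(rest):
            c = rest[i]
            if c == "\\" and in_quotes:
                i += 2          # skip the escaped character
                continue
            if c == '"':
                in_quotes = not in_quotes
            elif c == "]" and not in_quotes:
                i += 1
                break
            i += 1
    return i


def add_intake_key(message: str, intake_key: str = INTAKE_KEY) -> str:
    """Insert [SEKOIA@53288 intake_key="..."] into the structured-data slot of a message.

    Handles a message with no structured data (the 'before' line on this page), the
    RFC nil value '-', and existing SD-ELEMENTs, which are kept and followed by the
    SEKOIA element so nothing already present is lost.
    """
    m = _HEADER.match(message)
    if m is None:
        raise ValueError("not an RFC 5424 message: " + message[:40])
    element = f'[SEKOIA@53288 intake_key="{_escape_param(intake_key)}"]'
    head, rest = message[: m.start("rest")], m.group("rest")
    if rest == "-" or rest.startswith("- "):
        return head + element + rest[1:]            # replace the nil value
    if rest.startswith("["):
        end = _sd_end(rest)
        return head + rest[:end] + element + rest[end:]
    return head + element + " " + rest              # no SD slot: add one before MSG


if __name__ == "__main__":
    # Constructed message in the 'before' shape from this page; RAW_MESSAGE stands
    # for the JSON event Darktrace emits.
    before = "<14>1 2023-10-15T01:53:52.520Z dt-appliance darktrace 4242 LOG RAW_MESSAGE"
    print(add_intake_key(before))
```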

Warning

Only the Sekoia.io forwarder is officially supported. Other options are documented for reference purposes but do not have official support.

Raw Events Samples

In this section, you will find examples of raw logs as generated natively by the source. These examples are provided to help integrators understand the data format before ingestion into Sekoia.io. It is crucial for setting up the correct parsing stages and ensuring that all relevant information is captured.

{
    "summariser": "HttpAgentSummary",
    "acknowledged": false,
    "pinned": false,
    "createdAt": 1697334832520,
    "attackPhases": [
        2
    ],
    "mitreTactics": [
        "command-and-control"
    ],
    "title": "Possible HTTP Command and Control",
    "id": "a400af0f-a297-478c-8fc6-c778a9558183",
    "children": [
        "a400af0f-a297-478c-8fc6-c778a9558183"
    ],
    "category": "critical",
    "currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
    "groupCategory": "suspicious",
    "groupScore": 2.449186624037094,
    "groupPreviousGroups": [],
    "activityId": "da39a3ee",
    "groupingIds": [
        "511a418e"
    ],
    "groupByActivity": false,
    "userTriggered": false,
    "externalTriggered": false,
    "aiaScore": 55.52733790170975,
    "summary": "The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\n\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\n\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.",
    "periods": [
        {
            "start": 1697334679535,
            "end": 1697334713852
        }
    ],
    "breachDevices": [
        {
            "identifier": null,
            "hostname": null,
            "ip": "10.0.0.#36859",
            "mac": null,
            "subnet": null,
            "did": 62,
            "sid": 25
        }
    ],
    "relatedBreaches": [
        {
            "modelName": "Device / New User Agent",
            "pbid": 34952,
            "threatScore": 31.0,
            "timestamp": 1697334680000
        }
    ],
    "details": [
        [
            {
                "header": "Device Making Suspicious Connections",
                "contents": [
                    {
                        "key": null,
                        "type": "device",
                        "values": [
                            {
                                "identifier": null,
                                "hostname": null,
                                "ip": "10.0.0.#36859",
                                "mac": null,
                                "subnet": null,
                                "did": 62,
                                "sid": 25
                            }
                        ]
                    }
                ]
            }
        ],
        [
            {
                "header": "Suspicious Application",
                "contents": [
                    {
                        "key": "User agent",
                        "type": "string",
                        "values": [
                            "python-requests/2.25.1"
                        ]
                    }
                ]
            },
            {
                "header": "Suspicious Endpoints Contacted by Application",
                "contents": [
                    {
                        "key": "Time",
                        "type": "timestampRange",
                        "values": [
                            {
                                "start": 1697334679535,
                                "end": 1697334713852
                            }
                        ]
                    },
                    {
                        "key": "Hostname",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "themoneyfix.org",
                                "ip": null
                            }
                        ]
                    },
                    {
                        "key": "Hostname rarity",
                        "type": "percentage",
                        "values": [
                            100.0
                        ]
                    },
                    {
                        "key": "Hostname first observed",
                        "type": "timestamp",
                        "values": [
                            1697334687000
                        ]
                    },
                    {
                        "key": "Most recent destination IP",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "45.56.79.23",
                                "ip": "45.56.79.23"
                            }
                        ]
                    },
                    {
                        "key": "Most recent ASN",
                        "type": "string",
                        "values": [
                            "AS63949 Akamai Connected Cloud"
                        ]
                    },
                    {
                        "key": "Total connections",
                        "type": "integer",
                        "values": [
                            2
                        ]
                    },
                    {
                        "key": "URI",
                        "type": "string",
                        "values": [
                            "/login/username=adriano.lamo&password=il0v3cH33s3"
                        ]
                    },
                    {
                        "key": "Port",
                        "type": "integer",
                        "values": [
                            80
                        ]
                    },
                    {
                        "key": "HTTP method",
                        "type": "string",
                        "values": [
                            "GET"
                        ]
                    },
                    {
                        "key": "Status code",
                        "type": "string",
                        "values": [
                            "200"
                        ]
                    }
                ]
            }
        ]
    ],
    "log_type": "aianalyst/incidentevents"
}
{
    "summariser": "SaasHijackSummary",
    "acknowledged": false,
    "pinned": false,
    "createdAt": 1730023348884,
    "attackPhases": [
        3
    ],
    "mitreTactics": [
        "privilege-escalation"
    ],
    "title": "Possible Hijack of Zoom Account",
    "id": "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
    "children": [
        "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b"
    ],
    "category": "critical",
    "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
    "groupCategory": "critical",
    "groupScore": 21.063004966718992,
    "groupPreviousGroups": [],
    "activityId": "da39a3ee",
    "groupingIds": [
        "3d2a2fc6"
    ],
    "groupByActivity": false,
    "userTriggered": false,
    "externalTriggered": false,
    "aiaScore": 93.67343783378601,
    "summary": "The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\n\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\n\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\n\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.",
    "periods": [
        {
            "start": 1730023230000,
            "end": 1730023230000
        }
    ],
    "sender": null,
    "breachDevices": [
        {
            "identifier": "SaaS::Zoom: john.doe@example.com",
            "hostname": "SaaS::Zoom: john.doe@example.com",
            "ip": null,
            "mac": null,
            "subnet": null,
            "did": 3820,
            "sid": -9
        }
    ],
    "relatedBreaches": [
        {
            "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use",
            "pbid": 46769,
            "threatScore": 63.0,
            "timestamp": 1730023232000
        }
    ],
    "details": [
        [
            {
                "header": "SaaS User Details",
                "contents": [
                    {
                        "key": "SaaS account",
                        "type": "device",
                        "values": [
                            {
                                "identifier": "SaaS::Zoom: john.doe@example.com",
                                "hostname": "SaaS::Zoom: john.doe@example.com",
                                "ip": null,
                                "mac": null,
                                "subnet": null,
                                "did": 3820,
                                "sid": -9
                            }
                        ]
                    },
                    {
                        "key": "Actor",
                        "type": "string",
                        "values": [
                            "john.doe@example.com"
                        ]
                    }
                ]
            }
        ],
        [
            {
                "header": "Agent Carrying out Suspicious Activity",
                "contents": [
                    {
                        "key": "Source IP",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "1.2.3.4",
                                "ip": "1.2.3.4"
                            }
                        ]
                    },
                    {
                        "key": "ASN",
                        "type": "string",
                        "values": [
                            "AS2119 Telenor Norge AS"
                        ]
                    },
                    {
                        "key": "City",
                        "type": "string",
                        "values": [
                            "Stockholm"
                        ]
                    },
                    {
                        "key": "Country",
                        "type": "string",
                        "values": [
                            "Sweden"
                        ]
                    }
                ]
            },
            {
                "header": "Summary of Activity",
                "contents": [
                    {
                        "key": "Time",
                        "type": "timestampRange",
                        "values": [
                            {
                                "start": 1730023230000,
                                "end": 1730023230000
                            }
                        ]
                    },
                    {
                        "key": "Suspicious properties",
                        "type": "string",
                        "values": [
                            "Unusual time for activity",
                            "Unusual external source for activity"
                        ]
                    }
                ]
            },
            {
                "header": "Activity Details",
                "contents": [
                    {
                        "key": "Event",
                        "type": "string",
                        "values": [
                            "Sign in"
                        ]
                    },
                    {
                        "key": "Number of events",
                        "type": "integer",
                        "values": [
                            1
                        ]
                    }
                ]
            }
        ]
    ],
    "log_type": "aianalyst/incidentevents"
}
{
    "summariser": "SaasBruteforceSummary",
    "acknowledged": false,
    "pinned": false,
    "createdAt": 1708649003457,
    "attackPhases": [
        2,
        4
    ],
    "mitreTactics": [
        "credential-access"
    ],
    "title": "Possible Distributed Bruteforce of AzureActiveDirectory Account",
    "id": "dc5f69a5-ee78-4702-a999-ed64a9e873dc",
    "incidentEventUrl": "https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc",
    "children": [
        "dc5f69a5-ee78-4702-a999-ed64a9e873dc"
    ],
    "category": "suspicious",
    "currentGroup": "g7bd28910-7d7d-4971-9a20-48f12b8518e1",
    "groupCategory": "suspicious",
    "groupScore": 32.34820100820068,
    "groupPreviousGroups": [],
    "activityId": "da39a3ee",
    "groupingIds": [
        "6ae71ab6"
    ],
    "groupByActivity": false,
    "userTriggered": false,
    "externalTriggered": false,
    "aiaScore": 85.47036382887099,
    "summary": "Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\n\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\n\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\n\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.",
    "periods": [
        {
            "start": 1708040149000,
            "end": 1708648697000
        }
    ],
    "sender": null,
    "breachDevices": [
        {
            "identifier": "SaaS::AzureActiveDirectory: test@test.fr",
            "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
            "ip": null,
            "mac": null,
            "subnet": null,
            "did": 2635,
            "sid": -9
        }
    ],
    "relatedBreaches": [
        {
            "modelName": "SaaS / Access / Password Spray",
            "pbid": 7130,
            "threatScore": 47,
            "timestamp": 1708648698000
        }
    ],
    "details": [
        [
            {
                "header": "SaaS User Details",
                "contents": [
                    {
                        "key": "SaaS account",
                        "type": "device",
                        "values": [
                            {
                                "identifier": "SaaS::AzureActiveDirectory: test@test.fr",
                                "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
                                "ip": null,
                                "mac": null,
                                "subnet": null,
                                "did": 2635,
                                "sid": -9
                            }
                        ]
                    },
                    {
                        "key": "Actor",
                        "type": "string",
                        "values": [
                            "test@test.fr"
                        ]
                    }
                ]
            }
        ],
        [
            {
                "header": "Summary of Related Access Attempts",
                "contents": [
                    {
                        "key": "Attempts grouped by",
                        "type": "string",
                        "values": [
                            "same targeted account"
                        ]
                    },
                    {
                        "key": "Number of source ASNs",
                        "type": "integer",
                        "values": [
                            241
                        ]
                    },
                    {
                        "key": "Suspicious properties",
                        "type": "string",
                        "values": [
                            "Unusual time for activity",
                            "Unusual external source for activity",
                            "Large number of login failures"
                        ]
                    }
                ]
            },
            {
                "header": "Details of Access Attempts",
                "contents": [
                    {
                        "key": "Time",
                        "type": "timestampRange",
                        "values": [
                            {
                                "start": 1708040149000,
                                "end": 1708648697000
                            }
                        ]
                    },
                    {
                        "key": "Targeted account",
                        "type": "string",
                        "values": [
                            "test@test.fr"
                        ]
                    },
                    {
                        "key": "Total number of login failures",
                        "type": "integer",
                        "values": [
                            1136
                        ]
                    },
                    {
                        "key": "Reasons for login failures",
                        "type": "string",
                        "values": [
                            "Sign-in was blocked because it came from an IP address with malicious activity",
                            "The account is locked, you've tried to sign in too many times with an incorrect user ID or password.",
                            "Error validating credentials due to invalid username or password."
                        ]
                    }
                ]
            },
            {
                "header": "Sources of Access Attempts",
                "contents": [
                    {
                        "key": "Source ASNs include",
                        "type": "string",
                        "values": [
                            "AS4134 Chinanet",
                            "AS4837 CHINA UNICOM China169 Backbone",
                            "AS4766 Korea Telecom",
                            "AS9808 China Mobile Communications Group Co., Ltd.",
                            "AS24560 Bharti Airtel Ltd., Telemedia Services"
                        ]
                    },
                    {
                        "key": "Source IPs include",
                        "type": "externalHost",
                        "values": [
                            {
                                "hostname": "122.4.70.38",
                                "ip": "122.4.70.38"
                            },
                            {
                                "hostname": "41.207.248.204",
                                "ip": "41.207.248.204"
                            },
                            {
                                "hostname": "124.89.116.178",
                                "ip": "124.89.116.178"
                            },
                            {
                                "hostname": "121.184.235.17",
                                "ip": "121.184.235.17"
                            },
                            {
                                "hostname": "61.153.208.38",
                                "ip": "61.153.208.38"
                            }
                        ]
                    },
                    {
                        "key": "Countries include",
                        "type": "string",
                        "values": [
                            "China",
                            "South Korea",
                            "India",
                            "United States",
                            "Brazil"
                        ]
                    },
                    {
                        "key": "User agent",
                        "type": "string",
                        "values": [
                            "Office 365 Exchange Online"
                        ]
                    }
                ]
            }
        ]
    ]
}
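A parser for the two event shapes shown in this section, added here as an example and not part of this page or of the Sekoia.io parser: it tells an AI Analyst incident event apart from a model breach by its fields rather than by `log_type` (the third sample above carries none), flattens the nested `details[][].contents[]` structure into (header, key, value) rows according to each declared `type`, and converts the epoch-millisecond timestamps exactly. The embedded samples are constructed, abridged copies of the events above; the label `model_breach` is this example's own, not a Darktrace `log_type` value.

```python
import json
from datetime import datetime, timezone

# Constructed, abridged copies of the samples on this page. The incident event is
# written without a log_type field on purpose, like the third sample above.
SAMPLE_INCIDENT = json.dumps({
    "summariser": "HttpAgentSummary", "createdAt": 1697334832520,
    "mitreTactics": ["command-and-control"], "title": "Possible HTTP Command and Control",
    "id": "a400af0f-a297-478c-8fc6-c778a9558183", "category": "critical", "aiaScore": 55.5,
    "breachDevices": [{"identifier": None, "hostname": None, "ip": "10.0.0.#36859",
                       "mac": None, "subnet": None, "did": 62, "sid": 25}],
    "details": [
        [{"header": "Device Making Suspicious Connections", "contents": [
            {"key": None, "type": "device",
             "values": [{"hostname": None, "ip": "10.0.0.#36859", "did": 62}]}]}],
        [{"header": "Suspicious Application", "contents": [
            {"key": "User agent", "type": "string", "values": ["python-requests/2.25.1"]}]},
         {"header": "Suspicious Endpoints Contacted by Application", "contents": [
            {"key": "Time", "type": "timestampRange",
             "values": [{"start": 1697334679535, "end": 1697334713852}]},
            {"key": "Hostname", "type": "externalHost",
             "values": [{"hostname": "themoneyfix.org", "ip": None}]},
            {"key": "Hostname rarity", "type": "percentage", "values": [100.0]},
            {"key": "Total connections", "type": "integer", "values": [2]}]}]],
})
SAMPLE_BREACH = json.dumps({
    "commentCount": 0, "pbid": 26316, "time": 1687967502000, "creationTime": 1687967508000,
    "model": {"now": {"name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                      "priority": 1, "category": "Informational",
                      "mitre": {"tactics": ["resource-development"],
                                "techniques": ["T1588.001"]}}},
})


def _to_iso(ms: int) -> str:
    """Darktrace timestamps are epoch milliseconds; convert without float rounding."""
    base = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return base.replace(microsecond=(ms % 1000) * 1000).isoformat()


def classify(event: dict) -> str:
    """Identify the event shape from its fields, since log_type is not always present."""
    if "summariser" in event or "aiaScore" in event:
        return "aianalyst/incidentevents"      # the log_type value shown on this page
    if "pbid" in event and "model" in event:
        return "model_breach"                  # this example's own label
    return "unknown"


def render_value(vtype, value) -> str:
    """Turn one entry of a details 'values' list into a string, per its declared type."""
    if vtype == "device":
        return (value.get("hostname") or value.get("ip") or value.get("identifier")
                or f"did:{value.get('did')}")
    if vtype == "externalHost":
        return value.get("hostname") or value.get("ip") or ""
    if vtype == "timestampRange":
        return f"{_to_iso(value['start'])}/{_to_iso(value['end'])}"
    if vtype == "timestamp":
        return _to_iso(value)
    if vtype == "percentage":
        return f"{value}%"
    return str(value)                          # string, integer and anything unknown


def flatten_details(event: dict) -> list:
    """Flatten details[][].contents[] into (header, key, value) rows.

    A null key (the device block in the first sample) falls back to the type name.
    """
    rows = []
    for group in event.get("details", []):
        for section in group:
            header = section.get("header", "")
            for item in section.get("contents", []):
                key = item.get("key") or item.get("type", "")
                for v in item.get("values", []):
                    rows.append((header, key, render_value(item.get("type"), v)))
    return rows


def summarize(raw: str) -> dict:
    """Reduce one raw event to the fields an analyst triages on."""
    event = json.loads(raw)
    kind = classify(event)
    if kind == "aianalyst/incidentevents":
        return {"kind": kind, "id": event.get("id"), "title": event.get("title"),
                "category": event.get("category"), "score": event.get("aiaScore"),
                "tactics": event.get("mitreTactics", []),
                "devices": [render_value("device", d) for d in event.get("breachDevices", [])],
                "created_at": _to_iso(event["createdAt"]) if "createdAt" in event else None,
                "fields": flatten_details(event)}
    if kind == "model_breach":
        model = event["model"].get("now") or event["model"].get("then") or {}
        return {"kind": kind, "id": event.get("pbid"), "title": model.get("name"),
                "category": model.get("category"), "score": model.get("priority"),
                "tactics": model.get("mitre", {}).get("tactics", []), "devices": [],
                "created_at": _to_iso(event["time"]) if "time" in event else None,
                "fields": []}
    return {"kind": kind}


if __name__ == "__main__":
    for raw in (SAMPLE_INCIDENT, SAMPLE_BREACH):
        print(json.dumps(summarize(raw), indent=2))
```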
{
    "commentCount": 0,
    "pbid": 26316,
    "time": 1687967502000,
    "creationTime": 1687967508000,
    "model": {
        "then": {
            "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
            "pid": 619,
            "phid": 9945,
            "uuid": "80010119-6d7f-0000-0305-5e0000000172",
            "logic": {
                "data": [
                    19046
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:Tooling",
                "OTEngineer"
            ],
            "interval": 0,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-06-28 11:53:50",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "version": 42,
            "mitre": {
                "tactics": [
                    "resource-development"
                ],
                "techniques": [
                    "T1588.001"
                ]
            },
            "priority": 1,
            "category": "Informational",
            "compliance": false
        },
        "now": {
            "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
            "pid": 619,
            "phid": 9945,
            "uuid": "80010119-6d7f-0000-0305-5e0000000172",
            "logic": {
                "data": [
                    19046
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:Tooling",
                "OTEngineer"
            ],
            "interval": 0,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-06-28 11:53:50",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "Excludedcommonuseragents",
            "version": 42,
            "mitre": {
                "tactics": [
                    "resource-development"
                ],
                "techniques": [
                    "T1588.001"
                ]
            },
            "priority": 1,
            "category": "Informational",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687967501000,
            "cbid": 26393,
            "cid": 19046,
            "chid": 30682,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": {
                            "left": "C",
                            "operator": "AND",
                            "right": {
                                "left": "F",
                                "operator": "AND",
                                "right": {
                                    "left": "I",
                                    "operator": "AND",
                                    "right": {
                                        "left": "J",
                                        "operator": "AND",
                                        "right": {
                                            "left": "M",
                                            "operator": "AND",
                                            "right": {
                                                "left": "N",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "O",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "P",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "Q",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "R",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "T",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "V",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "W",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "Y",
                                                                                "operator": "AND",
                                                                                "right": "Z"
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "C",
                            "operator": "AND",
                            "right": {
                                "left": "E",
                                "operator": "AND",
                                "right": {
                                    "left": "F",
                                    "operator": "AND",
                                    "right": {
                                        "left": "I",
                                        "operator": "AND",
                                        "right": {
                                            "left": "J",
                                            "operator": "AND",
                                            "right": {
                                                "left": "M",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "N",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "O",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "P",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "Q",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "R",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "T",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "V",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "W",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "Y",
                                                                                    "operator": "AND",
                                                                                    "right": "Z"
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        },
                        "operator": "OR",
                        "right": {
                            "left": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "F",
                                    "operator": "AND",
                                    "right": {
                                        "left": "G",
                                        "operator": "AND",
                                        "right": {
                                            "left": "I",
                                            "operator": "AND",
                                            "right": {
                                                "left": "J",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "M",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "N",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "O",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "P",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "Q",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "R",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "T",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "V",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "W",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "Y",
                                                                                        "operator": "AND",
                                                                                        "right": "Z"
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            },
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "C",
                                    "operator": "AND",
                                    "right": {
                                        "left": "F",
                                        "operator": "AND",
                                        "right": {
                                            "left": "H",
                                            "operator": "AND",
                                            "right": {
                                                "left": "I",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "J",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "M",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "N",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "O",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "P",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "Q",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "R",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "T",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "V",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "W",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "Y",
                                                                                            "operator": "AND",
                                                                                            "right": "Z"
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                },
                                "operator": "OR",
                                "right": {
                                    "left": {
                                        "left": "A",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "F",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "K",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "L",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "M",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "N",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "O",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "P",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "Q",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "S",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "T",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "U",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "V",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "W",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "Y",
                                                                                                    "operator": "AND",
                                                                                                    "right": "Z"
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    },
                                    "operator": "OR",
                                    "right": {
                                        "left": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "E",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "F",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "K",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "L",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "M",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "N",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "O",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "P",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "Q",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "S",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "T",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "U",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "V",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "W",
                                                                                                    "operator": "AND",
                                                                                                    "right": {
                                                                                                        "left": "Y",
                                                                                                        "operator": "AND",
                                                                                                        "right": "Z"
                                                                                                    }
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        },
                                        "operator": "OR",
                                        "right": {
                                            "left": {
                                                "left": "C",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "F",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "G",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "K",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "L",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "M",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "N",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "O",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "P",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "Q",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "S",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "T",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "U",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "V",
                                                                                                    "operator": "AND",
                                                                                                    "right": {
                                                                                                        "left": "W",
                                                                                                        "operator": "AND",
                                                                                                        "right": {
                                                                                                            "left": "Y",
                                                                                                            "operator": "AND",
                                                                                                            "right": "Z"
                                                                                                        }
                                                                                                    }
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            },
                                            "operator": "OR",
                                            "right": {
                                                "left": "C",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "F",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "H",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "K",
                                                            "operator": "AND",
                                                            "right": {
                                                                "left": "L",
                                                                "operator": "AND",
                                                                "right": {
                                                                    "left": "M",
                                                                    "operator": "AND",
                                                                    "right": {
                                                                        "left": "N",
                                                                        "operator": "AND",
                                                                        "right": {
                                                                            "left": "O",
                                                                            "operator": "AND",
                                                                            "right": {
                                                                                "left": "P",
                                                                                "operator": "AND",
                                                                                "right": {
                                                                                    "left": "Q",
                                                                                    "operator": "AND",
                                                                                    "right": {
                                                                                        "left": "S",
                                                                                        "operator": "AND",
                                                                                        "right": {
                                                                                            "left": "T",
                                                                                            "operator": "AND",
                                                                                            "right": {
                                                                                                "left": "U",
                                                                                                "operator": "AND",
                                                                                                "right": {
                                                                                                    "left": "V",
                                                                                                    "operator": "AND",
                                                                                                    "right": {
                                                                                                        "left": "W",
                                                                                                        "operator": "AND",
                                                                                                        "right": {
                                                                                                            "left": "Y",
                                                                                                            "operator": "AND",
                                                                                                            "right": "Z"
                                                                                                        }
                                                                                                    }
                                                                                                }
                                                                                            }
                                                                                        }
                                                                                    }
                                                                                }
                                                                            }
                                                                        }
                                                                    }
                                                                }
                                                            }
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "104.18.103.100/32",
            "port": 80,
            "metric": {
                "mlid": 1,
                "name": "externalconnections",
                "label": "ExternalConnections"
            },
            "triggeredFilters": [
                {
                    "cfid": 232424,
                    "id": "C",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "3"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232426,
                    "id": "F",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 232428,
                    "id": "H",
                    "filterType": "HTTPcontenttype",
                    "arguments": {
                        "value": "application/x-gzip"
                    },
                    "comparatorType": "matches",
                    "trigger": {
                        "value": "application/x-gzip"
                    }
                },
                {
                    "cfid": 232430,
                    "id": "J",
                    "filterType": "RareexternalIP",
                    "arguments": {
                        "value": 98
                    },
                    "comparatorType": ">=",
                    "trigger": {
                        "value": "100"
                    }
                },
                {
                    "cfid": 232431,
                    "id": "K",
                    "filterType": "Raredomain",
                    "arguments": {
                        "value": 95
                    },
                    "comparatorType": ">=",
                    "trigger": {
                        "value": "100"
                    }
                },
                {
                    "cfid": 232432,
                    "id": "L",
                    "filterType": "Trustedhostname",
                    "arguments": {
                        "value": "false"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "false"
                    }
                },
                {
                    "cfid": 232433,
                    "id": "M",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "9"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232434,
                    "id": "N",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "4"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232435,
                    "id": "O",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "13"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232436,
                    "id": "P",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "17"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 232437,
                    "id": "Q",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 15
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "15",
                        "tag": {
                            "tid": 15,
                            "expiry": 0,
                            "thid": 15,
                            "name": "ConflictingUser-Agents",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 284,
                                "description": "",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 232438,
                    "id": "R",
                    "filterType": "DestinationIP",
                    "arguments": {
                        "value": "0.0.0.0"
                    },
                    "comparatorType": "doesnotmatch",
                    "trigger": {
                        "value": "104.18.103.100"
                    }
                },
                {
                    "cfid": 232439,
                    "id": "S",
                    "filterType": "Connectionhostname",
                    "arguments": {
                        "value": "(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\.(carbonblack\\.io|nutanix\\.com|pandasoftware\\.com|ivanti\\.com|mit\\.edu|mastercam\\.com|rit\\.edu|knime\\.com|logicnow\\.us|oppomobile\\.com|trendmicro\\.com|panorama9\\.com|jiransecurity\\.com|refinitiv\\.com|jiran\\.com|loxtop\\.com|snoopwall\\.com|tumbleweed\\.com|sangfor\\.net|alyac\\.com|spamassassin\\.org|verein-clean\\.net|itsupport247\\.net|lsfilter\\.com|iboss\\.com|eeye\\.com|windowsupdate\\.com|fireeye\\.com)|definitionsbd\\.adaware\\.com|nasepm\\.aramark\\.com|(bdefs|hw|ec)\\.threattrack\\.com|upd\\.zonelabs\\.com|www\\.solutionsam\\.com|licensingservice\\.altarix\\.com|autoupdate\\.bradyid\\.com|iblocklist\\.com|clientservices\\.googleapis\\.com|mirror\\.centos\\..*\\.serverforge\\.org|sync\\.bigfix\\.com|catalog\\.kace\\.com)"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 232440,
                    "id": "T",
                    "filterType": "Useragent",
                    "arguments": {
                        "value": "/((libdnf|sa-update|Valve\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232441,
                    "id": "U",
                    "filterType": "Connectionhostname",
                    "arguments": {
                        "value": "(antivirus|rpm(s)?|sa-update|centos|fedora).*"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 232442,
                    "id": "V",
                    "filterType": "URI",
                    "arguments": {
                        "value": "/.*\\/centos\\/.*\\.xml\\.gz/i"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
                    }
                },
                {
                    "cfid": 232443,
                    "id": "W",
                    "filterType": "URI",
                    "arguments": {
                        "value": "dl.delivery.mp.microsoft.com"
                    },
                    "comparatorType": "doesnotcontain",
                    "trigger": {
                        "value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
                    }
                },
                {
                    "cfid": 232444,
                    "id": "Y",
                    "filterType": "HTTPresponsecode",
                    "arguments": {
                        "value": 400
                    },
                    "comparatorType": "<",
                    "trigger": {
                        "value": "200"
                    }
                },
                {
                    "cfid": 232445,
                    "id": "Z",
                    "filterType": "Individualsizedown",
                    "arguments": {
                        "value": 10000
                    },
                    "comparatorType": ">=",
                    "trigger": {
                        "value": "60493165"
                    }
                },
                {
                    "cfid": 232446,
                    "id": "d1",
                    "filterType": "Individualsizedown",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "60493165"
                    }
                },
                {
                    "cfid": 232447,
                    "id": "d10",
                    "filterType": "Individualsizeup",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "679"
                    }
                },
                {
                    "cfid": 232448,
                    "id": "d11",
                    "filterType": "HTTPreferrer",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232449,
                    "id": "d12",
                    "filterType": "HTTPmethod",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232450,
                    "id": "d13",
                    "filterType": "Dataratio",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "0"
                    }
                },
                {
                    "cfid": 232451,
                    "id": "d14",
                    "filterType": "Ageofdestination",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "43965774"
                    }
                },
                {
                    "cfid": 232452,
                    "id": "d2",
                    "filterType": "HTTPresponsecode",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "200"
                    }
                },
                {
                    "cfid": 232453,
                    "id": "d3",
                    "filterType": "Useragent",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 232454,
                    "id": "d4",
                    "filterType": "ASN",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "AS13335CLOUDFLARENET"
                    }
                },
                {
                    "cfid": 232455,
                    "id": "d5",
                    "filterType": "URI",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz"
                    }
                },
                {
                    "cfid": 232456,
                    "id": "d6",
                    "filterType": "DestinationIP",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "104.18.103.100"
                    }
                },
                {
                    "cfid": 232457,
                    "id": "d7",
                    "filterType": "Connectionhostname",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 232458,
                    "id": "d8",
                    "filterType": "HTTPcontenttype",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "application/x-gzip"
                    }
                },
                {
                    "cfid": 232459,
                    "id": "d9",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "6"
                    }
                }
            ]
        }
    ],
    "score": 0.245,
    "device": {
        "did": 16,
        "ip": "192.168.1.#18408",
        "ips": [
            {
                "ip": "192.168.1.#18408",
                "timems": 1688263200000,
                "time": "2023-07-0202:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1644001727000,
        "lastSeen": 1688266122000,
        "typename": "desktop",
        "typelabel": "Desktop"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 26368,
    "time": 1687987886000,
    "creationTime": 1687987892000,
    "model": {
        "then": {
            "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
            "pid": 2299,
            "phid": 9961,
            "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
            "logic": {
                "data": [
                    19083
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {
                    "action": "quarantine",
                    "confirm": true,
                    "connector_actions": {},
                    "duration": 1000,
                    "ignoreSchedule": true,
                    "threshold": "50"
                },
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": true,
            "modified": "2023-06-28 21:31:29",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": false,
            "autoSuppress": false,
            "description": "",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "darktrace",
                "userID": 2
            },
            "edited": {
                "by": "darktrace",
                "userID": 2
            },
            "version": 7,
            "priority": 4,
            "category": "Suspicious",
            "compliance": true
        },
        "now": {
            "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
            "pid": 2299,
            "phid": 9962,
            "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
            "logic": {
                "data": [
                    19084
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {
                    "action": "quarantine",
                    "confirm": true,
                    "connector_actions": {},
                    "duration": 1000,
                    "ignoreSchedule": true,
                    "threshold": "50"
                },
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": false,
            "modified": "2023-06-28 21:32:10",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": false,
            "autoSuppress": false,
            "description": "",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "darktrace",
                "userID": 2
            },
            "edited": {
                "by": "darktrace",
                "userID": 2
            },
            "version": 8,
            "priority": 4,
            "category": "Suspicious",
            "compliance": true
        }
    },
    "triggeredComponents": [
        {
            "time": 1687987885000,
            "cbid": 26445,
            "cid": 19083,
            "chid": 30726,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {},
                "version": "v0.1"
            },
            "ip": "192.168.16.100/32",
            "port": 443,
            "metric": {
                "mlid": 16,
                "name": "connections",
                "label": "Connections"
            },
            "triggeredFilters": []
        }
    ],
    "score": 0.871,
    "device": {
        "did": 31,
        "hostname": "my_host",
        "vendor": "",
        "ip": "192.168.1.2",
        "ips": [
            {
                "ip": "192.168.1.2",
                "timems": 1688389200000,
                "time": "2023-07-0313:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1649669953000,
        "lastSeen": 1688391406000,
        "typename": "dnsserver",
        "typelabel": "DNSServer"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 27103,
    "time": 1688266123000,
    "creationTime": 1688266130000,
    "model": {
        "then": {
            "name": "Device::AttackandReconTools",
            "pid": 76,
            "phid": 8953,
            "uuid": "80010119-6d7f-0000-0305-5e0000000197",
            "logic": {
                "data": [
                    {
                        "cid": 17299,
                        "weight": 1
                    },
                    {
                        "cid": 17302,
                        "weight": 1
                    },
                    {
                        "cid": 17298,
                        "weight": 1
                    },
                    {
                        "cid": 17300,
                        "weight": 1
                    },
                    {
                        "cid": 17301,
                        "weight": 1
                    },
                    {
                        "cid": 17303,
                        "weight": 1
                    },
                    {
                        "cid": 17304,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 604800,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:InternalRecon",
                "OTEngineer"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-03-14 12:53:21",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "version": 87,
            "mitre": {
                "tactics": [
                    "initial-access"
                ],
                "techniques": [
                    "T1200"
                ]
            },
            "priority": 4,
            "category": "Suspicious",
            "compliance": false
        },
        "now": {
            "name": "Device::AttackandReconTools",
            "pid": 76,
            "phid": 8953,
            "uuid": "80010119-6d7f-0000-0305-5e0000000197",
            "logic": {
                "data": [
                    {
                        "cid": 17299,
                        "weight": 1
                    },
                    {
                        "cid": 17302,
                        "weight": 1
                    },
                    {
                        "cid": 17298,
                        "weight": 1
                    },
                    {
                        "cid": 17300,
                        "weight": 1
                    },
                    {
                        "cid": 17301,
                        "weight": 1
                    },
                    {
                        "cid": 17303,
                        "weight": 1
                    },
                    {
                        "cid": 17304,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 604800,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:InternalRecon",
                "OTEngineer"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2023-03-14 12:53:21",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "Addeddetectionforgobusteranddirbuster",
            "version": 87,
            "mitre": {
                "tactics": [
                    "initial-access"
                ],
                "techniques": [
                    "T1200"
                ]
            },
            "priority": 4,
            "category": "Suspicious",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1688266122000,
            "cbid": 27180,
            "cid": 17302,
            "chid": 27905,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": {
                                            "left": "H",
                                            "operator": "AND",
                                            "right": "J"
                                        }
                                    }
                                }
                            }
                        }
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": {
                                            "left": "F",
                                            "operator": "AND",
                                            "right": "H"
                                        }
                                    }
                                }
                            }
                        },
                        "operator": "OR",
                        "right": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": {
                                            "left": "G",
                                            "operator": "AND",
                                            "right": {
                                                "left": "H",
                                                "operator": "AND",
                                                "right": "I"
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.1.2/32",
            "port": 53,
            "metric": {
                "mlid": 11,
                "name": "dnsrequests",
                "label": "DNSRequests"
            },
            "triggeredFilters": [
                {
                    "cfid": 208828,
                    "id": "A",
                    "filterType": "DNShostlookup",
                    "arguments": {
                        "value": "kali(\\..+)?"
                    },
                    "comparatorType": "matchesregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 208829,
                    "id": "B",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "12"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 208830,
                    "id": "C",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 18
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "18",
                        "tag": {
                            "tid": 18,
                            "expiry": 0,
                            "thid": 18,
                            "name": "DNSServer",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 112,
                                "description": "DevicesreceivingandmakingDNSqueries",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 208831,
                    "id": "D",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 208832,
                    "id": "E",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 4
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "4",
                        "tag": {
                            "tid": 4,
                            "expiry": 0,
                            "thid": 4,
                            "name": "SecurityDevice",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 55,
                                "description": "",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 208835,
                    "id": "H",
                    "filterType": "Taggedinternalsource",
                    "arguments": {
                        "value": 58
                    },
                    "comparatorType": "doesnothavetag",
                    "trigger": {
                        "value": "58",
                        "tag": {
                            "tid": 58,
                            "expiry": 0,
                            "thid": 58,
                            "name": "MailServer",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 200,
                                "description": ""
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 208836,
                    "id": "I",
                    "filterType": "DNShostlookup",
                    "arguments": {
                        "value": "backbox.com"
                    },
                    "comparatorType": "doesnotmatch",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 208837,
                    "id": "J",
                    "filterType": "DNShostlookup",
                    "arguments": {
                        "value": "^kali\\.(by|hu|hr|cheng-tsui\\.com|tradair\\.com)$"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": "kali.download"
                    }
                },
                {
                    "cfid": 208838,
                    "id": "d1",
                    "filterType": "DNShostlookup",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "kali.download"
                    }
                }
            ]
        }
    ],
    "score": 0.871,
    "device": {
        "did": 16,
        "ip": "192.168.1.#18408",
        "ips": [
            {
                "ip": "192.168.1.#18408",
                "timems": 1688263200000,
                "time": "2023-07-0202:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1644001727000,
        "lastSeen": 1688266122000,
        "typename": "desktop",
        "typelabel": "Desktop"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 25808,
    "time": 1687774142000,
    "creationTime": 1687774148000,
    "model": {
        "then": {
            "name": "Compromise::WatchedDomain",
            "pid": 608,
            "phid": 6768,
            "uuid": "80010119-6d7f-0000-0305-5e0000000256",
            "logic": {
                "data": [
                    {
                        "cid": 13112,
                        "weight": 1
                    },
                    {
                        "cid": 13114,
                        "weight": 1
                    },
                    {
                        "cid": 13115,
                        "weight": 1
                    },
                    {
                        "cid": 13113,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:C2Comms"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2022-06-22 15:56:27",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "version": 31,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        },
        "now": {
            "name": "Compromise::WatchedDomain",
            "pid": 608,
            "phid": 6768,
            "uuid": "80010119-6d7f-0000-0305-5e0000000256",
            "logic": {
                "data": [
                    {
                        "cid": 13112,
                        "weight": 1
                    },
                    {
                        "cid": 13114,
                        "weight": 1
                    },
                    {
                        "cid": 13115,
                        "weight": 1
                    },
                    {
                        "cid": 13113,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [
                "",
                "AP:C2Comms"
            ],
            "interval": 3600,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2022-06-22 15:56:27",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
            "behaviour": "decreasing",
            "defeats": [],
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "Adjustingmodellogicforproxiedconnections",
            "version": 31,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687774141000,
            "cbid": 25885,
            "cid": 13112,
            "chid": 20980,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": {
                            "left": "C",
                            "operator": "AND",
                            "right": {
                                "left": "D",
                                "operator": "AND",
                                "right": "F"
                            }
                        }
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "B",
                            "operator": "AND",
                            "right": {
                                "left": "C",
                                "operator": "AND",
                                "right": {
                                    "left": "D",
                                    "operator": "AND",
                                    "right": "F"
                                }
                            }
                        },
                        "operator": "OR",
                        "right": {
                            "left": {
                                "left": "A",
                                "operator": "AND",
                                "right": {
                                    "left": "C",
                                    "operator": "AND",
                                    "right": {
                                        "left": "E",
                                        "operator": "AND",
                                        "right": "G"
                                    }
                                }
                            },
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "B",
                                    "operator": "AND",
                                    "right": {
                                        "left": "C",
                                        "operator": "AND",
                                        "right": {
                                            "left": "E",
                                            "operator": "AND",
                                            "right": "G"
                                        }
                                    }
                                },
                                "operator": "OR",
                                "right": {
                                    "left": {
                                        "left": "A",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "D",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "H",
                                                    "operator": "AND",
                                                    "right": "I"
                                                }
                                            }
                                        }
                                    },
                                    "operator": "OR",
                                    "right": {
                                        "left": "B",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": {
                                                "left": "D",
                                                "operator": "AND",
                                                "right": {
                                                    "left": "H",
                                                    "operator": "AND",
                                                    "right": "I"
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.1.2/32",
            "port": 53,
            "metric": {
                "mlid": 223,
                "name": "dtwatcheddomain",
                "label": "WatchedDomain"
            },
            "triggeredFilters": [
                {
                    "cfid": 156173,
                    "id": "A",
                    "filterType": "Watchedendpointsource",
                    "arguments": {
                        "value": ".+"
                    },
                    "comparatorType": "doesnotmatchregularexpression",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156175,
                    "id": "C",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 156177,
                    "id": "E",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {
                        "value": "12"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 156179,
                    "id": "G",
                    "filterType": "Destinationport",
                    "arguments": {
                        "value": 53
                    },
                    "comparatorType": "=",
                    "trigger": {
                        "value": "53"
                    }
                },
                {
                    "cfid": 156180,
                    "id": "d1",
                    "filterType": "Internalsourcedevicetype",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "6"
                    }
                },
                {
                    "cfid": 156181,
                    "id": "d10",
                    "filterType": "Watchedendpointdescription",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156182,
                    "id": "d2",
                    "filterType": "Connectionhostname",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156183,
                    "id": "d3",
                    "filterType": "DestinationIP",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "192.168.1.2"
                    }
                },
                {
                    "cfid": 156184,
                    "id": "d4",
                    "filterType": "ASN",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156185,
                    "id": "d5",
                    "filterType": "Country",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156186,
                    "id": "d6",
                    "filterType": "Message",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com"
                    }
                },
                {
                    "cfid": 156187,
                    "id": "d7",
                    "filterType": "Watchedendpoint",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "true"
                    }
                },
                {
                    "cfid": 156188,
                    "id": "d8",
                    "filterType": "Watchedendpointsource",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 156189,
                    "id": "d9",
                    "filterType": "Watchedendpointstrength",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "100"
                    }
                },
                {
                    "cfid": 156190,
                    "id": "H",
                    "filterType": "Internaldestination",
                    "arguments": {},
                    "comparatorType": "is",
                    "trigger": {
                        "value": "true"
                    }
                },
                {
                    "cfid": 156191,
                    "id": "I",
                    "filterType": "Internaldestinationdevicetype",
                    "arguments": {
                        "value": "11"
                    },
                    "comparatorType": "isnot",
                    "trigger": {
                        "value": "12"
                    }
                }
            ]
        }
    ],
    "score": 0.541,
    "device": {
        "did": 6,
        "hostname": "SaaS::Slack: john.doe@company.com",
        "ip": "192.168.16.#54818",
        "ips": [
            {
                "ip": "192.168.16.#54818",
                "timems": 1688385600000,
                "time": "2023-07-0312:00:00",
                "sid": 4
            }
        ],
        "sid": 4,
        "firstSeen": 1639068361000,
        "lastSeen": 1688385853000,
        "typename": "desktop",
        "typelabel": "Desktop"
    },
    "log_type": "modelbreaches"
}
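The samples above share one shape: `model.now` carries the model definition (name, priority, category, MITRE mapping), `triggeredComponents[].logic.data` is a nested `left` / `operator` / `right` boolean tree over filter ids, and `triggeredFilters` lists each filter with its configured argument and the observed `trigger` value; filters whose `comparatorType` is `display` (ids `d1`, `d2`, ...) carry context only. The following parser, an added example that is neither Sekoia.io nor Darktrace code, walks that tree to show which OR branch actually fired and flattens the event into the fields a triage rule needs. The embedded event is a constructed, trimmed copy of the samples' shape (the `pbid`, the device IP and the reduced filter set are invented), and reading the current definition from `model.now` rather than `model.then` is an assumption made here.

```python
"""Read a Darktrace "modelbreaches" event and explain why it fired.
Added example, not Sekoia.io or Darktrace code; the event below is a constructed,
trimmed copy of the samples' shape (pbid, IP and the short filter set are invented)."""
import json
from typing import Any

# Constructed sample event; field names follow the samples on this page.
SAMPLE_BREACH = json.loads(r'''
{
  "pbid": 99999, "time": 1688266122000, "score": 0.871, "log_type": "modelbreaches",
  "model": {"now": {"name": "Device::Attack and Recon Tools", "priority": 4,
                    "category": "Suspicious", "mitre": {"techniques": ["T1200"]}}},
  "device": {"did": 16, "ip": "192.168.1.10", "typelabel": "Desktop"},
  "triggeredComponents": [{
    "cid": 17302, "metric": {"name": "dnsrequests", "label": "DNS Requests"},
    "logic": {"data": {
      "left": {"left": "A", "operator": "AND", "right": {"left": "B", "operator": "AND", "right": "J"}},
      "operator": "OR",
      "right": {"left": "B", "operator": "AND", "right": {"left": "F", "operator": "AND", "right": "J"}}}},
    "triggeredFilters": [
      {"id": "A", "filterType": "DNS host lookup", "comparatorType": "matches regular expression",
       "arguments": {"value": "kali(\\..+)?"}, "trigger": {"value": "kali.download"}},
      {"id": "B", "filterType": "Tagged internal source", "comparatorType": "does not have tag",
       "arguments": {"value": 4}, "trigger": {"value": "4", "tag": {"name": "Security Device"}}},
      {"id": "J", "filterType": "DNS host lookup", "comparatorType": "does not match regular expression",
       "arguments": {"value": "^kali\\.(by|hu)$"}, "trigger": {"value": "kali.download"}},
      {"id": "d1", "filterType": "DNS host lookup", "comparatorType": "display",
       "arguments": {}, "trigger": {"value": "kali.download"}}
    ]
  }]
}
''')


def render(node: Any) -> str:
    """Render the nested {left, operator, right} tree as an infix expression."""
    if isinstance(node, str):
        return node
    return f"({render(node['left'])} {node['operator']} {render(node['right'])})"


def evaluate(node: Any, satisfied: set) -> bool:
    """Evaluate the tree; a leaf is true when its filter id was satisfied."""
    if isinstance(node, str):
        return node in satisfied
    left = evaluate(node["left"], satisfied)
    right = evaluate(node["right"], satisfied)
    if node["operator"] == "AND":
        return left and right
    if node["operator"] == "OR":
        return left or right
    raise ValueError(f"unknown operator {node['operator']!r}")


def or_branches(node: Any) -> list:
    """Split a top-level OR chain into its alternative branches."""
    if isinstance(node, dict) and node["operator"] == "OR":
        return or_branches(node["left"]) + or_branches(node["right"])
    return [node]


def explain_component(component: dict) -> dict:
    """Which filters passed, which OR branch fired, and the display-only context."""
    filters = {f["id"]: f for f in component["triggeredFilters"]}
    # "display" filters (d1, d2, ...) only carry context; they never enter the tree.
    satisfied = {fid for fid, f in filters.items() if f["comparatorType"] != "display"}
    tree = component["logic"]["data"]
    return {
        "metric": component["metric"]["label"],
        "expression": render(tree),
        "fired_branches": [render(b) for b in or_branches(tree) if evaluate(b, satisfied)],
        "conditions": [
            f"{fid}: {filters[fid]['filterType']} {filters[fid]['comparatorType']} "
            f"{filters[fid]['arguments'].get('value', '')!r} "
            f"(observed {filters[fid]['trigger']['value']!r})"
            for fid in sorted(satisfied)
        ],
        "context": {fid: filters[fid]["trigger"]["value"] for fid in filters if fid not in satisfied},
        # False here means the listed filters cannot satisfy the tree: worth flagging.
        "consistent": evaluate(tree, satisfied),
    }


def summarize(breach: dict) -> dict:
    """Flatten a model breach into the fields a triage rule or playbook step needs."""
    model = breach["model"]["now"]  # assumed: "now" is the current model definition
    device = breach["device"]
    return {
        "pbid": breach["pbid"],
        "model": model["name"],
        "priority": model["priority"],
        "category": model["category"],
        "techniques": model.get("mitre", {}).get("techniques", []),
        "score": breach["score"],
        "device": f"{device['ip']} (did {device['did']}, {device['typelabel']})",
        "components": [explain_component(c) for c in breach["triggeredComponents"]],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_BREACH), indent=2))
```

Run against the constructed event, the only branch that fires is `(A AND (B AND J))`: the regex on the DNS lookup matched `kali.download`, the device carried no `Security Device` tag, and the exclusion regex did not match. The `consistent` flag is a cheap sanity check when ingesting real events: a tree that evaluates false against its own `triggeredFilters` usually means a filter was dropped or renamed in transit.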
{
    "commentCount": 0,
    "pbid": 25860,
    "time": 1687793533000,
    "creationTime": 1687793540000,
    "model": {
        "then": {
            "name": "Device::ThreatIndicator",
            "pid": 540,
            "phid": 6656,
            "uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176",
            "logic": {
                "data": [
                    {
                        "cid": 12878,
                        "weight": 1
                    },
                    {
                        "cid": 12876,
                        "weight": 1
                    },
                    {
                        "cid": 12877,
                        "weight": 1
                    }
                ],
                "targetScore": 1,
                "type": "weightedComponentList",
                "version": 1
            },
            "throttle": 3600,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false,
                "tagTTL": 604800
            },
            "tags": [
                "",
                "RequiresConfiguration"
            ],
            "interval": 1,
            "delay": 0,
            "sequenced": false,
            "active": true,
            "modified": "2022-06-15 12:01:36",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.",
            "behaviour": "decreasing",
            "created": {
                "by": "System"
            },
            "edited": {
                "by": "System"
            },
            "message": "UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement",
            "version": 39,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687793532000,
            "cbid": 25937,
            "cid": 12876,
            "chid": 20545,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": "A",
                    "operator": "AND",
                    "right": {
                        "left": "F",
                        "operator": "AND",
                        "right": {
                            "left": "G",
                            "operator": "AND",
                            "right": {
                                "left": "H",
                                "operator": "AND",
                                "right": {
                                    "left": "I",
                                    "operator": "AND",
                                    "right": {
                                        "left": "J",
                                        "operator": "AND",
                                        "right": "K"
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.1.2/32",
            "port": 53,
            "metric": {
                "mlid": 223,
                "name": "dtwatcheddomain",
                "label": "Watched Domain"
            },
            "triggeredFilters": [
                {
                    "cfid": 153437,
                    "id": "A",
                    "filterType": "Watched endpoint source",
                    "arguments": {
                        "value": "^(\\_?Darktrace.*|AttackSurfaceManagement)"
                    },
                    "comparatorType": "does not match regular expression",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153437,
                    "id": "A",
                    "filterType": "Watched endpoint source",
                    "arguments": {
                        "value": "^(\\_?Darktrace.*|AttackSurfaceManagement)"
                    },
                    "comparatorType": "does not match regular expression",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153438,
                    "id": "F",
                    "filterType": "Watched endpoint source",
                    "arguments": {
                        "value": ".+"
                    },
                    "comparatorType": "matches regular expression",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153439,
                    "id": "G",
                    "filterType": "Watched endpoint source",
                    "arguments": {
                        "value": "Default"
                    },
                    "comparatorType": "does not match",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153439,
                    "id": "G",
                    "filterType": "Watched endpoint source",
                    "arguments": {
                        "value": "Default"
                    },
                    "comparatorType": "does not match",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153440,
                    "id": "H",
                    "filterType": "Tagged internal source",
                    "arguments": {
                        "value": 4
                    },
                    "comparatorType": "does not have tag",
                    "trigger": {
                        "value": "4",
                        "tag": {
                            "tid": 4,
                            "expiry": 0,
                            "thid": 4,
                            "name": "Security Device",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 55,
                                "description": "",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 153441,
                    "id": "I",
                    "filterType": "Internal source device type",
                    "arguments": {
                        "value": "12"
                    },
                    "comparatorType": "is not",
                    "trigger": {
                        "value": "7"
                    }
                },
                {
                    "cfid": 153442,
                    "id": "J",
                    "filterType": "Tagged internal source",
                    "arguments": {
                        "value": 18
                    },
                    "comparatorType": "does not have tag",
                    "trigger": {
                        "value": "18",
                        "tag": {
                            "tid": 18,
                            "expiry": 0,
                            "thid": 18,
                            "name": "DNS Server",
                            "restricted": false,
                            "data": {
                                "auto": false,
                                "color": 112,
                                "description": "Devices receiving and making DNS queries",
                                "visibility": "Public"
                            },
                            "isReferenced": true
                        }
                    }
                },
                {
                    "cfid": 153443,
                    "id": "K",
                    "filterType": "Direction",
                    "arguments": {
                        "value": "out"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "out"
                    }
                },
                {
                    "cfid": 153444,
                    "id": "d1",
                    "filterType": "Age of destination",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "38123579"
                    }
                },
                {
                    "cfid": 153445,
                    "id": "d2",
                    "filterType": "Country",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153446,
                    "id": "d3",
                    "filterType": "Destination IP",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "192.168.1.2"
                    }
                },
                {
                    "cfid": 153447,
                    "id": "d4",
                    "filterType": "ASN",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153448,
                    "id": "d5",
                    "filterType": "Destination port",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "53"
                    }
                },
                {
                    "cfid": 153449,
                    "id": "d6",
                    "filterType": "Rare external endpoint",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "0"
                    }
                },
                {
                    "cfid": 153450,
                    "id": "d7",
                    "filterType": "Watched endpoint source",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "ThreatIntel"
                    }
                },
                {
                    "cfid": 153450,
                    "id": "d7",
                    "filterType": "Watched endpoint source",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": ""
                    }
                },
                {
                    "cfid": 153451,
                    "id": "d8",
                    "filterType": "Message",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "clients2.google.com"
                    }
                }
            ]
        }
    ],
    "score": 0.612,
    "device": {
        "did": 39,
        "vendor": "",
        "ip": "192.168.1.3",
        "ips": [
            {
                "ip": "192.168.1.3",
                "timems": 1688389200000,
                "time": "2023-07-03 13:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1666276905000,
        "lastSeen": 1688391268000,
        "os": "Windows (10.0)",
        "typename": "server",
        "typelabel": "Server"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 25908,
    "time": 1687811707000,
    "creationTime": 1687811713000,
    "model": {
        "then": {
            "name": "PenTest",
            "pid": 2721,
            "phid": 9287,
            "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
            "logic": {
                "data": [
                    18021
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 1000,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": true,
            "modified": "2023-04-17 11:34:25",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": true,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "",
            "behaviour": "flat",
            "defeats": [],
            "created": {
                "by": "sam.gorse",
                "userID": 22
            },
            "edited": {
                "by": "sam.gorse",
                "userID": 22
            },
            "version": 7,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        },
        "now": {
            "name": "PenTest",
            "pid": 2721,
            "phid": 9287,
            "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
            "logic": {
                "data": [
                    18021
                ],
                "type": "componentList",
                "version": 1
            },
            "throttle": 1000,
            "sharedEndpoints": false,
            "actions": {
                "alert": true,
                "antigena": {},
                "breach": true,
                "model": true,
                "setPriority": false,
                "setTag": false,
                "setType": false
            },
            "tags": [],
            "interval": 3600,
            "delay": 0,
            "sequenced": true,
            "active": true,
            "modified": "2023-04-17 11:34:25",
            "activeTimes": {
                "devices": {},
                "tags": {},
                "type": "exclusions",
                "version": 2
            },
            "autoUpdatable": false,
            "autoUpdate": true,
            "autoSuppress": true,
            "description": "",
            "behaviour": "flat",
            "defeats": [],
            "created": {
                "by": "sam.gorse",
                "userID": 22
            },
            "edited": {
                "by": "sam.gorse",
                "userID": 22
            },
            "version": 7,
            "priority": 5,
            "category": "Critical",
            "compliance": false
        }
    },
    "triggeredComponents": [
        {
            "time": 1687811706000,
            "cbid": 25985,
            "cid": 18021,
            "chid": 29073,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": "A",
                    "operator": "OR",
                    "right": {
                        "left": "B",
                        "operator": "OR",
                        "right": {
                            "left": "C",
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "A",
                                    "operator": "AND",
                                    "right": {
                                        "left": "B",
                                        "operator": "AND",
                                        "right": {
                                            "left": "C",
                                            "operator": "AND",
                                            "right": "D"
                                        }
                                    }
                                },
                                "operator": "OR",
                                "right": {
                                    "left": {
                                        "left": "A",
                                        "operator": "AND",
                                        "right": "B"
                                    },
                                    "operator": "OR",
                                    "right": {
                                        "left": {
                                            "left": "B",
                                            "operator": "AND",
                                            "right": "C"
                                        },
                                        "operator": "OR",
                                        "right": {
                                            "left": "D",
                                            "operator": "OR",
                                            "right": {
                                                "left": {
                                                    "left": "A",
                                                    "operator": "AND",
                                                    "right": {
                                                        "left": "B",
                                                        "operator": "AND",
                                                        "right": "C"
                                                    }
                                                },
                                                "operator": "OR",
                                                "right": {
                                                    "left": {
                                                        "left": "B",
                                                        "operator": "AND",
                                                        "right": {
                                                            "left": "C",
                                                            "operator": "AND",
                                                            "right": "D"
                                                        }
                                                    },
                                                    "operator": "OR",
                                                    "right": {
                                                        "left": {
                                                            "left": "C",
                                                            "operator": "AND",
                                                            "right": "D"
                                                        },
                                                        "operator": "OR",
                                                        "right": {
                                                            "left": "A",
                                                            "operator": "AND",
                                                            "right": "D"
                                                        }
                                                    }
                                                }
                                            }
                                        }
                                    }
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "ip": "192.168.16.100/32",
            "port": 80,
            "metric": {
                "mlid": 16,
                "name": "connections",
                "label": "Connections"
            },
            "triggeredFilters": [
                {
                    "cfid": 217209,
                    "id": "C",
                    "filterType": "Destination port",
                    "arguments": {
                        "value": 80
                    },
                    "comparatorType": "=",
                    "trigger": {
                        "value": "80"
                    }
                }
            ]
        }
    ],
    "score": 1.0,
    "device": {
        "did": 31,
        "vendor": "",
        "ip": "192.168.1.2",
        "ips": [
            {
                "ip": "192.168.1.2",
                "timems": 1688389200000,
                "time": "2023-07-03 13:00:00",
                "sid": 3
            }
        ],
        "sid": 3,
        "firstSeen": 1649669953000,
        "lastSeen": 1688391406000,
        "typename": "dnsserver",
        "typelabel": "DNS Server"
    },
    "log_type": "modelbreaches"
}
{
    "commentCount": 0,
    "pbid": 36586,
    "time": 1700634482000,
    "creationTime": 1700634481000,
    "model": {
        "name": "System::System",
        "pid": 530,
        "phid": 4861,
        "uuid": "1c3f429b-ccb9-46a2-b864-868653bc780a",
        "logic": {
            "data": [
                9686
            ],
            "type": "componentList",
            "version": 1
        },
        "throttle": 10,
        "sharedEndpoints": false,
        "actions": {
            "alert": true,
            "antigena": {},
            "breach": true,
            "model": true,
            "setPriority": false,
            "setTag": false,
            "setType": false
        },
        "tags": [],
        "interval": 0,
        "delay": 0,
        "sequenced": true,
        "active": true,
        "modified": "2021-11-24 18:04:19",
        "activeTimes": {
            "devices": {},
            "tags": {},
            "type": "exclusions",
            "version": 2
        },
        "autoUpdatable": true,
        "autoUpdate": true,
        "autoSuppress": true,
        "description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\n\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.",
        "behaviour": "decreasing",
        "defeats": [],
        "created": {
            "by": "System"
        },
        "edited": {
            "by": "System"
        },
        "version": 16,
        "priority": 3,
        "category": "Informational",
        "compliance": false
    },
    "triggeredComponents": [
        {
            "time": 1700634481000,
            "cbid": 36900,
            "cid": 9686,
            "chid": 15251,
            "size": 1,
            "threshold": 0,
            "interval": 3600,
            "logic": {
                "data": {
                    "left": {
                        "left": "A",
                        "operator": "AND",
                        "right": "B"
                    },
                    "operator": "OR",
                    "right": {
                        "left": {
                            "left": "A",
                            "operator": "AND",
                            "right": "C"
                        },
                        "operator": "OR",
                        "right": {
                            "left": {
                                "left": "A",
                                "operator": "AND",
                                "right": "D"
                            },
                            "operator": "OR",
                            "right": {
                                "left": {
                                    "left": "A",
                                    "operator": "AND",
                                    "right": "E"
                                },
                                "operator": "OR",
                                "right": {
                                    "left": "A",
                                    "operator": "AND",
                                    "right": "F"
                                }
                            }
                        }
                    }
                },
                "version": "v0.1"
            },
            "metric": {
                "mlid": 206,
                "name": "dtsystem",
                "label": "System"
            },
            "triggeredFilters": [
                {
                    "cfid": 111299,
                    "id": "A",
                    "filterType": "Event details",
                    "arguments": {
                        "value": "analyze credential ignore list"
                    },
                    "comparatorType": "does not contain",
                    "trigger": {
                        "value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago"
                    }
                },
                {
                    "cfid": 111300,
                    "id": "B",
                    "filterType": "System message",
                    "arguments": {
                        "value": "Probe error"
                    },
                    "comparatorType": "is",
                    "trigger": {
                        "value": "Probe error"
                    }
                },
                {
                    "cfid": 111305,
                    "id": "d1",
                    "filterType": "Event details",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago"
                    }
                },
                {
                    "cfid": 111306,
                    "id": "d2",
                    "filterType": "System message",
                    "arguments": {},
                    "comparatorType": "display",
                    "trigger": {
                        "value": "Probe error"
                    }
                }
            ]
        }
    ],
    "score": 0.674,
    "device": {
        "did": -1
    },
    "log_type": "modelbreaches"
}
{
    "url": "https://darktrace-dt/#actions/000/111",
    "iris-event-type": "antigena_state_change",
    "codeuuid": "",
    "codeid": 537,
    "action_family": "NETWORK",
    "action": "CREATE_NEEDSCONFIRMATION",
    "username": "JDOE",
    "reason": "",
    "start": 1702896511,
    "end": 1702903711,
    "did": 901,
    "pbid": 0,
    "action_creator": "",
    "model": "test_model_network",
    "inhibitor": "Enforce pattern of life",
    "device": {
        "did": 901,
        "macaddress": "00:11:22:33:44:55",
        "vendor": "test_vendor",
        "ip": "1.2.3.4",
        "ips": [
            {
                "ip": "1.2.3.4",
                "timems": 1702893600000,
                "time": "2023-12-18 10:00:00",
                "sid": 69,
                "vlan": 0
            }
        ],
        "sid": 69,
        "hostname": "test_hostname",
        "firstSeen": 1671027693000,
        "lastSeen": 1702896182000,
        "os": "Windows",
        "typename": "desktop",
        "typelabel": "Desktop"
    }
}

Detection section

The following section provides information for those who wish to learn more about the detection capabilities enabled by collecting this intake. It includes details about the built-in rule catalog, event categories, and ECS fields extracted from raw events. This is essential for users aiming to create custom detection rules, perform hunting activities, or pivot in the events page.

Event Categories

The following table lists the data sources offered by this integration.

Data Source Description
DNS records Darktrace monitors DNS requests or connections from devices to watched domains or IP addresses.
Web logs Darktrace monitors accesses to watched domains.

In detail, the following table denotes the types of events produced by this integration.

Name Values
Kind alert
Category network, threat
Type info

Transformed Events Samples after Ingestion

This section demonstrates how the raw logs will be transformed by our parsers. It shows the extracted fields that will be available for use in the built-in detection rules and hunting activities in the events page. Understanding these transformations is essential for analysts to create effective detection mechanisms with custom detection rules and to leverage the full potential of the collected data.
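To make the transformation concrete before the samples, here is an added worked example (illustrative code, not Sekoia's actual parser) that takes one raw `aianalyst/incidentevents` record, as it arrives in the `message` field, and rebuilds the normalized shape shown in the transformed sample: the fixed `event.kind`/`event.category`/`event.type`, an `@timestamp` derived from `createdAt`, the subset of fields kept under `darktrace.threat_visualizer`, and `device.id`/`host.id` taken from the first breach device. The list of kept fields and the timestamp format are read off the transformed sample below; the sample input is constructed from the same values and trimmed.

```python
import json
from datetime import datetime, timezone

# Raw fields that the transformed sample keeps under darktrace.threat_visualizer.
# Read off the sample on this page; assumed to be the complete list.
KEPT_FIELDS = (
    "acknowledged", "activityId", "aiaScore", "attackPhases", "breachDevices",
    "category", "children", "currentGroup", "externalTriggered", "groupCategory",
    "groupScore", "groupingIds", "mitreTactics", "periods", "relatedBreaches",
    "userTriggered",
)


def epoch_ms_to_iso(ms):
    """Render an epoch-milliseconds value the way @timestamp appears on this page,
    e.g. 1697334832520 -> '2023-10-15T01:53:52.520000Z'. Integer arithmetic keeps
    the millisecond part exact instead of going through a float."""
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    dt = dt.replace(microsecond=(ms % 1000) * 1000)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def normalize_incident_event(raw_message):
    """Map one raw AI Analyst incident event (JSON string) to the normalized
    document shape shown in the transformed samples. Assumed mapping for
    illustration, not the production parser."""
    raw = json.loads(raw_message)
    if raw.get("log_type") != "aianalyst/incidentevents":
        raise ValueError(f"unexpected log_type: {raw.get('log_type')!r}")

    event = {
        # The raw payload is preserved verbatim so analysts can pivot on anything
        # the normalized subset leaves out (summary text, details tables, ...).
        "message": raw_message,
        "event": {"category": "threat", "kind": "alert", "type": ["info"]},
        "@timestamp": epoch_ms_to_iso(raw["createdAt"]),
        "darktrace": {
            "threat_visualizer": {k: raw[k] for k in KEPT_FIELDS if k in raw}
        },
        "observer": {"name": "Darktrace", "product": "Threat visualizer"},
    }

    # device.id / host.id come from the first breach device's did (as a string),
    # and are simply absent when the record carries no breach device.
    devices = raw.get("breachDevices") or []
    if devices and devices[0].get("did") is not None:
        did = str(devices[0]["did"])
        event["device"] = {"id": did}
        event["host"] = {"id": did}
    return event


# Constructed sample, modelled on the first transformed event on this page with
# the free-text summary and details tables trimmed away.
SAMPLE_RAW = json.dumps({
    "summariser": "HttpAgentSummary", "acknowledged": False, "pinned": False,
    "createdAt": 1697334832520, "attackPhases": [2],
    "mitreTactics": ["command-and-control"],
    "title": "Possible HTTP Command and Control",
    "id": "a400af0f-a297-478c-8fc6-c778a9558183",
    "children": ["a400af0f-a297-478c-8fc6-c778a9558183"],
    "category": "critical",
    "currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
    "groupCategory": "suspicious", "groupScore": 2.449186624037094,
    "activityId": "da39a3ee", "groupingIds": ["511a418e"],
    "userTriggered": False, "externalTriggered": False,
    "aiaScore": 55.52733790170975,
    "periods": [{"start": 1697334679535, "end": 1697334713852}],
    "breachDevices": [{"identifier": None, "hostname": None, "ip": "10.0.0.#36859",
                       "mac": None, "subnet": None, "did": 62, "sid": 25}],
    "relatedBreaches": [{"modelName": "Device / New User Agent", "pbid": 34952,
                         "threatScore": 31.0, "timestamp": 1697334680000}],
    "log_type": "aianalyst/incidentevents",
})

if __name__ == "__main__":
    print(json.dumps(normalize_incident_event(SAMPLE_RAW), indent=2))
```

Note that `title`, `summary` and `details` are not copied into `darktrace.threat_visualizer` because the transformed sample does not expose them as separate fields; they stay reachable only through the preserved `message` string, which is worth remembering when writing custom detection rules on this intake.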

{
    "message": "{\"summariser\":\"HttpAgentSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1697334832520,\"attackPhases\":[2],\"mitreTactics\":[\"command-and-control\"],\"title\":\"Possible HTTP Command and Control\",\"id\":\"a400af0f-a297-478c-8fc6-c778a9558183\",\"children\":[\"a400af0f-a297-478c-8fc6-c778a9558183\"],\"category\":\"critical\",\"currentGroup\":\"ga400af0f-a297-478c-8fc6-c778a9558183\",\"groupCategory\":\"suspicious\",\"groupScore\":2.449186624037094,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"511a418e\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":55.52733790170975,\"summary\":\"The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\\n\\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\\n\\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.\",\"periods\":[{\"start\":1697334679535,\"end\":1697334713852}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}],\"relatedBreaches\":[{\"modelName\":\"Device / New User Agent\",\"pbid\":34952,\"threatScore\":31.0,\"timestamp\":1697334680000}],\"details\":[[{\"header\":\"Device Making Suspicious Connections\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}]}]}],[{\"header\":\"Suspicious Application\",\"contents\":[{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"python-requests/2.25.1\"]}]},{\"header\":\"Suspicious Endpoints Contacted by Application\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1697334679535,\"end\":1697334713852}]},{\"key\":\"Hostname\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"themoneyfix.org\",\"ip\":null}]},{\"key\":\"Hostname rarity\",\"type\":\"percentage\",\"values\":[100.0]},{\"key\":\"Hostname first observed\",\"type\":\"timestamp\",\"values\":[1697334687000]},{\"key\":\"Most recent destination IP\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"45.56.79.23\",\"ip\":\"45.56.79.23\"}]},{\"key\":\"Most recent ASN\",\"type\":\"string\",\"values\":[\"AS63949 Akamai Connected Cloud\"]},{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[2]},{\"key\":\"URI\",\"type\":\"string\",\"values\":[\"/login/username=adriano.lamo&password=il0v3cH33s3\"]},{\"key\":\"Port\",\"type\":\"integer\",\"values\":[80]},{\"key\":\"HTTP method\",\"type\":\"string\",\"values\":[\"GET\"]},{\"key\":\"Status code\",\"type\":\"string\",\"values\":[\"200\"]}]}]],\"log_type\":\"aianalyst/incidentevents\"}",
    "event": {
        "category": "threat",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-15T01:53:52.520000Z",
    "darktrace": {
        "threat_visualizer": {
            "acknowledged": false,
            "activityId": "da39a3ee",
            "aiaScore": 55.52733790170975,
            "attackPhases": [
                2
            ],
            "breachDevices": [
                {
                    "did": 62,
                    "hostname": null,
                    "identifier": null,
                    "ip": "10.0.0.#36859",
                    "mac": null,
                    "sid": 25,
                    "subnet": null
                }
            ],
            "category": "critical",
            "children": [
                "a400af0f-a297-478c-8fc6-c778a9558183"
            ],
            "currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
            "externalTriggered": false,
            "groupCategory": "suspicious",
            "groupScore": 2.449186624037094,
            "groupingIds": [
                "511a418e"
            ],
            "mitreTactics": [
                "command-and-control"
            ],
            "periods": [
                {
                    "end": 1697334713852,
                    "start": 1697334679535
                }
            ],
            "relatedBreaches": [
                {
                    "modelName": "Device / New User Agent",
                    "pbid": 34952,
                    "threatScore": 31.0,
                    "timestamp": 1697334680000
                }
            ],
            "userTriggered": false
        }
    },
    "device": {
        "id": "62"
    },
    "host": {
        "id": "62"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    }
}
{
    "message": "{\"summariser\": \"SaasHijackSummary\", \"acknowledged\": false, \"pinned\": false, \"createdAt\": 1730023348884, \"attackPhases\": [3], \"mitreTactics\": [\"privilege-escalation\"], \"title\": \"Possible Hijack of Zoom Account\", \"id\": \"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"children\": [\"204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\"], \"category\": \"critical\", \"currentGroup\": \"g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b\", \"groupCategory\": \"critical\", \"groupScore\": 21.063004966718992, \"groupPreviousGroups\": [], \"activityId\": \"da39a3ee\", \"groupingIds\": [\"3d2a2fc6\"], \"groupByActivity\": false, \"userTriggered\": false, \"externalTriggered\": false, \"aiaScore\": 93.67343783378601, \"summary\": \"The SaaS actor john.doe@example.com was observed making suspicious requests over a configured Zoom service from the IP 1.2.3.4.\\n\\nThis included requests made from unusual locations compared to the previous access locations observed from this actor and from the configured service in general.\\n\\nThough this behaviour could be the result of legitimate service usage or administration, it could also be a sign of this actor's account being hijacked by a malicious actor.\\n\\nConsequently, the security team may wish to confirm that this activity was legitimate and expected.\", \"periods\": [{\"start\": 1730023230000, \"end\": 1730023230000}], \"sender\": null, \"breachDevices\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}], \"relatedBreaches\": [{\"modelName\": \"SaaS / Access / Unusual External Source for SaaS Credential Use\", \"pbid\": 46769, \"threatScore\": 63.0, \"timestamp\": 1730023232000}], \"details\": [[{\"header\": \"SaaS User Details\", \"contents\": [{\"key\": \"SaaS account\", \"type\": \"device\", \"values\": [{\"identifier\": \"SaaS::Zoom: john.doe@example.com\", \"hostname\": \"SaaS::Zoom: john.doe@example.com\", \"ip\": null, \"mac\": null, \"subnet\": null, \"did\": 3820, \"sid\": -9}]}, {\"key\": \"Actor\", \"type\": \"string\", \"values\": [\"john.doe@example.com\"]}]}], [{\"header\": \"Agent Carrying out Suspicious Activity\", \"contents\": [{\"key\": \"Source IP\", \"type\": \"externalHost\", \"values\": [{\"hostname\": \"1.2.3.4\", \"ip\": \"1.2.3.4\"}]}, {\"key\": \"ASN\", \"type\": \"string\", \"values\": [\"AS2119 Telenor Norge AS\"]}, {\"key\": \"City\", \"type\": \"string\", \"values\": [\"Stockholm\"]}, {\"key\": \"Country\", \"type\": \"string\", \"values\": [\"Sweden\"]}]}, {\"header\": \"Summary of Activity\", \"contents\": [{\"key\": \"Time\", \"type\": \"timestampRange\", \"values\": [{\"start\": 1730023230000, \"end\": 1730023230000}]}, {\"key\": \"Suspicious properties\", \"type\": \"string\", \"values\": [\"Unusual time for activity\", \"Unusual external source for activity\"]}]}, {\"header\": \"Activity Details\", \"contents\": [{\"key\": \"Event\", \"type\": \"string\", \"values\": [\"Sign in\"]}, {\"key\": \"Number of events\", \"type\": \"integer\", \"values\": [1]}]}]], \"log_type\": \"aianalyst/incidentevents\"}",
    "event": {
        "category": "threat",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-10-27T10:02:28.884000Z",
    "darktrace": {
        "threat_visualizer": {
            "acknowledged": false,
            "activityId": "da39a3ee",
            "aiaScore": 93.67343783378601,
            "attackPhases": [
                3
            ],
            "breachDevices": [
                {
                    "did": 3820,
                    "hostname": "SaaS::Zoom: john.doe@example.com",
                    "identifier": "SaaS::Zoom: john.doe@example.com",
                    "ip": null,
                    "mac": null,
                    "sid": -9,
                    "subnet": null
                }
            ],
            "category": "critical",
            "children": [
                "204a3642-a6f1-4ac3-85d0-add7dd0c9f9b"
            ],
            "currentGroup": "g204a3642-a6f1-4ac3-85d0-add7dd0c9f9b",
            "externalTriggered": false,
            "groupCategory": "critical",
            "groupScore": 21.063004966718992,
            "groupingIds": [
                "3d2a2fc6"
            ],
            "mitreTactics": [
                "privilege-escalation"
            ],
            "periods": [
                {
                    "end": 1730023230000,
                    "start": 1730023230000
                }
            ],
            "relatedBreaches": [
                {
                    "modelName": "SaaS / Access / Unusual External Source for SaaS Credential Use",
                    "pbid": 46769,
                    "threatScore": 63.0,
                    "timestamp": 1730023232000
                }
            ],
            "userTriggered": false
        }
    },
    "device": {
        "id": "3820"
    },
    "host": {
        "id": "3820"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "user": {
        "email": "john.doe@example.com"
    }
}
{
    "message": "{\"summariser\":\"SaasBruteforceSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1708649003457,\"attackPhases\":[2,4],\"mitreTactics\":[\"credential-access\"],\"title\":\"Possible Distributed Bruteforce of AzureActiveDirectory Account\",\"id\":\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"incidentEventUrl\":\"https://darktrace-dt-32980-01/saas#aiaincidentevent/dc5f69a5-ee78-4702-a999-ed64a9e873dc\",\"children\":[\"dc5f69a5-ee78-4702-a999-ed64a9e873dc\"],\"category\":\"suspicious\",\"currentGroup\":\"g7bd28910-7d7d-4971-9a20-48f12b8518e1\",\"groupCategory\":\"suspicious\",\"groupScore\":32.34820100820068,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"6ae71ab6\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":85.47036382887099,\"summary\":\"Repeated attempts to access the account test@test.fr over a configured AzureActiveDirectory service were observed from a range of external IP addresses.\\n\\nThis included login attempts made from unusual locations for the account, and for the configured service in general.\\n\\nSince these requests originated from a wide variety of external sources, this could indicate a distributed attempt by a malicious actor to gain illegitimate access to this account.\\n\\nThe security team may therefore wish to ensure that the relevant credentials are sufficiently robust, and that additional measures such as multi-factor authentication are enabled where possible.\",\"periods\":[{\"start\":1708040149000,\"end\":1708648697000}],\"sender\":null,\"breachDevices\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}],\"relatedBreaches\":[{\"modelName\":\"SaaS / Access / Password Spray\",\"pbid\":7130,\"threatScore\":47,\"timestamp\":1708648698000}],\"details\":[[{\"header\":\"SaaS User Details\",\"contents\":[{\"key\":\"SaaS account\",\"type\":\"device\",\"values\":[{\"identifier\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"hostname\":\"SaaS::AzureActiveDirectory: test@test.fr\",\"ip\":null,\"mac\":null,\"subnet\":null,\"did\":2635,\"sid\":-9}]},{\"key\":\"Actor\",\"type\":\"string\",\"values\":[\"test@test.fr\"]}]}],[{\"header\":\"Summary of Related Access Attempts\",\"contents\":[{\"key\":\"Attempts grouped by\",\"type\":\"string\",\"values\":[\"same targeted account\"]},{\"key\":\"Number of source ASNs\",\"type\":\"integer\",\"values\":[241]},{\"key\":\"Suspicious properties\",\"type\":\"string\",\"values\":[\"Unusual time for activity\",\"Unusual external source for activity\",\"Large number of login failures\"]}]},{\"header\":\"Details of Access Attempts\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1708040149000,\"end\":1708648697000}]},{\"key\":\"Targeted account\",\"type\":\"string\",\"values\":[\"test@test.fr\"]},{\"key\":\"Total number of login failures\",\"type\":\"integer\",\"values\":[1136]},{\"key\":\"Reasons for login failures\",\"type\":\"string\",\"values\":[\"Sign-in was blocked because it came from an IP address with malicious activity\",\"The account is locked, you've tried to sign in too many times with an incorrect user ID or password.\",\"Error validating credentials due to invalid username or password.\"]}]},{\"header\":\"Sources of Access Attempts\",\"contents\":[{\"key\":\"Source ASNs include\",\"type\":\"string\",\"values\":[\"AS4134 Chinanet\",\"AS4837 CHINA UNICOM China169 Backbone\",\"AS4766 Korea Telecom\",\"AS9808 China Mobile Communications Group Co., Ltd.\",\"AS24560 Bharti Airtel Ltd., Telemedia Services\"]},{\"key\":\"Source IPs include\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"122.4.70.38\",\"ip\":\"122.4.70.38\"},{\"hostname\":\"41.207.248.204\",\"ip\":\"41.207.248.204\"},{\"hostname\":\"124.89.116.178\",\"ip\":\"124.89.116.178\"},{\"hostname\":\"121.184.235.17\",\"ip\":\"121.184.235.17\"},{\"hostname\":\"61.153.208.38\",\"ip\":\"61.153.208.38\"}]},{\"key\":\"Countries include\",\"type\":\"string\",\"values\":[\"China\",\"South Korea\",\"India\",\"United States\",\"Brazil\"]},{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"Office 365 Exchange Online\"]}]}]]}\n",
    "event": {
        "category": "network",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2024-02-23T00:43:23.457000Z",
    "darktrace": {
        "threat_visualizer": {
            "acknowledged": false,
            "activityId": "da39a3ee",
            "aiaScore": 85.47036382887099,
            "attackPhases": [
                2,
                4
            ],
            "breachDevices": [
                {
                    "did": 2635,
                    "hostname": "SaaS::AzureActiveDirectory: test@test.fr",
                    "identifier": "SaaS::AzureActiveDirectory: test@test.fr",
                    "ip": null,
                    "mac": null,
                    "sid": -9,
                    "subnet": null
                }
            ],
            "category": "suspicious",
            "children": [
                "dc5f69a5-ee78-4702-a999-ed64a9e873dc"
            ],
            "currentGroup": "g7bd28910-7d7d-4971-9a20-48f12b8518e1",
            "externalTriggered": false,
            "groupCategory": "suspicious",
            "groupScore": 32.34820100820068,
            "groupingIds": [
                "6ae71ab6"
            ],
            "mitreTactics": [
                "credential-access"
            ],
            "periods": [
                {
                    "end": 1708648697000,
                    "start": 1708040149000
                }
            ],
            "relatedBreaches": [
                {
                    "modelName": "SaaS / Access / Password Spray",
                    "pbid": 7130,
                    "threatScore": 47,
                    "timestamp": 1708648698000
                }
            ],
            "userTriggered": false
        }
    },
    "device": {
        "id": "2635"
    },
    "host": {
        "id": "2635"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "user": {
        "email": "test@test.fr"
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":26316,\"time\":1687967502000,\"creationTime\":1687967508000,\"model\":{\"then\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false},\"now\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Excludedcommonuseragents\",\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687967501000,\"cbid\":26393,\"cid\":19046,\"chid\":30682,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"