Darktrace Threat Visualizer

Overview

Darktrace monitors all people and digital assets across your entire ecosystem.

This setup guide describes how to forward logs from Darktrace Threat Visualizer to Sekoia.io.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Event Categories

The following table lists the data sources offered by this integration.

| Data Source | Description |
| --- | --- |
| DNS records | Darktrace monitors DNS requests or connections from devices to watched domains or IP addresses. |
| Web logs | Darktrace monitors accesses to watched domains. |

In detail, the following table lists the types of events produced by this integration.

| Name | Values |
| --- | --- |
| Kind | alert, event |
| Category | network |
| Type | info |

Event Samples

Below are a few samples of events and how they are normalized by Sekoia.io.
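The samples that follow show a raw Darktrace model-breach message (the `message` field) next to the normalized document Sekoia.io produces from it. The script below is an added example, not Sekoia.io's or Darktrace's own parser; it reproduces the mapping that the samples make visible (`host.id` from `device.did`, `@timestamp` from `time`, `event.end` from `model.then.modified`, `host.ip` and `related.ip` from `device.ip`, `host.hostname`/`host.name` and `related.hosts` from `device.hostname`) so that a practitioner can check what a breach will look like in the SIEM before shipping it. The two input messages are constructed, trimmed copies of the page's samples; the assumptions are that every breach message maps to `event.kind` "alert" (as all three samples do) and that a masked device address such as `192.168.1.#18408`, which is not a parseable IP, is the reason the first sample ends up with an empty `host.ip`. `normalize`, `_valid_ips` and `_iso_utc_ms` are names chosen here.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample: a trimmed Darktrace breach message shaped like the page's
# second sample (same field names, most of the model metadata dropped).
SAMPLE_BREACH = json.dumps({
    "pbid": 26368,
    "time": 1687987886000,
    "creationTime": 1687987892000,
    "model": {
        "then": {"name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                 "modified": "2023-06-28 21:31:29", "priority": 4,
                 "category": "Suspicious"},
        "now": {"name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                "modified": "2023-06-28 21:32:10", "priority": 4,
                "category": "Suspicious"},
    },
    "score": 0.871,
    "device": {"did": 31, "hostname": "my_host", "ip": "192.168.1.2",
               "typename": "dnsserver"},
})

# Constructed sample with a masked device address, as in the page's first
# sample: "192.168.1.#18408" is not a parseable IP and must not reach host.ip.
SAMPLE_MASKED = json.dumps({
    "pbid": 26316,
    "time": 1687967502000,
    "model": {"then": {"name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                       "modified": "2023-06-28 11:53:50"}},
    "score": 0.245,
    "device": {"did": 16, "ip": "192.168.1.#18408", "typename": "desktop"},
})


def _valid_ips(*candidates):
    """Keep only values that parse as IP addresses (masked or empty ones are dropped)."""
    out = []
    for c in candidates:
        try:
            ipaddress.ip_address(c)
        except ValueError:
            continue
        if c not in out:
            out.append(c)
    return out


def _iso_utc_ms(epoch_ms):
    """Epoch milliseconds (Darktrace 'time') -> '%Y-%m-%dT%H:%M:%SZ' in UTC."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize(raw_message):
    """Turn a raw Darktrace Threat Visualizer breach message into the
    ECS-style document shown in the page's samples (assumed mapping)."""
    src = json.loads(raw_message)
    device = src.get("device", {})
    then = src.get("model", {}).get("then", {})

    # host.ip / related.ip only carry real addresses; masked ones yield [].
    host = {"id": str(device["did"]), "ip": _valid_ips(device.get("ip", ""))}
    related = {"ip": list(host["ip"])}
    if device.get("hostname"):
        host["hostname"] = device["hostname"]
        host["name"] = device["hostname"]
        related["hosts"] = [device["hostname"]]

    event = {"category": "network", "kind": "alert", "type": ["info"]}
    if then.get("modified"):
        # "2023-06-28 21:31:29" -> "2023-06-28T21:31:29Z", as in the samples' event.end
        event["end"] = then["modified"].replace(" ", "T") + "Z"

    return {
        "message": raw_message,
        "event": event,
        "@timestamp": _iso_utc_ms(src["time"]),
        "host": host,
        "observer": {"name": "Darktrace", "product": "Threat visualizer"},
        "darktrace": {"threat_visualizer": {"pbid": src.get("pbid"), "score": src.get("score"),
                                            "model": {"then": then}, "device": device}},
        "related": related,
    }


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE_BREACH), indent=2))
    print(json.dumps(normalize(SAMPLE_MASKED), indent=2))
```

Running the script prints the two normalized documents; the masked-address case is the one to watch in practice, since a breach whose `host.ip` and `related.ip` are empty will not join with other sources on the device address and has to be pivoted on `host.id` (the Darktrace `did`) instead.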

{
    "message": "{\"commentCount\":0,\"pbid\":26316,\"time\":1687967502000,\"creationTime\":1687967508000,\"model\":{\"then\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false},\"now\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 
11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Excludedcommonuseragents\",\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687967501000,\"cbid\":26393,\"cid\":19046,\"chid\":30682,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"opera
tor\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left
\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"
left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"104.18.103.100/32\",\"port\":80,\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"ExternalConnections\"},\"triggeredFilters\":[{\"cfid\":232424,\"id\":\"C\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232426,\"id\":\"F\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":232428,\"id\":\"H\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{\"value\":\"application/x-gzip\"},\"comparatorType\":\"matches\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232430,\"id\":\"J\",\"filterType\":\"RareexternalIP\",\"arguments\":{\"value\":98},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232431,\"id\":\"K\",\"filterType\":\"Ra
redomain\",\"arguments\":{\"value\":95},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232432,\"id\":\"L\",\"filterType\":\"Trustedhostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":232433,\"id\":\"M\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232434,\"id\":\"N\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232435,\"id\":\"O\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232436,\"id\":\"P\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"17\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232437,\"id\":\"Q\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":15},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"15\",\"tag\":{\"tid\":15,\"expiry\":0,\"thid\":15,\"name\":\"ConflictingUser-Agents\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":284,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":232438,\"id\":\"R\",\"filterType\":\"DestinationIP\",\"arguments\":{\"value\":\"0.0.0.0\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232439,\"id\":\"S\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\\\.(carbonblack\\\\.io|nutanix\\\\.com|pandasoftware\\\\.com|ivanti\\\\.com|mit\\\\.edu|mastercam\\\\.com|rit\\\\.edu|knime\\\\.com|logicnow\\\\.us|oppomobile\\\\.com|trendmicro\\\\.com|panorama9\\\\.com|jiransecurity\\\\.com|refinitiv\\\\.com|jiran\\\\.com|loxtop\\\\.com|snoopwall\\\\.
com|tumbleweed\\\\.com|sangfor\\\\.net|alyac\\\\.com|spamassassin\\\\.org|verein-clean\\\\.net|itsupport247\\\\.net|lsfilter\\\\.com|iboss\\\\.com|eeye\\\\.com|windowsupdate\\\\.com|fireeye\\\\.com)|definitionsbd\\\\.adaware\\\\.com|nasepm\\\\.aramark\\\\.com|(bdefs|hw|ec)\\\\.threattrack\\\\.com|upd\\\\.zonelabs\\\\.com|www\\\\.solutionsam\\\\.com|licensingservice\\\\.altarix\\\\.com|autoupdate\\\\.bradyid\\\\.com|iblocklist\\\\.com|clientservices\\\\.googleapis\\\\.com|mirror\\\\.centos\\\\..*\\\\.serverforge\\\\.org|sync\\\\.bigfix\\\\.com|catalog\\\\.kace\\\\.com)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232440,\"id\":\"T\",\"filterType\":\"Useragent\",\"arguments\":{\"value\":\"/((libdnf|sa-update|Valve\\\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232441,\"id\":\"U\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(antivirus|rpm(s)?|sa-update|centos|fedora).*\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232442,\"id\":\"V\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"/.*\\\\/centos\\\\/.*\\\\.xml\\\\.gz/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232443,\"id\":\"W\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"dl.delivery.mp.microsoft.com\"},\"comparatorType\":\"doesnotcontain\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232444,\"id\":\"Y\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{\"value\":400},\"comparatorType\":\"<\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232445,\"id\":\"Z\",\"filterType\":\"
Individualsizedown\",\"arguments\":{\"value\":10000},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232446,\"id\":\"d1\",\"filterType\":\"Individualsizedown\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232447,\"id\":\"d10\",\"filterType\":\"Individualsizeup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"679\"}},{\"cfid\":232448,\"id\":\"d11\",\"filterType\":\"HTTPreferrer\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232449,\"id\":\"d12\",\"filterType\":\"HTTPmethod\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232450,\"id\":\"d13\",\"filterType\":\"Dataratio\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":232451,\"id\":\"d14\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"43965774\"}},{\"cfid\":232452,\"id\":\"d2\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232453,\"id\":\"d3\",\"filterType\":\"Useragent\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232454,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS13335CLOUDFLARENET\"}},{\"cfid\":232455,\"id\":\"d5\",\"filterType\":\"URI\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232456,\"id\":\"d6\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232457,\"id\":\"d7\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232458,\"id\":\"d8\",\"filterType\":\"HTTPcontent
type\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232459,\"id\":\"d9\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}}]}],\"score\":0.245,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
    "event": {
        "category": "network",
        "end": "2023-06-28T11:53:50Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-28T15:51:42Z",
    "host": {
        "id": "16",
        "ip": []
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "darktrace": {
        "threat_visualizer": {
            "creationTime": 1687967508000,
            "commentCount": 0,
            "pbid": 26316,
            "time": 1687967502000,
            "model": {
                "then": {
                    "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                    "pid": 619,
                    "phid": 9945,
                    "uuid": "80010119-6d7f-0000-0305-5e0000000172",
                    "mitre": {
                        "tactics": [
                            "resource-development"
                        ],
                        "techniques": [
                            "T1588.001"
                        ]
                    },
                    "tags": [
                        "",
                        "AP:Tooling",
                        "OTEngineer"
                    ],
                    "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
                    "category": "Informational",
                    "priority": 1,
                    "behaviour": "decreasing",
                    "version": 42
                },
                "now": {
                    "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                    "pid": 619,
                    "phid": 9945,
                    "uuid": "80010119-6d7f-0000-0305-5e0000000172",
                    "mitre": {
                        "tactics": [
                            "resource-development"
                        ],
                        "techniques": [
                            "T1588.001"
                        ]
                    },
                    "tags": [
                        "",
                        "AP:Tooling",
                        "OTEngineer"
                    ],
                    "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
                    "behaviour": "decreasing",
                    "message": "Excludedcommonuseragents",
                    "priority": 1,
                    "category": "Informational",
                    "version": 42
                }
            },
            "score": 0.245,
            "device": {
                "ip": "192.168.1.#18408",
                "ips": [
                    {
                        "ip": "192.168.1.#18408",
                        "timems": 1688263200000,
                        "time": "2023-07-0202:00:00",
                        "sid": 3
                    }
                ],
                "sid": 3,
                "firstSeen": 1644001727000,
                "lastSeen": 1688266122000,
                "typename": "desktop",
                "typelabel": "Desktop"
            }
        }
    },
    "related": {
        "ip": []
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":26368,\"time\":1687987886000,\"creationTime\":1687987892000,\"model\":{\"then\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9961,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19083],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-06-28 21:31:29\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":7,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true},\"now\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9962,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19084],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":false,\"modified\":\"2023-06-28 
21:32:10\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":8,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true}},\"triggeredComponents\":[{\"time\":1687987885000,\"cbid\":26445,\"cid\":19083,\"chid\":30726,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":443,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[]}],\"score\":0.871,\"device\":{\"did\":31,\"hostname\":\"my_host\",\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"}}",
    "event": {
        "category": "network",
        "end": "2023-06-28T21:31:29Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-28T21:31:26Z",
    "host": {
        "id": "31",
        "hostname": "my_host",
        "ip": [
            "192.168.1.2"
        ],
        "name": "my_host"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "darktrace": {
        "threat_visualizer": {
            "creationTime": 1687987892000,
            "commentCount": 0,
            "pbid": 26368,
            "time": 1687987886000,
            "model": {
                "then": {
                    "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                    "pid": 2299,
                    "phid": 9961,
                    "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
                    "tags": [],
                    "category": "Suspicious",
                    "priority": 4,
                    "behaviour": "decreasing",
                    "defeats": [],
                    "version": 7
                },
                "now": {
                    "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                    "pid": 2299,
                    "phid": 9962,
                    "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
                    "tags": [],
                    "behaviour": "decreasing",
                    "defeats": [],
                    "edited": {
                        "userID": 2
                    },
                    "priority": 4,
                    "category": "Suspicious",
                    "version": 8
                }
            },
            "score": 0.871,
            "device": {
                "ip": "192.168.1.2",
                "ips": [
                    {
                        "ip": "192.168.1.2",
                        "timems": 1688389200000,
                        "time": "2023-07-0313:00:00",
                        "sid": 3
                    }
                ],
                "sid": 3,
                "firstSeen": 1649669953000,
                "lastSeen": 1688391406000,
                "typename": "dnsserver",
                "typelabel": "DNSServer"
            }
        }
    },
    "related": {
        "ip": [
            "192.168.1.2"
        ],
        "hosts": [
            "my_host"
        ]
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":27103,\"time\":1688266123000,\"creationTime\":1688266130000,\"model\":{\"then\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"now\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"s
haredEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Addeddetectionforgobusteranddirbuster\",\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1688266122000,\"cbid\":27180,\"cid\":17302,\"chid\":27905,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operato
r\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNSRequests\"},\"triggeredFilters\":[{\"cfid\":208828,\"id\":\"A\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"kali(\\\\..+)?\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208829,\"id\":\"B\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":208830,\"id\":\"C\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208831,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":208832,\"id\":\"E\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208835,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":58},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"58\",\"tag\":{\"tid\":58,\"expiry\":0,\"thid\":58,\"name\":\"MailServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true}}},{\"cfid\":208836,\"id\":\"I\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"
value\":\"backbox.com\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208837,\"id\":\"J\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208838,\"id\":\"d1\",\"filterType\":\"DNShostlookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}}]}],\"score\":0.871,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
    "event": {
        "category": "network",
        "end": "2023-03-14T12:53:21Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-07-02T02:48:43Z",
    "host": {
        "id": "16",
        "ip": []
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "darktrace": {
        "threat_visualizer": {
            "creationTime": 1688266130000,
            "commentCount": 0,
            "pbid": 27103,
            "time": 1688266123000,
            "model": {
                "then": {
                    "name": "Device::AttackandReconTools",
                    "pid": 76,
                    "phid": 8953,
                    "uuid": "80010119-6d7f-0000-0305-5e0000000197",
                    "mitre": {
                        "tactics": [
                            "initial-access"
                        ],
                        "techniques": [
                            "T1200"
                        ]
                    },
                    "tags": [
                        "",
                        "AP:InternalRecon",
                        "OTEngineer"
                    ],
                    "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
                    "category": "Suspicious",
                    "priority": 4,
                    "behaviour": "decreasing",
                    "version": 87
                },
                "now": {
                    "name": "Device::AttackandReconTools",
                    "pid": 76,
                    "phid": 8953,
                    "uuid": "80010119-6d7f-0000-0305-5e0000000197",
                    "mitre": {
                        "tactics": [
                            "initial-access"
                        ],
                        "techniques": [
                            "T1200"
                        ]
                    },
                    "tags": [
                        "",
                        "AP:InternalRecon",
                        "OTEngineer"
                    ],
                    "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
                    "behaviour": "decreasing",
                    "message": "Addeddetectionforgobusteranddirbuster",
                    "priority": 4,
                    "category": "Suspicious",
                    "version": 87
                }
            },
            "score": 0.871,
            "device": {
                "ip": "192.168.1.#18408",
                "ips": [
                    {
                        "ip": "192.168.1.#18408",
                        "timems": 1688263200000,
                        "time": "2023-07-0202:00:00",
                        "sid": 3
                    }
                ],
                "sid": 3,
                "firstSeen": 1644001727000,
                "lastSeen": 1688266122000,
                "typename": "desktop",
                "typelabel": "Desktop"
            }
        }
    },
    "related": {
        "ip": []
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25808,\"time\":1687774142000,\"creationTime\":1687774148000,\"model\":{\"then\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Adjustingmodellogicforproxiedconnections\",\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687774141000,\"cbid\":25885,\"cid\":13112,\"chid\":20980,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":156173,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156175,\"id\":\"C\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":156177,\"id\":\"E\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156179,\"id\":\"G\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":53},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":156180,\"id\":\"d1\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156181,\"id\":\"d10\",\"filterType\":\"Watchedendpointdescription\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156182,\"id\":\"d2\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156183,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":156184,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156185,\"id\":\"d5\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156186,\"id\":\"d6\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com\"}},{\"cfid\":156187,\"id\":\"d7\",\"filterType\":\"Watchedendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156188,\"id\":\"d8\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156189,\"id\":\"d9\",\"filterType\":\"Watchedendpointstrength\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":156190,\"id\":\"H\",\"filterType\":\"Internaldestination\",\"arguments\":{},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156191,\"id\":\"I\",\"filterType\":\"Internaldestinationdevicetype\",\"arguments\":{\"value\":\"11\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"12\"}}]}],\"score\":0.541,\"device\":{\"did\":6,\"hostname\":\"SaaS::Slack: john.doe@company.com\",\"ip\":\"192.168.16.#54818\",\"ips\":[{\"ip\":\"192.168.16.#54818\",\"timems\":1688385600000,\"time\":\"2023-07-0312:00:00\",\"sid\":4}],\"sid\":4,\"firstSeen\":1639068361000,\"lastSeen\":1688385853000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
    "event": {
        "category": "network",
        "end": "2022-06-22T15:56:27Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T10:09:02Z",
    "host": {
        "id": "6",
        "ip": []
    },
    "service": {
        "name": "Slack"
    },
    "user": {
        "email": "john.doe@company.com"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "darktrace": {
        "threat_visualizer": {
            "creationTime": 1687774148000,
            "commentCount": 0,
            "pbid": 25808,
            "time": 1687774142000,
            "model": {
                "then": {
                    "name": "Compromise::WatchedDomain",
                    "pid": 608,
                    "phid": 6768,
                    "uuid": "80010119-6d7f-0000-0305-5e0000000256",
                    "tags": [
                        "",
                        "AP:C2Comms"
                    ],
                    "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
                    "category": "Critical",
                    "priority": 5,
                    "behaviour": "decreasing",
                    "defeats": [],
                    "version": 31
                },
                "now": {
                    "name": "Compromise::WatchedDomain",
                    "pid": 608,
                    "phid": 6768,
                    "uuid": "80010119-6d7f-0000-0305-5e0000000256",
                    "tags": [
                        "",
                        "AP:C2Comms"
                    ],
                    "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
                    "behaviour": "decreasing",
                    "defeats": [],
                    "message": "Adjustingmodellogicforproxiedconnections",
                    "priority": 5,
                    "category": "Critical",
                    "version": 31
                }
            },
            "score": 0.541,
            "device": {
                "ip": "192.168.16.#54818",
                "ips": [
                    {
                        "ip": "192.168.16.#54818",
                        "timems": 1688385600000,
                        "time": "2023-07-0312:00:00",
                        "sid": 4
                    }
                ],
                "sid": 4,
                "firstSeen": 1639068361000,
                "lastSeen": 1688385853000,
                "typename": "desktop",
                "typelabel": "Desktop"
            }
        }
    },
    "related": {
        "ip": []
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25860,\"time\":1687793533000,\"creationTime\":1687793540000,\"model\":{\"then\":{\"name\":\"Device::ThreatIndicator\",\"pid\":540,\"phid\":6656,\"uuid\":\"84c92ea6-36b9-402f-9df1-3c5bfaee9176\",\"logic\":{\"data\":[{\"cid\":12878,\"weight\":1},{\"cid\":12876,\"weight\":1},{\"cid\":12877,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false,\"tagTTL\":604800},\"tags\":[\"\",\"RequiresConfiguration\"],\"interval\":1,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-15 12:01:36\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\\n\\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement\",\"version\":39,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687793532000,\"cbid\":25937,\"cid\":12876,\"chid\":20545,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"K\"}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153438,\"id\":\"F\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153440,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153441,\"id\":\"I\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"7\"}},{\"cfid\":153442,\"id\":\"J\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153443,\"id\":\"K\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":153444,\"id\":\"d1\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"38123579\"}},{\"cfid\":153445,\"id\":\"d2\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153446,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":153447,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153448,\"id\":\"d5\",\"filterType\":\"Destinationport\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":153449,\"id\":\"d6\",\"filterType\":\"Rareexternalendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153451,\"id\":\"d8\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"clients2.google.com\"}}]}],\"score\":0.612,\"device\":{\"did\":39,\"vendor\":\"\",\"ip\":\"192.168.1.3\",\"ips\":[{\"ip\":\"192.168.1.3\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1666276905000,\"lastSeen\":1688391268000,\"os\":\"Windows(10.0)\",\"typename\":\"server\",\"typelabel\":\"Server\"}}",
    "event": {
        "category": "network",
        "end": "2022-06-15T12:01:36Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T15:32:13Z",
    "host": {
        "id": "39",
        "ip": [
            "192.168.1.3"
        ]
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "darktrace": {
        "threat_visualizer": {
            "creationTime": 1687793540000,
            "commentCount": 0,
            "pbid": 25860,
            "time": 1687793533000,
            "model": {
                "then": {
                    "name": "Device::ThreatIndicator",
                    "pid": 540,
                    "phid": 6656,
                    "uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176",
                    "tags": [
                        "",
                        "RequiresConfiguration"
                    ],
                    "description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.",
                    "category": "Critical",
                    "priority": 5,
                    "behaviour": "decreasing",
                    "version": 39
                }
            },
            "score": 0.612,
            "device": {
                "ip": "192.168.1.3",
                "ips": [
                    {
                        "ip": "192.168.1.3",
                        "timems": 1688389200000,
                        "time": "2023-07-0313:00:00",
                        "sid": 3
                    }
                ],
                "sid": 3,
                "firstSeen": 1666276905000,
                "lastSeen": 1688391268000,
                "typename": "server",
                "typelabel": "Server"
            }
        }
    },
    "related": {
        "ip": [
            "192.168.1.3"
        ]
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25908,\"time\":1687811707000,\"creationTime\":1687811713000,\"model\":{\"then\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":false,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687811706000,\"cbid\":25985,\"cid\":18021,\"chid\":29073,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"B\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"},\"operator\":\"OR\",\"right\":{\"left\":\"D\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"D\"}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":80,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[{\"cfid\":217209,\"id\":\"C\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":80},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"80\"}}]}],\"score\":1.0,\"device\":{\"did\":31,\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"}}",
    "event": {
        "category": "network",
        "end": "2023-04-17T11:34:25Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T20:35:07Z",
    "host": {
        "id": "31",
        "ip": [
            "192.168.1.2"
        ]
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "darktrace": {
        "threat_visualizer": {
            "creationTime": 1687811713000,
            "commentCount": 0,
            "pbid": 25908,
            "time": 1687811707000,
            "model": {
                "then": {
                    "name": "PenTest",
                    "pid": 2721,
                    "phid": 9287,
                    "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
                    "tags": [],
                    "category": "Critical",
                    "priority": 5,
                    "behaviour": "flat",
                    "defeats": [],
                    "version": 7
                },
                "now": {
                    "name": "PenTest",
                    "pid": 2721,
                    "phid": 9287,
                    "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
                    "tags": [],
                    "behaviour": "flat",
                    "defeats": [],
                    "edited": {
                        "userID": 22
                    },
                    "priority": 5,
                    "category": "Critical",
                    "version": 7
                }
            },
            "score": 1.0,
            "device": {
                "ip": "192.168.1.2",
                "ips": [
                    {
                        "ip": "192.168.1.2",
                        "timems": 1688389200000,
                        "time": "2023-07-0313:00:00",
                        "sid": 3
                    }
                ],
                "sid": 3,
                "firstSeen": 1649669953000,
                "lastSeen": 1688391406000,
                "typename": "dnsserver",
                "typelabel": "DNSServer"
            }
        }
    },
    "related": {
        "ip": [
            "192.168.1.2"
        ]
    }
}
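The samples above pair each raw breach (the `message` string) with its normalized form. The Python below is added here as an illustration and is not Sekoia.io's parser; it reproduces the mapping the samples exhibit: epoch-millisecond `time` becomes `@timestamp`, `model.now.modified` becomes `event.end`, `device.did` becomes `host.id`, masked addresses such as `192.168.1.#18408` are dropped from `host.ip` and `related.ip` (only parseable addresses are kept), and a `SaaS::Slack: user@domain` hostname is split into `service.name` and `user.email`. The key allow-lists, the hostname pattern, the UTC assumption for `modified`, and the `constructed_message()` builder are assumptions read off the samples; the input it builds is constructed, not captured data.

```python
"""Normalize a Darktrace Threat Visualizer model breach into the shape shown above.

Added example for this page, not Sekoia.io's parser: every mapping rule below is
an assumption read off the samples, and the input built by constructed_message()
is constructed, not captured data.
"""
import ipaddress
import json
import re
from datetime import datetime, timezone

# Keys kept under darktrace.threat_visualizer.model.{then,now} and .device
# (assumed from the field table, not an official allow-list).
MODEL_KEYS = ("name", "pid", "phid", "uuid", "mitre", "tags", "description",
              "category", "priority", "behaviour", "defeats", "message", "version")
DEVICE_KEYS = ("ip", "ips", "sid", "firstSeen", "lastSeen", "typename", "typelabel")
# Assumed shape of SaaS pseudo-devices, e.g. "SaaS::Slack: john.doe@company.com".
SAAS_HOSTNAME = re.compile(r"^SaaS::(?P<service>[^:]+): (?P<email>[^@\s]+@[^@\s]+)$")


def epoch_ms_to_iso(ms: int) -> str:
    """Epoch milliseconds -> 'YYYY-MM-DDTHH:MM:SSZ' (UTC, second precision)."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def modified_to_iso(modified: str) -> str:
    """Darktrace 'YYYY-MM-DD HH:MM:SS' (taken as UTC) -> ISO 8601 with a Z suffix."""
    return datetime.strptime(modified, "%Y-%m-%d %H:%M:%S").strftime("%Y-%m-%dT%H:%M:%SZ")


def unmasked_ips(value) -> list:
    """Return [value] if it parses as an IP address, else [].

    Darktrace masks some addresses as '192.168.1.#18408'; the samples show those
    producing an empty host.ip / related.ip, so unparsable values are dropped.
    """
    try:
        return [str(ipaddress.ip_address(value))]
    except (ValueError, TypeError):
        return []


def pick(src: dict, keys) -> dict:
    """Copy only the listed keys that are present."""
    return {k: src[k] for k in keys if k in src}


def normalize_breach(raw_message: str) -> dict:
    """Turn the raw breach JSON (the 'message' field) into the normalized event."""
    breach = json.loads(raw_message)
    now = breach.get("model", {}).get("now", {})
    then = breach.get("model", {}).get("then", {})
    device = breach.get("device", {})
    ips = unmasked_ips(device.get("ip"))
    tv = {
        **pick(breach, ("creationTime", "commentCount", "pbid", "time", "score")),
        "model": {"then": pick(then, MODEL_KEYS), "now": pick(now, MODEL_KEYS)},
        "device": pick(device, DEVICE_KEYS),
    }
    if "userID" in now.get("edited", {}):  # only the numeric id is kept, not the username
        tv["model"]["now"]["edited"] = {"userID": now["edited"]["userID"]}
    event = {
        "message": raw_message,
        "@timestamp": epoch_ms_to_iso(breach["time"]),
        "event": {"category": "network", "kind": "alert", "type": ["info"]},
        "host": {"id": str(device["did"]), "ip": ips},
        "observer": {"name": "Darktrace", "product": "Threat visualizer"},
        "darktrace": {"threat_visualizer": tv},
        "related": {"ip": ips},
    }
    if "modified" in now:  # event.end follows the model's last modification time
        event["event"]["end"] = modified_to_iso(now["modified"])
    m = SAAS_HOSTNAME.match(device.get("hostname", ""))
    if m:
        event["service"] = {"name": m.group("service")}
        event["user"] = {"email": m.group("email")}
    return event


def constructed_message(ip: str, hostname: str = "") -> str:
    """Build a constructed raw breach shaped like the page's samples (not real data)."""
    state = {
        "name": "Compromise::WatchedDomain", "pid": 608, "phid": 6768,
        "uuid": "80010119-6d7f-0000-0305-5e0000000256", "tags": ["", "AP:C2Comms"],
        "modified": "2022-06-22 15:56:27", "priority": 5, "category": "Critical",
        "behaviour": "decreasing", "defeats": [], "version": 31, "throttle": 3600,
        "created": {"by": "System"}, "edited": {"by": "System", "userID": 22},
    }
    device = {"did": 6, "ip": ip, "sid": 4, "firstSeen": 1639068361000,
              "lastSeen": 1688385853000, "typename": "desktop", "typelabel": "Desktop",
              "ips": [{"ip": ip, "timems": 1688385600000, "time": "2023-07-03 12:00:00", "sid": 4}]}
    if hostname:
        device["hostname"] = hostname
    return json.dumps({
        "commentCount": 0, "pbid": 25808, "time": 1687774142000, "creationTime": 1687774148000,
        "score": 0.541, "device": device,
        "model": {"then": state, "now": {**state, "message": "Adjusting model logic"}},
    })


if __name__ == "__main__":
    print(json.dumps(normalize_breach(
        constructed_message("192.168.16.#54818", "SaaS::Slack: john.doe@company.com")), indent=2))
```

Run as a script it prints the normalized event for a masked-IP SaaS device, which is the case where `host.ip` and `related.ip` come out empty; passing a plain address such as `192.168.1.3` instead populates both, as in the third sample above. Fields the raw breach carries but the samples do not surface (`logic`, `actions`, `throttle`, `activeTimes`) are deliberately left out by the allow-lists.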

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that inferred fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
darktrace.threat_visualizer.commentCount number The number of comments made against this breach.
darktrace.threat_visualizer.creationTime number The timestamp that the record of the breach was created. This is distinct from the time field.
darktrace.threat_visualizer.device.firstSeen number The first time the device was seen on the network.
darktrace.threat_visualizer.device.ip string The current IP associated with the device.
darktrace.threat_visualizer.device.ips array IPs associated with the device historically.
darktrace.threat_visualizer.device.ips.ip string A historic IP associated with the device.
darktrace.threat_visualizer.device.ips.sid number The subnet id for the subnet the IP belongs to.
darktrace.threat_visualizer.device.ips.time string The time the IP was last seen associated with that device in readable format.
darktrace.threat_visualizer.device.ips.timems number The time the IP was last seen associated with that device in epoch time.
darktrace.threat_visualizer.device.lastSeen number The last time the device was seen on the network.
darktrace.threat_visualizer.device.sid number The subnet id for the subnet the device is currently located in.
darktrace.threat_visualizer.device.typelabel keyword The device type in readable format.
darktrace.threat_visualizer.device.typename keyword The device type in system format.
darktrace.threat_visualizer.model.now.behaviour string The score modulation function as set in the model editor.
darktrace.threat_visualizer.model.now.category string The behavior category associated with the model at the time of request.
darktrace.threat_visualizer.model.now.defeats array An array of model defeats - AND conditions - which if met, prevent the model from breaching.
darktrace.threat_visualizer.model.now.defeats.arguments.value string The argument value the defeat filter is compared against.
darktrace.threat_visualizer.model.now.defeats.comparator string The comparator that the value is compared against to create the defeat.
darktrace.threat_visualizer.model.now.defeats.defeatID number A unique ID for the defeat.
darktrace.threat_visualizer.model.now.defeats.filtertype string The filter the defeat is made from.
darktrace.threat_visualizer.model.now.description string The optional description of the model.
darktrace.threat_visualizer.model.now.edited.userID number ID of the user that last edited the model.
darktrace.threat_visualizer.model.now.message string The commit message for the change.
darktrace.threat_visualizer.model.now.mitre.tactics array An array of MITRE ATT&CK framework tactics the model has been mapped to.
darktrace.threat_visualizer.model.now.mitre.techniques array An array of MITRE ATT&CK framework techniques the model has been mapped to.
darktrace.threat_visualizer.model.now.name string Name of the model that was breached.
darktrace.threat_visualizer.model.now.phid number The model policy history id. Increments when the model is modified.
darktrace.threat_visualizer.model.now.pid number The policy id of the model that was breached.
darktrace.threat_visualizer.model.now.priority number The numeric behavior category associated with the model at the time of request: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical.
darktrace.threat_visualizer.model.now.tags array A list of tags that have been applied to this model in the Threat Visualizer model editor (for example "AP: Bruteforce").
darktrace.threat_visualizer.model.now.uuid string A unique ID that is generated on creation of the model.
darktrace.threat_visualizer.model.now.version number The version of the model. Increments on each edit.
darktrace.threat_visualizer.model.then.behaviour string The score modulation function as set in the model editor.
darktrace.threat_visualizer.model.then.category string The behavior category associated with the model at the time of the breach.
darktrace.threat_visualizer.model.then.defeats array An array of model defeats - AND conditions - which if met, prevent the model from breaching.
darktrace.threat_visualizer.model.then.defeats.arguments.value string
darktrace.threat_visualizer.model.then.defeats.comparator string The comparator the value is compared with to create the defeat.
darktrace.threat_visualizer.model.then.defeats.defeatID number A unique ID for the defeat.
darktrace.threat_visualizer.model.then.defeats.filtertype string The filter the defeat is made from.
darktrace.threat_visualizer.model.then.description string The optional description of the model.
darktrace.threat_visualizer.model.then.mitre.tactics array An array of MITRE ATT&CK framework tactics the model has been mapped to.
darktrace.threat_visualizer.model.then.mitre.techniques array An array of MITRE ATT&CK framework techniques the model has been mapped to.
darktrace.threat_visualizer.model.then.name string Name of the model that was breached.
darktrace.threat_visualizer.model.then.phid number The model policy history id. Increments when the model is modified.
darktrace.threat_visualizer.model.then.pid number The policy id of the model that was breached.
darktrace.threat_visualizer.model.then.priority number The numeric behavior category associated with the model at the time of the breach: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical.
darktrace.threat_visualizer.model.then.tags array A list of tags that have been applied to this model in the Threat Visualizer model editor.
darktrace.threat_visualizer.model.then.uuid string A unique ID that is generated on creation of the model.
darktrace.threat_visualizer.model.then.version number The version of the model. Increments on each edit.
darktrace.threat_visualizer.pbid number The policy breach ID of the model breach.
darktrace.threat_visualizer.score number The model breach score, represented by a value between 0 and 1.
darktrace.threat_visualizer.time number The timestamp when the record was created in epoch time.
event.category keyword Event category. The second categorization field in the hierarchy.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.type keyword Event type. The third categorization field in the hierarchy.
host.hostname keyword Hostname of the host.
host.id keyword Unique host id.
host.ip ip Host IP addresses.
observer.name keyword Custom name of the observer.
observer.product keyword The product name of the observer.
service.name keyword Name of the service.
user.email keyword User email address.
user.name keyword Short name or login of the user.
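To make the priority, score and model-version semantics in the field reference concrete, here is an added Python example (not Sekoia.io's or Darktrace's code) that flattens model breach records into a triage view. It applies the documented priority-to-category mapping (0-3 informational, 4 suspicious, 5 critical), converts the epoch-millisecond `time` to ISO 8601, flags breaches whose model has been edited since it fired (`model.then.version` versus `model.now.version`), and keeps only suspicious and critical breaches ordered by score. The sample records are constructed for this example and use only keys listed in the table above; function names are this example's own.

```python
"""Flatten Darktrace Threat Visualizer model breaches for triage.

Added example, not Sekoia.io or Darktrace code. SAMPLE_BREACHES is
constructed from the field reference; real breaches carry many more keys.
"""
from datetime import datetime, timezone


def priority_to_category(priority: int) -> str:
    """Map model priority to the documented behaviour category."""
    if not 0 <= priority <= 5:
        raise ValueError(f"priority outside documented range 0-5: {priority}")
    if priority <= 3:
        return "informational"
    if priority == 4:
        return "suspicious"
    return "critical"


def epoch_ms_to_iso(ms: int) -> str:
    """Darktrace 'time' is epoch milliseconds; render it as UTC ISO 8601."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_breach(record: dict) -> dict:
    """Reduce one breach to the fields an analyst needs for first triage."""
    then = record["model"]["then"]            # model as it was when the breach fired
    now = record["model"].get("now", then)    # model as it is now (may have been edited)
    device = record.get("device", {})
    mitre = then.get("mitre", {})
    return {
        "pbid": record["pbid"],
        "time": epoch_ms_to_iso(record["time"]),
        "score": record["score"],
        "model_name": then["name"],
        "model_uuid": then["uuid"],
        "category": priority_to_category(then["priority"]),
        # A differing version means the logic that fired is no longer what is deployed.
        "model_edited_since_breach": now.get("version") != then.get("version"),
        "mitre_tactics": list(mitre.get("tactics", [])),
        "mitre_techniques": list(mitre.get("techniques", [])),
        "device_type": device.get("typelabel"),
        "device_ips": [entry["ip"] for entry in device.get("ips", [])],
    }


def triage(records, min_priority: int = 4):
    """Keep breaches whose priority at breach time was >= min_priority, highest score first."""
    kept = [normalize_breach(r) for r in records
            if r["model"]["then"]["priority"] >= min_priority]
    return sorted(kept, key=lambda n: n["score"], reverse=True)


def _model(name, uuid, priority, then_version, now_version, tactics, techniques):
    # Helper to build a constructed model.then / model.now pair.
    base = {"name": name, "uuid": uuid, "priority": priority,
            "mitre": {"tactics": tactics, "techniques": techniques}}
    return {"then": dict(base, version=then_version),
            "now": dict(base, version=now_version)}


# Constructed sample breaches (values invented for this example).
SAMPLE_BREACHES = [
    {"pbid": 1001, "time": 1700000000000, "score": 0.42,
     "model": _model("Example::Informational Model", "00000000-0000-0000-0000-000000000001",
                     1, 7, 7, [], []),
     "device": {"typelabel": "Laptop", "ips": [{"ip": "10.0.0.5"}]}},
    {"pbid": 1002, "time": 1700003600000, "score": 0.87,
     "model": _model("Example::Critical Model", "00000000-0000-0000-0000-000000000002",
                     5, 3, 4, ["lateral-movement"], ["T1021"]),
     "device": {"typelabel": "Server", "ips": [{"ip": "10.0.0.20"}, {"ip": "10.0.0.21"}]}},
    {"pbid": 1003, "time": 1700007200000, "score": 0.95,
     "model": _model("Example::Suspicious Model", "00000000-0000-0000-0000-000000000003",
                     4, 2, 2, ["credential-access"], ["T1110"]),
     "device": {"typelabel": "Workstation", "ips": [{"ip": "10.0.1.7"}]}},
]


def triage_sample():
    return triage(SAMPLE_BREACHES)


if __name__ == "__main__":
    for row in triage_sample():
        print(row)
```

Filtering on `model.then.priority` rather than `model.now.priority` is deliberate: the `then` block is the model as it existed when the breach fired, so it is the right basis for deciding how the alert was classified at the time, while the edited-since flag tells the analyst that the current model may behave differently.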

Configure

As a prerequisite, you need a Darktrace Threat Visualizer API tenant URL.

Acquire your public and private key

See the Darktrace documentation for instructions on acquiring your public and private key.

Create the intake

Go to the intake page and create a new intake from the format Threat Visualizer.

Pull events

Go to the playbook page and create a new playbook with the Darktrace connector.

Set up the trigger configuration with the API URL, the private key and the public key.

Start the playbook and enjoy your events.