Skip to content

Darktrace Threat Visualizer

Overview

Darktrace monitors all people and digital assets across your entire ecosystem.

This setup guide describes how to forward logs from Darktrace Threat visualizer to Sekoia.io.

Warning

Important note - This format is currently in beta. We highly value your feedback to improve its performance.

Event Categories

The following table lists the data source offered by this integration.

Data Source Description
DNS records Darktrace monitors DNS requests or connections from devices to watched domains or IP addresses.
Web logs Darktrace monitors accesses to watched domains.

In details, the following table denotes the type of events produced by this integration.

Name Values
Kind alert, event
Category network, threat
Type info

Event Samples

Find below few samples of events and how they are normalized by Sekoia.io.

{
    "message": "{\"summariser\":\"HttpAgentSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1697334832520,\"attackPhases\":[2],\"mitreTactics\":[\"command-and-control\"],\"title\":\"Possible HTTP Command and Control\",\"id\":\"a400af0f-a297-478c-8fc6-c778a9558183\",\"children\":[\"a400af0f-a297-478c-8fc6-c778a9558183\"],\"category\":\"critical\",\"currentGroup\":\"ga400af0f-a297-478c-8fc6-c778a9558183\",\"groupCategory\":\"suspicious\",\"groupScore\":2.449186624037094,\"groupPreviousGroups\":[],\"activityId\":\"da39a3ee\",\"groupingIds\":[\"511a418e\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":55.52733790170975,\"summary\":\"The device 10.0.0.#36859 was observed making multiple HTTP connections to the rare external endpoint themoneyfix.org, with the same user agent string.\\n\\nMoreover, this device only used this user agent for connections to a limited set of endpoints - suggesting that the activity was initiated by a standalone software process as opposed to a web browser.\\n\\nIf such behaviour is unexpected, further investigation may be required to determine if this activity represents malicious command and control as opposed to legitimate telemetry of some form.\",\"periods\":[{\"start\":1697334679535,\"end\":1697334713852}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}],\"relatedBreaches\":[{\"modelName\":\"Device / New User Agent\",\"pbid\":34952,\"threatScore\":31.0,\"timestamp\":1697334680000}],\"details\":[[{\"header\":\"Device Making Suspicious Connections\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"10.0.0.#36859\",\"mac\":null,\"subnet\":null,\"did\":62,\"sid\":25}]}]}],[{\"header\":\"Suspicious Application\",\"contents\":[{\"key\":\"User agent\",\"type\":\"string\",\"values\":[\"python-requests/2.25.1\"]}]},{\"header\":\"Suspicious Endpoints Contacted by Application\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1697334679535,\"end\":1697334713852}]},{\"key\":\"Hostname\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"themoneyfix.org\",\"ip\":null}]},{\"key\":\"Hostname rarity\",\"type\":\"percentage\",\"values\":[100.0]},{\"key\":\"Hostname first observed\",\"type\":\"timestamp\",\"values\":[1697334687000]},{\"key\":\"Most recent destination IP\",\"type\":\"externalHost\",\"values\":[{\"hostname\":\"45.56.79.23\",\"ip\":\"45.56.79.23\"}]},{\"key\":\"Most recent ASN\",\"type\":\"string\",\"values\":[\"AS63949 Akamai Connected Cloud\"]},{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[2]},{\"key\":\"URI\",\"type\":\"string\",\"values\":[\"/login/username=adriano.lamo&password=il0v3cH33s3\"]},{\"key\":\"Port\",\"type\":\"integer\",\"values\":[80]},{\"key\":\"HTTP method\",\"type\":\"string\",\"values\":[\"GET\"]},{\"key\":\"Status code\",\"type\":\"string\",\"values\":[\"200\"]}]}]],\"log_type\":\"aianalyst/incidentevents\"}",
    "event": {
        "category": "network",
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-10-15T01:53:52.520000Z",
    "darktrace": {
        "threat_visualizer": {
            "acknowledged": false,
            "activityId": "da39a3ee",
            "aiaScore": 55.52733790170975,
            "attackPhases": [
                2
            ],
            "breachDevices": [
                {
                    "did": 62,
                    "hostname": null,
                    "identifier": null,
                    "ip": "10.0.0.#36859",
                    "mac": null,
                    "sid": 25,
                    "subnet": null
                }
            ],
            "category": "critical",
            "children": [
                "a400af0f-a297-478c-8fc6-c778a9558183"
            ],
            "currentGroup": "ga400af0f-a297-478c-8fc6-c778a9558183",
            "externalTriggered": false,
            "groupCategory": "suspicious",
            "groupScore": 2.449186624037094,
            "groupingIds": [
                "511a418e"
            ],
            "mitreTactics": [
                "command-and-control"
            ],
            "periods": [
                {
                    "end": 1697334713852,
                    "start": 1697334679535
                }
            ],
            "relatedBreaches": [
                {
                    "modelName": "Device / New User Agent",
                    "pbid": 34952,
                    "threatScore": 31.0,
                    "timestamp": 1697334680000
                }
            ],
            "userTriggered": false
        }
    },
    "device": {
        "id": "62"
    },
    "host": {
        "id": "62"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":26316,\"time\":1687967502000,\"creationTime\":1687967508000,\"model\":{\"then\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false},\"now\":{\"name\":\"AnomalousFile::ZiporGzipfromRareExternalLocation\",\"pid\":619,\"phid\":9945,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000172\",\"logic\":{\"data\":[19046],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:Tooling\",\"OTEngineer\"],\"interval\":0,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-06-28 11:53:50\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\\n\\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Excludedcommonuseragents\",\"version\":42,\"mitre\":{\"tactics\":[\"resource-development\"],\"techniques\":[\"T1588.001\"]},\"priority\":1,\"category\":\"Informational\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687967501000,\"cbid\":26393,\"cid\":19046,\"chid\":30682,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"R\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"Q\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"T\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"W\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"104.18.103.100/32\",\"port\":80,\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"ExternalConnections\"},\"triggeredFilters\":[{\"cfid\":232424,\"id\":\"C\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232426,\"id\":\"F\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":232428,\"id\":\"H\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{\"value\":\"application/x-gzip\"},\"comparatorType\":\"matches\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232430,\"id\":\"J\",\"filterType\":\"RareexternalIP\",\"arguments\":{\"value\":98},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232431,\"id\":\"K\",\"filterType\":\"Raredomain\",\"arguments\":{\"value\":95},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":232432,\"id\":\"L\",\"filterType\":\"Trustedhostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":232433,\"id\":\"M\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232434,\"id\":\"N\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232435,\"id\":\"O\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232436,\"id\":\"P\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"17\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":232437,\"id\":\"Q\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":15},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"15\",\"tag\":{\"tid\":15,\"expiry\":0,\"thid\":15,\"name\":\"ConflictingUser-Agents\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":284,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":232438,\"id\":\"R\",\"filterType\":\"DestinationIP\",\"arguments\":{\"value\":\"0.0.0.0\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232439,\"id\":\"S\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(speed(test|check).+|.+speed(test|check).+)|.*((up(date|grade)|download|content|mirrors|weather|changes|quant|ctldl|avupdate).*\\\\.(carbonblack\\\\.io|nutanix\\\\.com|pandasoftware\\\\.com|ivanti\\\\.com|mit\\\\.edu|mastercam\\\\.com|rit\\\\.edu|knime\\\\.com|logicnow\\\\.us|oppomobile\\\\.com|trendmicro\\\\.com|panorama9\\\\.com|jiransecurity\\\\.com|refinitiv\\\\.com|jiran\\\\.com|loxtop\\\\.com|snoopwall\\\\.com|tumbleweed\\\\.com|sangfor\\\\.net|alyac\\\\.com|spamassassin\\\\.org|verein-clean\\\\.net|itsupport247\\\\.net|lsfilter\\\\.com|iboss\\\\.com|eeye\\\\.com|windowsupdate\\\\.com|fireeye\\\\.com)|definitionsbd\\\\.adaware\\\\.com|nasepm\\\\.aramark\\\\.com|(bdefs|hw|ec)\\\\.threattrack\\\\.com|upd\\\\.zonelabs\\\\.com|www\\\\.solutionsam\\\\.com|licensingservice\\\\.altarix\\\\.com|autoupdate\\\\.bradyid\\\\.com|iblocklist\\\\.com|clientservices\\\\.googleapis\\\\.com|mirror\\\\.centos\\\\..*\\\\.serverforge\\\\.org|sync\\\\.bigfix\\\\.com|catalog\\\\.kace\\\\.com)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232440,\"id\":\"T\",\"filterType\":\"Useragent\",\"arguments\":{\"value\":\"/((libdnf|sa-update|Valve\\\\/Steam|itunesstored|pfSense|McAfee|DebianAPT-HTTP).*|Sylink|.*LANguard.*|Smc|SG\\\\_CTAVUpdater|NetpasUpdater|urlgrabber/[0-9.]+yum/[0-9.]+|ManageEngine(Endpoint|Desktop)Central).*/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232441,\"id\":\"U\",\"filterType\":\"Connectionhostname\",\"arguments\":{\"value\":\"(antivirus|rpm(s)?|sa-update|centos|fedora).*\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232442,\"id\":\"V\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"/.*\\\\/centos\\\\/.*\\\\.xml\\\\.gz/i\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232443,\"id\":\"W\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"dl.delivery.mp.microsoft.com\"},\"comparatorType\":\"doesnotcontain\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232444,\"id\":\"Y\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{\"value\":400},\"comparatorType\":\"<\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232445,\"id\":\"Z\",\"filterType\":\"Individualsizedown\",\"arguments\":{\"value\":10000},\"comparatorType\":\">=\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232446,\"id\":\"d1\",\"filterType\":\"Individualsizedown\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"60493165\"}},{\"cfid\":232447,\"id\":\"d10\",\"filterType\":\"Individualsizeup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"679\"}},{\"cfid\":232448,\"id\":\"d11\",\"filterType\":\"HTTPreferrer\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232449,\"id\":\"d12\",\"filterType\":\"HTTPmethod\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232450,\"id\":\"d13\",\"filterType\":\"Dataratio\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":232451,\"id\":\"d14\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"43965774\"}},{\"cfid\":232452,\"id\":\"d2\",\"filterType\":\"HTTPresponsecode\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"200\"}},{\"cfid\":232453,\"id\":\"d3\",\"filterType\":\"Useragent\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":232454,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS13335CLOUDFLARENET\"}},{\"cfid\":232455,\"id\":\"d5\",\"filterType\":\"URI\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz\"}},{\"cfid\":232456,\"id\":\"d6\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"104.18.103.100\"}},{\"cfid\":232457,\"id\":\"d7\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":232458,\"id\":\"d8\",\"filterType\":\"HTTPcontenttype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"application/x-gzip\"}},{\"cfid\":232459,\"id\":\"d9\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}}]}],\"score\":0.245,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-06-28T11:53:50Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-28T15:51:42Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "6",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "application/x-gzip",
                        "type": "HTTPcontenttype"
                    },
                    {
                        "trigger_value": "100",
                        "type": "RareexternalIP"
                    },
                    {
                        "trigger_value": "100",
                        "type": "Raredomain"
                    },
                    {
                        "trigger_value": "false",
                        "type": "Trustedhostname"
                    },
                    {
                        "trigger_value": "15",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "104.18.103.100",
                        "type": "DestinationIP"
                    },
                    {
                        "trigger_value": "kali.download",
                        "type": "Connectionhostname"
                    },
                    {
                        "trigger_value": "/kali/dists/kali-rolling/non-free/binary-amd64/Packages.gz",
                        "type": "URI"
                    },
                    {
                        "trigger_value": "200",
                        "type": "HTTPresponsecode"
                    },
                    {
                        "trigger_value": "60493165",
                        "type": "Individualsizedown"
                    },
                    {
                        "trigger_value": "679",
                        "type": "Individualsizeup"
                    },
                    {
                        "trigger_value": "0",
                        "type": "Dataratio"
                    },
                    {
                        "trigger_value": "43965774",
                        "type": "Ageofdestination"
                    },
                    {
                        "trigger_value": "AS13335CLOUDFLARENET",
                        "type": "ASN"
                    }
                ]
            },
            "creationTime": 1687967508000,
            "device": {
                "firstSeen": 1644001727000,
                "ip": "192.168.1.#18408",
                "ips": [
                    {
                        "ip": "192.168.1.#18408",
                        "sid": 3,
                        "time": "2023-07-0202:00:00",
                        "timems": 1688263200000
                    }
                ],
                "lastSeen": 1688266122000,
                "sid": 3,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Informational",
                    "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
                    "message": "Excludedcommonuseragents",
                    "mitre": {
                        "tactics": [
                            "resource-development"
                        ],
                        "techniques": [
                            "T1588.001"
                        ]
                    },
                    "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                    "phid": 9945,
                    "pid": 619,
                    "priority": 1,
                    "tags": [
                        "",
                        "AP:Tooling",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000172",
                    "version": 42
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Informational",
                    "description": "AdevicehasdownloadedaZIPfilefromalocationthatthenetworkdoesnotnormallyvisit.\n\nAction:Reviewthefile,itshashandthesourcetoensurethatthisfileisrequiredwithinthenetworkforbusinesspurposes.",
                    "mitre": {
                        "tactics": [
                            "resource-development"
                        ],
                        "techniques": [
                            "T1588.001"
                        ]
                    },
                    "name": "AnomalousFile::ZiporGzipfromRareExternalLocation",
                    "phid": 9945,
                    "pid": 619,
                    "priority": 1,
                    "tags": [
                        "",
                        "AP:Tooling",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000172",
                    "version": 42
                }
            },
            "pbid": 26316,
            "score": 0.245,
            "time": 1687967502000
        }
    },
    "host": {
        "id": "16",
        "ip": []
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "ip": []
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":26368,\"time\":1687987886000,\"creationTime\":1687987892000,\"model\":{\"then\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9961,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19083],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-06-28 21:31:29\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":7,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true},\"now\":{\"name\":\"Antigena::Network::Compliance::AntigenaConnectionSeen\",\"pid\":2299,\"phid\":9962,\"uuid\":\"5f78deda-3ff9-445f-a88e-2137dca625d6\",\"logic\":{\"data\":[19084],\"type\":\"componentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{\"action\":\"quarantine\",\"confirm\":true,\"connector_actions\":{},\"duration\":1000,\"ignoreSchedule\":true,\"threshold\":\"50\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":false,\"modified\":\"2023-06-28 21:32:10\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":false,\"autoSuppress\":false,\"description\":\"\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"darktrace\",\"userID\":2},\"edited\":{\"by\":\"darktrace\",\"userID\":2},\"version\":8,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":true}},\"triggeredComponents\":[{\"time\":1687987885000,\"cbid\":26445,\"cid\":19083,\"chid\":30726,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":443,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[]}],\"score\":0.871,\"device\":{\"did\":31,\"hostname\":\"my_host\",\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-06-28T21:31:29Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-28T21:31:26Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": []
            },
            "creationTime": 1687987892000,
            "device": {
                "firstSeen": 1649669953000,
                "ip": "192.168.1.2",
                "ips": [
                    {
                        "ip": "192.168.1.2",
                        "sid": 3,
                        "time": "2023-07-0313:00:00",
                        "timems": 1688389200000
                    }
                ],
                "lastSeen": 1688391406000,
                "sid": 3,
                "typelabel": "DNSServer",
                "typename": "dnsserver"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "defeats": [],
                    "edited": {
                        "userID": 2
                    },
                    "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                    "phid": 9962,
                    "pid": 2299,
                    "priority": 4,
                    "tags": [],
                    "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
                    "version": 8
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "defeats": [],
                    "name": "Antigena::Network::Compliance::AntigenaConnectionSeen",
                    "phid": 9961,
                    "pid": 2299,
                    "priority": 4,
                    "tags": [],
                    "uuid": "5f78deda-3ff9-445f-a88e-2137dca625d6",
                    "version": 7
                }
            },
            "pbid": 26368,
            "score": 0.871,
            "time": 1687987886000
        }
    },
    "host": {
        "hostname": "my_host",
        "id": "31",
        "ip": [
            "192.168.1.2"
        ],
        "name": "my_host"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "hosts": [
            "my_host"
        ],
        "ip": [
            "192.168.1.2"
        ]
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":27103,\"time\":1688266123000,\"creationTime\":1688266130000,\"model\":{\"then\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"now\":{\"name\":\"Device::AttackandReconTools\",\"pid\":76,\"phid\":8953,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17299,\"weight\":1},{\"cid\":17302,\"weight\":1},{\"cid\":17298,\"weight\":1},{\"cid\":17300,\"weight\":1},{\"cid\":17301,\"weight\":1},{\"cid\":17303,\"weight\":1},{\"cid\":17304,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:InternalRecon\",\"OTEngineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2023-03-14 12:53:21\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"Adeviceisusingcommonpenetrationtestingtools.\\n\\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Addeddetectionforgobusteranddirbuster\",\"version\":87,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1688266122000,\"cbid\":27180,\"cid\":17302,\"chid\":27905,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNSRequests\"},\"triggeredFilters\":[{\"cfid\":208828,\"id\":\"A\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"kali(\\\\..+)?\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208829,\"id\":\"B\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":208830,\"id\":\"C\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208831,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":208832,\"id\":\"E\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":208835,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":58},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"58\",\"tag\":{\"tid\":58,\"expiry\":0,\"thid\":58,\"name\":\"MailServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true}}},{\"cfid\":208836,\"id\":\"I\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"backbox.com\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208837,\"id\":\"J\",\"filterType\":\"DNShostlookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"kali.download\"}},{\"cfid\":208838,\"id\":\"d1\",\"filterType\":\"DNShostlookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.download\"}}]}],\"score\":0.871,\"device\":{\"did\":16,\"ip\":\"192.168.1.#18408\",\"ips\":[{\"ip\":\"192.168.1.#18408\",\"timems\":1688263200000,\"time\":\"2023-07-0202:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1644001727000,\"lastSeen\":1688266122000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-03-14T12:53:21Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-07-02T02:48:43Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "kali.download",
                        "type": "DNShostlookup"
                    },
                    {
                        "trigger_value": "6",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "18",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "4",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "58",
                        "type": "Taggedinternalsource"
                    }
                ]
            },
            "creationTime": 1688266130000,
            "device": {
                "firstSeen": 1644001727000,
                "ip": "192.168.1.#18408",
                "ips": [
                    {
                        "ip": "192.168.1.#18408",
                        "sid": 3,
                        "time": "2023-07-0202:00:00",
                        "timems": 1688263200000
                    }
                ],
                "lastSeen": 1688266122000,
                "sid": 3,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
                    "message": "Addeddetectionforgobusteranddirbuster",
                    "mitre": {
                        "tactics": [
                            "initial-access"
                        ],
                        "techniques": [
                            "T1200"
                        ]
                    },
                    "name": "Device::AttackandReconTools",
                    "phid": 8953,
                    "pid": 76,
                    "priority": 4,
                    "tags": [
                        "",
                        "AP:InternalRecon",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000197",
                    "version": 87
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Suspicious",
                    "description": "Adeviceisusingcommonpenetrationtestingtools.\n\nAction:Reviewthedevicetoseeifitasecuritydevice,thesecanbetaggedassuchtoexcludethemfromfuturebreaches.Activityfromnonsecuritydevicesmeritfurtherinvestigationintowhatelsethedeviceisdoingandcouldbeasignificantriskwithinthenetwork.",
                    "mitre": {
                        "tactics": [
                            "initial-access"
                        ],
                        "techniques": [
                            "T1200"
                        ]
                    },
                    "name": "Device::AttackandReconTools",
                    "phid": 8953,
                    "pid": 76,
                    "priority": 4,
                    "tags": [
                        "",
                        "AP:InternalRecon",
                        "OTEngineer"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000197",
                    "version": 87
                }
            },
            "pbid": 27103,
            "score": 0.871,
            "time": 1688266123000
        }
    },
    "host": {
        "id": "16",
        "ip": []
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "ip": []
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25808,\"time\":1687774142000,\"creationTime\":1687774148000,\"model\":{\"then\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"Compromise::WatchedDomain\",\"pid\":608,\"phid\":6768,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000256\",\"logic\":{\"data\":[{\"cid\":13112,\"weight\":1},{\"cid\":13114,\"weight\":1},{\"cid\":13115,\"weight\":1},{\"cid\":13113,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"\",\"AP:C2Comms\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-22 15:56:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\\n\\nAction:ReviewthedomainandIPbeingconnectedto.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"Adjustingmodellogicforproxiedconnections\",\"version\":31,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687774141000,\"cbid\":25885,\"cid\":13112,\"chid\":20980,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":\"F\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":\"G\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":156173,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156175,\"id\":\"C\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":156177,\"id\":\"E\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156179,\"id\":\"G\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":53},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":156180,\"id\":\"d1\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":156181,\"id\":\"d10\",\"filterType\":\"Watchedendpointdescription\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156182,\"id\":\"d2\",\"filterType\":\"Connectionhostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156183,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":156184,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156185,\"id\":\"d5\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156186,\"id\":\"d6\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com\"}},{\"cfid\":156187,\"id\":\"d7\",\"filterType\":\"Watchedendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156188,\"id\":\"d8\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":156189,\"id\":\"d9\",\"filterType\":\"Watchedendpointstrength\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":156190,\"id\":\"H\",\"filterType\":\"Internaldestination\",\"arguments\":{},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"true\"}},{\"cfid\":156191,\"id\":\"I\",\"filterType\":\"Internaldestinationdevicetype\",\"arguments\":{\"value\":\"11\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"12\"}}]}],\"score\":0.541,\"device\":{\"did\":6,\"hostname\":\"SaaS::Slack: john.doe@company.com\",\"ip\":\"192.168.16.#54818\",\"ips\":[{\"ip\":\"192.168.16.#54818\",\"timems\":1688385600000,\"time\":\"2023-07-0312:00:00\",\"sid\":4}],\"sid\":4,\"firstSeen\":1639068361000,\"lastSeen\":1688385853000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2022-06-22T15:56:27Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T10:09:02Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "6",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "53",
                        "type": "Destinationport"
                    },
                    {
                        "trigger_value": "192.168.1.2",
                        "type": "DestinationIP"
                    },
                    {
                        "trigger_value": "amazonlinux-2-repos-eu-west-2.s3.eu-west-2.amazonaws.com",
                        "type": "Message"
                    },
                    {
                        "trigger_value": "true",
                        "type": "Watchedendpoint"
                    },
                    {
                        "trigger_value": "100",
                        "type": "Watchedendpointstrength"
                    },
                    {
                        "trigger_value": "true",
                        "type": "Internaldestination"
                    },
                    {
                        "trigger_value": "12",
                        "type": "Internaldestinationdevicetype"
                    }
                ]
            },
            "creationTime": 1687774148000,
            "device": {
                "firstSeen": 1639068361000,
                "ip": "192.168.16.#54818",
                "ips": [
                    {
                        "ip": "192.168.16.#54818",
                        "sid": 4,
                        "time": "2023-07-0312:00:00",
                        "timems": 1688385600000
                    }
                ],
                "lastSeen": 1688385853000,
                "sid": 4,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "model": {
                "now": {
                    "behaviour": "decreasing",
                    "category": "Critical",
                    "defeats": [],
                    "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
                    "message": "Adjustingmodellogicforproxiedconnections",
                    "name": "Compromise::WatchedDomain",
                    "phid": 6768,
                    "pid": 608,
                    "priority": 5,
                    "tags": [
                        "",
                        "AP:C2Comms"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000256",
                    "version": 31
                },
                "then": {
                    "behaviour": "decreasing",
                    "category": "Critical",
                    "defeats": [],
                    "description": "AdeviceisobservedmakingDNSrequestsorconnectionstowatcheddomainsorIPaddresses.ThewatchlistcanbeeditedfromthemainGUImenu,Intelsub-menu,undertheiconWatchedDomains.\n\nAction:ReviewthedomainandIPbeingconnectedto.",
                    "name": "Compromise::WatchedDomain",
                    "phid": 6768,
                    "pid": 608,
                    "priority": 5,
                    "tags": [
                        "",
                        "AP:C2Comms"
                    ],
                    "uuid": "80010119-6d7f-0000-0305-5e0000000256",
                    "version": 31
                }
            },
            "pbid": 25808,
            "score": 0.541,
            "time": 1687774142000
        }
    },
    "host": {
        "id": "6",
        "ip": []
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "ip": []
    },
    "service": {
        "name": "Slack"
    },
    "user": {
        "email": "john.doe@company.com"
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25860,\"time\":1687793533000,\"creationTime\":1687793540000,\"model\":{\"then\":{\"name\":\"Device::ThreatIndicator\",\"pid\":540,\"phid\":6656,\"uuid\":\"84c92ea6-36b9-402f-9df1-3c5bfaee9176\",\"logic\":{\"data\":[{\"cid\":12878,\"weight\":1},{\"cid\":12876,\"weight\":1},{\"cid\":12877,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":3600,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false,\"tagTTL\":604800},\"tags\":[\"\",\"RequiresConfiguration\"],\"interval\":1,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-06-15 12:01:36\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\\n\\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"message\":\"UpdatedWatchedendpointsourceregextoexcludeAttackSurfaceManagement\",\"version\":39,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687793532000,\"cbid\":25937,\"cid\":12876,\"chid\":20545,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"K\"}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.1.2/32\",\"port\":53,\"metric\":{\"mlid\":223,\"name\":\"dtwatcheddomain\",\"label\":\"WatchedDomain\"},\"triggeredFilters\":[{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153437,\"id\":\"A\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"^(\\\\_?Darktrace.*|AttackSurfaceManagement)\"},\"comparatorType\":\"doesnotmatchregularexpression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153438,\"id\":\"F\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\".+\"},\"comparatorType\":\"matchesregularexpression\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153439,\"id\":\"G\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{\"value\":\"Default\"},\"comparatorType\":\"doesnotmatch\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153440,\"id\":\"H\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":4},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"4\",\"tag\":{\"tid\":4,\"expiry\":0,\"thid\":4,\"name\":\"SecurityDevice\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153441,\"id\":\"I\",\"filterType\":\"Internalsourcedevicetype\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"isnot\",\"trigger\":{\"value\":\"7\"}},{\"cfid\":153442,\"id\":\"J\",\"filterType\":\"Taggedinternalsource\",\"arguments\":{\"value\":18},\"comparatorType\":\"doesnothavetag\",\"trigger\":{\"value\":\"18\",\"tag\":{\"tid\":18,\"expiry\":0,\"thid\":18,\"name\":\"DNSServer\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"DevicesreceivingandmakingDNSqueries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":153443,\"id\":\"K\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":153444,\"id\":\"d1\",\"filterType\":\"Ageofdestination\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"38123579\"}},{\"cfid\":153445,\"id\":\"d2\",\"filterType\":\"Country\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153446,\"id\":\"d3\",\"filterType\":\"DestinationIP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"192.168.1.2\"}},{\"cfid\":153447,\"id\":\"d4\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153448,\"id\":\"d5\",\"filterType\":\"Destinationport\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"53\"}},{\"cfid\":153449,\"id\":\"d6\",\"filterType\":\"Rareexternalendpoint\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"ThreatIntel\"}},{\"cfid\":153450,\"id\":\"d7\",\"filterType\":\"Watchedendpointsource\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":153451,\"id\":\"d8\",\"filterType\":\"Message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"clients2.google.com\"}}]}],\"score\":0.612,\"device\":{\"did\":39,\"vendor\":\"\",\"ip\":\"192.168.1.3\",\"ips\":[{\"ip\":\"192.168.1.3\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1666276905000,\"lastSeen\":1688391268000,\"os\":\"Windows(10.0)\",\"typename\":\"server\",\"typelabel\":\"Server\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2022-06-15T12:01:36Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T15:32:13Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "ThreatIntel",
                        "type": "Watchedendpointsource"
                    },
                    {
                        "trigger_value": "4",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "7",
                        "type": "Internalsourcedevicetype"
                    },
                    {
                        "trigger_value": "18",
                        "type": "Taggedinternalsource"
                    },
                    {
                        "trigger_value": "out",
                        "type": "Direction"
                    },
                    {
                        "trigger_value": "38123579",
                        "type": "Ageofdestination"
                    },
                    {
                        "trigger_value": "192.168.1.2",
                        "type": "DestinationIP"
                    },
                    {
                        "trigger_value": "53",
                        "type": "Destinationport"
                    },
                    {
                        "trigger_value": "0",
                        "type": "Rareexternalendpoint"
                    },
                    {
                        "trigger_value": "clients2.google.com",
                        "type": "Message"
                    }
                ]
            },
            "creationTime": 1687793540000,
            "device": {
                "firstSeen": 1666276905000,
                "ip": "192.168.1.3",
                "ips": [
                    {
                        "ip": "192.168.1.3",
                        "sid": 3,
                        "time": "2023-07-0313:00:00",
                        "timems": 1688389200000
                    }
                ],
                "lastSeen": 1688391268000,
                "sid": 3,
                "typelabel": "Server",
                "typename": "server"
            },
            "model": {
                "then": {
                    "behaviour": "decreasing",
                    "category": "Critical",
                    "description": "AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.\n\nAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.,behaviour:decreasing,created:{by:System},edited:{by:System},version:39,priority:5,category:Critical,compliance:false},now:{name:Device::ThreatIndicator,pid:540,phid:6656,uuid:84c92ea6-36b9-402f-9df1-3c5bfaee9176,logic:{data:[{cid:12878,weight:1},{cid:12876,weight:1},{cid:12877,weight:1}],targetScore:1,type:weightedComponentList,version:1},throttle:3600,sharedEndpoints:false,actions:{alert:true,antigena:{},breach:true,model:true,setPriority:false,setTag:false,setType:false,tagTTL:604800},tags:[,RequiresConfiguration],interval:1,delay:0,sequenced:false,active:true,modified:2022-06-15 12:01:36,activeTimes:{devices:{},tags:{},type:exclusions,version:2},autoUpdatable:true,autoUpdate:true,autoSuppress:true,description:AdevicehasvisitedanexternallocationthathasbeenidentifiedbyanIndicatoraddedtothewatchlistsorviaTAXII.nnAction:InvestigatedevicesnetworkbehaviourspayingparticularattentiontothedomainsorIPsbeinghighlighted.Verifytheindicatorisatruemaliciousindicator.",
                    "name": "Device::ThreatIndicator",
                    "phid": 6656,
                    "pid": 540,
                    "priority": 5,
                    "tags": [
                        "",
                        "RequiresConfiguration"
                    ],
                    "uuid": "84c92ea6-36b9-402f-9df1-3c5bfaee9176",
                    "version": 39
                }
            },
            "pbid": 25860,
            "score": 0.612,
            "time": 1687793533000
        }
    },
    "host": {
        "id": "39",
        "ip": [
            "192.168.1.3"
        ],
        "os": {
            "name": "Windows(10.0)"
        }
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "ip": [
            "192.168.1.3"
        ]
    }
}
{
    "message": "{\"commentCount\":0,\"pbid\":25908,\"time\":1687811707000,\"creationTime\":1687811713000,\"model\":{\"then\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false},\"now\":{\"name\":\"PenTest\",\"pid\":2721,\"phid\":9287,\"uuid\":\"8b3d5e73-0cf0-4c32-8451-a6919b9978f8\",\"logic\":{\"data\":[18021],\"type\":\"componentList\",\"version\":1},\"throttle\":1000,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":3600,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2023-04-17 11:34:25\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":false,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"\",\"behaviour\":\"flat\",\"defeats\":[],\"created\":{\"by\":\"sam.gorse\",\"userID\":22},\"edited\":{\"by\":\"sam.gorse\",\"userID\":22},\"version\":7,\"priority\":5,\"category\":\"Critical\",\"compliance\":false}},\"triggeredComponents\":[{\"time\":1687811706000,\"cbid\":25985,\"cid\":18021,\"chid\":29073,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":\"A\",\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"OR\",\"right\":{\"left\":\"C\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"B\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"},\"operator\":\"OR\",\"right\":{\"left\":\"D\",\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":\"D\"},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"D\"}}}}}}}}}}},\"version\":\"v0.1\"},\"ip\":\"192.168.16.100/32\",\"port\":80,\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[{\"cfid\":217209,\"id\":\"C\",\"filterType\":\"Destinationport\",\"arguments\":{\"value\":80},\"comparatorType\":\"=\",\"trigger\":{\"value\":\"80\"}}]}],\"score\":1.0,\"device\":{\"did\":31,\"vendor\":\"\",\"ip\":\"192.168.1.2\",\"ips\":[{\"ip\":\"192.168.1.2\",\"timems\":1688389200000,\"time\":\"2023-07-0313:00:00\",\"sid\":3}],\"sid\":3,\"firstSeen\":1649669953000,\"lastSeen\":1688391406000,\"typename\":\"dnsserver\",\"typelabel\":\"DNSServer\"},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "end": "2023-04-17T11:34:25Z",
        "kind": "alert",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-06-26T20:35:07Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "80",
                        "type": "Destinationport"
                    }
                ]
            },
            "creationTime": 1687811713000,
            "device": {
                "firstSeen": 1649669953000,
                "ip": "192.168.1.2",
                "ips": [
                    {
                        "ip": "192.168.1.2",
                        "sid": 3,
                        "time": "2023-07-0313:00:00",
                        "timems": 1688389200000
                    }
                ],
                "lastSeen": 1688391406000,
                "sid": 3,
                "typelabel": "DNSServer",
                "typename": "dnsserver"
            },
            "model": {
                "now": {
                    "behaviour": "flat",
                    "category": "Critical",
                    "defeats": [],
                    "edited": {
                        "userID": 22
                    },
                    "name": "PenTest",
                    "phid": 9287,
                    "pid": 2721,
                    "priority": 5,
                    "tags": [],
                    "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
                    "version": 7
                },
                "then": {
                    "behaviour": "flat",
                    "category": "Critical",
                    "defeats": [],
                    "name": "PenTest",
                    "phid": 9287,
                    "pid": 2721,
                    "priority": 5,
                    "tags": [],
                    "uuid": "8b3d5e73-0cf0-4c32-8451-a6919b9978f8",
                    "version": 7
                }
            },
            "pbid": 25908,
            "score": 1.0,
            "time": 1687811707000
        }
    },
    "host": {
        "id": "31",
        "ip": [
            "192.168.1.2"
        ]
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "ip": [
            "192.168.1.2"
        ]
    }
}
{
    "message": "{\"commentCount\": 0, \"pbid\": 36586, \"time\": 1700634482000, \"creationTime\": 1700634481000, \"model\": {\"name\": \"System::System\", \"pid\": 530, \"phid\": 4861, \"uuid\": \"1c3f429b-ccb9-46a2-b864-868653bc780a\", \"logic\": {\"data\": [9686], \"type\": \"componentList\", \"version\": 1}, \"throttle\": 10, \"sharedEndpoints\": false, \"actions\": {\"alert\": true, \"antigena\": {}, \"breach\": true, \"model\": true, \"setPriority\": false, \"setTag\": false, \"setType\": false}, \"tags\": [], \"interval\": 0, \"delay\": 0, \"sequenced\": true, \"active\": true, \"modified\": \"2021-11-24 18:04:19\", \"activeTimes\": {\"devices\": {}, \"tags\": {}, \"type\": \"exclusions\", \"version\": 2}, \"autoUpdatable\": true, \"autoUpdate\": true, \"autoSuppress\": true, \"description\": \"An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.\", \"behaviour\": \"decreasing\", \"defeats\": [], \"created\": {\"by\": \"System\"}, \"edited\": {\"by\": \"System\"}, \"version\": 16, \"priority\": 3, \"category\": \"Informational\", \"compliance\": false}, \"triggeredComponents\": [{\"time\": 1700634481000, \"cbid\": 36900, \"cid\": 9686, \"chid\": 15251, \"size\": 1, \"threshold\": 0, \"interval\": 3600, \"logic\": {\"data\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"B\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"C\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"D\"}, \"operator\": \"OR\", \"right\": {\"left\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"E\"}, \"operator\": \"OR\", \"right\": {\"left\": \"A\", \"operator\": \"AND\", \"right\": \"F\"}}}}}, \"version\": \"v0.1\"}, \"metric\": {\"mlid\": 206, \"name\": \"dtsystem\", \"label\": \"System\"}, \"triggeredFilters\": [{\"cfid\": 111299, \"id\": \"A\", \"filterType\": \"Event details\", \"arguments\": {\"value\": \"analyze credential ignore list\"}, \"comparatorType\": \"does not contain\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111300, \"id\": \"B\", \"filterType\": \"System message\", \"arguments\": {\"value\": \"Probe error\"}, \"comparatorType\": \"is\", \"trigger\": {\"value\": \"Probe error\"}}, {\"cfid\": 111305, \"id\": \"d1\", \"filterType\": \"Event details\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago\"}}, {\"cfid\": 111306, \"id\": \"d2\", \"filterType\": \"System message\", \"arguments\": {}, \"comparatorType\": \"display\", \"trigger\": {\"value\": \"Probe error\"}}]}], \"score\": 0.674, \"device\": {\"did\": -1},\"log_type\":\"modelbreaches\"}",
    "event": {
        "category": "network",
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "@timestamp": "2023-11-22T06:28:02Z",
    "darktrace": {
        "threat_visualizer": {
            "commentCount": 0,
            "components": {
                "filters": [
                    {
                        "trigger_value": "Probe erebus-pull-mode-vsensor (54.155.33.146) last contact was 50 hours ago",
                        "type": "Event details"
                    },
                    {
                        "trigger_value": "Probe error",
                        "type": "System message"
                    }
                ]
            },
            "creationTime": 1700634481000,
            "model": {
                "then": {
                    "behaviour": "decreasing",
                    "category": "Informational",
                    "description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\n\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.",
                    "name": "System::System",
                    "phid": 4861,
                    "pid": 530,
                    "priority": 3,
                    "uuid": "1c3f429b-ccb9-46a2-b864-868653bc780a",
                    "version": 16
                }
            },
            "pbid": 36586,
            "score": 0.674,
            "time": 1700634482000
        }
    },
    "host": {
        "id": "-1"
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    }
}
{
    "message": "{\"url\":\"https://darktrace-dt/#actions/000/111\",\"iris-event-type\":\"antigena_state_change\",\"codeuuid\":\"\",\"codeid\":537,\"action_family\":\"NETWORK\",\"action\":\"CREATE_NEEDSCONFIRMATION\",\"username\":\"JDOE\",\"reason\":\"\",\"start\":1702896511,\"end\":1702903711,\"did\":901,\"pbid\":0,\"action_creator\":\"\",\"model\":\"test_model_network\",\"inhibitor\":\"Enforce pattern of life\",\"device\":{\"did\":901,\"macaddress\":\"00:11:22:33:44:55\",\"vendor\":\"test_vendor\",\"ip\":\"1.2.3.4\",\"ips\":[{\"ip\":\"1.2.3.4\",\"timems\":1702893600000,\"time\":\"2023-12-18 10:00:00\",\"sid\":69,\"vlan\":0}],\"sid\":69,\"hostname\":\"test_hostname\",\"firstSeen\":1671027693000,\"lastSeen\":1702896182000,\"os\":\"Windows\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
    "event": {
        "action": "CREATE_NEEDSCONFIRMATION",
        "category": "network",
        "kind": "event",
        "type": [
            "info"
        ]
    },
    "darktrace": {
        "threat_visualizer": {
            "device": {
                "firstSeen": 1671027693000,
                "ip": "1.2.3.4",
                "ips": [
                    {
                        "ip": "1.2.3.4",
                        "sid": 69,
                        "time": "2023-12-18 10:00:00",
                        "timems": 1702893600000,
                        "vlan": 0
                    }
                ],
                "lastSeen": 1702896182000,
                "sid": 69,
                "typelabel": "Desktop",
                "typename": "desktop"
            },
            "pbid": 0
        }
    },
    "host": {
        "hostname": "test_hostname",
        "id": "901",
        "ip": [
            "1.2.3.4"
        ],
        "name": "test_hostname",
        "os": {
            "name": "Windows"
        }
    },
    "observer": {
        "name": "Darktrace",
        "product": "Threat visualizer"
    },
    "related": {
        "hosts": [
            "test_hostname"
        ],
        "ip": [
            "1.2.3.4"
        ],
        "user": [
            "JDOE"
        ]
    },
    "source": {
        "user": {
            "name": "JDOE"
        }
    }
}

Extracted Fields

The following table lists the fields that are extracted, normalized under the ECS format, analyzed and indexed by the parser. It should be noted that infered fields are not listed.

Name Type Description
@timestamp date Date/time when the event originated.
darktrace.threat_visualizer.acknowledged boolean Whether the event has been acknowledged. (example value: 'FALSE')
darktrace.threat_visualizer.activityId keyword Used by pre-v5.2 legacy incident construction. An identifier for the specific activity detected by AI Analyst. If groupByActivity=true, this field should be used to group events together into an incident. (example value: 'da39a3ee')
darktrace.threat_visualizer.aiaScore number The anomalousness of the event as classified by AI Analyst - out of 100. (example value: '98')
darktrace.threat_visualizer.attackPhases array Of the six attack phases, which phases are applicable to the activity. (example value: '5')
darktrace.threat_visualizer.breachDevices array An array of devices involved in the related model breach(es).
darktrace.threat_visualizer.category keyword The behavior category associated with the incident event. Relevant for v5.2+ incident construction only. (example value: 'critical')
darktrace.threat_visualizer.children array A unique identifier that can be used to request this AI Analyst event. This array will only contain one entry as of v5.2 and above. (example value: '04a3f36e-4u8w-v9dh-x6lb-894778cf9633')
darktrace.threat_visualizer.commentCount number The number of comments made against this breach.
darktrace.threat_visualizer.components.filters array
darktrace.threat_visualizer.creationTime number The timestamp that the record of the breach was created. This is distinct from the time field.
darktrace.threat_visualizer.currentGroup keyword The UUID of the current incident this event belongs to. Used for v5.2+ incident construction. (example value: 'g04a3f36e-4u8w-v9dh-x6lb-894778cf9633')
darktrace.threat_visualizer.device.firstSeen number The first time the device was seen on the network.
darktrace.threat_visualizer.device.ip keyword The current IP associated with the device.
darktrace.threat_visualizer.device.ips array IPs associated with the device historically.
darktrace.threat_visualizer.device.ips.ip keyword A historic IP associated with the device.
darktrace.threat_visualizer.device.ips.sid number The subnet id for the subnet the IP belongs to.
darktrace.threat_visualizer.device.ips.time keyword The time the IP was last seen associated with that device in readable format.
darktrace.threat_visualizer.device.ips.timems number The time the IP was last seen associated with that device in epoch time.
darktrace.threat_visualizer.device.lastSeen number The last time the device was seen on the network.
darktrace.threat_visualizer.device.sid number The subnet id for the subnet the device is currently located in.
darktrace.threat_visualizer.device.typelabel keyword The device type in readable format.
darktrace.threat_visualizer.device.typename keyword The device type in system format.
darktrace.threat_visualizer.externalTriggered boolean Whether the event was created as a result of an externally triggered AI Analyst investigation. (example value: 'FALSE')
darktrace.threat_visualizer.groupCategory keyword The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. (example value: 'critical')
darktrace.threat_visualizer.groupScore number The current overall score of the incident this event is part of. Relevant for v5.2+ incident construction only. (example value: '72.9174234')
darktrace.threat_visualizer.groupingIds array Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false, this field should be used to group events together into an incident. (example value: '268d2b8c')
darktrace.threat_visualizer.mitreTactics array An array of MITRE ATT&CK Framework tactics that have been mapped to this event. (example value: 'lateral-movement')
darktrace.threat_visualizer.model.now.behaviour keyword The score modulation function as set in the model editor.
darktrace.threat_visualizer.model.now.category keyword The behavior category associated with the model at the time of request.
darktrace.threat_visualizer.model.now.defeats array An array of model defeats - AND conditions - which if met, prevent the model from breaching.
darktrace.threat_visualizer.model.now.defeats.arguments.value keyword
darktrace.threat_visualizer.model.now.defeats.comparator keyword The comparator that the value is compared against the create the defeat.
darktrace.threat_visualizer.model.now.defeats.defeatID number A unique ID for the defeat.
darktrace.threat_visualizer.model.now.defeats.filtertype keyword The filter the defeat is made from.
darktrace.threat_visualizer.model.now.description keyword The optional description of the model.
darktrace.threat_visualizer.model.now.edited.userID number Username that last edited the model.
darktrace.threat_visualizer.model.now.message keyword The commit message for the change.
darktrace.threat_visualizer.model.now.mitre.tactics array An array of MITRE ATT&CK framework tactics the model has been mapped to.
darktrace.threat_visualizer.model.now.mitre.techniques array An array of MITRE ATT&CK framework techniques the model has been mapped to.
darktrace.threat_visualizer.model.now.name keyword Name of the model that was breached.
darktrace.threat_visualizer.model.now.phid number The model policy history id. Increments when the model is modified.
darktrace.threat_visualizer.model.now.pid number The policy id of the model that was breached.
darktrace.threat_visualizer.model.now.priority number The numeric behavior category associated with the model at the time of request: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical.
darktrace.threat_visualizer.model.now.tags array AP: Bruteforce
darktrace.threat_visualizer.model.now.uuid keyword A unique ID that is generated on creation of the model.
darktrace.threat_visualizer.model.now.version number The version of the model. Increments on each edit.
darktrace.threat_visualizer.model.then.behaviour keyword The score modulation function as set in the model editor.
darktrace.threat_visualizer.model.then.category keyword The behavior category associated with the model at the time of the breach.
darktrace.threat_visualizer.model.then.defeats array An array of model defeats - AND conditions - which if met, prevent the model from breaching.
darktrace.threat_visualizer.model.then.defeats.arguments.value keyword
darktrace.threat_visualizer.model.then.defeats.comparator keyword The comparator that the value is compared against the create the defeat.
darktrace.threat_visualizer.model.then.defeats.defeatID number A unique ID for the defeat.
darktrace.threat_visualizer.model.then.defeats.filtertype keyword The filter the defeat is made from.
darktrace.threat_visualizer.model.then.description keyword The optional description of the model.
darktrace.threat_visualizer.model.then.mitre.tactics array An array of MITRE ATT&CK framework tactics the model has been mapped to.
darktrace.threat_visualizer.model.then.mitre.techniques array An array of MITRE ATT&CK framework techniques the model has been mapped to.
darktrace.threat_visualizer.model.then.name keyword Name of the model that was breached.
darktrace.threat_visualizer.model.then.phid number The model policy history id. Increments when the model is modified.
darktrace.threat_visualizer.model.then.pid number The policy id of the model that was breached.
darktrace.threat_visualizer.model.then.priority number The numeric behavior category associated with the model at the time of the breach: 0-3 equates to informational, 4 equates to suspicious and 5 equates to critical.
darktrace.threat_visualizer.model.then.tags array A list of tags that have been applied to this model in the Threat Visualizer model editor.
darktrace.threat_visualizer.model.then.uuid keyword A unique ID that is generated on creation of the model.
darktrace.threat_visualizer.model.then.version number The version of the model. Increments on each edit.
darktrace.threat_visualizer.pbid number The policy breach ID of the model breach.
darktrace.threat_visualizer.periods array An array of one or more periods of time where anomalous activity occurred that AI Analyst investigated.
darktrace.threat_visualizer.relatedBreaches array An array of model breaches related to the activity investigated by AI analyst.
darktrace.threat_visualizer.score number The model breach score, represented by a value between 0 and 1.
darktrace.threat_visualizer.time number The timestamp when the record was created in epoch time.
darktrace.threat_visualizer.userTriggered boolean Whether the event was created as a result of a user-triggered AI Analyst investigation. (example value: 'FALSE')
event.action keyword The action captured by the event.
event.category keyword Event category. The second categorization field in the hierarchy.
event.end date event.end contains the date when the event ended or when the activity was last observed.
event.kind keyword The kind of the event. The highest categorization field in the hierarchy.
event.reason keyword Reason why this event happened, according to the source
event.type keyword Event type. The third categorization field in the hierarchy.
host.hostname keyword Hostname of the host.
host.id keyword Unique host id.
host.ip ip Host ip addresses.
host.mac keyword Host MAC addresses.
host.name keyword Name of the host.
host.os.name keyword Operating system name, without the version.
observer.name keyword Custom name of the observer.
observer.product keyword The product name of the observer.
service.name keyword Name of the service.
source.user.name keyword Short name or login of the user.
user.email keyword User email address.
user.name keyword Short name or login of the user.

Configure

As a prerequisite, you need a Darktrace Threat Visualizer API tenant url.

Acquire your public and private key

See the Darktrace documentation for intructions to acquire your public and private key.

Create the intake

Go to the intake page and create a new intake from the format Threat Visualizer.

Pull events

Go to the playbook page and create a new playbook with the Darktrace connector.

Set up the trigger configuration with the api url, the private key and the public key.

Start the playbook and enjoy your events.