
DarkTrace

In today's threat landscape, SIEM alone lacks the capability to identify emerging threats or incidents that bypass traditional defenses or are active within your network. Combining SIEM with DarkTrace enhances its value by providing real-time monitoring and detection of threats over raw network traffic.

Release Details
Version: 5.2.0
Release date: May 07, 2024
Supported On: Logpoint v7.4.0 or later for log source template
SHA 256: a66d7a2564f18bb58fc0b6b9d886756b10724cbb4d6054bd86bc62d65b269153
Download

Package Details

DarkTrace components:

  1. Dashboard Package
    • LP_Darktrace 
  2. Compiled Normalizer
    • DarkTraceNormalizer


Enhancement

Description: Added a Syslog Collector-based Darktrace log source template, simplifying the log source configuration process. To learn more, go to Creating Log Source via a Template.
Issue ID: KB-23951
Reference ID: -

Installation

To install DarkTrace:
  1. Download the .pak file from the Download link above. 
  2. Go to Settings >> System Settings from the navigation bar and click Applications.
  3. Click Import.
  4. Browse to the downloaded .pak file.
  5. Click Upload.

Past Release

DarkTrace v5.1.0

Release Date: July 01, 2021

Supported On: Logpoint v6.7.0 and later

Download: DarkTrace_5.1.0.pak

SHA256: 3c18a076eb0d63293d6c551b37809cebf33fc51c9c3566716a1446359f4bed8d

Bug Fix

Description: Fixed an issue in the compiled normalizer DarkTraceNormalizer where some DarkTrace breach logs were not normalized.
Issue ID: 12652
Zendesk Support ID: 53589, 56432

Supported Version

Logpoint supports all versions of DarkTrace that emit logs in JSON format.

Log Format

Expected Log Format

JSON log (Key:Value format)

Log Samples

<165>Aug 30 12:03:51 xx.x.x.xxx darktrace {"pbid":xxxxx,"pid":xxx,"time":1567166631000,"timestamp":"2019-08-30 12:03:51","creationTime":1567166631000,"creationTimestamp":"2019-08-30 12:03:51","name":"System::System","components":[3486],"didRestrictions":[],"didExclusions":[],"throttle":10,"sharedEndpoints":false,"interval":0,"sequenced":true,"active":true,"retired":false,"state":"New","commentCount":0,"triggeredComponents":[{"time":1567166630000,"timestamp":"2019-08-30 12:03:50","cbid":xxxxxx,"cid":xxxx,"chid":xxxx,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":"A","operator":"AND","right":{"left":"B","operator":"AND","right":"C"}},"version":"v0.1"},"metric":{"mlid":xxx,"name":"dtsystem","label":"System"},"device":{"did":-1},"triggeredFilters":[{"cfid":xxxxx,"id":"A","filterType":"System message","comparatorType":"is not","arguments":{"value":"Subnet size change"},"triggeringValue":"New subnet detected"},{"cfid":xxxxx,"id":"B","filterType":"Event details","comparatorType":"does not contain","arguments":{"value":"analyze credential ignore list"},"triggeringValue":"New subnet xx.xxx.x.x/xx"},{"cfid":xxxxx,"id":"C","filterType":"System message","comparatorType":"is not","arguments":{"value":"Device model change"},"triggeringValue":"New subnet detected"},{"cfid":xxxxx,"id":"d1","filterType":"System message","comparatorType":"display","arguments":{},"triggeringValue":"New subnet detected"},{"cfid":xxxxxx,"id":"xx","filterType":"Event details","comparatorType":"display","arguments":{},"triggeringValue":"New subnet xx.xxx.x.x/xx"}]}]

<165>1 2021-01-07T09:40:42+00:00 10.10.10.10 darktrace - - - {"breachUrl":"","device":{"ip":"1.2.3.4","hostname":"abc.com","macaddress":"xx:xx:xx:xx:xx:xx","vendor":"Test Vendor","label":"Test Device"},"pbid":123,"score":1,"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"creationTime":1610012442097,"time":1610012442097}
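An added example, not code from Logpoint or Darktrace, showing how a collector could separate either syslog header shape seen in the samples above from the JSON payload and pull out the fields a normalizer typically keys on. The sample line is constructed from the second sample, and the output field names are assumptions.

```python
import json
import re

# Added example (not Logpoint's or Darktrace's code): split a syslog-wrapped
# Darktrace breach log into header and JSON payload. Handles both header shapes:
#   <PRI>MMM dd HH:MM:SS host darktrace {json}          (BSD style)
#   <PRI>1 ISO-timestamp host darktrace - - - {json}    (RFC 5424 style)
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?:1\s+(?P<ts5424>\S+)|(?P<ts3164>[A-Z][a-z]{2}\s+\d{1,2}\s+[\d:]{8}))\s+"
    r"(?P<host>\S+)\s+(?P<app>\S+)\s+(?:-\s+-\s+-\s+)?(?P<body>\{.*\})\s*$",
    re.DOTALL,
)

def parse_darktrace_syslog(line: str) -> dict:
    """Return a flat dict of normalized fields; raise ValueError on bad input."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Darktrace syslog line")
    try:
        payload = json.loads(m.group("body"))
    except json.JSONDecodeError as exc:
        raise ValueError(f"malformed JSON payload: {exc}") from exc
    pri = int(m.group("pri"))
    device, model = payload.get("device", {}), payload.get("model", {})
    # The samples above carry either "triggeringValue" or "trigger": {"value": ...}.
    triggers = [
        f.get("trigger", {}).get("value") or f.get("triggeringValue")
        for comp in payload.get("triggeredComponents", [])
        for f in comp.get("triggeredFilters", [])
    ]
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "syslog_host": m.group("host"),
        "timestamp": m.group("ts5424") or m.group("ts3164"),
        "pbid": payload.get("pbid"),
        "score": payload.get("score"),
        "model_name": model.get("name"),
        "model_priority": model.get("priority"),
        "device_ip": device.get("ip"),
        "device_hostname": device.get("hostname"),
        "triggering_values": [t for t in triggers if t is not None],
    }

# Constructed sample line (not a real alert), modelled on the second sample above.
SAMPLE = ('<165>1 2021-01-07T09:40:42+00:00 10.10.10.10 darktrace - - - {"device":'
          '{"ip":"1.2.3.4","hostname":"abc.com"},"pbid":123,"score":1,"model":{"name":'
          '"Unrestricted Test Model","priority":5},"triggeredComponents":[{"triggeredFilters":'
          '[{"trigger":{"value":"Test filter value"}}]}]}')
```

Lines that fail the header match or carry a broken JSON body raise ValueError rather than producing a half-populated event, which is the behaviour a normalizer should surface as a parse error.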

Support

If you have any questions or require assistance, create a support ticket.
