You are viewing docs on Elastic's new documentation system, currently in technical preview. For all other Elastic docs, visit elastic.co/guide.
Last updated: Apr 10th, 2023

Darktrace

Collect logs from Darktrace with Elastic Agent.

What is an Elastic integration?

This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.

Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.

Overview

The Darktrace integration allows you to monitor Alert Logs. Darktrace is a network solution for detecting and investigating emerging cyber-threats that evade traditional security tools. It is powered by Enterprise Immune System technology, which uses machine learning and mathematics to monitor behaviors and detect anomalies in your organization’s network.

Use the Darktrace integration to collect and parse data from the REST APIs or via Syslog. Then visualise that data in Kibana.

For example, you could use the data from this integration to know which model is breached and analyse model breaches, and also know about system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances.

Data streams

The Darktrace integration collects logs for three types of events: AI Analyst Alert, Model Breach Alert and System Status Alert.

AI Analyst Alert is generated by investigates, analyzes, and reports upon threats seen within your Darktrace environment; as a starting point, it reviews and investigates all Model Breaches that occur on the system. If behavior which would be of interest to a cyber analyst is detected, an event is created. See Example Schema here.

Model Breach Alert is generated when a model breach is triggered. A model is used to define a set of conditions which, when met, will alert the system to the occurrence of a particular event or chain of anomalous behavior. Darktrace models are focused on pattern-of-life anomaly detection, potentially malicious behavior, and compliance issues. See Example Schema here.

System Status Alert keep Darktrace operators informed of system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. System Status Alerts include details of the originating host, the severity of the event, and links that may be helpful to investigate or resolve the issue. Notifications are sent for active system events and (optionally) on event resolution. See Example Schema here.

Requirements

You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.

Firewall exceptions to allow communication from the Darktrace master instance to the Syslog server.

This module has been tested against Darktrace Threat Visualizer v5.2.

Setup

To collect data from Darktrace REST APIs, follow the below steps:

  1. Hostname URL will be your <appliance-ip>. (Threat Visualizer Console Hostname)
  2. Public and Private Token will be generated by following this Link.

Note: System Status Alert are not supported by REST API.

To collect data from Darktrace via Syslog, follow the below steps:

The user needs to create a different Syslog Forwarder with different ports for each data stream.

The process for configuring syslog-format alerts is identical for AI Analyst Alerts, Model Breach Alerts and System Status Alerts. Generic configuration guidance is provided below:

  1. Open the Darktrace Threat Visualizer Dashboard and navigate to the System Config page. (Main menu › Admin).
  2. From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog.
  3. Select Syslog JSON tab and click New to set up new Syslog Forwarder.
  4. Enter the IP Address  and Port of the Elastic Agent that is running the integration in the Server and Server Port field respectively.

For more details, see Documentation.

Note:

  • It is recommended to turn on Full Timestamps toggle in Show Advanced Options to get the full timestamp instead of the RFC3164-formatted timestamp.
  • It is also recommended to turn off Reduced Message Size toggle in Show Advanced Options to get more information about alerts.

After following generic guidance steps, below are the steps for collecting individual logs for all three data streams.

For AI Analyst Alert, below are the suggested configurations to collect all the events of AI Analyst Alert:

  • Configure the following settings in Show Advanced Options:
Field NameValue
Send AI Analyst Alerts
ON
Send AI Analyst Alerts Immediately
ON
AI Analyst Behavior Filter
Critical, Suspicious and Compliance
Minimum AI Analyst Incident Event Score
0
Minimum AI Analyst Incident Score
0
Legacy AI Analyst Alerts
OFF

For Model Breach Alert, below are the suggested configurations to collect all the events of Model Breach Alert:

  • Configure the following settings in Show Advanced Options:
Field NameValue
Send Model Breach Alerts
ON
Model Breach Behavior Filter
Critical, Suspicious, Compliance and Informational
Minimum Breach Score
0
Minimum Breach Priority
0
Model Expression
N/A
Model Tags Expression
N/A
Device IP Addresses
N/A
Device Tags Addresses
N/A

For System Status Alert, below are the suggested configurations to collect all the events of System Status Alert:

  • Configure the following settings in Show Advanced Options:
Field NameValue
Send System Status Alerts
ON
Send Resolved System Status Alerts
ON
Minimum System Status Priority
Informational

See more about Syslog Filters and Optional Settings

Note : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts.

  • An FQDN can be configured from the System subsection on the Settings tab of the Darktrace System Config page.

Logs reference

ai_analyst_alert

This is the ai_analyst_alert dataset.

Example

An example event for ai_analyst_alert looks as following:

{
    "@timestamp": "2021-08-03T14:48:09.240Z",
    "agent": {
        "ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae",
        "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.2.1"
    },
    "darktrace": {
        "ai_analyst_alert": {
            "activity_id": "abcd1234",
            "aia_score": 98,
            "attack_phases": [
                5
            ],
            "breach_devices": [
                {
                    "did": 10,
                    "ip": "81.2.69.144",
                    "sid": 12,
                    "subnet": "VPN"
                }
            ],
            "category": "critical",
            "children": [
                "eabcdef0-1234-1234-1234-cabcdefghij9"
            ],
            "created_at": "2021-08-03T14:48:09.240Z",
            "current_group": "eabc1234-1234-1234-1234-cabcdefg0011",
            "details": [
                [
                    {
                        "contents": [
                            {
                                "type": "device",
                                "values": [
                                    {
                                        "did": 10,
                                        "ip": "175.16.199.1",
                                        "sid": 12,
                                        "subnet": "VPN"
                                    }
                                ]
                            }
                        ],
                        "header": "Breaching Device"
                    }
                ],
                [
                    {
                        "contents": [
                            {
                                "key": "Time",
                                "type": "timestampRange",
                                "values": [
                                    {
                                        "end": 1628000141220,
                                        "start": 1627985298683
                                    }
                                ]
                            },
                            {
                                "key": "Number of unique IPs",
                                "type": "integer",
                                "values": [
                                    16
                                ]
                            },
                            {
                                "key": "Targeted IP ranges include",
                                "type": "device",
                                "values": [
                                    {
                                        "ip": "81.2.69.192"
                                    },
                                    {
                                        "ip": "175.16.199.1"
                                    },
                                    {
                                        "ip": "175.16.199.3"
                                    }
                                ]
                            },
                            {
                                "key": "Destination port",
                                "type": "integer",
                                "values": [
                                    22
                                ]
                            },
                            {
                                "key": "Connection count",
                                "type": "integer",
                                "values": [
                                    40
                                ]
                            },
                            {
                                "key": "Percentage successful",
                                "type": "percentage",
                                "values": [
                                    100
                                ]
                            }
                        ],
                        "header": "SSH Activity"
                    }
                ]
            ],
            "group_by_activity": false,
            "group_category": "critical",
            "group_score": 72.9174234,
            "grouping_ids": [
                "abcdef12"
            ],
            "id": "eabc0011-1234-1234-1234-cabcdefg0011",
            "is_acknowledged": false,
            "is_external_triggered": false,
            "is_pinned": true,
            "is_user_triggered": false,
            "periods": [
                {
                    "end": "2021-08-03T14:15:41.220Z",
                    "start": "2021-08-03T10:08:18.683Z"
                }
            ],
            "related_breaches": [
                {
                    "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device",
                    "pbid": 1234,
                    "threat_score": 37,
                    "timestamp": "2021-08-03T13:25:57.000Z"
                }
            ],
            "summariser": "AdminConnSummary",
            "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
            "title": "Extensive Unusual SSH Connections"
        }
    },
    "data_stream": {
        "dataset": "darktrace.ai_analyst_alert",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.7.0"
    },
    "elastic_agent": {
        "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
        "snapshot": false,
        "version": "8.2.1"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "threat"
        ],
        "dataset": "darktrace.ai_analyst_alert",
        "duration": [
            14842537000000
        ],
        "end": [
            "2021-08-03T14:15:41.220Z"
        ],
        "id": "eabc0011-1234-1234-1234-cabcdefg0011",
        "ingested": "2022-09-30T11:36:06Z",
        "kind": "alert",
        "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}",
        "reason": "Extensive Unusual SSH Connections",
        "risk_score": 98,
        "risk_score_norm": 98,
        "start": [
            "2021-08-03T10:08:18.683Z"
        ],
        "type": [
            "info"
        ]
    },
    "host": {
        "id": [
            "10"
        ],
        "ip": [
            "81.2.69.144"
        ]
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.128.5:49066"
        },
        "syslog": {
            "facility": {
                "code": 20,
                "name": "local4"
            },
            "hostname": "example.cloud.darktrace.com",
            "priority": 165,
            "severity": {
                "code": 5,
                "name": "Notice"
            },
            "version": "1"
        }
    },
    "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
    "related": {
        "ip": [
            "81.2.69.144",
            "175.16.199.1",
            "81.2.69.192",
            "175.16.199.3"
        ]
    },
    "rule": {
        "name": [
            "Unusual Activity / Unusual Activity from Re-Activated Device"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "darktrace-ai_analyst_alert"
    ],
    "threat": {
        "enrichments": {
            "matched": {
                "id": [
                    "eabcdef0-1234-1234-1234-cabcdefghij9"
                ]
            }
        },
        "group": {
            "id": "eabc1234-1234-1234-1234-cabcdefg0011"
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
darktrace.ai_analyst_alert.activity_id
An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident.
keyword
darktrace.ai_analyst_alert.aia_score
The score of the event as classified by AI Analyst - out of 100.
double
darktrace.ai_analyst_alert.attack_phases
Of the six attack phases, which phases are applicable to the activity.
long
darktrace.ai_analyst_alert.breach_devices.did
The unique device id identifier for the device that triggered the breach. This field is used to group events into device-based incidents within the Threat Visualizer.
long
darktrace.ai_analyst_alert.breach_devices.hostname
The hostname associated with the device, if available.
keyword
darktrace.ai_analyst_alert.breach_devices.identifier
An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability.
keyword
darktrace.ai_analyst_alert.breach_devices.ip
The IP associated with the device.
keyword
darktrace.ai_analyst_alert.breach_devices.mac_address
The MAC address associated with the device.
keyword
darktrace.ai_analyst_alert.breach_devices.sid
The subnet id for the subnet the device is currently located in.
long
darktrace.ai_analyst_alert.breach_devices.subnet
The subnet label for the corresponding subnet, if available.
keyword
darktrace.ai_analyst_alert.category
The behavior category associated with the incident event.
keyword
darktrace.ai_analyst_alert.children
One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values.
keyword
darktrace.ai_analyst_alert.created_at
Timestamp for event creation in epoch time.
date
darktrace.ai_analyst_alert.current_group
The UUID of the current incident this event belongs to.
keyword
darktrace.ai_analyst_alert.details
An array of multiple sections (sub-arrays) of event information.
flattened
darktrace.ai_analyst_alert.group_by_activity
Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s).
boolean
darktrace.ai_analyst_alert.group_category
The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only.
keyword
darktrace.ai_analyst_alert.group_previous_groups
If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged.
keyword
darktrace.ai_analyst_alert.group_score
The current overall score of the incident this event is part of.
double
darktrace.ai_analyst_alert.grouping_ids
Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident.
keyword
darktrace.ai_analyst_alert.id
A system field.
keyword
darktrace.ai_analyst_alert.incident_event_url.domain
keyword
darktrace.ai_analyst_alert.incident_event_url.extension
keyword
darktrace.ai_analyst_alert.incident_event_url.fragment
keyword
darktrace.ai_analyst_alert.incident_event_url.full
keyword
darktrace.ai_analyst_alert.incident_event_url.original
keyword
darktrace.ai_analyst_alert.incident_event_url.password
keyword
darktrace.ai_analyst_alert.incident_event_url.path
keyword
darktrace.ai_analyst_alert.incident_event_url.port
long
darktrace.ai_analyst_alert.incident_event_url.query
keyword
darktrace.ai_analyst_alert.incident_event_url.scheme
keyword
darktrace.ai_analyst_alert.incident_event_url.username
keyword
darktrace.ai_analyst_alert.is_acknowledged
Whether the event has been acknowledged.
boolean
darktrace.ai_analyst_alert.is_external_triggered
Whether the event was created as a result of an externally triggered AI Analyst investigation.
boolean
darktrace.ai_analyst_alert.is_pinned
Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. Pinned events will always return regardless of the timeframe specified.
boolean
darktrace.ai_analyst_alert.is_user_triggered
Whether the event was created as a result of a user-triggered AI Analyst investigation.
boolean
darktrace.ai_analyst_alert.periods.end
A timestamp for the end of the activity period in epoch time.
date
darktrace.ai_analyst_alert.periods.start
A timestamp for the start of the activity period in epoch time.
date
darktrace.ai_analyst_alert.related_breaches.model_name
The name of the model that breached.
keyword
darktrace.ai_analyst_alert.related_breaches.pbid
The policy breach ID unique identifier of the model breach.
long
darktrace.ai_analyst_alert.related_breaches.threat_score
The breach score of the associated model breach - out of 100.
long
darktrace.ai_analyst_alert.related_breaches.timestamp
The timestamp at which the model breach occurred in epoch time.
date
darktrace.ai_analyst_alert.summariser
A system field.
keyword
darktrace.ai_analyst_alert.summary
A textual summary of the suspicious activity. This example is abbreviated.
keyword
darktrace.ai_analyst_alert.title
A title describing the activity that occurred.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
keyword
event.category
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
keyword
event.created
event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
date
event.dataset
Event dataset.
constant_keyword
event.end
event.end contains the date when the event ended or when the activity was last observed.
date
event.id
Unique ID to describe the event.
keyword
event.kind
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
keyword
event.module
Event module.
constant_keyword
event.original
Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference.
keyword
event.reason
Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where event.action captures the action from the event, event.reason describes why that action was taken. For example, a web proxy with an event.action which denied the request may also populate event.reason with the reason why (e.g. blocked site).
keyword
event.risk_score
Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
float
event.risk_score_norm
Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
float
event.start
event.start contains the date when the event started or when the activity was first observed.
date
event.type
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
keyword
event.url
URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.name.text
Multi-field of host.os.name.
text
host.os.platform
Operating system platform (such centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Input type
keyword
log.offset
Log offset
long
log.source.address
Source address from which the log event was read / sent from.
keyword
log.syslog.appname
The device or application that originated the Syslog message, if available.
keyword
log.syslog.facility.code
The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
long
log.syslog.facility.name
The Syslog text-based facility of the log event, if available.
keyword
log.syslog.hostname
The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
keyword
log.syslog.priority
Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
long
log.syslog.severity.code
The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity.
long
log.syslog.severity.name
The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level.
keyword
log.syslog.version
The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
keyword
message
For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message.
match_only_text
related.hosts
All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
keyword
related.ip
All of the IPs seen on your event.
ip
rule.name
The name of the rule or signature generating the event.
keyword
tags
List of keywords used to tag each event.
keyword
threat.enrichments.matched.id
Identifies the _id of the indicator document enriching the event.
keyword
threat.group.id
The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id.
keyword

model_breach_alert

This is the model_breach_alert dataset.

Example

An example event for model_breach_alert looks as following:

{
    "@timestamp": "2022-07-11T13:04:08.000Z",
    "agent": {
        "ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942",
        "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.2.1"
    },
    "darktrace": {
        "model_breach_alert": {
            "aianalyst_data": [
                {
                    "related": [
                        1
                    ],
                    "summariser": "BeaconSummary",
                    "uuid": "1234abcd-1234-1234-1234-123456abcdef"
                }
            ],
            "comment": {
                "count": 0
            },
            "creation_time": "2022-07-11T13:04:19.000Z",
            "device": {
                "did": 3,
                "first_seen": "2022-07-11T12:54:49.000Z",
                "ip": "81.2.69.142",
                "last_seen": "2022-07-11T13:00:18.000Z",
                "sid": 1,
                "type_label": "Desktop",
                "type_name": "desktop"
            },
            "model": {
                "actions": {
                    "is_alerting": true,
                    "is_breach": true,
                    "is_priority_set": false,
                    "is_tag_set": false,
                    "is_type_set": false,
                    "model": true
                },
                "active_times": {
                    "type": "exclusions",
                    "version": 2
                },
                "behaviour": "incdec1",
                "category": "Informational",
                "created": {
                    "by": "System"
                },
                "delay": 0,
                "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
                "edited": {
                    "by": "System"
                },
                "in_compliance_behavior_category": false,
                "interval": 10800,
                "is_active": true,
                "is_auto_suppress": true,
                "is_auto_updatable": true,
                "is_auto_update": true,
                "is_sequenced": false,
                "is_shared_endpoints": false,
                "logic": {
                    "data_weighted_component_list": [
                        {
                            "cid": 2026,
                            "weight": 1
                        },
                        {
                            "cid": 2024,
                            "weight": 1
                        },
                        {
                            "cid": 2025,
                            "weight": -100
                        }
                    ],
                    "target_score": 1,
                    "type": "weightedComponentList",
                    "version": 1
                },
                "modified": "2022-07-11T11:47:37.000Z",
                "name": "Compromise::Beaconing Activity To External Rare",
                "phid": 1072,
                "pid": 156,
                "priority": 2,
                "tags": [
                    "AP: C2 Comms"
                ],
                "throttle": 10800,
                "uuid": "1234abcd-1234-1234-1234-123456abcdef",
                "version": 23
            },
            "pbid": 1,
            "score": 0.674,
            "time": "2022-07-11T13:04:08.000Z",
            "triggered_components": [
                {
                    "cbid": 1,
                    "chid": 2113,
                    "cid": 2026,
                    "interval": 3600,
                    "logic": {
                        "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}",
                        "version": "v0.1"
                    },
                    "metric": {
                        "label": "External Connections",
                        "mlid": 1,
                        "name": "externalconnections"
                    },
                    "size": 11,
                    "threshold": 10,
                    "time": "2022-07-11T13:04:08.000Z",
                    "triggered_filters": [
                        {
                            "arguments": {
                                "value": 60
                            },
                            "cfid": 23426,
                            "comparator_type": "\u003e",
                            "filter_type": "Beaconing score",
                            "id": "A",
                            "trigger": {
                                "value": "100"
                            }
                        },
                        {
                            "arguments": {
                                "value": 0
                            },
                            "cfid": 23427,
                            "comparator_type": "\u003e",
                            "filter_type": "Individual size up",
                            "id": "AA",
                            "trigger": {
                                "value": "4382"
                            }
                        },
                        {
                            "arguments": {
                                "value": 95
                            },
                            "cfid": 23428,
                            "comparator_type": "\u003e",
                            "filter_type": "Rare domain",
                            "id": "AB",
                            "trigger": {
                                "value": "100"
                            }
                        },
                        {
                            "arguments": {
                                "value": 1209600
                            },
                            "cfid": 23430,
                            "comparator_type": "\u003c",
                            "filter_type": "Age of destination",
                            "id": "AD",
                            "trigger": {
                                "value": "558"
                            }
                        },
                        {
                            "arguments": {
                                "value": 1209600
                            },
                            "cfid": 23431,
                            "comparator_type": "\u003c",
                            "filter_type": "Age of external hostname",
                            "id": "AE",
                            "trigger": {
                                "value": "558"
                            }
                        },
                        {
                            "arguments": {
                                "value": "examples"
                            },
                            "cfid": 23432,
                            "comparator_type": "does not match regular expression",
                            "filter_type": "Connection hostname",
                            "id": "AF",
                            "trigger": {
                                "value": "example.com"
                            }
                        },
                        {
                            "arguments": {
                                "value": "examples"
                            },
                            "cfid": 23433,
                            "comparator_type": "does not match regular expression",
                            "filter_type": "ASN",
                            "id": "AG",
                            "trigger": {
                                "value": "AS12345 LOCAL-02"
                            }
                        },
                        {
                            "arguments": {
                                "value": "5d41402abc4b2a76b9719d911017c592"
                            },
                            "cfid": 23434,
                            "comparator_type": "does not match",
                            "filter_type": "JA3 hash",
                            "id": "AH",
                            "trigger": {
                                "value": "5d41402abc4b2a76b9719d911017c592"
                            }
                        },
                        {
                            "arguments": {
                                "value": 95
                            },
                            "cfid": 23435,
                            "comparator_type": "\u003e",
                            "filter_type": "Rare external IP",
                            "id": "B",
                            "trigger": {
                                "value": "100"
                            }
                        },
                        {
                            "arguments": {
                                "value": "1003"
                            },
                            "cfid": 23436,
                            "comparator_type": "is not",
                            "filter_type": "Application protocol",
                            "id": "C",
                            "trigger": {
                                "value": "1004"
                            }
                        },
                        {
                            "arguments": {
                                "value": 53
                            },
                            "cfid": 23437,
                            "comparator_type": "!=",
                            "filter_type": "Destination port",
                            "id": "D",
                            "trigger": {
                                "value": "443"
                            }
                        },
                        {
                            "arguments": {
                                "value": "out"
                            },
                            "cfid": 23438,
                            "comparator_type": "is",
                            "filter_type": "Direction",
                            "id": "E",
                            "trigger": {
                                "value": "out"
                            }
                        },
                        {
                            "arguments": {
                                "value": 137
                            },
                            "cfid": 23439,
                            "comparator_type": "!=",
                            "filter_type": "Destination port",
                            "id": "H",
                            "trigger": {
                                "value": "443"
                            }
                        },
                        {
                            "arguments": {
                                "value": 161
                            },
                            "cfid": 23440,
                            "comparator_type": "!=",
                            "filter_type": "Destination port",
                            "id": "I",
                            "trigger": {
                                "value": "443"
                            }
                        },
                        {
                            "arguments": {
                                "value": "6"
                            },
                            "cfid": 23441,
                            "comparator_type": "is",
                            "filter_type": "Protocol",
                            "id": "J",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "Company"
                            },
                            "cfid": 23442,
                            "comparator_type": "does not contain",
                            "filter_type": "ASN",
                            "id": "K",
                            "trigger": {
                                "value": "AS12345 LOCAL-02"
                            }
                        },
                        {
                            "arguments": {
                                "value": "Company"
                            },
                            "cfid": 23443,
                            "comparator_type": "does not contain",
                            "filter_type": "ASN",
                            "id": "L",
                            "trigger": {
                                "value": "AS12345 LOCAL-02"
                            }
                        },
                        {
                            "arguments": {
                                "value": "13"
                            },
                            "cfid": 23444,
                            "comparator_type": "is not",
                            "filter_type": "Internal source device type",
                            "id": "M",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "5"
                            },
                            "cfid": 23445,
                            "comparator_type": "is not",
                            "filter_type": "Internal source device type",
                            "id": "N",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "9"
                            },
                            "cfid": 23446,
                            "comparator_type": "is not",
                            "filter_type": "Internal source device type",
                            "id": "O",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "12"
                            },
                            "cfid": 23447,
                            "comparator_type": "is not",
                            "filter_type": "Internal source device type",
                            "id": "P",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "30"
                            },
                            "cfid": 23448,
                            "comparator_type": "is not",
                            "filter_type": "Internal source device type",
                            "id": "S",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "4"
                            },
                            "cfid": 23449,
                            "comparator_type": "is not",
                            "filter_type": "Internal source device type",
                            "id": "U",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "3"
                            },
                            "cfid": 23450,
                            "comparator_type": "is not",
                            "filter_type": "Internal source device type",
                            "id": "V",
                            "trigger": {
                                "value": "6"
                            }
                        },
                        {
                            "arguments": {
                                "value": "false"
                            },
                            "cfid": 23451,
                            "comparator_type": "is",
                            "filter_type": "Trusted hostname",
                            "id": "X",
                            "trigger": {
                                "value": "false"
                            }
                        },
                        {
                            "arguments": {
                                "value": 26
                            },
                            "cfid": 23452,
                            "comparator_type": "does not have tag",
                            "filter_type": "Tagged internal source",
                            "id": "Y",
                            "trigger": {
                                "tag": {
                                    "data": {
                                        "auto": false,
                                        "color": 5,
                                        "visibility": "Public"
                                    },
                                    "expiry": 0,
                                    "is_referenced": true,
                                    "name": "No Device Tracking",
                                    "restricted": false,
                                    "thid": 26,
                                    "tid": 26
                                },
                                "value": "26"
                            }
                        },
                        {
                            "arguments": {
                                "value": 0
                            },
                            "cfid": 23453,
                            "comparator_type": "\u003e",
                            "filter_type": "Individual size down",
                            "id": "Z",
                            "trigger": {
                                "value": "5862"
                            }
                        },
                        {
                            "cfid": 23454,
                            "comparator_type": "display",
                            "filter_type": "JA3 hash",
                            "id": "d1",
                            "trigger": {
                                "value": "5d41402abc4b2a76b9719d911017c592"
                            }
                        },
                        {
                            "cfid": 23455,
                            "comparator_type": "display",
                            "filter_type": "ASN",
                            "id": "d2",
                            "trigger": {
                                "value": "AS12345 LOCAL-02"
                            }
                        },
                        {
                            "cfid": 23456,
                            "comparator_type": "display",
                            "filter_type": "Destination IP",
                            "id": "d3",
                            "trigger": {
                                "value": "81.2.69.192"
                            }
                        },
                        {
                            "cfid": 23457,
                            "comparator_type": "display",
                            "filter_type": "Connection hostname",
                            "id": "d4",
                            "trigger": {
                                "value": "example.com"
                            }
                        }
                    ]
                }
            ]
        }
    },
    "data_stream": {
        "dataset": "darktrace.model_breach_alert",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.7.0"
    },
    "elastic_agent": {
        "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
        "snapshot": false,
        "version": "8.2.1"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "network"
        ],
        "created": "2022-07-11T13:04:19.000Z",
        "dataset": "darktrace.model_breach_alert",
        "ingested": "2022-09-30T11:39:13Z",
        "kind": "event",
        "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
        "risk_score": 0.674,
        "risk_score_norm": 67.4,
        "severity": 2,
        "start": [
            "2022-07-11T13:04:08.000Z"
        ],
        "type": [
            "info",
            "connection"
        ]
    },
    "host": {
        "id": "3",
        "ip": [
            "81.2.69.142"
        ],
        "type": "desktop"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.128.5:60206"
        },
        "syslog": {
            "facility": {
                "code": 20,
                "name": "local4"
            },
            "hostname": "example.cloud.darktrace.com",
            "priority": 165,
            "severity": {
                "code": 5,
                "name": "Notice"
            },
            "version": "1"
        }
    },
    "related": {
        "ip": [
            "81.2.69.142"
        ],
        "user": [
            "System"
        ]
    },
    "rule": {
        "author": "System",
        "category": "Informational",
        "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
        "name": "Compromise::Beaconing Activity To External Rare",
        "ruleset": [
            "AP: C2 Comms"
        ],
        "uuid": "1234abcd-1234-1234-1234-123456abcdef",
        "version": "23"
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "darktrace-model_breach_alert"
    ]
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
darktrace.model_breach_alert.aianalyst_data.related
long
darktrace.model_breach_alert.aianalyst_data.summariser
keyword
darktrace.model_breach_alert.aianalyst_data.uuid
keyword
darktrace.model_breach_alert.breach_url.domain
keyword
darktrace.model_breach_alert.breach_url.extension
keyword
darktrace.model_breach_alert.breach_url.fragment
keyword
darktrace.model_breach_alert.breach_url.full
keyword
darktrace.model_breach_alert.breach_url.original
keyword
darktrace.model_breach_alert.breach_url.password
keyword
darktrace.model_breach_alert.breach_url.path
keyword
darktrace.model_breach_alert.breach_url.port
long
darktrace.model_breach_alert.breach_url.query
keyword
darktrace.model_breach_alert.breach_url.scheme
keyword
darktrace.model_breach_alert.breach_url.username
keyword
darktrace.model_breach_alert.comment.count
The number of comments made against this breach.
long
darktrace.model_breach_alert.creation_time
The timestamp that the record of the breach was created. This is distinct from the “time” field.
date
darktrace.model_breach_alert.device.credentials
keyword
darktrace.model_breach_alert.device.did
The “device id”, a unique identifier.
long
darktrace.model_breach_alert.device.first_seen
The first time the device was seen on the network.
date
darktrace.model_breach_alert.device.hostname
The current device hostname.
keyword
darktrace.model_breach_alert.device.ip
The current IP associated with the device.
keyword
darktrace.model_breach_alert.device.ip6
Current IPv6 address of this device if applicable, otherwise undefined.
keyword
darktrace.model_breach_alert.device.ips.ip
A historic IP associated with the device.
keyword
darktrace.model_breach_alert.device.ips.sid
The subnet id for the subnet the IP belongs to.
long
darktrace.model_breach_alert.device.ips.time
The time the IP was last seen associated with that device in readable format.
date
darktrace.model_breach_alert.device.ips.timems
The time the IP was last seen associated with that device in epoch time.
date
darktrace.model_breach_alert.device.last_seen
The last time the device was seen on the network.
date
darktrace.model_breach_alert.device.mac_address
The current MAC address associated with the device.
keyword
darktrace.model_breach_alert.device.sid
The subnet id for the subnet the device is currently located in.
long
darktrace.model_breach_alert.device.tags.data.auto
boolean
darktrace.model_breach_alert.device.tags.data.color
long
darktrace.model_breach_alert.device.tags.data.description
keyword
darktrace.model_breach_alert.device.tags.data.visibility
keyword
darktrace.model_breach_alert.device.tags.expiry
long
darktrace.model_breach_alert.device.tags.is_referenced
boolean
darktrace.model_breach_alert.device.tags.name
keyword
darktrace.model_breach_alert.device.tags.restricted
boolean
darktrace.model_breach_alert.device.tags.thid
long
darktrace.model_breach_alert.device.tags.tid
long
darktrace.model_breach_alert.device.type_label
The device type in readable format.
keyword
darktrace.model_breach_alert.device.type_name
The device type in system format.
keyword
darktrace.model_breach_alert.device.vendor
The vendor of the device network card as derived by Darktrace from the MAC address.
keyword
darktrace.model_breach_alert.device_score
double
darktrace.model_breach_alert.is_acknowledged
boolean
darktrace.model_breach_alert.mitre_techniques.id
keyword
darktrace.model_breach_alert.mitre_techniques.name
keyword
darktrace.model_breach_alert.model.actions.antigena.action
The action to be performed.
keyword
darktrace.model_breach_alert.model.actions.antigena.duration
The duration in seconds that the antigena action should last for.
long
darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator
Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode.
boolean
darktrace.model_breach_alert.model.actions.antigena.threshold
The breach score threshold (out of 100) over which antigena will take an action.
long
darktrace.model_breach_alert.model.actions.is_alerting
If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met.
boolean
darktrace.model_breach_alert.model.actions.is_breach
If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met.
boolean
darktrace.model_breach_alert.model.actions.is_priority_set
If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean.
boolean
darktrace.model_breach_alert.model.actions.is_tag_set
If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean.
boolean
darktrace.model_breach_alert.model.actions.is_type_set
If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean.
boolean
darktrace.model_breach_alert.model.actions.model
If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray.
boolean
darktrace.model_breach_alert.model.active_times.devices
The device ids for devices on the list.
flattened
darktrace.model_breach_alert.model.active_times.tags
A system field.
flattened
darktrace.model_breach_alert.model.active_times.type
The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist.
keyword
darktrace.model_breach_alert.model.active_times.version
A system field.
long
darktrace.model_breach_alert.model.behaviour
The score modulation function as set in the model editor.
keyword
darktrace.model_breach_alert.model.category
The behavior category of the model that was breached.
keyword
darktrace.model_breach_alert.model.created.by
Username that created the model.
keyword
darktrace.model_breach_alert.model.defeats.arguments.value
The value(s) that must match for the defeat to take effect.
keyword
darktrace.model_breach_alert.model.defeats.comparator
The comparator that the value is compared against the create the defeat.
keyword
darktrace.model_breach_alert.model.defeats.filtertype
The filter the defeat is made from.
keyword
darktrace.model_breach_alert.model.defeats.id
A unique ID for the defeat.
long
darktrace.model_breach_alert.model.delay
Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models.
long
darktrace.model_breach_alert.model.description
The optional description of the model.
keyword
darktrace.model_breach_alert.model.edited.by
Username that last edited the model.
keyword
darktrace.model_breach_alert.model.edited.userid
long
darktrace.model_breach_alert.model.in_compliance_behavior_category
Whether the model is in the compliance behavior category.
boolean
darktrace.model_breach_alert.model.interval
Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached.
long
darktrace.model_breach_alert.model.is_active
Whether the model is enabled or disabled.
boolean
darktrace.model_breach_alert.model.is_auto_suppress
Whether the model will automatically be suppressed in the case of over-breaching.
boolean
darktrace.model_breach_alert.model.is_auto_updatable
Whether the model is suitable for auto update.
boolean
darktrace.model_breach_alert.model.is_auto_update
Whether the model is enabled for auto update.
boolean
darktrace.model_breach_alert.model.is_sequenced
Whether the components are required to fire in the specified order for the model breach to occur.
boolean
darktrace.model_breach_alert.model.is_shared_endpoints
For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire.
boolean
darktrace.model_breach_alert.model.logic.data_component_list
This will be a list of component ID numbers.
long
darktrace.model_breach_alert.model.logic.data_weighted_component_list.cid
long
darktrace.model_breach_alert.model.logic.data_weighted_component_list.weight
long
darktrace.model_breach_alert.model.logic.target_score
long
darktrace.model_breach_alert.model.logic.type
The type of model.
keyword
darktrace.model_breach_alert.model.logic.version
A number representing the version of model logic.
long
darktrace.model_breach_alert.model.modified
Timestamp at which the model was last modified, in a readable format.
date
darktrace.model_breach_alert.model.name
Name of the model that was breached.
keyword
darktrace.model_breach_alert.model.phid
The model “policy history” id. Increments when the model is modified.
long
darktrace.model_breach_alert.model.pid
The “policy id” of the model that was breached.
long
darktrace.model_breach_alert.model.priority
The model’s priority affects the strength with which it breaches (0-5 scale).
long
darktrace.model_breach_alert.model.tags
A list of tags that have been applied to this model in the Threat Visualizer model editor.
keyword
darktrace.model_breach_alert.model.throttle
For an individual device, this is the value in seconds for which this model will not fire again.
long
darktrace.model_breach_alert.model.uuid
A unique ID that is generated on creation of the model.
keyword
darktrace.model_breach_alert.model.version
The version of the model. Increments on each edit.
long
darktrace.model_breach_alert.pb_score
The model breach score, represented by a value between 0 and 1.
double
darktrace.model_breach_alert.pbid
The “policy breach ID” of the model breach.
long
darktrace.model_breach_alert.score
The model breach score, represented by a value between 0 and 1.
double
darktrace.model_breach_alert.time
The timestamp when the record was created in epoch time.
date
darktrace.model_breach_alert.triggered_components.cbid
The “component breach id”. A unique identifier for the component breach.
long
darktrace.model_breach_alert.triggered_components.chid
The “component history id”. Increments when the component is edited.
long
darktrace.model_breach_alert.triggered_components.cid
The “component id”. A unique identifier.
long
darktrace.model_breach_alert.triggered_components.interval
The timeframe in seconds within which the threshold must be satisfied.
long
darktrace.model_breach_alert.triggered_components.logic.data
It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters.
text
darktrace.model_breach_alert.triggered_components.logic.version
The version of the component logic.
keyword
darktrace.model_breach_alert.triggered_components.metric.label
The metric which data is returned for in readable format.
keyword
darktrace.model_breach_alert.triggered_components.metric.mlid
The “metric logic” id - unique identifier.
long
darktrace.model_breach_alert.triggered_components.metric.name
The metric which data is returned for in system format.
keyword
darktrace.model_breach_alert.triggered_components.size
The size of the value that was compared in the component.
long
darktrace.model_breach_alert.triggered_components.threshold
The threshold value that the size must exceed for the component to breach.
long
darktrace.model_breach_alert.triggered_components.time
A timestamp in Epoch time at which the components were triggered.
date
darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value
The value the filtertype should be compared against (using the specified comparator) to create the filter.
keyword
darktrace.model_breach_alert.triggered_components.triggered_filters.cfid
The ‘component filter id’. A unique identifier for the filter as part of a the component.
long
darktrace.model_breach_alert.triggered_components.triggered_filters.comparator_type
The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint.
keyword
darktrace.model_breach_alert.triggered_components.triggered_filters.filter_type
The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint.
keyword
darktrace.model_breach_alert.triggered_components.triggered_filters.id
A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral.
keyword
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.auto
boolean
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.color
long
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.description
keyword
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.visibility
keyword
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.expiry
nan
long
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.isReferenced
nan
boolean
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.name
nan
keyword
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.restricted
nan
boolean
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.thid
nan
long
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.tid
nan
long
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.value
The actual value that triggered the filter.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
keyword
event.action
The action captured by the event. This describes the information in the event. It is more specific than event.category. Examples are group-add, process-started, file-created. The value is normally defined by the implementer.
keyword
event.category
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
keyword
event.created
event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
date
event.dataset
Event dataset.
constant_keyword
event.kind
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
keyword
event.module
Event module.
constant_keyword
event.original
Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference.
keyword
event.risk_score
Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
float
event.risk_score_norm
Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
float
event.severity
The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in log.syslog.severity.code. event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity.
long
event.start
event.start contains the date when the event started or when the activity was first observed.
date
event.type
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
keyword
event.url
URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.name.text
Multi-field of host.os.name.
text
host.os.platform
Operating system platform (such centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Input type
keyword
log.offset
Log offset
long
log.source.address
Source address from which the log event was read / sent from.
keyword
log.syslog.appname
The device or application that originated the Syslog message, if available.
keyword
log.syslog.facility.code
The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
long
log.syslog.facility.name
The Syslog text-based facility of the log event, if available.
keyword
log.syslog.hostname
The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
keyword
log.syslog.priority
Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
long
log.syslog.severity.code
The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity.
long
log.syslog.severity.name
The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level.
keyword
log.syslog.version
The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
keyword
related.hosts
All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
keyword
related.ip
All of the IPs seen on your event.
ip
related.user
All the user names or other user identifiers seen on the event.
keyword
rule.author
Name, organization, or pseudonym of the author or authors who created the rule used to generate this event.
keyword
rule.category
A categorization value keyword used by the entity using the rule for detection of this event.
keyword
rule.description
The description of the rule generating the event.
keyword
rule.name
The name of the rule or signature generating the event.
keyword
rule.ruleset
Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member.
keyword
rule.uuid
A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event.
keyword
rule.version
The version / revision of the rule being used for analysis.
keyword
tags
List of keywords used to tag each event.
keyword
threat.technique.id
The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
keyword
threat.technique.name
The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/)
keyword
threat.technique.name.text
Multi-field of threat.technique.name.
match_only_text

system_status_alert

This is the system_status_alert dataset.

Example

An example event for system_status_alert looks as following:

{
    "@timestamp": "2021-04-18T15:44:11.000Z",
    "agent": {
        "ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2",
        "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.2.1"
    },
    "darktrace": {
        "system_status_alert": {
            "alert_name": "Advanced Search",
            "child_id": 1,
            "hostname": "example-vsensor",
            "ip_address": "175.16.199.1",
            "last_updated": "2021-04-18T15:44:11.000Z",
            "last_updated_status": "2021-04-18T15:44:11.000Z",
            "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
            "name": "advanced_search",
            "priority": 43,
            "priority_level": "medium",
            "status": "active",
            "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3"
        }
    },
    "data_stream": {
        "dataset": "darktrace.system_status_alert",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.7.0"
    },
    "elastic_agent": {
        "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
        "snapshot": false,
        "version": "8.2.1"
    },
    "event": {
        "agent_id_status": "verified",
        "dataset": "darktrace.system_status_alert",
        "id": "abcdabcd-1234-1234-1234-3abababcdcd3",
        "ingested": "2022-09-30T11:41:35Z",
        "kind": "alert",
        "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}",
        "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
        "risk_score": 43,
        "risk_score_norm": 43,
        "type": [
            "info"
        ]
    },
    "host": {
        "hostname": "example-vsensor",
        "ip": "175.16.199.1"
    },
    "input": {
        "type": "udp"
    },
    "log": {
        "source": {
            "address": "192.168.128.5:36197"
        },
        "syslog": {
            "facility": {
                "code": 20,
                "name": "local4"
            },
            "hostname": "example.cloud.darktrace.com",
            "priority": 165,
            "severity": {
                "code": 5,
                "name": "Notice"
            },
            "version": "1"
        }
    },
    "related": {
        "hosts": [
            "example-vsensor"
        ],
        "ip": [
            "175.16.199.1"
        ]
    },
    "tags": [
        "preserve_original_event",
        "preserve_duplicate_custom_fields",
        "forwarded",
        "darktrace-system_status_alert"
    ]
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.account.id
The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.
keyword
cloud.availability_zone
Availability zone in which this host is running.
keyword
cloud.image.id
Image ID for the cloud instance.
keyword
cloud.instance.id
Instance ID of the host machine.
keyword
cloud.instance.name
Instance name of the host machine.
keyword
cloud.machine.type
Machine type of the host machine.
keyword
cloud.project.id
Name of the project in Google Cloud.
keyword
cloud.provider
Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean.
keyword
cloud.region
Region in which this host is running.
keyword
container.id
Unique container id.
keyword
container.image.name
Name of the image the container was built on.
keyword
container.labels
Image labels.
object
container.name
Container name.
keyword
darktrace.system_status_alert.acknowledge_timeout
When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases.
keyword
darktrace.system_status_alert.alert_name
A human readable name of the alert type.
keyword
darktrace.system_status_alert.child_id
For probes (physical or virtual), the unique ID associated with the probe.
long
darktrace.system_status_alert.hostname
The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected.
keyword
darktrace.system_status_alert.ip_address
The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected.
keyword
darktrace.system_status_alert.last_updated
A timestamp in epoch time that the system alert itself was updated.
date
darktrace.system_status_alert.last_updated_status
A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself.
date
darktrace.system_status_alert.message
A textual description of the system event that has triggered the alert.
keyword
darktrace.system_status_alert.name
A system name of the alert type.
keyword
darktrace.system_status_alert.priority
The numeric criticality associated with the alert.
double
darktrace.system_status_alert.priority_level
The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical.
keyword
darktrace.system_status_alert.status
The current status of the alert. Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. Alerts will only be sent when alert enters the “active” or “resolved” state.
keyword
darktrace.system_status_alert.url.domain
keyword
darktrace.system_status_alert.url.extension
keyword
darktrace.system_status_alert.url.fragment
keyword
darktrace.system_status_alert.url.full
keyword
darktrace.system_status_alert.url.original
keyword
darktrace.system_status_alert.url.password
keyword
darktrace.system_status_alert.url.path
keyword
darktrace.system_status_alert.url.port
long
darktrace.system_status_alert.url.query
keyword
darktrace.system_status_alert.url.scheme
keyword
darktrace.system_status_alert.url.username
keyword
darktrace.system_status_alert.uuid
A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts.
keyword
data_stream.dataset
Data stream dataset.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
ecs.version
ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events.
keyword
event.category
This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories.
keyword
event.created
event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used.
date
event.dataset
Event dataset.
constant_keyword
event.id
Unique ID to describe the event.
keyword
event.kind
This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not.
keyword
event.module
Event module.
constant_keyword
event.original
Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source. If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference.
keyword
event.reason
Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where event.action captures the action from the event, event.reason describes why that action was taken. For example, a web proxy with an event.action which denied the request may also populate event.reason with the reason why (e.g. blocked site).
keyword
event.risk_score
Risk score or priority of the event (e.g. security solutions). Use your system's original value here.
float
event.risk_score_norm
Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems.
float
event.type
This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types.
keyword
event.url
URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert, are a common use case for this field.
keyword
host.architecture
Operating system architecture.
keyword
host.containerized
If the host is a container.
boolean
host.domain
Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider.
keyword
host.hostname
Hostname of the host. It normally contains what the hostname command returns on the host machine.
keyword
host.id
Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name.
keyword
host.ip
Host ip addresses.
ip
host.mac
Host mac addresses.
keyword
host.name
Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.
keyword
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
host.os.family
OS family (such as redhat, debian, freebsd, windows).
keyword
host.os.kernel
Operating system kernel version as a raw string.
keyword
host.os.name
Operating system name, without the version.
keyword
host.os.name.text
Multi-field of host.os.name.
text
host.os.platform
Operating system platform (such centos, ubuntu, windows).
keyword
host.os.version
Operating system version as a raw string.
keyword
host.type
Type of host. For Cloud providers this can be the machine type like t2.medium. If vm, this could be the container, for example, or other information meaningful in your environment.
keyword
input.type
Input type
keyword
log.offset
Log offset
long
log.source.address
Source address from which the log event was read / sent from.
keyword
log.syslog.appname
The device or application that originated the Syslog message, if available.
keyword
log.syslog.facility.code
The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23.
long
log.syslog.facility.name
The Syslog text-based facility of the log event, if available.
keyword
log.syslog.hostname
The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector.
keyword
log.syslog.priority
Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191.
long
log.syslog.severity.code
The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity.
long
log.syslog.severity.name
The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level.
keyword
log.syslog.version
The version of the Syslog protocol specification. Only applicable for RFC 5424 messages.
keyword
related.hosts
All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases.
keyword
related.ip
All of the IPs seen on your event.
ip
tags
List of keywords used to tag each event.
keyword

Changelog

VersionDetails
1.1.0
Enhancement View pull request
Update package to ECS 8.7.0.
1.0.0
Enhancement View pull request
Release Darktrace as GA.
0.3.1
Enhancement View pull request
Added categories and/or subcategories.
0.3.0
Enhancement View pull request
Update package to ECS 8.6.0.
0.2.0
Enhancement View pull request
Update package to ECS 8.5.0.
0.1.2
Bug fix View pull request
Remove duplicate fields.
0.1.1
Bug fix View pull request
Fix documentation
0.1.0
Enhancement View pull request
Initial Release.