Collect logs from Darktrace with Elastic Agent.
What is an Elastic integration?
This integration is powered by Elastic Agent. Elastic Agent is a single, unified way to add monitoring for logs, metrics, and other types of data to a host. It can also protect hosts from security threats, query data from operating systems, forward data from remote services or hardware, and more. Refer to our documentation for a detailed comparison between Beats and Elastic Agent.
Prefer to use Beats for this use case? See Filebeat modules for logs or Metricbeat modules for metrics.
See the integrations quick start guides to get started:
The Darktrace integration allows you to monitor Alert Logs. Darktrace is a network solution for detecting and investigating emerging cyber-threats that evade traditional security tools. It is powered by Enterprise Immune System technology, which uses machine learning and mathematics to monitor behaviors and detect anomalies in your organization’s network.
Use the Darktrace integration to collect and parse data from the REST APIs or via Syslog. Then visualise that data in Kibana.
For example, you could use the data from this integration to know which model is breached and analyse model breaches, and also know about system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances.
The Darktrace integration collects logs for three types of events: AI Analyst Alert, Model Breach Alert and System Status Alert.
AI Analyst Alert is generated by investigates, analyzes, and reports upon threats seen within your Darktrace environment; as a starting point, it reviews and investigates all Model Breaches that occur on the system. If behavior which would be of interest to a cyber analyst is detected, an event is created. See Example Schema here.
Model Breach Alert is generated when a model breach is triggered. A model is used to define a set of conditions which, when met, will alert the system to the occurrence of a particular event or chain of anomalous behavior. Darktrace models are focused on pattern-of-life anomaly detection, potentially malicious behavior, and compliance issues. See Example Schema here.
System Status Alert keep Darktrace operators informed of system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. System Status Alerts include details of the originating host, the severity of the event, and links that may be helpful to investigate or resolve the issue. Notifications are sent for active system events and (optionally) on event resolution. See Example Schema here.
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.
Firewall exceptions to allow communication from the Darktrace master instance to the Syslog server.
This module has been tested against Darktrace Threat Visualizer v5.2.
<appliance-ip>
. (Threat Visualizer Console Hostname)Note: System Status Alert are not supported by REST API.
The user needs to create a different Syslog Forwarder with different ports for each data stream.
The process for configuring syslog-format alerts is identical for AI Analyst Alerts, Model Breach Alerts and System Status Alerts. Generic configuration guidance is provided below:
For more details, see Documentation.
Note:
Field Name | Value |
---|---|
Send AI Analyst Alerts | ON |
Send AI Analyst Alerts Immediately | ON |
AI Analyst Behavior Filter | Critical, Suspicious and Compliance |
Minimum AI Analyst Incident Event Score | 0 |
Minimum AI Analyst Incident Score | 0 |
Legacy AI Analyst Alerts | OFF |
Field Name | Value |
---|---|
Send Model Breach Alerts | ON |
Model Breach Behavior Filter | Critical, Suspicious, Compliance and Informational |
Minimum Breach Score | 0 |
Minimum Breach Priority | 0 |
Model Expression | N/A |
Model Tags Expression | N/A |
Device IP Addresses | N/A |
Device Tags Addresses | N/A |
Field Name | Value |
---|---|
Send System Status Alerts | ON |
Send Resolved System Status Alerts | ON |
Minimum System Status Priority | Informational |
Note : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts.
This is the ai_analyst_alert
dataset.
An example event for ai_analyst_alert
looks as following:
{
"@timestamp": "2021-08-03T14:48:09.240Z",
"agent": {
"ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae",
"id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.2.1"
},
"darktrace": {
"ai_analyst_alert": {
"activity_id": "abcd1234",
"aia_score": 98,
"attack_phases": [
5
],
"breach_devices": [
{
"did": 10,
"ip": "81.2.69.144",
"sid": 12,
"subnet": "VPN"
}
],
"category": "critical",
"children": [
"eabcdef0-1234-1234-1234-cabcdefghij9"
],
"created_at": "2021-08-03T14:48:09.240Z",
"current_group": "eabc1234-1234-1234-1234-cabcdefg0011",
"details": [
[
{
"contents": [
{
"type": "device",
"values": [
{
"did": 10,
"ip": "175.16.199.1",
"sid": 12,
"subnet": "VPN"
}
]
}
],
"header": "Breaching Device"
}
],
[
{
"contents": [
{
"key": "Time",
"type": "timestampRange",
"values": [
{
"end": 1628000141220,
"start": 1627985298683
}
]
},
{
"key": "Number of unique IPs",
"type": "integer",
"values": [
16
]
},
{
"key": "Targeted IP ranges include",
"type": "device",
"values": [
{
"ip": "81.2.69.192"
},
{
"ip": "175.16.199.1"
},
{
"ip": "175.16.199.3"
}
]
},
{
"key": "Destination port",
"type": "integer",
"values": [
22
]
},
{
"key": "Connection count",
"type": "integer",
"values": [
40
]
},
{
"key": "Percentage successful",
"type": "percentage",
"values": [
100
]
}
],
"header": "SSH Activity"
}
]
],
"group_by_activity": false,
"group_category": "critical",
"group_score": 72.9174234,
"grouping_ids": [
"abcdef12"
],
"id": "eabc0011-1234-1234-1234-cabcdefg0011",
"is_acknowledged": false,
"is_external_triggered": false,
"is_pinned": true,
"is_user_triggered": false,
"periods": [
{
"end": "2021-08-03T14:15:41.220Z",
"start": "2021-08-03T10:08:18.683Z"
}
],
"related_breaches": [
{
"model_name": "Unusual Activity / Unusual Activity from Re-Activated Device",
"pbid": 1234,
"threat_score": 37,
"timestamp": "2021-08-03T13:25:57.000Z"
}
],
"summariser": "AdminConnSummary",
"summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
"title": "Extensive Unusual SSH Connections"
}
},
"data_stream": {
"dataset": "darktrace.ai_analyst_alert",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
"snapshot": false,
"version": "8.2.1"
},
"event": {
"agent_id_status": "verified",
"category": [
"threat"
],
"dataset": "darktrace.ai_analyst_alert",
"duration": [
14842537000000
],
"end": [
"2021-08-03T14:15:41.220Z"
],
"id": "eabc0011-1234-1234-1234-cabcdefg0011",
"ingested": "2022-09-30T11:36:06Z",
"kind": "alert",
"original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}",
"reason": "Extensive Unusual SSH Connections",
"risk_score": 98,
"risk_score_norm": 98,
"start": [
"2021-08-03T10:08:18.683Z"
],
"type": [
"info"
]
},
"host": {
"id": [
"10"
],
"ip": [
"81.2.69.144"
]
},
"input": {
"type": "udp"
},
"log": {
"source": {
"address": "192.168.128.5:49066"
},
"syslog": {
"facility": {
"code": 20,
"name": "local4"
},
"hostname": "example.cloud.darktrace.com",
"priority": 165,
"severity": {
"code": 5,
"name": "Notice"
},
"version": "1"
}
},
"message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
"related": {
"ip": [
"81.2.69.144",
"175.16.199.1",
"81.2.69.192",
"175.16.199.3"
]
},
"rule": {
"name": [
"Unusual Activity / Unusual Activity from Re-Activated Device"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"darktrace-ai_analyst_alert"
],
"threat": {
"enrichments": {
"matched": {
"id": [
"eabcdef0-1234-1234-1234-cabcdefghij9"
]
}
},
"group": {
"id": "eabc1234-1234-1234-1234-cabcdefg0011"
}
}
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
cloud.availability_zone | Availability zone in which this host is running. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
cloud.instance.id | Instance ID of the host machine. | keyword |
cloud.instance.name | Instance name of the host machine. | keyword |
cloud.machine.type | Machine type of the host machine. | keyword |
cloud.project.id | Name of the project in Google Cloud. | keyword |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
cloud.region | Region in which this host is running. | keyword |
container.id | Unique container id. | keyword |
container.image.name | Name of the image the container was built on. | keyword |
container.labels | Image labels. | object |
container.name | Container name. | keyword |
darktrace.ai_analyst_alert.activity_id | An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident. | keyword |
darktrace.ai_analyst_alert.aia_score | The score of the event as classified by AI Analyst - out of 100. | double |
darktrace.ai_analyst_alert.attack_phases | Of the six attack phases, which phases are applicable to the activity. | long |
darktrace.ai_analyst_alert.breach_devices.did | The unique device id identifier for the device that triggered the breach. This field is used to group events into device-based incidents within the Threat Visualizer. | long |
darktrace.ai_analyst_alert.breach_devices.hostname | The hostname associated with the device, if available. | keyword |
darktrace.ai_analyst_alert.breach_devices.identifier | An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability. | keyword |
darktrace.ai_analyst_alert.breach_devices.ip | The IP associated with the device. | keyword |
darktrace.ai_analyst_alert.breach_devices.mac_address | The MAC address associated with the device. | keyword |
darktrace.ai_analyst_alert.breach_devices.sid | The subnet id for the subnet the device is currently located in. | long |
darktrace.ai_analyst_alert.breach_devices.subnet | The subnet label for the corresponding subnet, if available. | keyword |
darktrace.ai_analyst_alert.category | The behavior category associated with the incident event. | keyword |
darktrace.ai_analyst_alert.children | One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values. | keyword |
darktrace.ai_analyst_alert.created_at | Timestamp for event creation in epoch time. | date |
darktrace.ai_analyst_alert.current_group | The UUID of the current incident this event belongs to. | keyword |
darktrace.ai_analyst_alert.details | An array of multiple sections (sub-arrays) of event information. | flattened |
darktrace.ai_analyst_alert.group_by_activity | Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s). | boolean |
darktrace.ai_analyst_alert.group_category | The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. | keyword |
darktrace.ai_analyst_alert.group_previous_groups | If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged. | keyword |
darktrace.ai_analyst_alert.group_score | The current overall score of the incident this event is part of. | double |
darktrace.ai_analyst_alert.grouping_ids | Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident. | keyword |
darktrace.ai_analyst_alert.id | A system field. | keyword |
darktrace.ai_analyst_alert.incident_event_url.domain | keyword | |
darktrace.ai_analyst_alert.incident_event_url.extension | keyword | |
darktrace.ai_analyst_alert.incident_event_url.fragment | keyword | |
darktrace.ai_analyst_alert.incident_event_url.full | keyword | |
darktrace.ai_analyst_alert.incident_event_url.original | keyword | |
darktrace.ai_analyst_alert.incident_event_url.password | keyword | |
darktrace.ai_analyst_alert.incident_event_url.path | keyword | |
darktrace.ai_analyst_alert.incident_event_url.port | long | |
darktrace.ai_analyst_alert.incident_event_url.query | keyword | |
darktrace.ai_analyst_alert.incident_event_url.scheme | keyword | |
darktrace.ai_analyst_alert.incident_event_url.username | keyword | |
darktrace.ai_analyst_alert.is_acknowledged | Whether the event has been acknowledged. | boolean |
darktrace.ai_analyst_alert.is_external_triggered | Whether the event was created as a result of an externally triggered AI Analyst investigation. | boolean |
darktrace.ai_analyst_alert.is_pinned | Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. Pinned events will always return regardless of the timeframe specified. | boolean |
darktrace.ai_analyst_alert.is_user_triggered | Whether the event was created as a result of a user-triggered AI Analyst investigation. | boolean |
darktrace.ai_analyst_alert.periods.end | A timestamp for the end of the activity period in epoch time. | date |
darktrace.ai_analyst_alert.periods.start | A timestamp for the start of the activity period in epoch time. | date |
darktrace.ai_analyst_alert.related_breaches.model_name | The name of the model that breached. | keyword |
darktrace.ai_analyst_alert.related_breaches.pbid | The policy breach ID unique identifier of the model breach. | long |
darktrace.ai_analyst_alert.related_breaches.threat_score | The breach score of the associated model breach - out of 100. | long |
darktrace.ai_analyst_alert.related_breaches.timestamp | The timestamp at which the model breach occurred in epoch time. | date |
darktrace.ai_analyst_alert.summariser | A system field. | keyword |
darktrace.ai_analyst_alert.summary | A textual summary of the suspicious activity. This example is abbreviated. | keyword |
darktrace.ai_analyst_alert.title | A title describing the activity that occurred. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type , which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
event.dataset | Event dataset. | constant_keyword |
event.end | event.end contains the date when the event ended or when the activity was last observed. | date |
event.id | Unique ID to describe the event. | keyword |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
event.module | Event module. | constant_keyword |
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source . If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference . | keyword |
event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where event.action captures the action from the event, event.reason describes why that action was taken. For example, a web proxy with an event.action which denied the request may also populate event.reason with the reason why (e.g. blocked site ). | keyword |
event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float |
event.start | event.start contains the date when the event started or when the activity was first observed. | date |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert , are a common use case for this field. | keyword |
host.architecture | Operating system architecture. | keyword |
host.containerized | If the host is a container. | boolean |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword |
host.ip | Host ip addresses. | ip |
host.mac | Host mac addresses. | keyword |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name (FQDN), or a name specified by the user. The recommended value is the lowercase FQDN of the host. | keyword |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
host.os.kernel | Operating system kernel version as a raw string. | keyword |
host.os.name | Operating system name, without the version. | keyword |
host.os.name.text | Multi-field of host.os.name . | text |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
host.os.version | Operating system version as a raw string. | keyword |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
log.source.address | Source address from which the log event was read / sent from. | keyword |
log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword |
log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity . If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity . | long |
log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level . If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level . | keyword |
log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword |
message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text |
related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
related.ip | All of the IPs seen on your event. | ip |
rule.name | The name of the rule or signature generating the event. | keyword |
tags | List of keywords used to tag each event. | keyword |
threat.enrichments.matched.id | Identifies the _id of the indicator document enriching the event. | keyword |
threat.group.id | The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. | keyword |
This is the model_breach_alert
dataset.
An example event for model_breach_alert
looks as following:
{
"@timestamp": "2022-07-11T13:04:08.000Z",
"agent": {
"ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942",
"id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.2.1"
},
"darktrace": {
"model_breach_alert": {
"aianalyst_data": [
{
"related": [
1
],
"summariser": "BeaconSummary",
"uuid": "1234abcd-1234-1234-1234-123456abcdef"
}
],
"comment": {
"count": 0
},
"creation_time": "2022-07-11T13:04:19.000Z",
"device": {
"did": 3,
"first_seen": "2022-07-11T12:54:49.000Z",
"ip": "81.2.69.142",
"last_seen": "2022-07-11T13:00:18.000Z",
"sid": 1,
"type_label": "Desktop",
"type_name": "desktop"
},
"model": {
"actions": {
"is_alerting": true,
"is_breach": true,
"is_priority_set": false,
"is_tag_set": false,
"is_type_set": false,
"model": true
},
"active_times": {
"type": "exclusions",
"version": 2
},
"behaviour": "incdec1",
"category": "Informational",
"created": {
"by": "System"
},
"delay": 0,
"description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
"edited": {
"by": "System"
},
"in_compliance_behavior_category": false,
"interval": 10800,
"is_active": true,
"is_auto_suppress": true,
"is_auto_updatable": true,
"is_auto_update": true,
"is_sequenced": false,
"is_shared_endpoints": false,
"logic": {
"data_weighted_component_list": [
{
"cid": 2026,
"weight": 1
},
{
"cid": 2024,
"weight": 1
},
{
"cid": 2025,
"weight": -100
}
],
"target_score": 1,
"type": "weightedComponentList",
"version": 1
},
"modified": "2022-07-11T11:47:37.000Z",
"name": "Compromise::Beaconing Activity To External Rare",
"phid": 1072,
"pid": 156,
"priority": 2,
"tags": [
"AP: C2 Comms"
],
"throttle": 10800,
"uuid": "1234abcd-1234-1234-1234-123456abcdef",
"version": 23
},
"pbid": 1,
"score": 0.674,
"time": "2022-07-11T13:04:08.000Z",
"triggered_components": [
{
"cbid": 1,
"chid": 2113,
"cid": 2026,
"interval": 3600,
"logic": {
"data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}",
"version": "v0.1"
},
"metric": {
"label": "External Connections",
"mlid": 1,
"name": "externalconnections"
},
"size": 11,
"threshold": 10,
"time": "2022-07-11T13:04:08.000Z",
"triggered_filters": [
{
"arguments": {
"value": 60
},
"cfid": 23426,
"comparator_type": "\u003e",
"filter_type": "Beaconing score",
"id": "A",
"trigger": {
"value": "100"
}
},
{
"arguments": {
"value": 0
},
"cfid": 23427,
"comparator_type": "\u003e",
"filter_type": "Individual size up",
"id": "AA",
"trigger": {
"value": "4382"
}
},
{
"arguments": {
"value": 95
},
"cfid": 23428,
"comparator_type": "\u003e",
"filter_type": "Rare domain",
"id": "AB",
"trigger": {
"value": "100"
}
},
{
"arguments": {
"value": 1209600
},
"cfid": 23430,
"comparator_type": "\u003c",
"filter_type": "Age of destination",
"id": "AD",
"trigger": {
"value": "558"
}
},
{
"arguments": {
"value": 1209600
},
"cfid": 23431,
"comparator_type": "\u003c",
"filter_type": "Age of external hostname",
"id": "AE",
"trigger": {
"value": "558"
}
},
{
"arguments": {
"value": "examples"
},
"cfid": 23432,
"comparator_type": "does not match regular expression",
"filter_type": "Connection hostname",
"id": "AF",
"trigger": {
"value": "example.com"
}
},
{
"arguments": {
"value": "examples"
},
"cfid": 23433,
"comparator_type": "does not match regular expression",
"filter_type": "ASN",
"id": "AG",
"trigger": {
"value": "AS12345 LOCAL-02"
}
},
{
"arguments": {
"value": "5d41402abc4b2a76b9719d911017c592"
},
"cfid": 23434,
"comparator_type": "does not match",
"filter_type": "JA3 hash",
"id": "AH",
"trigger": {
"value": "5d41402abc4b2a76b9719d911017c592"
}
},
{
"arguments": {
"value": 95
},
"cfid": 23435,
"comparator_type": "\u003e",
"filter_type": "Rare external IP",
"id": "B",
"trigger": {
"value": "100"
}
},
{
"arguments": {
"value": "1003"
},
"cfid": 23436,
"comparator_type": "is not",
"filter_type": "Application protocol",
"id": "C",
"trigger": {
"value": "1004"
}
},
{
"arguments": {
"value": 53
},
"cfid": 23437,
"comparator_type": "!=",
"filter_type": "Destination port",
"id": "D",
"trigger": {
"value": "443"
}
},
{
"arguments": {
"value": "out"
},
"cfid": 23438,
"comparator_type": "is",
"filter_type": "Direction",
"id": "E",
"trigger": {
"value": "out"
}
},
{
"arguments": {
"value": 137
},
"cfid": 23439,
"comparator_type": "!=",
"filter_type": "Destination port",
"id": "H",
"trigger": {
"value": "443"
}
},
{
"arguments": {
"value": 161
},
"cfid": 23440,
"comparator_type": "!=",
"filter_type": "Destination port",
"id": "I",
"trigger": {
"value": "443"
}
},
{
"arguments": {
"value": "6"
},
"cfid": 23441,
"comparator_type": "is",
"filter_type": "Protocol",
"id": "J",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "Company"
},
"cfid": 23442,
"comparator_type": "does not contain",
"filter_type": "ASN",
"id": "K",
"trigger": {
"value": "AS12345 LOCAL-02"
}
},
{
"arguments": {
"value": "Company"
},
"cfid": 23443,
"comparator_type": "does not contain",
"filter_type": "ASN",
"id": "L",
"trigger": {
"value": "AS12345 LOCAL-02"
}
},
{
"arguments": {
"value": "13"
},
"cfid": 23444,
"comparator_type": "is not",
"filter_type": "Internal source device type",
"id": "M",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "5"
},
"cfid": 23445,
"comparator_type": "is not",
"filter_type": "Internal source device type",
"id": "N",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "9"
},
"cfid": 23446,
"comparator_type": "is not",
"filter_type": "Internal source device type",
"id": "O",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "12"
},
"cfid": 23447,
"comparator_type": "is not",
"filter_type": "Internal source device type",
"id": "P",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "30"
},
"cfid": 23448,
"comparator_type": "is not",
"filter_type": "Internal source device type",
"id": "S",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "4"
},
"cfid": 23449,
"comparator_type": "is not",
"filter_type": "Internal source device type",
"id": "U",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "3"
},
"cfid": 23450,
"comparator_type": "is not",
"filter_type": "Internal source device type",
"id": "V",
"trigger": {
"value": "6"
}
},
{
"arguments": {
"value": "false"
},
"cfid": 23451,
"comparator_type": "is",
"filter_type": "Trusted hostname",
"id": "X",
"trigger": {
"value": "false"
}
},
{
"arguments": {
"value": 26
},
"cfid": 23452,
"comparator_type": "does not have tag",
"filter_type": "Tagged internal source",
"id": "Y",
"trigger": {
"tag": {
"data": {
"auto": false,
"color": 5,
"visibility": "Public"
},
"expiry": 0,
"is_referenced": true,
"name": "No Device Tracking",
"restricted": false,
"thid": 26,
"tid": 26
},
"value": "26"
}
},
{
"arguments": {
"value": 0
},
"cfid": 23453,
"comparator_type": "\u003e",
"filter_type": "Individual size down",
"id": "Z",
"trigger": {
"value": "5862"
}
},
{
"cfid": 23454,
"comparator_type": "display",
"filter_type": "JA3 hash",
"id": "d1",
"trigger": {
"value": "5d41402abc4b2a76b9719d911017c592"
}
},
{
"cfid": 23455,
"comparator_type": "display",
"filter_type": "ASN",
"id": "d2",
"trigger": {
"value": "AS12345 LOCAL-02"
}
},
{
"cfid": 23456,
"comparator_type": "display",
"filter_type": "Destination IP",
"id": "d3",
"trigger": {
"value": "81.2.69.192"
}
},
{
"cfid": 23457,
"comparator_type": "display",
"filter_type": "Connection hostname",
"id": "d4",
"trigger": {
"value": "example.com"
}
}
]
}
]
}
},
"data_stream": {
"dataset": "darktrace.model_breach_alert",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
"snapshot": false,
"version": "8.2.1"
},
"event": {
"agent_id_status": "verified",
"category": [
"network"
],
"created": "2022-07-11T13:04:19.000Z",
"dataset": "darktrace.model_breach_alert",
"ingested": "2022-09-30T11:39:13Z",
"kind": "event",
"original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
"risk_score": 0.674,
"risk_score_norm": 67.4,
"severity": 2,
"start": [
"2022-07-11T13:04:08.000Z"
],
"type": [
"info",
"connection"
]
},
"host": {
"id": "3",
"ip": [
"81.2.69.142"
],
"type": "desktop"
},
"input": {
"type": "udp"
},
"log": {
"source": {
"address": "192.168.128.5:60206"
},
"syslog": {
"facility": {
"code": 20,
"name": "local4"
},
"hostname": "example.cloud.darktrace.com",
"priority": 165,
"severity": {
"code": 5,
"name": "Notice"
},
"version": "1"
}
},
"related": {
"ip": [
"81.2.69.142"
],
"user": [
"System"
]
},
"rule": {
"author": "System",
"category": "Informational",
"description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
"name": "Compromise::Beaconing Activity To External Rare",
"ruleset": [
"AP: C2 Comms"
],
"uuid": "1234abcd-1234-1234-1234-123456abcdef",
"version": "23"
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"darktrace-model_breach_alert"
]
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
cloud.availability_zone | Availability zone in which this host is running. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
cloud.instance.id | Instance ID of the host machine. | keyword |
cloud.instance.name | Instance name of the host machine. | keyword |
cloud.machine.type | Machine type of the host machine. | keyword |
cloud.project.id | Name of the project in Google Cloud. | keyword |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
cloud.region | Region in which this host is running. | keyword |
container.id | Unique container id. | keyword |
container.image.name | Name of the image the container was built on. | keyword |
container.labels | Image labels. | object |
container.name | Container name. | keyword |
darktrace.model_breach_alert.aianalyst_data.related | long | |
darktrace.model_breach_alert.aianalyst_data.summariser | keyword | |
darktrace.model_breach_alert.aianalyst_data.uuid | keyword | |
darktrace.model_breach_alert.breach_url.domain | keyword | |
darktrace.model_breach_alert.breach_url.extension | keyword | |
darktrace.model_breach_alert.breach_url.fragment | keyword | |
darktrace.model_breach_alert.breach_url.full | keyword | |
darktrace.model_breach_alert.breach_url.original | keyword | |
darktrace.model_breach_alert.breach_url.password | keyword | |
darktrace.model_breach_alert.breach_url.path | keyword | |
darktrace.model_breach_alert.breach_url.port | long | |
darktrace.model_breach_alert.breach_url.query | keyword | |
darktrace.model_breach_alert.breach_url.scheme | keyword | |
darktrace.model_breach_alert.breach_url.username | keyword | |
darktrace.model_breach_alert.comment.count | The number of comments made against this breach. | long |
darktrace.model_breach_alert.creation_time | The timestamp that the record of the breach was created. This is distinct from the “time” field. | date |
darktrace.model_breach_alert.device.credentials | keyword | |
darktrace.model_breach_alert.device.did | The “device id”, a unique identifier. | long |
darktrace.model_breach_alert.device.first_seen | The first time the device was seen on the network. | date |
darktrace.model_breach_alert.device.hostname | The current device hostname. | keyword |
darktrace.model_breach_alert.device.ip | The current IP associated with the device. | keyword |
darktrace.model_breach_alert.device.ip6 | Current IPv6 address of this device if applicable, otherwise undefined. | keyword |
darktrace.model_breach_alert.device.ips.ip | A historic IP associated with the device. | keyword |
darktrace.model_breach_alert.device.ips.sid | The subnet id for the subnet the IP belongs to. | long |
darktrace.model_breach_alert.device.ips.time | The time the IP was last seen associated with that device in readable format. | date |
darktrace.model_breach_alert.device.ips.timems | The time the IP was last seen associated with that device in epoch time. | date |
darktrace.model_breach_alert.device.last_seen | The last time the device was seen on the network. | date |
darktrace.model_breach_alert.device.mac_address | The current MAC address associated with the device. | keyword |
darktrace.model_breach_alert.device.sid | The subnet id for the subnet the device is currently located in. | long |
darktrace.model_breach_alert.device.tags.data.auto | boolean | |
darktrace.model_breach_alert.device.tags.data.color | long | |
darktrace.model_breach_alert.device.tags.data.description | keyword | |
darktrace.model_breach_alert.device.tags.data.visibility | keyword | |
darktrace.model_breach_alert.device.tags.expiry | long | |
darktrace.model_breach_alert.device.tags.is_referenced | boolean | |
darktrace.model_breach_alert.device.tags.name | keyword | |
darktrace.model_breach_alert.device.tags.restricted | boolean | |
darktrace.model_breach_alert.device.tags.thid | long | |
darktrace.model_breach_alert.device.tags.tid | long | |
darktrace.model_breach_alert.device.type_label | The device type in readable format. | keyword |
darktrace.model_breach_alert.device.type_name | The device type in system format. | keyword |
darktrace.model_breach_alert.device.vendor | The vendor of the device network card as derived by Darktrace from the MAC address. | keyword |
darktrace.model_breach_alert.device_score | double | |
darktrace.model_breach_alert.is_acknowledged | boolean | |
darktrace.model_breach_alert.mitre_techniques.id | keyword | |
darktrace.model_breach_alert.mitre_techniques.name | keyword | |
darktrace.model_breach_alert.model.actions.antigena.action | The action to be performed. | keyword |
darktrace.model_breach_alert.model.actions.antigena.duration | The duration in seconds that the antigena action should last for. | long |
darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator | Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode. | boolean |
darktrace.model_breach_alert.model.actions.antigena.threshold | The breach score threshold (out of 100) over which antigena will take an action. | long |
darktrace.model_breach_alert.model.actions.is_alerting | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean |
darktrace.model_breach_alert.model.actions.is_breach | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean |
darktrace.model_breach_alert.model.actions.is_priority_set | If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean. | boolean |
darktrace.model_breach_alert.model.actions.is_tag_set | If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean. | boolean |
darktrace.model_breach_alert.model.actions.is_type_set | If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean. | boolean |
darktrace.model_breach_alert.model.actions.model | If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray. | boolean |
darktrace.model_breach_alert.model.active_times.devices | The device ids for devices on the list. | flattened |
darktrace.model_breach_alert.model.active_times.tags | A system field. | flattened |
darktrace.model_breach_alert.model.active_times.type | The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist. | keyword |
darktrace.model_breach_alert.model.active_times.version | A system field. | long |
darktrace.model_breach_alert.model.behaviour | The score modulation function as set in the model editor. | keyword |
darktrace.model_breach_alert.model.category | The behavior category of the model that was breached. | keyword |
darktrace.model_breach_alert.model.created.by | Username that created the model. | keyword |
darktrace.model_breach_alert.model.defeats.arguments.value | The value(s) that must match for the defeat to take effect. | keyword |
darktrace.model_breach_alert.model.defeats.comparator | The comparator that the value is compared against the create the defeat. | keyword |
darktrace.model_breach_alert.model.defeats.filtertype | The filter the defeat is made from. | keyword |
darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. | long |
darktrace.model_breach_alert.model.delay | Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. | long |
darktrace.model_breach_alert.model.description | The optional description of the model. | keyword |
darktrace.model_breach_alert.model.edited.by | Username that last edited the model. | keyword |
darktrace.model_breach_alert.model.edited.userid | long | |
darktrace.model_breach_alert.model.in_compliance_behavior_category | Whether the model is in the compliance behavior category. | boolean |
darktrace.model_breach_alert.model.interval | Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached. | long |
darktrace.model_breach_alert.model.is_active | Whether the model is enabled or disabled. | boolean |
darktrace.model_breach_alert.model.is_auto_suppress | Whether the model will automatically be suppressed in the case of over-breaching. | boolean |
darktrace.model_breach_alert.model.is_auto_updatable | Whether the model is suitable for auto update. | boolean |
darktrace.model_breach_alert.model.is_auto_update | Whether the model is enabled for auto update. | boolean |
darktrace.model_breach_alert.model.is_sequenced | Whether the components are required to fire in the specified order for the model breach to occur. | boolean |
darktrace.model_breach_alert.model.is_shared_endpoints | For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire. | boolean |
darktrace.model_breach_alert.model.logic.data_component_list | This will be a list of component ID numbers. | long |
darktrace.model_breach_alert.model.logic.data_weighted_component_list.cid | long | |
darktrace.model_breach_alert.model.logic.data_weighted_component_list.weight | long | |
darktrace.model_breach_alert.model.logic.target_score | long | |
darktrace.model_breach_alert.model.logic.type | The type of model. | keyword |
darktrace.model_breach_alert.model.logic.version | A number representing the version of model logic. | long |
darktrace.model_breach_alert.model.modified | Timestamp at which the model was last modified, in a readable format. | date |
darktrace.model_breach_alert.model.name | Name of the model that was breached. | keyword |
darktrace.model_breach_alert.model.phid | The model “policy history” id. Increments when the model is modified. | long |
darktrace.model_breach_alert.model.pid | The “policy id” of the model that was breached. | long |
darktrace.model_breach_alert.model.priority | The model’s priority affects the strength with which it breaches (0-5 scale). | long |
darktrace.model_breach_alert.model.tags | A list of tags that have been applied to this model in the Threat Visualizer model editor. | keyword |
darktrace.model_breach_alert.model.throttle | For an individual device, this is the value in seconds for which this model will not fire again. | long |
darktrace.model_breach_alert.model.uuid | A unique ID that is generated on creation of the model. | keyword |
darktrace.model_breach_alert.model.version | The version of the model. Increments on each edit. | long |
darktrace.model_breach_alert.pb_score | The model breach score, represented by a value between 0 and 1. | double |
darktrace.model_breach_alert.pbid | The “policy breach ID” of the model breach. | long |
darktrace.model_breach_alert.score | The model breach score, represented by a value between 0 and 1. | double |
darktrace.model_breach_alert.time | The timestamp when the record was created in epoch time. | date |
darktrace.model_breach_alert.triggered_components.cbid | The “component breach id”. A unique identifier for the component breach. | long |
darktrace.model_breach_alert.triggered_components.chid | The “component history id”. Increments when the component is edited. | long |
darktrace.model_breach_alert.triggered_components.cid | The “component id”. A unique identifier. | long |
darktrace.model_breach_alert.triggered_components.interval | The timeframe in seconds within which the threshold must be satisfied. | long |
darktrace.model_breach_alert.triggered_components.logic.data | It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters. | text |
darktrace.model_breach_alert.triggered_components.logic.version | The version of the component logic. | keyword |
darktrace.model_breach_alert.triggered_components.metric.label | The metric which data is returned for in readable format. | keyword |
darktrace.model_breach_alert.triggered_components.metric.mlid | The “metric logic” id - unique identifier. | long |
darktrace.model_breach_alert.triggered_components.metric.name | The metric which data is returned for in system format. | keyword |
darktrace.model_breach_alert.triggered_components.size | The size of the value that was compared in the component. | long |
darktrace.model_breach_alert.triggered_components.threshold | The threshold value that the size must exceed for the component to breach. | long |
darktrace.model_breach_alert.triggered_components.time | A timestamp in Epoch time at which the components were triggered. | date |
darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value | The value the filtertype should be compared against (using the specified comparator) to create the filter. | keyword |
darktrace.model_breach_alert.triggered_components.triggered_filters.cfid | The ‘component filter id’. A unique identifier for the filter as part of a the component. | long |
darktrace.model_breach_alert.triggered_components.triggered_filters.comparator_type | The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint. | keyword |
darktrace.model_breach_alert.triggered_components.triggered_filters.filter_type | The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint. | keyword |
darktrace.model_breach_alert.triggered_components.triggered_filters.id | A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral. | keyword |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.auto | boolean | |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.color | long | |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.description | keyword | |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.visibility | keyword | |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.expiry | nan | long |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.isReferenced | nan | boolean |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.name | nan | keyword |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.restricted | nan | boolean |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.thid | nan | long |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.tid | nan | long |
darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.value | The actual value that triggered the filter. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
event.action | The action captured by the event. This describes the information in the event. It is more specific than event.category . Examples are group-add , process-started , file-created . The value is normally defined by the implementer. | keyword |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type , which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
event.dataset | Event dataset. | constant_keyword |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
event.module | Event module. | constant_keyword |
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source . If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference . | keyword |
event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float |
event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in log.syslog.severity.code . event.severity is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the log.syslog.severity.code to event.severity . | long |
event.start | event.start contains the date when the event started or when the activity was first observed. | date |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert , are a common use case for this field. | keyword |
host.architecture | Operating system architecture. | keyword |
host.containerized | If the host is a container. | boolean |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword |
host.ip | Host ip addresses. | ip |
host.mac | Host mac addresses. | keyword |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
host.os.kernel | Operating system kernel version as a raw string. | keyword |
host.os.name | Operating system name, without the version. | keyword |
host.os.name.text | Multi-field of host.os.name . | text |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
host.os.version | Operating system version as a raw string. | keyword |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
log.source.address | Source address from which the log event was read / sent from. | keyword |
log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword |
log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity . If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity . | long |
log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level . If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level . | keyword |
log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword |
related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
related.ip | All of the IPs seen on your event. | ip |
related.user | All the user names or other user identifiers seen on the event. | keyword |
rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword |
rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword |
rule.description | The description of the rule generating the event. | keyword |
rule.name | The name of the rule or signature generating the event. | keyword |
rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword |
rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword |
rule.version | The version / revision of the rule being used for analysis. | keyword |
tags | List of keywords used to tag each event. | keyword |
threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
threat.technique.name | The name of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword |
threat.technique.name.text | Multi-field of threat.technique.name . | match_only_text |
This is the system_status_alert
dataset.
An example event for system_status_alert
looks as following:
{
"@timestamp": "2021-04-18T15:44:11.000Z",
"agent": {
"ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2",
"id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.2.1"
},
"darktrace": {
"system_status_alert": {
"alert_name": "Advanced Search",
"child_id": 1,
"hostname": "example-vsensor",
"ip_address": "175.16.199.1",
"last_updated": "2021-04-18T15:44:11.000Z",
"last_updated_status": "2021-04-18T15:44:11.000Z",
"message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
"name": "advanced_search",
"priority": 43,
"priority_level": "medium",
"status": "active",
"uuid": "abcdabcd-1234-1234-1234-3abababcdcd3"
}
},
"data_stream": {
"dataset": "darktrace.system_status_alert",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.7.0"
},
"elastic_agent": {
"id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
"snapshot": false,
"version": "8.2.1"
},
"event": {
"agent_id_status": "verified",
"dataset": "darktrace.system_status_alert",
"id": "abcdabcd-1234-1234-1234-3abababcdcd3",
"ingested": "2022-09-30T11:41:35Z",
"kind": "alert",
"original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}",
"reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
"risk_score": 43,
"risk_score_norm": 43,
"type": [
"info"
]
},
"host": {
"hostname": "example-vsensor",
"ip": "175.16.199.1"
},
"input": {
"type": "udp"
},
"log": {
"source": {
"address": "192.168.128.5:36197"
},
"syslog": {
"facility": {
"code": 20,
"name": "local4"
},
"hostname": "example.cloud.darktrace.com",
"priority": 165,
"severity": {
"code": 5,
"name": "Notice"
},
"version": "1"
}
},
"related": {
"hosts": [
"example-vsensor"
],
"ip": [
"175.16.199.1"
]
},
"tags": [
"preserve_original_event",
"preserve_duplicate_custom_fields",
"forwarded",
"darktrace-system_status_alert"
]
}
Exported fields
Field | Description | Type |
---|---|---|
@timestamp | Event timestamp. | date |
cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
cloud.availability_zone | Availability zone in which this host is running. | keyword |
cloud.image.id | Image ID for the cloud instance. | keyword |
cloud.instance.id | Instance ID of the host machine. | keyword |
cloud.instance.name | Instance name of the host machine. | keyword |
cloud.machine.type | Machine type of the host machine. | keyword |
cloud.project.id | Name of the project in Google Cloud. | keyword |
cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
cloud.region | Region in which this host is running. | keyword |
container.id | Unique container id. | keyword |
container.image.name | Name of the image the container was built on. | keyword |
container.labels | Image labels. | object |
container.name | Container name. | keyword |
darktrace.system_status_alert.acknowledge_timeout | When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases. | keyword |
darktrace.system_status_alert.alert_name | A human readable name of the alert type. | keyword |
darktrace.system_status_alert.child_id | For probes (physical or virtual), the unique ID associated with the probe. | long |
darktrace.system_status_alert.hostname | The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected. | keyword |
darktrace.system_status_alert.ip_address | The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected. | keyword |
darktrace.system_status_alert.last_updated | A timestamp in epoch time that the system alert itself was updated. | date |
darktrace.system_status_alert.last_updated_status | A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself. | date |
darktrace.system_status_alert.message | A textual description of the system event that has triggered the alert. | keyword |
darktrace.system_status_alert.name | A system name of the alert type. | keyword |
darktrace.system_status_alert.priority | The numeric criticality associated with the alert. | double |
darktrace.system_status_alert.priority_level | The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical. | keyword |
darktrace.system_status_alert.status | The current status of the alert. Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. Alerts will only be sent when alert enters the “active” or “resolved” state. | keyword |
darktrace.system_status_alert.url.domain | keyword | |
darktrace.system_status_alert.url.extension | keyword | |
darktrace.system_status_alert.url.fragment | keyword | |
darktrace.system_status_alert.url.full | keyword | |
darktrace.system_status_alert.url.original | keyword | |
darktrace.system_status_alert.url.password | keyword | |
darktrace.system_status_alert.url.path | keyword | |
darktrace.system_status_alert.url.port | long | |
darktrace.system_status_alert.url.query | keyword | |
darktrace.system_status_alert.url.scheme | keyword | |
darktrace.system_status_alert.url.username | keyword | |
darktrace.system_status_alert.uuid | A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts. | keyword |
data_stream.dataset | Data stream dataset. | constant_keyword |
data_stream.namespace | Data stream namespace. | constant_keyword |
data_stream.type | Data stream type. | constant_keyword |
ecs.version | ECS version this event conforms to. ecs.version is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword |
event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. event.category represents the "big buckets" of ECS categories. For example, filtering on event.category:process yields all events relating to process activity. This field is closely related to event.type , which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword |
event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date |
event.dataset | Event dataset. | constant_keyword |
event.id | Unique ID to describe the event. | keyword |
event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. event.kind gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword |
event.module | Event module. | constant_keyword |
event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from _source . If users wish to override this and index this field, please see Field data types in the Elasticsearch Reference . | keyword |
event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where event.action captures the action from the event, event.reason describes why that action was taken. For example, a web proxy with an event.action which denied the request may also populate event.reason with the reason why (e.g. blocked site ). | keyword |
event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float |
event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float |
event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. event.type represents a categorization "sub-bucket" that, when used along with the event.category field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword |
event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by event.kind:alert , are a common use case for this field. | keyword |
host.architecture | Operating system architecture. | keyword |
host.containerized | If the host is a container. | boolean |
host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword |
host.hostname | Hostname of the host. It normally contains what the hostname command returns on the host machine. | keyword |
host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of beat.name . | keyword |
host.ip | Host ip addresses. | ip |
host.mac | Host mac addresses. | keyword |
host.name | Name of the host. It can contain what hostname returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
host.os.build | OS build information. | keyword |
host.os.codename | OS codename, if any. | keyword |
host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword |
host.os.kernel | Operating system kernel version as a raw string. | keyword |
host.os.name | Operating system name, without the version. | keyword |
host.os.name.text | Multi-field of host.os.name . | text |
host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword |
host.os.version | Operating system version as a raw string. | keyword |
host.type | Type of host. For Cloud providers this can be the machine type like t2.medium . If vm, this could be the container, for example, or other information meaningful in your environment. | keyword |
input.type | Input type | keyword |
log.offset | Log offset | long |
log.source.address | Source address from which the log event was read / sent from. | keyword |
log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword |
log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long |
log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword |
log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword |
log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 * facility + severity. This number is therefore expected to contain a value between 0 and 191. | long |
log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to event.severity . If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to event.severity . | long |
log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to log.level . If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to log.level . | keyword |
log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword |
related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword |
related.ip | All of the IPs seen on your event. | ip |
tags | List of keywords used to tag each event. | keyword |
Version | Details |
---|---|
1.1.0 | Enhancement View pull request Update package to ECS 8.7.0. |
1.0.0 | Enhancement View pull request Release Darktrace as GA. |
0.3.1 | Enhancement View pull request Added categories and/or subcategories. |
0.3.0 | Enhancement View pull request Update package to ECS 8.6.0. |
0.2.0 | Enhancement View pull request Update package to ECS 8.5.0. |
0.1.2 | Bug fix View pull request Remove duplicate fields. |
0.1.1 | Bug fix View pull request Fix documentation |
0.1.0 | Enhancement View pull request Initial Release. |