Darktrace

Darktrace is a network traffic analysis tool that delivers notification events to downstream systems. With Third Party Alert event sources in InsightIDR, you can configure your Collector to capture these notification events and generate InsightIDR investigations around them.

To configure Darktrace as an event source, you'll need to:

  1. Configure syslog forwarding in Darktrace.
  2. Configure the event source in InsightIDR.
  3. Test the configuration.

Configure Syslog Forwarding in Darktrace

Before InsightIDR can start ingesting data from Darktrace, a Darktrace administrator with UI access must configure Darktrace to send syslog to the InsightIDR Collector.

To configure syslog forwarding in Darktrace:

  1. Log in to the Darktrace interface.
  2. Within the Threat Visualizer, navigate to Admin > System Config.
  3. From the left-hand menu, select Modules and choose Syslog from the available Workflow Integrations.
  4. In the configuration window, select the relevant form of Syslog - here, it's Syslog JSON - and click New to open the configuration settings.
  5. Set the JSON Syslog Alerts field to true.
  6. In the JSON Syslog Server field, specify the IP address of the InsightIDR Collector.
  7. In the JSON Syslog Server Port field, specify a unique port over 1024 that you will use with the InsightIDR event source.
  8. Set the JSON Syslog TCP Alerts field to true.

Darktrace will automatically save your changes.

Configure InsightIDR to collect data from the event source

After you complete the prerequisite steps and configure the event source to send data, you must add the event source in InsightIDR.

To configure the new event source in InsightIDR:

  1. From the left menu, go to Data Collection and click Setup Event Source > Add Event Source.
  2. Do one of the following:
    • Search for Darktrace in the event sources search bar.
    • In the Product Type filter, select Third Party Alerts.
  3. Select the Darktrace event source tile.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally, send unparsed logs.
  6. Enter the port you chose in the Darktrace interface.
  7. Select TCP as your protocol.
  8. Click the Save button.

Test the Configuration

After you configure the InsightIDR event source, you can send a test alert from Darktrace to InsightIDR to verify everything is working properly.

To send a test alert:

  1. Return to the Darktrace user interface.
  2. Expand the top left menu and select Admin. A second menu appears.
  3. Select the System Config page.
  4. In the Alerting section, click the Verify Alert Settings button.

You will see a message that reads “1 Alert Sent. IMAP settings valid.”

In InsightIDR, your logs should look similar to the following:

How InsightIDR Determines Priority

In InsightIDR, Darktrace events can generate alerts, which have a priority level. Depending on the detection rule configuration, the investigations created from these alerts will also inherit that priority level. The priority is determined using the Category, Score or Priority values.

A log’s Category can either be Informational or Suspicious. Alerts are never raised for Informational logs as they are less likely to represent a legitimate threat. We also do not raise alerts for any threats that contain information regarding Antigena Response because they can potentially raise numerous alerts, making the environment noisy. Learn more about these types of alerts here: https://bluekarmasecurity.net/partners/darktrace/.

Alerts are always raised for Suspicious logs. If the Score field value is present we use it to determine the priority. The values range from 0 to 1 and are mapped like this:

  • 0.8 to 1 is high priority.
  • 0.5 to 0.79 is medium priority.
  • 0 to 0.49 is low priority.

If the Score field value isn’t present, we use the Priority field value instead. The values range from 0 to 5 and are mapped like this:

  • 3 to 5 is high priority.
  • 1 to 3 is medium priority.
  • 0 to 1 is low priority.
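The priority rules above, applied to constructed JSON syslog lines, as an added example (not code from the InsightIDR or Darktrace documentation). The field names `category`, `score`, `priority` and `model`, the handling of a log with neither Score nor Priority, and the tie-break where the documented Priority bands share an end point (1 and 3) are assumptions.

```python
import json
from typing import Optional

# Constructed sample lines, not captured from a real Darktrace appliance.
# Field names (model, category, score, priority) are assumptions.
SAMPLE_LINES = [
    '{"model": "Anomalous Connection / Data Sent to Rare Domain", "category": "Suspicious", "score": 0.83}',
    '{"model": "Device / New User Agent", "category": "Informational", "score": 0.9}',
    '{"model": "Antigena Response / Block Connections", "category": "Suspicious", "score": 0.95}',
    '{"model": "Compromise / Beaconing", "category": "Suspicious", "priority": 2}',
    '{"model": "Unusual Activity / Internal Scan", "category": "Suspicious", "priority": 0.5}',
]


def score_to_priority(score: float) -> str:
    """Map the 0..1 Score field: 0.8-1 high, 0.5-0.79 medium, 0-0.49 low."""
    if score >= 0.8:
        return "high"
    if score >= 0.5:
        return "medium"
    return "low"


def priority_field_to_priority(priority: float) -> str:
    """Map the 0..5 Priority field: 3-5 high, 1-3 medium, 0-1 low.
    The documented bands share their end points; here the higher band
    wins at a shared end point (assumption, not stated on the page)."""
    if priority >= 3:
        return "high"
    if priority >= 1:
        return "medium"
    return "low"


def alert_priority(line: str) -> Optional[str]:
    """Return the alert priority for one JSON syslog line, or None when
    no alert is raised (Informational category or an Antigena Response log)."""
    event = json.loads(line)
    if event.get("category") != "Suspicious":
        return None  # Informational logs never raise alerts
    if "Antigena Response" in str(event.get("model", "")):
        return None  # suppressed so response events do not flood investigations
    if event.get("score") is not None:
        return score_to_priority(float(event["score"]))  # Score wins when present
    if event.get("priority") is not None:
        return priority_field_to_priority(float(event["priority"]))
    # Assumption: the page does not define a Suspicious log with neither field.
    raise ValueError("Suspicious log carries neither Score nor Priority")
```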