Darktrace is a network traffic analyzing tool that delivers notification events to downstream systems. With Third Party Alert event sources in InsightIDR, you can configure your Collector to capture these notification events and generate InsightIDR investigations around them.

To configure Darktrace as an event source, you'll need to:

  1. Configure syslog forwarding in Darktrace.
  2. Configure the event source in InsightIDR.
  3. Test the configuration.

Configure Syslog Forwarding in Darktrace

Before InsightIDR can start ingesting data from Darktrace, a Darktrace administrator with UI access must configure Darktrace to send syslog to the InsightIDR Collector.

To configure syslog forwarding in Darktrace:

  1. Log in to the Darktrace interface.
  2. Within the Threat Visualizer, navigate to Admin > System Config.
  3. From the left-hand menu, select Modules and choose Syslog from the available Workflow Integrations.
  4. In the configuration window, select the relevant form of Syslog - here, it's Syslog JSON - and click New to open the configuration settings.
  5. Set the JSON Syslog Alerts field to true.
  6. In the JSON Syslog Server field, specify the IP address of the InsightIDR Collector.
  7. In the JSON Syslog Server Port field, specify a unique port over 1024 that you will use with the InsightIDR event source.
  8. Set the JSON Syslog TCP Alerts field to true.

Darktrace will automatically save your changes.

How to Configure This Event Source

  1. From your InsightIDR dashboard, select Data Collection on the left menu.
  2. On the Data Collection screen, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the Third Party Alerts section, click the Darktrace icon. The Add Event Source panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally, send unparsed logs.
  6. Enter the port you chose in the Darktrace interface.
  7. Select TCP as your protocol.
  8. Click the Save button.

Test the Configuration

After you configure the InsightIDR event source, you can send a test alert from Darktrace to InsightIDR to verify everything is working properly.

To send a test alert:

  1. Return to the Darktrace user interface.
  2. Expand the top left menu and select Admin. A second menu appears.
  3. Select the System Config page.
  4. In the Alerting section, click the Verify Alert Settings button.

You will see a message that reads “1 Alert Sent. IMAP settings valid.”

In InsightIDR, your logs should look similar to the following: