Darktrace

Darktrace is a network traffic analysis tool that delivers notification events to downstream systems. With Third Party Alert event sources in InsightIDR, you can configure your Collector to capture these notification events over syslog and generate InsightIDR investigations around them.

Before You Begin

You must configure Darktrace to send syslog to the InsightIDR Collector. You must be a Darktrace administrator with access to the user interface, and the Collector must be reachable from the Darktrace appliance on the TCP port you choose below (check any firewalls between them).

To configure syslog forwarding for Darktrace:

  1. Log in to the Darktrace interface.
  2. Expand the top left menu and select Admin. A second menu appears.
  3. Select the System Config page.
  4. In the “Alerting” section, click the Verify Alert Settings button.
  5. In “JSON Syslog Alerts,” set the field to True.
  6. Set the syslog server to the IP address of the InsightIDR Collector.
  7. Set a unique port above 1024 that you will use with the InsightIDR event source. Do not reuse a port that another event source on the same Collector already listens on.
  8. Set “JSON Syslog TCP Alerts” to True.

Darktrace will automatically save your changes.
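Before the InsightIDR event source claims the port, it is worth confirming that a newline-framed JSON syslog message actually arrives on the Collector host over TCP. The script below is an added example, not Rapid7 or Darktrace code: it is a minimal TCP syslog receiver that frames on newlines, strips the syslog PRI header, and parses the JSON body, plus a sender that pushes a constructed test alert. The sample alert, its field names and the hostname are made up for the example; real Darktrace JSON alerts carry different fields.

```python
"""Minimal TCP syslog receiver/sender for checking the Darktrace -> Collector path.

Added example, not part of the Rapid7 or Darktrace documentation. Run it on the
Collector host BEFORE creating the InsightIDR event source (the Collector needs
the port afterwards), or point it at a spare port during troubleshooting.
"""
import json
import socket
import threading

# Constructed sample alert (assumption): PRI header, RFC 5424-style fields,
# then a JSON body, terminated by a newline as TCP syslog streams usually are.
SAMPLE_ALERT = (
    '<134>1 2024-01-01T00:00:00Z darktrace-host darktrace - - - '
    '{"model": "Example::Test", "score": 0.42, "device": "10.0.0.5"}\n'
)


def parse_syslog_json(line):
    """Split one syslog line into (priority, header, json_payload).

    The JSON body is taken from the first '{' onwards, so the header format
    (RFC 3164 or 5424) does not matter. Returns None if no JSON body parses.
    """
    line = line.strip()
    pri = None
    if line.startswith("<"):
        end = line.find(">")
        if end > 0 and line[1:end].isdigit():
            pri = int(line[1:end])
            line = line[end + 1:]
    start = line.find("{")
    if start < 0:
        return None
    try:
        payload = json.loads(line[start:])
    except json.JSONDecodeError:
        return None
    return pri, line[:start].strip(), payload


class SyslogReceiver:
    """Listens on one TCP port; port=0 lets the OS pick a free one."""

    def __init__(self, port=0, host="0.0.0.0"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.alerts = []

    def accept_one(self, timeout=10):
        """Handle one connection, reading newline-framed messages until the peer closes."""
        self.sock.settimeout(timeout)
        conn, _peer = self.sock.accept()
        with conn:
            conn.settimeout(timeout)
            buf = b""
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
                while b"\n" in buf:
                    line, buf = buf.split(b"\n", 1)
                    parsed = parse_syslog_json(line.decode("utf-8", "replace"))
                    if parsed:
                        self.alerts.append(parsed)
            # A final line without a trailing newline still counts as a message.
            if buf.strip():
                parsed = parse_syslog_json(buf.decode("utf-8", "replace"))
                if parsed:
                    self.alerts.append(parsed)
        self.sock.close()
        return self.alerts


def send_test_alert(host, port, message=SAMPLE_ALERT):
    """Send one newline-framed alert over TCP, as a JSON syslog TCP sender would."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(message.encode("utf-8"))


def loopback_check():
    """Self-test on 127.0.0.1: returns the list of (pri, header, payload) received."""
    rx = SyslogReceiver()
    t = threading.Thread(target=rx.accept_one)
    t.start()
    send_test_alert("127.0.0.1", rx.port)
    t.join()
    return rx.alerts


if __name__ == "__main__":
    for pri, header, payload in loopback_check():
        print(pri, header, payload)
```

To test the real path, start `SyslogReceiver(port=<your port>).accept_one()` on the Collector host, click Verify Alert Settings in Darktrace, and check that a parsed alert appears; if nothing arrives, the problem is network reachability or the Darktrace settings, not InsightIDR. Stop the script before saving the event source, or the Collector cannot bind the port.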

How to Configure This Event Source

  1. From your dashboard, select Data Collection on the left hand menu.
  2. When the Data Collection page appears, click the Setup Event Source dropdown and choose Add Event Source.
  3. From the “Third Party Alerts” section, click the Darktrace icon. The “Add Event Source” panel appears.
  4. Choose your collector and event source. You can also name your event source if you want.
  5. Optionally choose to send unfiltered logs.
  6. Enter the port you set in the Darktrace interface.
  7. Select TCP as your protocol, matching the “JSON Syslog TCP Alerts” setting in Darktrace.
  8. Click the Save button.

Verify the Configuration

After you configure the InsightIDR event source, you can send a test alert from Darktrace to InsightIDR to verify everything is working properly.

To send a test alert:

  1. Return to the Darktrace user interface.
  2. Expand the top left menu and select Admin. A second menu appears.
  3. Select the System Config page.
  4. In the “Alerting” section, click the Verify Alert Settings button.

You will see a message that reads “1 Alert Sent. IMAP settings valid.”

In InsightIDR, your logs should look similar to the following.