Skip to end of metadata
Go to start of metadata

You are viewing an old version of this content. View the current version.

Compare with Current View Version History

« Previous Version 3 Current »

Introduction

The tags beginning with ndr.darktrace identify events generated by Darktrace NDR.

Valid tags and data tables 

The full tag must have 4 levels. The first two are fixed as ndr.darktrace. The third level identifies the type of events sent. The fourth level indicates the event subtype.

These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

Darktrace NDR

ndr.darktrace.action.event

ndr.darktrace.action.event

ndr.darktrace.model_breach.event

ndr.darktrace.model_breach.event

ndr.darktrace.other.event

ndr.darktrace.other.event

ndr.darktrace.system.event

ndr.darktrace.system.event

ndr.darktrace.threat.event

ndr.darktrace.threat.event

For more information, read more About Devo tags.

How is the data sent to Devo?

Logs generated by Darktrace NDR may be sent to the Devo platform via the Devo Relay to secure communication. See the required relay rules below:

Rule for Darktrace Audit (threat) events

  • Source port - Any available port and the same port for all rules in this section.

  • Source data - darktrace_audit

  • Sent without syslog tag -

  • Target tag - ndr.darktrace.threat.event

  • Target message - \\D0

  • Stop processing -

Rule for Darktrace Alert (model_breach) events

  • Source port - Any available port and the same port for all rules in this section.

  • Source data - \"model\": ?\{

  • Sent without syslog tag -

  • Target tag - ndr.darktrace.model_breach.event

  • Target message - \\D0

  • Stop processing -

Rule for Darktrace Action events

  • Source port - Any available port and the same port for all rules in this section.

  • Source data - \"url\": ?\"https:\/\/.*\/#actions\/

  • Sent without syslog tag -

  • Target tag - ndr.darktrace.action.event

  • Target message - \\D0

  • Stop processing -

Rule for Darktrace System events

  • Source port - Any available port and the same port for all rules in this section.

  • Source data - \"url\": ?\"https:\/\/.*\/sysstatus

  • Sent without syslog tag -

  • Target tag - ndr.darktrace.system.event

  • Target message - \\D0

  • Stop processing -

Rule for Darktrace Others events

This is a sink rule to gather all events that do not match with any of the criteria above.

  • Source port - Any available port and the same port for all rules in this section.

  • Leave Source data empty

  • Sent without syslog tag -

  • Target tag - ndr.darktrace.other.event

  • Target message - \\D0

  • Stop processing -

Table structure

These are the fields displayed in these tables:

ndr.darktrace.action.event

Field

Type

Extra Label

eventdate

timestamp

machine

str

url

str

iris_event_type

str

code_uuid

str

code_id

str

action_family

str

action

str

username

str

reason

str

start

timestamp

end

timestamp

device_modeled_id

str

policy_breach_id

str

action_creator

str

model

str

inhibitor

str

device_ip

str

device_ipv4

ip4

device_ipv6

ip6

device_ips

str

device_subnet_id

str

device_first_seen

timestamp

device_last_seen

timestamp

device_os

str

device_ossource

str

device_typename

str

device_typelabel

str

hostchain

str

tag

str

rawMessage

str

ndr.darktrace.model_breach.event

Field

Type

Extra Label

eventdate

timestamp

machine

str

model_description

str

model_created_by

str

model_edited_by

str

model_name

str

model_priority

int4

model_policy_id

str

model_uuid

str

model_category

str

model_compliance

bool

model_policy_history_id

str

model_logic_data

str

model_logic_target_score

int4

model_logic_type

str

model_logic_version

int4

model_throttle

int4

model_shared_endpoints

bool

model_actions_alert

bool

model_actions_model

bool

model_actions_breach

bool

model_actions_set_tag

bool

model_actions_set_type

bool

model_actions_aianalyst_hypotheses

str

model_actions_set_priority

bool

model_tags

str

model_interval

int4

model_delay

int4

model_sequenced

bool

model_active

bool

model_modified

timestamp

model_active_times_type

str

model_active_times_version

int4

model_auto_updatable

bool

model_auto_update

bool

model_auto_suppress

bool

model_behaviour

str

model_defeats

str

model_version

int4

model_mitre_tactics

str

model_mitre_techniques

str

device_ip

str

device_ipv4

ip4

device_ipv6

ip6

device_hostname

str

device_mac_address

str

device_vendor

str

device_label

str

device_modeled_id

str

device_subnet_id

str

device_uuid

str

device_ips

str

device_first_seen

timestamp

device_last_seen

timestamp

device_os

str

device_os_source

str

device_type_name

str

device_type_label

str

device_tags

str

triggered_components

str

breach_url

str

policy_breach_id

str

score

str

creation_time

timestamp

time

timestamp

mitre_techniques

str

comment_count

int4

hostchain

str

tag

str

rawMessage

str

ndr.darktrace.other.event

Field

Type

Extra Label

Source field name

eventdate

timestamp

 

machine

str

 

message

str

rawMessage

hostchain

str

 

tag

str

 

rawMessage

str

 

ndr.darktrace.system.event

Field

Type

Extra Label

eventdate

timestamp

machine

str

hostname

str

label

str

address_ipv4

ip4

address_ipv6

ip6

address_ip

str

child_id

str

name

str

priority

int4

priority_level

str

alert_name

str

status

str

message

str

last_updated

timestamp

last_updated_status

timestamp

acknowledge_time

str

acknowledge_timeout

str

uuid

str

url

str

hostchain

str

tag

str

rawMessage

str

ndr.darktrace.threat.event

Field

Type

Extra Label

eventdate

timestamp

machine

str

username

str

method

str

endpoint

str

address_ip

str

address_ipv4

ip4

address_ipv6

ip6

status

int4

description

str

additional_info__details

str

additional_info__user

str

additional_info__changes__display__threat_tray_display_mode

str

hostchain

str

tag

str

rawMessage

str

  • No labels