ids.darktrace

Introduction

The tags beginning with ids.darktrace identify events generated by Darktrace.

Valid tags and data tables 

The full tag must have 3 levels. The first two are fixed as ids.darktrace. The third level identifies the type of events sent.

These are the valid tags and corresponding data tables that will receive the parsers' data:

| Product / Service  | Tags                  | Data tables           |
|--------------------|-----------------------|-----------------------|
| Darktrace platform | ids.darktrace.threats | ids.darktrace.threats |

For more information, see About Devo tags.

Table structure

These are the fields displayed in this table:

ids.darktrace.threats

| Field                               | Type      | Field transformation                 | Source field name | Extra fields |
|-------------------------------------|-----------|--------------------------------------|-------------------|--------------|
| eventdate                           | timestamp |                                      |                   |              |
| host                                | str       |                                      | vhost             |              |
| creationTime                        | int8      |                                      |                   |              |
| breachUrl                           | str       |                                      |                   |              |
| commentCount                        | int4      |                                      |                   |              |
| pbid                                | int4      |                                      |                   |              |
| time                                | int8      |                                      |                   |              |
| model_name                          | str       |                                      |                   |              |
| model_pid                           | int4      |                                      |                   |              |
| model_phid                          | int4      |                                      |                   |              |
| model_uuid                          | str       |                                      |                   |              |
| model_logic_data_str                | str       | stringify(json(model_logic_data))    | model_logic_data  |              |
| model_logic_type                    | str       |                                      |                   |              |
| model_logic_version                 | int4      |                                      |                   |              |
| model_throttle                      | int4      |                                      |                   |              |
| model_sharedEndpoints               | bool      |                                      |                   |              |
| model_actions_alert                 | bool      |                                      |                   |              |
| model_actions_breach                | bool      |                                      |                   |              |
| model_actions_model                 | bool      |                                      |                   |              |
| model_actions_setPriority           | bool      |                                      |                   |              |
| model_actions_setTag                | bool      |                                      |                   |              |
| model_actions_setType               | bool      |                                      |                   |              |
| model_tags_str                      | str       | join(model_tags, ",")                | model_tags        |              |
| model_interval                      | int4      |                                      |                   |              |
| model_sequenced                     | bool      |                                      |                   |              |
| model_active                        | bool      |                                      |                   |              |
| model_modified                      | str       |                                      |                   |              |
| model_activeTimes_type              | str       |                                      |                   |              |
| model_activeTimes_version           | int4      |                                      |                   |              |
| model_priority                      | int4      |                                      |                   |              |
| model_autoUpdate                    | bool      |                                      |                   |              |
| model_autoSuppress                  | bool      |                                      |                   |              |
| model_description                   | str       |                                      |                   |              |
| model_behaviour                     | str       |                                      |                   |              |
| model_created_by                    | str       |                                      |                   |              |
| model_edited_by                     | str       |                                      |                   |              |
| model_version                       | int4      |                                      |                   |              |
| score                               | float8    |                                      |                   |              |
| device_os                           | str       |                                      |                   |              |
| device_hostname                     | str       |                                      |                   |              |
| device_did                          | int4      |                                      |                   |              |
| device_ip                           | str       |                                      |                   |              |
| device_sid                          | int4      |                                      |                   |              |
| device_firstSeen                    | int8      |                                      |                   |              |
| device_lastSeen                     | int8      |                                      |                   |              |
| device_typename                     | str       |                                      |                   |              |
| device_typelabel                    | str       |                                      |                   |              |
| ips_ip_str                          | str       | join(ips_ip, ",")                    | ips_ip            |              |
| ips_timems_str                      | str       |                                      | ips_timems        |              |
| ips_time_str                        | str       |                                      | ips_time          |              |
| ips_sid_str                         | str       |                                      | ips_sid           |              |
| triggeredFilters_message            | str       |                                      |                   |              |
| triggeredFilters_sourcePort         | str       |                                      |                   |              |
| triggeredFilters_destinationIP      | str       |                                      |                   |              |
| triggeredFilters_destinationPort    | str       |                                      |                   |              |
| triggeredFilters_connectionHostname | str       |                                      |                   |              |
| triggeredFilters_uri                | str       |                                      |                   |              |
| triggeredFilters_httpMethod         | str       |                                      |                   |              |
| triggeredFilters_httpContentType    | str       |                                      |                   |              |
| triggeredFilters_userAgent          | str       |                                      |                   |              |
| triggeredFilters_dnsHostLooup       | str       |                                      |                   |              |
| hostchain                           | str       |                                      |                   | ✓            |
| tag                                 | str       |                                      |                   | ✓            |
| rawMessage                          | str       |                                      | rawSource         | ✓            |
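As an added illustration (not Devo's parser or Darktrace's code), the snippet below checks the 3-level tag rule from this page and builds a row shaped like the table above from a constructed breach event, applying the two listed transformations. It assumes that nested JSON keys map to the `<parent>_<child>` column names, that `stringify(json(x))` behaves like `json.dumps`, and that `join(x, ",")` is a comma join; the event itself is constructed sample data.

```python
import json

# Transformations listed in the table: target column <- (source field, function).
# json.dumps approximates stringify(json(x)); ",".join approximates join(x, ",").
TRANSFORMS = {
    "model_logic_data_str": ("model_logic_data", lambda v: json.dumps(v, sort_keys=True)),
    "model_tags_str": ("model_tags", lambda v: ",".join(v)),
    "ips_ip_str": ("ips_ip", lambda v: ",".join(v)),
}
KEEP_NESTED = {src for src, _ in TRANSFORMS.values()}

def validate_tag(tag):
    """True only for a 3-level tag whose first two levels are ids.darktrace."""
    parts = tag.split(".")
    return len(parts) == 3 and parts[:2] == ["ids", "darktrace"] and parts[2] != ""

def flatten(obj, prefix="", out=None):
    """Flatten nested dicts to '<parent>_<child>' keys (assumed mapping); keep transform sources whole."""
    out = {} if out is None else out
    for key, value in obj.items():
        name = f"{prefix}_{key}" if prefix else key
        if isinstance(value, dict) and name not in KEEP_NESTED:
            flatten(value, name, out)
        else:
            out[name] = value
    return out

def to_table_row(event):
    """Build an ids.darktrace.threats-style row from one breach event dict."""
    row = flatten(event)
    for target, (source, fn) in TRANSFORMS.items():
        if source in row:
            row[target] = fn(row.pop(source))  # derived column replaces its source field
    return row

# Constructed sample shaped like a Darktrace model-breach event (not real data).
SAMPLE_EVENT = {
    "creationTime": 1700000000000, "time": 1700000000000, "pbid": 12345,
    "commentCount": 0, "score": 0.87,
    "model": {
        "name": "Anomalous Connection::Example Model", "pid": 42,
        "logic": {"data": {"weight": 1, "type": "componentList"}, "type": "componentList", "version": 1},
        "tags": ["Example", "Constructed"],
        "actions": {"alert": True, "breach": True},
    },
    "device": {"did": 7, "ip": "10.0.0.5", "hostname": "host-a"},
    "ips": {"ip": ["10.0.0.5", "10.0.0.6"]},
}
```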