Darktrace Applications

Overview

Note: This beta connector guide is created by experienced users of the SNYPR platform and is currently going through verification processes within Securonix. This connector is made available to early adopters for the purposes of providing guidance and integration support prior to the release of official documentation.

This document describes how to integrate the Darktrace application with SNYPR.

The following properties are specific to the connector:

  • Collection method: Syslog

  • Format: LEEF

  • Functionality: IDS / IPS / UTM / Threat Detection

  • Parser: SCNX_DARKTR_DARKTRACE_ITD_SYS_LEE

  • Vendor version: -

Configure the connection on device

Complete the following steps to configure the Darktrace appliance to forward its alerts to SNYPR:

  1. Log in to the Darktrace interface.

  2. Expand the top left menu and select Admin to display Admin options.

  3. Click System Config.

  4. In the Alerting section, configure the following settings:

  5. Set the JSON Syslog Alerts setting to True.

  6. Set the syslog server to the IP address of the Remote Ingester Node (RIN).

  7. Set the syslog server port to 514.

  8. Set the LEEF Syslog TCP Alerts setting to True.

  9. Set the Legacy JSON Alert Format setting to False.

Verify the Configuration

You can send a test alert from Darktrace to SNYPR to verify the integration.

To send a test alert:

  1. Return to the Darktrace user interface.

  2. Expand the top left menu and select Admin to display Admin options.

  3. Click System Config.

  4. Click the Verify Alert Settings button in the Alerting section. If the connection is successful, the message "1 Alert Sent. IMAP settings valid" is displayed.

On the Remote Ingester Node, verify that the RIN is receiving the alerts with the following command (replace eth0 with the interface on which the RIN receives traffic from the Darktrace appliance):

tcpdump -i eth0 tcp port 514 -v -A

The -A flag prints each packet payload as ASCII. Because the alerts are sent as plain TCP syslog on port 514 rather than over TLS, the LEEF records are readable directly in the capture, as in the sample below.

Sample response:

Jan 3 02:51:38 172.31.1.54 1 2021-01-03T08:51:38+00:00 172.31.1.54 darktrace - - - LEEF:1.0|Darktrace|DCIP|4.1|Device/Bruteforce Activity|externalId=10000000003530 src=172.20.87.9 dst=172.25.92.10 srcType=Desktop sev=9 pid=93 darktraceUrl=https://darktrace.securonix.com/#modelbreach/10000000003530
Jan 3 01:53:34 172.31.1.54 1 2021-01-03T07:53:35+00:00 172.31.1.54 darktrace - - - LEEF:1.0|Darktrace|DCIP|4.1|Compromise/SSL to DynDNS|externalId=4000000007769 src=172.21.87.112 dst=202.65.157.17 srcType=Desktop sev=4 pid=445 darktraceUrl=https://darktrace.securonix.com/#modelbreach/4000000007769
Jan 3 03:14:43 172.31.1.54 1 2021-01-03T09:14:43+00:00 172.31.1.54 darktrace - - - LEEF:1.0|Darktrace|DCIP|4.1|Compromise/Repeating Connections Over 4 Days|externalId=9000000006187 src=172.19.40.72 dst=23.208.52.231 srcMAC=54:bf:64:78:74:c7 srcType=Desktop sev=7 pid=403 darktraceUrl=https://darktrace.securonix.com/#modelbreach/9000000006187
Jan 3 04:51:50 172.31.1.54 1 2021-01-03T10:51:50+00:00 172.31.1.54 darktrace - - - LEEF:1.0|Darktrace|DCIP|4.1|Anomalous Connection/Sustained MIME Type Conversion|externalId=9000000006188 src=172.23.36.22 dst=172.23.35.105 srcType=Desktop sev=7 pid=475 darktraceUrl=https://darktrace.securonix.com/#modelbreach/9000000006188
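The capture above shows the wire format end to end: a syslog header followed by a LEEF 1.0 record with key=value attributes. The following Python is an added example, not part of this guide and not code from Securonix or Darktrace. It parses the four sample lines copied from the output above, applies the kind of host filter that Step 1 of the SNYPR configuration below expresses as {host("10.0.0.1");}, checks that each alert's darktraceUrl refers to its own externalId, and selects alerts by severity. It assumes that the syslog STRUCTURED-DATA field is always "-" (as in every sample line) and that the ingester filter follows syslog-ng host() semantics, where the argument is a regular expression; both assumptions are marked in the code.

```python
"""Parse the Darktrace LEEF alerts that reach the RIN over TCP syslog (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample input: the four alert lines from the tcpdump output above.
SAMPLE_LINES = [
    "Jan 3 02:51:38 172.31.1.54 1 2021-01-03T08:51:38+00:00 172.31.1.54 darktrace - - - "
    "LEEF:1.0|Darktrace|DCIP|4.1|Device/Bruteforce Activity|externalId=10000000003530 "
    "src=172.20.87.9 dst=172.25.92.10 srcType=Desktop sev=9 pid=93 "
    "darktraceUrl=https://darktrace.securonix.com/#modelbreach/10000000003530",
    "Jan 3 01:53:34 172.31.1.54 1 2021-01-03T07:53:35+00:00 172.31.1.54 darktrace - - - "
    "LEEF:1.0|Darktrace|DCIP|4.1|Compromise/SSL to DynDNS|externalId=4000000007769 "
    "src=172.21.87.112 dst=202.65.157.17 srcType=Desktop sev=4 pid=445 "
    "darktraceUrl=https://darktrace.securonix.com/#modelbreach/4000000007769",
    "Jan 3 03:14:43 172.31.1.54 1 2021-01-03T09:14:43+00:00 172.31.1.54 darktrace - - - "
    "LEEF:1.0|Darktrace|DCIP|4.1|Compromise/Repeating Connections Over 4 Days|"
    "externalId=9000000006187 src=172.19.40.72 dst=23.208.52.231 srcMAC=54:bf:64:78:74:c7 "
    "srcType=Desktop sev=7 pid=403 "
    "darktraceUrl=https://darktrace.securonix.com/#modelbreach/9000000006187",
    "Jan 3 04:51:50 172.31.1.54 1 2021-01-03T10:51:50+00:00 172.31.1.54 darktrace - - - "
    "LEEF:1.0|Darktrace|DCIP|4.1|Anomalous Connection/Sustained MIME Type Conversion|"
    "externalId=9000000006188 src=172.23.36.22 dst=172.23.35.105 srcType=Desktop sev=7 "
    "pid=475 darktraceUrl=https://darktrace.securonix.com/#modelbreach/9000000006188",
]

# Each line carries a BSD-style "Mon DD HH:MM:SS host" prefix (skipped), then an RFC 5424
# header (VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA), then the LEEF
# message. Assumption: STRUCTURED-DATA is a bare "-", as in every sample line.
HEADER_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} \S+ "
    r"\d (?P<timestamp>\S+) (?P<host>\S+) \S+ \S+ \S+ \S+ (?P<leef>LEEF:.*)$"
)
# LEEF 1.0 separates attributes with a tab; the capture shows spaces, so accept either,
# splitting only where the next token looks like a new key=.
ATTR_SPLIT_RE = re.compile(r"[\t ]+(?=[A-Za-z][A-Za-z0-9_]*=)")


@dataclass
class DarktraceAlert:
    host: str             # syslog HOSTNAME: the appliance address the ingester filter matches
    timestamp: datetime
    vendor: str
    product: str
    product_version: str
    event_id: str         # Darktrace model name, e.g. "Device/Bruteforce Activity"
    attrs: Dict[str, str]

    @property
    def external_id(self) -> str:
        return self.attrs.get("externalId", "")

    @property
    def severity(self) -> int:
        return int(self.attrs.get("sev", "0"))

    def url_matches_id(self) -> bool:
        """Sanity check: darktraceUrl must point at the same model breach as externalId."""
        url = self.attrs.get("darktraceUrl", "")
        return bool(self.external_id) and url.endswith("/#modelbreach/" + self.external_id)


def parse_attrs(text: str) -> Dict[str, str]:
    attrs: Dict[str, str] = {}
    for token in ATTR_SPLIT_RE.split(text.strip()):
        key, sep, value = token.partition("=")
        if sep:
            attrs[key] = value
    return attrs


def parse_line(line: str) -> DarktraceAlert:
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a syslog/LEEF line: %r" % line[:60])
    # LEEF header: LEEF:Version|Vendor|Product|Version|EventID|attributes
    parts = m.group("leef").split("|", 5)
    if len(parts) != 6 or parts[0] != "LEEF:1.0":
        raise ValueError("unsupported LEEF header: %r" % m.group("leef")[:40])
    _, vendor, product, version, event_id, attr_text = parts
    return DarktraceAlert(m.group("host"), datetime.fromisoformat(m.group("timestamp")),
                          vendor, product, version, event_id, parse_attrs(attr_text))


def parse_lines(lines: List[str]) -> List[DarktraceAlert]:
    return [parse_line(line) for line in lines if line.strip()]


def host_filter(alerts: List[DarktraceAlert], host: str) -> List[DarktraceAlert]:
    """Emulate the ingester's {host("...");} filter on the syslog HOSTNAME field.
    syslog-ng's host() takes a regular expression and matches it unanchored, so a bare
    "10.0.0.1" also matches 10.0.0.10 (assumption: the SNYPR ingester filter follows
    syslog-ng semantics). Escaping and anchoring gives the exact match that is intended."""
    pattern = re.compile("^" + re.escape(host) + "$")
    return [a for a in alerts if pattern.match(a.host)]


def alerts_at_or_above(alerts: List[DarktraceAlert], threshold: int) -> List[DarktraceAlert]:
    """Triage helper: keep model breaches whose sev is at least the threshold."""
    return [a for a in alerts if a.severity >= threshold]
```

The address that host_filter() compares against is the syslog HOSTNAME field (172.31.1.54 in the sample), not the src address inside the LEEF record, which is the monitored endpoint that triggered the model breach. If the ingester filter does share syslog-ng's regular-expression semantics, an anchored and escaped form such as {host("^10\.0\.0\.1$");}; avoids accidentally admitting a neighbouring host.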

Configure the connection in SNYPR

Complete the following steps to configure Darktrace in the SNYPR application:

  1. Resource group information

  2. Parser management

  3. Identity attribution

  4. Detect policy violations

  5. Summary

Step 1. Resource group information

  1. In SNYPR, navigate to Menu > Add Data > Activity.

  2. Click Add Data > Add Data for Supported Device Type to set up the ingestion process.

  3. Click Vendor in the Resource Type Information section and select the following information:

    1. Vendors: Darktrace

    2. Device Types: Darktrace

    3. Collection Method: syslog[LEEF]

  4. Perform the following steps in the Ingesters section:

    1. Select an ingester from the list.

    2. Click + to add a filter for the ingester, and then provide the following information:

      1. Provide a name for the filter.

      2. Add the following syslog expression to identify events that are associated with the device:

        {host("10.0.0.1");};

        Note: Replace 10.0.0.1 with the IP address of the Darktrace appliance that sends the syslog traffic, that is, the hostname field of the syslog header (172.31.1.54 in the sample output above), not the src address carried inside the LEEF event.

      3. Click Add to add the filter.

  5. Complete the following information in the Device Information section:

    1. Datasource Name: Enter Darktrace.

    2. Specify timezone for activity logs: Select a time zone from the list.

  6. Click Get Preview in the upper right corner of the page to preview the ingested data from the datasource.

  7. Click Save & Next.

Complete the following steps if you are using SNYPR 6.4:

  1. Navigate to Menu > Add Data > Activity in the SNYPR application.

  2. Click Discovered. This tab lists the discovered devices together with the parsers recommended for them.

    Note: You can locate a datasource/device by specifying a CIDR or keyword in the Search field.

  3. Review the discovered devices to locate the devices that you want to import.

  4. Select one or more resources to view their details in the right section of the screen.

  5. In the right section of the screen, select a resource and click Select Timezone. The Select Timezone drop-down list is displayed.

  6. Select a timezone.

  7. Review and select the existing parser, or search for another parser by performing the following steps:

    1. Select By Vendor from Choose Existing Parser.

    2. Click Vendors > Resource Types > Parser Name. For Darktrace, select the following information:

      • Vendors: Darktrace
      • Resource Types: Darktrace
      • Parser Name: SCNX_DARKTR_DARKTRACE_ITD_SYS_LEE

  8. Click Get Preview in the upper right corner of the page to preview the ingested data from the datasource.

  9. Click Save & Next.

Step 2. Parser management

Click Save & Next.

Note: For more information on Parser Management, refer to the SNYPR 6.4 Data Integration Guide.

Step 3. Identity attribution

  1. Click Add Condition > Add New Correlation Rule to add a correlation rule.

  2. Provide a descriptive name for the correlation rule in the Correlation Rule section.

    Note: For more information on Identity Attribution, refer to the SNYPR 6.4 Data Integration Guide.

  3. Specify the User Attribute, Operation, Parameter, Condition, and Separator parameters in the Correlate events to user using rule section.

  4. Click Save in the lower-right corner of the page to save the Correlate events to user using rule table.

  5. Click Save & Next in the upper-right corner of the page.

Step 4. Detect policy violations

Click Save & Next.

Step 5. Summary

  1. Select Do you want to schedule this job for future? in the Job Scheduling Information section, and then select one of the following based on the collection method:

    • Run every 1 minute for datasources with the collection method syslog (as for this connector).

    • Run every 10 minutes for non-syslog based datasources.

  2. Click Save & Run.

Verifying the job

Following a successful import, the security log data for the datasource is accessible in the Available Datasources section of Spotter. To access the imported security log data, complete the following steps:

  1. Navigate to Menu > Security Center > Spotter.

  2. Enter the datasource name provided while creating the connection, and then click the magnifying glass icon in the search bar.

Note: Refer to the Spotter Query Reference Guide for information on how to write queries in Spotter.