darktrace/detect

VendorDarktrace Limited
AuthorCrowdStrike
Version1.1.0
Minimum LogScale Version1.142.0

Darktrace Detect is a network solution for detecting and investigating emerging cyber-threats that evade traditional security tools. Use Darktrace Detect to monitor alert logs, collect and parse data via Syslog, then visualize the data.

This package provides a parser for Darktrace Detect events in JSON format.

Breaking Changes

This update includes parser changes, which means that data ingested after upgrade will not be backwards compatible with logs ingested with the previous version.

Updating to version 1.0.0 or newer will therefore result in issues with existing queries in for example dashboards or alerts created prior to this version.

See CrowdStrike Parsing Standard (CPS) 1.0 for more details on the new parser schema.

Follow the CPS Migration to update your queries to use the fields and tags that are available in data parsed with version 1.0.0.

Configurations and Sending The Logs to LogScale

See Darktrace Syslog Specification manual for information on how to send Darktrace logs to Falcon Log Collector.

Installing the Darktrace Detect Package in LogScale

Find the repository where you want to send the logs, or create a new one.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for CTD (i.e. darktrace/detect).

  3. When the package has finished installing, click Ingest tokens on the left (still under the Settings, see Ingest Tokens).

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g.the name of the server and the name of the server the token is ingesting logs for), and leave the parser unassigned. You can assign the parser to the LogScale Collector Configuration as described in the documentation Sources & Examples.

    Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

  5. Next, configure the Falcon LogScale Collector to ship the logs from your syslog server into LogScale. Follow LogScale Collector Install Falcon Log Collector and Configure Falcon Log Collector. LogScale Collector documentation also provides an example of how you can configure your syslog datasource, see this syslog example.

Setting Up Syslog in the DarkTrace Threat Visualizer Dashboard

When setting up the Darktrace Threat Visualizer dashboard, follow the below steps:

  1. Install the Darknet Detect package in the relevant repository.

  2. Create an ingest token and assign it to the parser.

  3. Set up syslog in the Darktrace Threat Visualizer Dashboard to send logs to LogScale Collector, which acts as the syslog receiver.

  4. To send the logs to LogScale, enroll the LogScale Collector using this syslog example.

  5. Open the Darktrace Threat Visualizer Dashboard and navigate to the System Config page. (Main menu › Admin).

  6. From the left-side menu, select Modules, then navigate to the Workflow Integrations section and choose Syslog.

  7. Select Syslog JSON tab and click New to set up new Syslog Forwarder.

  8. Enter the IP Address and Port of the LogCollector that is running the integration in the Server and Server Port field respectively.

Note: For DarkTrace, you need to create different syslog forwarders with different ports for each data stream.

Verify Data is Arriving in LogScale

Once you have completed the above steps the data should be arriving in your LogScale repository.

You can verify this by doing a simple search for #Vendor = "darktrace" | #event.module = "detect" to see the events.