From 9c534b8d06d8067b74354f68a2d3c9b3240a4716 Mon Sep 17 00:00:00 2001 
From: vinit-elastic Date: Tue, 16 Aug 2022 12:53:13 +0530 Subject: [PATCH 1/5] Initial Release for the Darktrace --- .github/CODEOWNERS | 1 + packages/darktrace/_dev/build/build.yml | 3 + packages/darktrace/_dev/build/docs/README.md | 138 ++ .../_dev/deploy/docker/docker-compose.yml | 60 + .../_dev/deploy/docker/files/config.yml | 13 + .../docker/sample_logs/ai_analyst_alert.log | 2 + .../docker/sample_logs/model_breach_alert.log | 4 + .../sample_logs/system_status_alert.log | 2 + packages/darktrace/changelog.yml | 6 + .../test/pipeline/test-ai_analyst_alert.log | 2 + .../test-ai_analyst_alert.log-expected.json | 482 ++++++ .../_dev/test/pipeline/test-common-config.yml | 4 + .../_dev/test/system/test-httpjson-config.yml | 10 + .../_dev/test/system/test-tcp-config.yml | 10 + .../_dev/test/system/test-tls-config.yml | 62 + .../_dev/test/system/test-udp-config.yml | 10 + .../agent/stream/httpjson.yml.hbs | 48 + .../ai_analyst_alert/agent/stream/tcp.yml.hbs | 26 + .../ai_analyst_alert/agent/stream/udp.yml.hbs | 23 + .../elasticsearch/ingest_pipeline/default.yml | 856 +++++++++ .../ai_analyst_alert/fields/agent.yml | 186 ++ .../ai_analyst_alert/fields/base-fields.yml | 20 + .../ai_analyst_alert/fields/ecs.yml | 66 + .../ai_analyst_alert/fields/fields.yml | 143 ++ .../data_stream/ai_analyst_alert/manifest.yml | 171 ++ .../ai_analyst_alert/sample_event.json | 241 +++ .../_dev/test/pipeline/test-common-config.yml | 4 + .../test/pipeline/test-model_breach_alert.log | 5 + .../test-model_breach_alert.log-expected.json | 1285 ++++++++++++++ .../_dev/test/system/test-httpjson-config.yml | 10 + .../_dev/test/system/test-tcp-config.yml | 10 + .../_dev/test/system/test-tls-config.yml | 62 + .../_dev/test/system/test-udp-config.yml | 10 + .../agent/stream/httpjson.yml.hbs | 51 + .../agent/stream/tcp.yml.hbs | 26 + .../agent/stream/udp.yml.hbs | 23 + .../elasticsearch/ingest_pipeline/default.yml | 1446 ++++++++++++++++ .../model_breach_alert/fields/agent.yml | 186 ++ 
.../model_breach_alert/fields/base-fields.yml | 20 + .../model_breach_alert/fields/ecs.yml | 76 + .../model_breach_alert/fields/fields.yml | 428 +++++ .../model_breach_alert/manifest.yml | 171 ++ .../model_breach_alert/sample_event.json | 583 +++++++ .../_dev/test/pipeline/test-common-config.yml | 4 + .../pipeline/test-system_status_alert.log | 2 + ...test-system_status_alert.log-expected.json | 109 ++ .../_dev/test/system/test-tcp-config.yml | 10 + .../_dev/test/system/test-tls-config.yml | 62 + .../_dev/test/system/test-udp-config.yml | 10 + .../agent/stream/tcp.yml.hbs | 26 + .../agent/stream/udp.yml.hbs | 23 + .../elasticsearch/ingest_pipeline/default.yml | 235 +++ .../system_status_alert/fields/agent.yml | 186 ++ .../fields/base-fields.yml | 20 + .../system_status_alert/fields/ecs.yml | 48 + .../system_status_alert/fields/fields.yml | 70 + .../system_status_alert/manifest.yml | 117 ++ .../system_status_alert/sample_event.json | 92 + packages/darktrace/docs/README.md | 1470 ++++++++++++++++ packages/darktrace/img/darktrace-logo.svg | 1 + .../darktrace/img/darktrace-screenshot.png | Bin 0 -> 75879 bytes ...-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json | 513 ++++++ ...-da768d80-1399-11ed-bdc1-9f13147efcf8.json | 1528 +++++++++++++++++ ...-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json | 981 +++++++++++ ...-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json | 44 + ...-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json | 44 + ...-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json | 45 + packages/darktrace/manifest.yml | 136 ++ 68 files changed, 12761 insertions(+) create mode 100644 packages/darktrace/_dev/build/build.yml create mode 100644 packages/darktrace/_dev/build/docs/README.md create mode 100644 packages/darktrace/_dev/deploy/docker/docker-compose.yml create mode 100644 packages/darktrace/_dev/deploy/docker/files/config.yml create mode 100644 packages/darktrace/_dev/deploy/docker/sample_logs/ai_analyst_alert.log create mode 100644 
packages/darktrace/_dev/deploy/docker/sample_logs/model_breach_alert.log create mode 100644 packages/darktrace/_dev/deploy/docker/sample_logs/system_status_alert.log create mode 100644 packages/darktrace/changelog.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log-expected.json create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/fields/base-fields.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/fields/fields.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/manifest.yml create mode 100644 packages/darktrace/data_stream/ai_analyst_alert/sample_event.json create mode 100644 packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml create 
mode 100644 packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log create mode 100644 packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log-expected.json create mode 100644 packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs create mode 100644 packages/darktrace/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs create mode 100644 packages/darktrace/data_stream/model_breach_alert/agent/stream/udp.yml.hbs create mode 100644 packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/fields/agent.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/fields/base-fields.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/fields/fields.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/manifest.yml create mode 100644 packages/darktrace/data_stream/model_breach_alert/sample_event.json create mode 100644 packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-common-config.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log create mode 100644 packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log-expected.json create mode 100644 
packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/agent/stream/tcp.yml.hbs create mode 100644 packages/darktrace/data_stream/system_status_alert/agent/stream/udp.yml.hbs create mode 100644 packages/darktrace/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/fields/agent.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/fields/base-fields.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/fields/ecs.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/fields/fields.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/manifest.yml create mode 100644 packages/darktrace/data_stream/system_status_alert/sample_event.json create mode 100644 packages/darktrace/docs/README.md create mode 100644 packages/darktrace/img/darktrace-logo.svg create mode 100644 packages/darktrace/img/darktrace-screenshot.png create mode 100644 packages/darktrace/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json create mode 100644 packages/darktrace/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json create mode 100644 packages/darktrace/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json create mode 100644 packages/darktrace/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json create mode 100644 packages/darktrace/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json create mode 100644 packages/darktrace/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json create mode 100644 packages/darktrace/manifest.yml 
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index ea772efe4bc..42a10cae9a4 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -54,6 +54,7 @@
 /packages/cyberark @elastic/security-external-integrations
 /packages/cyberarkpas @elastic/security-external-integrations
 /packages/cylance @elastic/security-external-integrations
+/packages/darktrace @elastic/security-external-integrations
 /packages/dga @elastic/ml-ui
 /packages/docker @elastic/obs-cloudnative-monitoring
 /packages/elastic_agent @elastic/elastic-agent-control-plane
diff --git a/packages/darktrace/_dev/build/build.yml b/packages/darktrace/_dev/build/build.yml
new file mode 100644
index 00000000000..2254d90483c
--- /dev/null
+++ b/packages/darktrace/_dev/build/build.yml
@@ -0,0 +1,3 @@
+dependencies:
+ ecs:
+ reference: git@v8.4.0-rc1
diff --git a/packages/darktrace/_dev/build/docs/README.md b/packages/darktrace/_dev/build/docs/README.md
new file mode 100644
index 00000000000..eeeb8975149
--- /dev/null
+++ b/packages/darktrace/_dev/build/docs/README.md
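Review bot: `reference: git@v8.4.0-rc1` in build.yml pins the ECS dependency to a release-candidate tag, so the ecs.yml field definitions generated for this package are built from a prerelease schema. Since this is the package's initial release, the reference should move to the final `git@v8.4.0` tag before it ships, otherwise the generated mappings can drift from what the GA ECS version defines. If the prerelease pin is deliberate, a comment next to it such as `# ECS 8.4.0 GA not tagged yet; revisit before release` would make that visible to the next person touching the file.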
@@ -0,0 +1,138 @@ +# Darktrace + +## Overview + +The [Darktrace](https://darktrace.com/) integration allows you to monitor Alert Logs. Darktrace is a network solution for detecting and investigating emerging cyber-threats that evade traditional security tools. It is powered by Enterprise Immune System technology, which uses machine learning and mathematics to monitor behaviors and detect anomalies in your organization’s network. + +Use the Darktrace integration to collect and parse data from the REST APIs or via Syslog. Then visualise that data in Kibana. + +For example, you could use the data from this integration to know which model is breached and analyse model breaches, and also know about system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. + +## Data streams + +The Darktrace integration collects logs for three types of events: AI Analyst Alert, Model Breach Alert and System Status Alert. + +**AI Analyst Alert** is generated by investigates, analyzes, and reports upon threats seen within your Darktrace environment; as a starting point, it reviews and investigates all Model Breaches that occur on the system. If behavior which would be of interest to a cyber analyst is detected, an event is created. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-aia-json-schema). + +**Model Breach Alert** is generated when a model breach is triggered. A model is used to define a set of conditions which, when met, will alert the system to the occurrence of a particular event or chain of anomalous behavior. Darktrace models are focused on pattern-of-life anomaly detection, potentially malicious behavior, and compliance issues. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-schema). 
+ +**System Status Alert** keep Darktrace operators informed of system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. System Status Alerts include details of the originating host, the severity of the event, and links that may be helpful to investigate or resolve the issue. Notifications are sent for active system events and (optionally) on event resolution. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-system-schema). + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +Firewall exceptions to allow communication from the Darktrace master instance to the Syslog server. + +This module has been tested against **Darktrace Threat Visualizer v5.2**. + +## Setup + +### To collect data from Darktrace REST APIs, follow the below steps: + +1. Hostname URL will be your . (Threat Visualizer Console Hostname) +2. Public and Private Token will be generated by following this [Link](https://customerportal.darktrace.com/product-guides/main/api-tokens). + +**Note:** System Status Alert are not supported by REST API. + +### To collect data from Darktrace via Syslog, follow the below steps: + +The user needs to create a different Syslog Forwarder with different ports for each data stream. + +The process for configuring syslog-format alerts is identical for AI Analyst Alerts, Model Breach Alerts and System Status Alerts. Generic configuration guidance is provided below: + +1. Open the Darktrace Threat Visualizer Dashboard and navigate to the **System Config** page. (**Main menu › Admin**). +2. From the left-side menu, select **Modules**, then navigate to the **Workflow Integrations** section and choose **Syslog**. +3. 
Select **Syslog JSON** tab and click **New** to set up new Syslog Forwarder. +4. Enter the **IP Address**  and **Port** of the Elastic Agent that is running the integration in the **Server** and **Server Port** field respectively. + +For more details, see [Documentation](https://customerportal.darktrace.com/product-guides/main/json-alerts). + +**Note:** + - It is recommended to turn on **Full Timestamps** toggle in **Show Advanced Options** to get the full timestamp instead of the RFC3164-formatted timestamp. + - It is also recommended to turn off **Reduced Message Size** toggle in **Show Advanced Options** to get more information about alerts. + +### After following generic guidance steps, below are the steps for collecting individual logs for all three data streams. + +#### For AI Analyst Alert, below are the suggested configurations to collect all the events of AI Analyst Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| --------------------------------------- | ----------------------------------- | +| Send AI Analyst Alerts | ON | +| Send AI Analyst Alerts Immediately | ON | +| AI Analyst Behavior Filter | Critical, Suspicious and Compliance | +| Minimum AI Analyst Incident Event Score | 0 | +| Minimum AI Analyst Incident Score | 0 | +| Legacy AI Analyst Alerts | OFF | + +#### For Model Breach Alert, below are the suggested configurations to collect all the events of Model Breach Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| ---------------------------- | -------------------------------------------------- | +| Send Model Breach Alerts | ON | +| Model Breach Behavior Filter | Critical, Suspicious, Compliance and Informational | +| Minimum Breach Score | 0 | +| Minimum Breach Priority | 0 | +| Model Expression | N/A | +| Model Tags Expression | N/A | +| Device IP Addresses | N/A | +| Device Tags Addresses | N/A | + +#### For System Status Alert, below 
are the suggested configurations to collect all the events of System Status Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| ---------------------------------- | ------------- | +| Send System Status Alerts | ON | +| Send Resolved System Status Alerts | ON | +| Minimum System Status Priority | Informational | + +### See more about [Syslog Filters and Optional Settings](https://customerportal.darktrace.com/product-guides/main/syslog-json-alert-settings) + +**Note** : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts. + - An FQDN can be configured from the **System** subsection on the **Settings** tab of the Darktrace **System Config** page. + +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations**. +2. In the "Search for integrations" search bar, type **Darktrace**. +3. Click on **Darktrace** integration from the search results. +4. Click on **Add Darktrace** button to add Darktrace integration. +5. Enable the Integration with either via API or TCP or UDP input. + +## Logs reference + +### ai_analyst_alert + +This is the `ai_analyst_alert` dataset. + +#### Example + +{{event "ai_analyst_alert"}} + +{{fields "ai_analyst_alert"}} + +### model_breach_alert + +This is the `model_breach_alert` dataset. + +#### Example + +{{event "model_breach_alert"}} + +{{fields "model_breach_alert"}} + +### system_status_alert + +This is the `system_status_alert` dataset. + +#### Example + +{{event "system_status_alert"}} + +{{fields "system_status_alert"}} \ No newline at end of file diff --git a/packages/darktrace/_dev/deploy/docker/docker-compose.yml b/packages/darktrace/_dev/deploy/docker/docker-compose.yml new file mode 100644 index 00000000000..7d4d2e2a612 --- /dev/null +++ b/packages/darktrace/_dev/deploy/docker/docker-compose.yml 
@@ -0,0 +1,60 @@
+version: '2.3'
+services:
+ darktrace-ai_analyst_alert-tls:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=tls --insecure /sample_logs/ai_analyst_alert.log
+ darktrace-ai_analyst_alert-tcp:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=tcp /sample_logs/ai_analyst_alert.log
+ darktrace-ai_analyst_alert-udp:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9574 -p=udp /sample_logs/ai_analyst_alert.log
+ darktrace-model_breach_alert-tls:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9572 -p=tls --insecure /sample_logs/model_breach_alert.log
+ darktrace-model_breach_alert-tcp:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9572 -p=tcp /sample_logs/model_breach_alert.log
+ darktrace-model_breach_alert-udp:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9575 -p=udp /sample_logs/model_breach_alert.log
+ darktrace-system_status_alert-tls:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9573 -p=tls --insecure /sample_logs/system_status_alert.log
+ darktrace-system_status_alert-tcp:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9573 -p=tcp /sample_logs/system_status_alert.log
+ darktrace-system_status_alert-udp:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ volumes:
+ - ./sample_logs:/sample_logs:ro
+ command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9576 -p=udp /sample_logs/system_status_alert.log
+ darktrace:
+ image: docker.elastic.co/observability/stream:v0.7.0
+ hostname: darktrace
+ ports:
+ - 8080
+ volumes:
+ - ./files:/files:ro
+ environment:
+ PORT: "8080"
+ command:
+ - http-server
+ - --addr=:8080
+ - --config=/files/config.yml
diff --git a/packages/darktrace/_dev/deploy/docker/files/config.yml b/packages/darktrace/_dev/deploy/docker/files/config.yml
new file mode 100644
index 00000000000..d2f4b9e218b
--- /dev/null
+++ b/packages/darktrace/_dev/deploy/docker/files/config.yml
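Review bot: The three `-p=tls` services pass `--insecure` to the stream container, which turns off certificate verification for the system test, presumably because the agent's TLS test listener presents a certificate the container cannot validate. That is fine for a test harness, but nothing in the compose file says so, and flags from these files tend to get copied into user-facing examples; a comment above the first tls service such as `# --insecure: skip TLS verification for the test certificate only; never a production setting` would make the intent explicit. Note also that the tls and tcp services for each data stream target the same agent port (9571, 9572, 9573), so they cannot be started against the same agent at the same time and rely on the system-test configs being run one at a time.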
@@ -0,0 +1,13 @@ +rules: + - path: /modelbreaches + methods: ["GET"] + responses: + - status_code: 200 + body: | + [{"model":{"name":"Device::Attack and Recon Tools","pid":135,"phid":1198,"uuid":"8abcdefg-1234-1234-1234-5abcdefg12","logic":{"data":[{"cid":2311,"weight":1},{"cid":2312,"weight":1},{"cid":2315,"weight":1},{"cid":2316,"weight":1},{"cid":2314,"weight":1},{"cid":2310,"weight":1},{"cid":2313,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":604800,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["AP: Internal Recon","OT Engineer"],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-11 11:47:51","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device is using common penetration testing tools.\\n\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future breaches. 
Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"version":77,"priority":4,"category":"Suspicious","compliance":false},"device":{"did":7,"ip":"81.2.69.192","ips":[{"ip":"175.16.199.2","timems":1657746000000,"time":"2022-07-13 21:00:00","sid":1}],"sid":1,"hostname":"localhost.local","firstSeen":1657544891000,"lastSeen":1657748638000,"typename":"desktop","typelabel":"Desktop","credentials":["dummy"],"tags":[{"tid":66,"expiry":0,"thid":66,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":183,"description":""},"isReferenced":true},{"tid":29,"expiry":0,"thid":29,"name":"Linux","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true},{"tid":45,"expiry":0,"thid":45,"name":"New Device","restricted":false,"data":{"auto":false,"color":130,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1657748807000,"cbid":6,"cid":2311,"chid":2676,"size":1,"threshold":0,"interval":300,"logic":{"data":{"left":{"left":"A","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"B","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"O"}}}},"operator":"OR","right":{"left":{"left":"C","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"F","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"
G","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"L","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"M","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"P"}}}}}}}}}}}}},"version":"v0.1"},"metric":{"mlid":16,"name":"connections","label":"Connections"},"triggeredFilters":[{"cfid":26781,"id":"H","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":26783,"id":"J","filterType":"Tagged internal source","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26787,"id":"N","filterType":"Tagged internal destination","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26788,"id":"O","filterType":"User agent","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":""}},{"cfid":26789,"id":"P","filterType":"URI","arguments":{"value":"examples"},"comparatorType":"matches 
regular expression","trigger":{"value":""}},{"cfid":26790,"id":"d1","filterType":"Proxied connection","arguments":{"value":"true"},"comparatorType":"display","trigger":{"value":"false"}},{"cfid":26791,"id":"d10","filterType":"HTTP response code","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":26792,"id":"d2","filterType":"HTTP referrer","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26793,"id":"d3","filterType":"HTTP method","arguments":{},"comparatorType":"display","trigger":{"value":"GET"}},{"cfid":26794,"id":"d4","filterType":"HTTP X-Forwarded-For","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26795,"id":"d5","filterType":"URI","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26796,"id":"d6","filterType":"User agent","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26797,"id":"d7","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"81.2.69.144"}},{"cfid":26798,"id":"d8","filterType":"Internal destination device name","arguments":{},"comparatorType":"display","trigger":{"value":"localhost.local"}},{"cfid":26799,"id":"d9","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":""}}]}],"breachUrl":"https://example.com/#modelbreach/6","pbid":6,"score":0.871,"commentCount":0,"creationTime":1657748815000,"time":1657748808000,"mitreTechniques":[{"technique":"Hardware Additions Mitigation","techniqueID":"T1200"}]}] + - path: /aianalyst/incidentevents + methods: ["GET"] + responses: + - status_code: 200 + body: | + [{"summariser":"AdminConnSummary","acknowledged":false,"pinned":true,"createdAt":1628002089240,"attackPhases":[5],"title":"Extensive Unusual SSH 
Connections","id":"eabc0011-1234-1234-1234-cabcdefg0011","children":["eabcdef0-1234-1234-1234-cabcdefghij9"],"category":"critical","currentGroup":"eabc1234-1234-1234-1234-cabcdefg0011","groupCategory":"critical","groupScore":"72.9174234","groupPreviousGroups":null,"activityId":"abcd1234","groupingIds":["abcdef12"],"groupByActivity":false,"userTriggered":false,"externalTriggered":false,"aiaScore":98,"summary":"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.","periods":[{"start":1627985298683,"end":1628000141220}],"breachDevices":[{"identifier":null,"hostname":null,"ip":"81.2.69.144","mac":null,"subnet":"VPN","did":10,"sid":12}],"relatedBreaches":[{"modelName":"Unusual Activity / Unusual Activity from Re-Activated Device","pbid":1234,"threatScore":37,"timestamp":1627997157000}],"details":[[{"header":"Breaching Device","contents":[{"key":null,"type":"device","values":[{"identifier":null,"hostname":null,"ip":"175.16.199.1","mac":null,"subnet":"VPN","did":10,"sid":12}]}]}],[{"header":"SSH Activity","contents":[{"key":"Time","type":"timestampRange","values":[{"start":1627985298683,"end":1628000141220}]},{"key":"Number of unique IPs","type":"integer","values":[16]},{"key":"Targeted IP ranges include","type":"device","values":[{"identifier":null,"hostname":null,"ip":"81.2.69.192","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"175.16.199.1","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"175.16.199.3","mac":null,"subnet":null,"did":null,"sid":null}]},{"key":"Destination port","type":"integer","values":[22]},{"key":"Connection 
count","type":"integer","values":[40]},{"key":"Percentage successful","type":"percentage","values":[100]}]}]]}]
diff --git a/packages/darktrace/_dev/deploy/docker/sample_logs/ai_analyst_alert.log b/packages/darktrace/_dev/deploy/docker/sample_logs/ai_analyst_alert.log
new file mode 100644
index 00000000000..68401029818
--- /dev/null
+++ b/packages/darktrace/_dev/deploy/docker/sample_logs/ai_analyst_alert.log
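Review bot: The mock API in config.yml answers `GET /modelbreaches` and `GET /aianalyst/incidentevents` with a 200 body for any request, so the system test never verifies that the httpjson input actually sends Darktrace's `DTAPI-Token` and `DTAPI-Signature` headers; a regression in the request signing done by the httpjson templates would still pass. The stream http-server rules can match on request headers, so requiring both headers to be present on these two rules would keep the mock honest about the authentication contract without needing to validate the signature value itself. The httpjson templates are not in this hunk, so the signing behaviour is inferred from the README's public/private token setup rather than from the template code.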
@@ -0,0 +1,2 @@ +<165>1 2022-01-10T21:09:27+00:00 example.cloud.darktrace.com darktrace - - - {"summariser":"AdminConnSummary","acknowledged":false,"pinned":true,"createdAt":1628002089240,"attackPhases":[5],"title":"Extensive Unusual SSH Connections","id":"eabc0011-1234-1234-1234-cabcdefg0011","children":["eabcdef0-1234-1234-1234-cabcdefghij9"],"category":"critical","currentGroup":"eabc1234-1234-1234-1234-cabcdefg0011","groupCategory":"critical","groupScore":"72.9174234","groupPreviousGroups":null,"activityId":"abcd1234","groupingIds":["abcdef12"],"groupByActivity":false,"userTriggered":false,"externalTriggered":false,"aiaScore":98,"summary":"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.","periods":[{"start":1627985298683,"end":1628000141220}],"breachDevices":[{"identifier":null,"hostname":null,"ip":"81.2.69.144","mac":null,"subnet":"VPN","did":10,"sid":12}],"relatedBreaches":[{"modelName":"Unusual Activity / Unusual Activity from Re-Activated Device","pbid":1234,"threatScore":37,"timestamp":1627997157000}],"details":[[{"header":"Breaching Device","contents":[{"key":null,"type":"device","values":[{"identifier":null,"hostname":null,"ip":"175.16.199.1","mac":null,"subnet":"VPN","did":10,"sid":12}]}]}],[{"header":"SSH Activity","contents":[{"key":"Time","type":"timestampRange","values":[{"start":1627985298683,"end":1628000141220}]},{"key":"Number of unique IPs","type":"integer","values":[16]},{"key":"Targeted IP ranges 
include","type":"device","values":[{"identifier":null,"hostname":null,"ip":"81.2.69.192","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"175.16.199.1","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"175.16.199.3","mac":null,"subnet":null,"did":null,"sid":null}]},{"key":"Destination port","type":"integer","values":[22]},{"key":"Connection count","type":"integer","values":[40]},{"key":"Percentage successful","type":"percentage","values":[100]}]}]]} +<165>1 2022-02-19T11:50:10+00:00 example.cloud.darktrace.com darktrace - - - {"summariser":"ScanSummary","acknowledged":false,"pinned":false,"createdAt":1657749437781,"attackPhases":[4],"title":"Port Scanning","id":"eabcdef0-1234-1234-1234-cabcdefghij9","incidentEventUrl":"https://www.example.com/#aiaincidentevent/eabcdef0-1234-1234-1234-cabcdefghij9","children":["eabcdef0-1234-1234-1234-cabcdefghij9"],"category":"suspicious","currentGroup":"eab12345-1234-1234-1234-cabcdef12345","groupCategory":"suspicious","groupScore":6.857722547303857,"groupPreviousGroups":[],"activityId":"abcdefee","groupingIds":["ab123456"],"groupByActivity":false,"userTriggered":false,"externalTriggered":false,"aiaScore":64,"summary":"The device linux.local was observed making an unusually large number of internal connection attempts to multiple devices, suggesting scanning activity.\n\nNetwork scanning can be used during reconnaissance to gather information about internal devices, such as their list of open ports, and is thus a possible indicator of preparation for malicious or unauthorised internal activity.\n\nIf the activity from the device was not expected, it is recommended that the security team investigate it further to determine whether it was part of legitimate network 
activity.","periods":[{"start":1657747020967,"end":1657749405342}],"breachDevices":[{"identifier":"linux.local","hostname":"linux.local","ip":"175.16.199.1/24","mac":null,"subnet":null,"did":7,"sid":1}],"relatedBreaches":[{"modelName":"Device / Attack and Recon Tools","pbid":6,"threatScore":88,"timestamp":1657748808000}],"details":[[{"header":"Overview of Scan","contents":[{"key":"Time","type":"timestampRange","values":[{"start":1657747020967,"end":1657749405342}]},{"key":"Source device","type":"device","values":[{"identifier":"linux.local","hostname":"linux.local","ip":"175.16.199.3/28","mac":null,"subnet":null,"did":7,"sid":1}]},{"key":"Scanned IPs","type":"device","values":[{"identifier":null,"hostname":null,"ip":"81.2.69.144","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"81.2.69.192","mac":null,"subnet":null,"did":null,"sid":null}]},{"key":"Username observed prior to activity","type":"string","values":["user1"]},{"key":"Source of username","type":"string","values":["User login"]},{"key":"Time observed","type":"timestamp","values":[1657739323000]},{"key":"Event UID","type":"string","values":["CABCDabcdABCDabcd000"]}]}],[{"header":"TCP Scanning Activity","contents":[{"key":"Total connections","type":"integer","values":[4537]},{"key":"Total ports scanned","type":"integer","values":[996]},{"key":"Port range","type":"integerRange","values":[{"start":"1","end":"65389"}]},{"key":"Key ports","type":"integer","values":[21,22,23,80,389,443,1433,3128,3306,4444,4899,8080]}]}],[{"header":"UDP Scanning Activity","contents":[{"key":"Total connections","type":"integer","values":[116]},{"key":"Port","type":"integer","values":[137]}]}]]} diff --git a/packages/darktrace/_dev/deploy/docker/sample_logs/model_breach_alert.log b/packages/darktrace/_dev/deploy/docker/sample_logs/model_breach_alert.log new file mode 100644 index 00000000000..d5d96f42422 --- /dev/null 
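Review bot: Several device `ip` values in this fixture carry a prefix length (`"ip":"175.16.199.1/24"` in `breachDevices` and `"ip":"175.16.199.3/28"` under "Source device" of the second event); if the ingest pipeline copies these into an `ip`-typed field, indexing of that document will fail, so the pipeline needs to either strip the mask or keep the raw value in a keyword field, and the expected output for that event should show which was chosen. The same values are present in the pipeline test input test-ai_analyst_alert.log further down. `groupScore` is also a JSON string in the first event (`"72.9174234"`) and a number in the second, so the pipeline must normalise the type before it lands in a numeric field; the expected output for the first event already shows it as a number. The pipeline is not in this hunk, so this is inferred from the fixture alone.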
+++ b/packages/darktrace/_dev/deploy/docker/sample_logs/model_breach_alert.log 
@@ -0,0 +1,4 @@ +<165>1 2022-02-12T19:10:23+00:00 example.cloud.darktrace.com darktrace - - - {"model":{"name":"Device::Attack and Recon Tools","pid":135,"phid":1199,"uuid":"7abcdefg-1234-1234-1234-5abcdefg12","logic":{"data":[{"cid":2311,"weight":1},{"cid":2312,"weight":1},{"cid":2315,"weight":1},{"cid":2316,"weight":1},{"cid":2314,"weight":1},{"cid":2310,"weight":1},{"cid":2313,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":604800,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["AP: Internal Recon","OT Engineer"],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-11 11:47:51","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device is using common penetration testing tools.\\n\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future breaches. 
Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"version":77,"priority":4,"category":"Suspicious","compliance":false},"device":{"did":7,"ip":"81.2.69.192","ips":[{"ip":"175.16.199.2","timems":1657746000000,"time":"2022-07-13 21:00:00","sid":1}],"sid":1,"hostname":"localhost.local","firstSeen":1657544891000,"lastSeen":1657748638000,"typename":"desktop","typelabel":"Desktop","credentials":["dummy"],"tags":[{"tid":66,"expiry":0,"thid":66,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":183,"description":""},"isReferenced":true},{"tid":29,"expiry":0,"thid":29,"name":"Linux","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true},{"tid":45,"expiry":0,"thid":45,"name":"New Device","restricted":false,"data":{"auto":false,"color":130,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1657748807000,"cbid":6,"cid":2311,"chid":2676,"size":1,"threshold":0,"interval":300,"logic":{"data":{"left":{"left":"A","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"B","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"O"}}}},"operator":"OR","right":{"left":{"left":"C","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"F","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"
G","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"L","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"M","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"P"}}}}}}}}}}}}},"version":"v0.1"},"metric":{"mlid":16,"name":"connections","label":"Connections"},"triggeredFilters":[{"cfid":26781,"id":"H","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":26783,"id":"J","filterType":"Tagged internal source","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26787,"id":"N","filterType":"Tagged internal destination","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26788,"id":"O","filterType":"User agent","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":""}},{"cfid":26789,"id":"P","filterType":"URI","arguments":{"value":"examples"},"comparatorType":"matches 
regular expression","trigger":{"value":""}},{"cfid":26790,"id":"d1","filterType":"Proxied connection","arguments":{"value":"true"},"comparatorType":"display","trigger":{"value":"false"}},{"cfid":26791,"id":"d10","filterType":"HTTP response code","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":26792,"id":"d2","filterType":"HTTP referrer","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26793,"id":"d3","filterType":"HTTP method","arguments":{},"comparatorType":"display","trigger":{"value":"GET"}},{"cfid":26794,"id":"d4","filterType":"HTTP X-Forwarded-For","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26795,"id":"d5","filterType":"URI","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26796,"id":"d6","filterType":"User agent","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26797,"id":"d7","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"81.2.69.144"}},{"cfid":26798,"id":"d8","filterType":"Internal destination device name","arguments":{},"comparatorType":"display","trigger":{"value":"localhost.local"}},{"cfid":26799,"id":"d9","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":""}}]}],"breachUrl":"https://example.com/#modelbreach/6","pbid":6,"score":0.871,"commentCount":0,"creationTime":1657748815000,"time":1657748808000,"mitreTechniques":[{"technique":"Hardware Additions Mitigation","techniqueID":"T1200"}]} +<165>1 2022-03-09T22:11:20+00:00 example.cloud.darktrace.com darktrace - - - {"commentCount":0,"pbid":1,"time":1657544648000,"creationTime":1657544659000,"aianalystData":[{"uuid":"1234abcd-1234-1234-1234-123456abcdef","related":[1],"summariser":"BeaconSummary"}],"model":{"name":"Compromise::Beaconing Activity To External 
Rare","pid":156,"phid":1072,"uuid":"1234abcd-1234-1234-1234-123456abcdef","logic":{"data":[{"cid":2026,"weight":1},{"cid":2024,"weight":1},{"cid":2025,"weight":-100}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":10800,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["AP: C2 Comms"],"interval":10800,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-11 11:47:37","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business 
purposes.","behaviour":"incdec1","created":{"by":"System"},"edited":{"by":"System"},"version":23,"priority":2,"category":"Informational","compliance":false},"triggeredComponents":[{"time":1657544648000,"cbid":1,"cid":2026,"chid":2113,"size":11,"threshold":10,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":{"left":"AA","operator":"AND","right":{"left":"AC","operator":"AND","right":{"left":"AD","operator":"AND","right":{"left":"AF","operator":"AND","right":{"left":"AG","operator":"AND","right":{"left":"AH","operator":"AND","right":{"left":"B","operator":"AND","right":{"left":"C","operator":"AND","right":{"left":"D","operator":"AND","right":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":{"left":"L","operator":"AND","right":{"left":"M","operator":"AND","right":{"left":"N","operator":"AND","right":{"left":"O","operator":"AND","right":{"left":"P","operator":"AND","right":{"left":"S","operator":"AND","right":{"left":"U","operator":"AND","right":{"left":"V","operator":"AND","right":{"left":"X","operator":"AND","right":{"left":"Y","operator":"AND","right":"Z"}}}}}}}}}}}}}}}}}}}}}}}}},"operator":"OR","right":{"left":"A","operator":"AND","right":{"left":"AA","operator":"AND","right":{"left":"AB","operator":"AND","right":{"left":"AE","operator":"AND","right":{"left":"AF","operator":"AND","right":{"left":"AG","operator":"AND","right":{"left":"AH","operator":"AND","right":{"left":"C","operator":"AND","right":{"left":"D","operator":"AND","right":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":{"left":"L","operator":"AND","right":{"left":"M","operator":"AND","right":{"left":"N","operator":"AND","right":{"left":"O","operator":"AND","right":{"left":"P","operator":"AND","right":{"left":
"S","operator":"AND","right":{"left":"U","operator":"AND","right":{"left":"V","operator":"AND","right":{"left":"X","operator":"AND","right":{"left":"Y","operator":"AND","right":"Z"}}}}}}}}}}}}}}}}}}}}}}}}},"version":"v0.1"},"metric":{"mlid":1,"name":"externalconnections","label":"External Connections"},"triggeredFilters":[{"cfid":23426,"id":"A","filterType":"Beaconing score","arguments":{"value":60},"comparatorType":">","trigger":{"value":"100"}},{"cfid":23427,"id":"AA","filterType":"Individual size up","arguments":{"value":0},"comparatorType":">","trigger":{"value":"4382"}},{"cfid":23428,"id":"AB","filterType":"Rare domain","arguments":{"value":95},"comparatorType":">","trigger":{"value":"100"}},{"cfid":23430,"id":"AD","filterType":"Age of destination","arguments":{"value":1209600},"comparatorType":"<","trigger":{"value":"558"}},{"cfid":23431,"id":"AE","filterType":"Age of external hostname","arguments":{"value":1209600},"comparatorType":"<","trigger":{"value":"558"}},{"cfid":23432,"id":"AF","filterType":"Connection hostname","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":"example.com"}},{"cfid":23433,"id":"AG","filterType":"ASN","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23434,"id":"AH","filterType":"JA3 hash","arguments":{"value":"5d41402abc4b2a76b9719d911017c592"},"comparatorType":"does not match","trigger":{"value":"5d41402abc4b2a76b9719d911017c592"}},{"cfid":23435,"id":"B","filterType":"Rare external IP","arguments":{"value":95},"comparatorType":">","trigger":{"value":"100"}},{"cfid":23436,"id":"C","filterType":"Application protocol","arguments":{"value":"1003"},"comparatorType":"is not","trigger":{"value":"1004"}},{"cfid":23437,"id":"D","filterType":"Destination 
port","arguments":{"value":53},"comparatorType":"!=","trigger":{"value":"443"}},{"cfid":23438,"id":"E","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":23439,"id":"H","filterType":"Destination port","arguments":{"value":137},"comparatorType":"!=","trigger":{"value":"443"}},{"cfid":23440,"id":"I","filterType":"Destination port","arguments":{"value":161},"comparatorType":"!=","trigger":{"value":"443"}},{"cfid":23441,"id":"J","filterType":"Protocol","arguments":{"value":"6"},"comparatorType":"is","trigger":{"value":"6"}},{"cfid":23442,"id":"K","filterType":"ASN","arguments":{"value":"Company"},"comparatorType":"does not contain","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23443,"id":"L","filterType":"ASN","arguments":{"value":"Company"},"comparatorType":"does not contain","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23444,"id":"M","filterType":"Internal source device type","arguments":{"value":"13"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23445,"id":"N","filterType":"Internal source device type","arguments":{"value":"5"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23446,"id":"O","filterType":"Internal source device type","arguments":{"value":"9"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23447,"id":"P","filterType":"Internal source device type","arguments":{"value":"12"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23448,"id":"S","filterType":"Internal source device type","arguments":{"value":"30"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23449,"id":"U","filterType":"Internal source device type","arguments":{"value":"4"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23450,"id":"V","filterType":"Internal source device type","arguments":{"value":"3"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23451,"id":"X","filterType":"Trusted 
hostname","arguments":{"value":"false"},"comparatorType":"is","trigger":{"value":"false"}},{"cfid":23452,"id":"Y","filterType":"Tagged internal source","arguments":{"value":26},"comparatorType":"does not have tag","trigger":{"value":"26","tag":{"tid":26,"expiry":0,"thid":26,"name":"No Device Tracking","restricted":false,"data":{"auto":false,"color":5,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":23453,"id":"Z","filterType":"Individual size down","arguments":{"value":0},"comparatorType":">","trigger":{"value":"5862"}},{"cfid":23454,"id":"d1","filterType":"JA3 hash","arguments":{},"comparatorType":"display","trigger":{"value":"5d41402abc4b2a76b9719d911017c592"}},{"cfid":23455,"id":"d2","filterType":"ASN","arguments":{},"comparatorType":"display","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23456,"id":"d3","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"81.2.69.192"}},{"cfid":23457,"id":"d4","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":"example.com"}}]}],"score":0.674,"device":{"did":3,"ip":"81.2.69.142","sid":1,"firstSeen":1657544089000,"lastSeen":1657544418000,"typename":"desktop","typelabel":"Desktop"}} +<165>1 2022-03-06T10:04:57+00:00 example.cloud.darktrace.com darktrace - - - {"model":{"name":"System::System","pid":802,"phid":803,"uuid":"7abcdefh-1234-1234-1234-5abababab","logic":{"data":[1594],"type":"componentList","version":1},"throttle":10,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":[],"interval":0,"delay":0,"sequenced":true,"active":true,"modified":"2022-07-11 11:41:08","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"An issue with the system has been detected. 
This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.","behaviour":"decreasing","defeats":[],"created":{"by":"System"},"edited":{"by":"Nobody"},"version":16,"priority":3,"category":"Informational","compliance":false},"device":{"did":-1},"triggeredComponents":[{"time":1657678365000,"cbid":5,"cid":1594,"chid":1594,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"B"},"operator":"OR","right":{"left":{"left":"A","operator":"AND","right":"C"},"operator":"OR","right":{"left":{"left":"A","operator":"AND","right":"D"},"operator":"OR","right":{"left":{"left":"A","operator":"AND","right":"E"},"operator":"OR","right":{"left":"A","operator":"AND","right":"F"}}}}},"version":"v0.1"},"metric":{"mlid":207,"name":"dtsystem","label":"System"},"triggeredFilters":[{"cfid":18136,"id":"A","filterType":"Event details","arguments":{"value":"analyze credential ignore list"},"comparatorType":"does not contain","trigger":{"value":"Probe 175.16.199.1 last contact was 18 minutes ago"}},{"cfid":18137,"id":"B","filterType":"System message","arguments":{"value":"Probe error"},"comparatorType":"is","trigger":{"value":"Probe error"}},{"cfid":18142,"id":"d1","filterType":"Event details","arguments":{},"comparatorType":"display","trigger":{"value":"Probe 175.16.199.1 last contact was 18 minutes ago"}},{"cfid":18143,"id":"d2","filterType":"System message","arguments":{},"comparatorType":"display","trigger":{"value":"Probe error"}}]}],"breachUrl":"https://example.com/#modelbreach/5","pbid":5,"score":0.674,"commentCount":0,"creationTime":1657678365000,"time":1657678366000,"mitreTechniques":[]} +<165>Aug 5 03:34:46 example.cloud.darktrace.com darktrace {"model":{"description":"Test model used for testing alerting 
configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test Model","priority":5},"device":{"ip":"175.16.199.1","hostname":"test-device.example.com","macaddress":"00:00:5e:00:53:00","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1659692086317,"time":1659692086317,"mitreTechniques":[]}
diff --git a/packages/darktrace/_dev/deploy/docker/sample_logs/system_status_alert.log b/packages/darktrace/_dev/deploy/docker/sample_logs/system_status_alert.log
new file mode 100644
index 00000000000..9cbdb646d8b
--- /dev/null
+++ b/packages/darktrace/_dev/deploy/docker/sample_logs/system_status_alert.log
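Review bot: The fourth event uses a BSD-style syslog header (`<165>Aug 5 03:34:46 example.cloud.darktrace.com darktrace {`) with no version, procid, msgid or structured-data columns, whereas the first three use the RFC 5424 form (`<165>1 <timestamp> example.cloud.darktrace.com darktrace - - - {`); whatever strips the header in the tcp/udp streams and the pipeline must accept both, and a pipeline test input covering the short form should exist alongside this sample. The same event also has a different device shape (`macaddress`, `vendor`, `label`, no `did`) and an empty `breachUrl`, and the third event has `"device":{"did":-1}` with no ip or hostname, so the device mapping should tolerate each of these fields being absent rather than failing the document. Whether the pipeline already handles this is not visible from this hunk.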
@@ -0,0 +1,2 @@
+<165>1 2022-03-10T10:11:10+00:00 example.cloud.darktrace.com darktrace - - - {"last_updated":1618760651,"uuid":"abcdabcd-1234-1234-1234-3abababcdcd3","priority":43,"priority_level":"medium","hostname":"example-vsensor","ip_address":"175.16.199.1","message":"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test","name":"advanced_search","acknowledge_timeout":null,"alert_name":"Advanced Search","child_id":1,"last_updated_status":1618760651,"status":"active"}
+<165>1 2022-02-19T04:02:50+00:00 example.cloud.darktrace.com darktrace - - - {"hostname":"local-abc","ip_address":"175.16.199.1","child_id":null,"name":"probe_down-0","priority":98,"priority_level":"critical","alert_name":"Probe Down","status":"Active","message":"The probe 1/175.16.199.1 has lost connection to the Master instance. Please ensure HTTPS bidirectional connectivity exists between the Master and the Probe.\n\nIf you have any issues, please open a ticket using the following link. https://example.com/test","last_updated":1658110810.556194,"last_updated_status":1658110810.556194,"acknowledge_timeout":null,"uuid":"abcd1234-1234-1234-1234-3abababcdcd3","url":"https://example.com/test?value=abcd1234-1234-1234-1234-3abababcdcd3"}
diff --git a/packages/darktrace/changelog.yml b/packages/darktrace/changelog.yml
new file mode 100644
index 00000000000..0da913124e3
--- /dev/null
+++ b/packages/darktrace/changelog.yml
@@ -0,0 +1,6 @@
+# newer versions go on top
+- version: "0.1.0"
+ changes:
+ - description: Initial draft of the package
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
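Review bot: The two events disagree in type and case on fields the pipeline is likely to key on: `last_updated`/`last_updated_status` are integer epoch seconds in the first (`1618760651`) and fractional in the second (`1658110810.556194`), `status` is `"active"` in one and `"Active"` in the other, and `child_id` is `1` versus `null`. The timestamp conversion must accept fractional epoch seconds without failing or silently truncating, and `status` should be lowercased before it is compared or mapped, otherwise the same alert state is handled differently depending on which path produced it. The pipeline is outside this hunk, so treat this as a checklist for its tests rather than a confirmed defect.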
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log
new file mode 100644
index 00000000000..72c8836b507
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log
@@ -0,0 +1,2 @@ +{"summariser":"AdminConnSummary","acknowledged":false,"pinned":true,"createdAt":1628002089240,"attackPhases":[5],"title":"Extensive Unusual SSH Connections","id":"eabc0011-1234-1234-1234-cabcdefg0011","children":["eabcdef0-1234-1234-1234-cabcdefghij9"],"category":"critical","currentGroup":"eabc1234-1234-1234-1234-cabcdefg0011","groupCategory":"critical","groupScore":"72.9174234","groupPreviousGroups":null,"activityId":"abcd1234","groupingIds":["abcdef12"],"groupByActivity":false,"userTriggered":false,"externalTriggered":false,"aiaScore":98,"summary":"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.","periods":[{"start":1627985298683,"end":1628000141220}],"breachDevices":[{"identifier":null,"hostname":"linux.local","ip":"81.2.69.144","mac":null,"subnet":"VPN","did":10,"sid":12}],"relatedBreaches":[{"modelName":"Unusual Activity / Unusual Activity from Re-Activated Device","pbid":1234,"threatScore":37,"timestamp":1627997157000}],"details":[[{"header":"Breaching Device","contents":[{"key":null,"type":"device","values":[{"identifier":null,"hostname":null,"ip":"175.16.199.1","mac":null,"subnet":"VPN","did":10,"sid":12}]}]}],[{"header":"SSH Activity","contents":[{"key":"Time","type":"timestampRange","values":[{"start":1627985298683,"end":1628000141220}]},{"key":"Number of unique IPs","type":"integer","values":[16]},{"key":"Targeted IP ranges 
include","type":"device","values":[{"identifier":null,"hostname":null,"ip":"81.2.69.192","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"175.16.199.1","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"175.16.199.3","mac":null,"subnet":null,"did":null,"sid":null}]},{"key":"Destination port","type":"integer","values":[22]},{"key":"Connection count","type":"integer","values":[40]},{"key":"Percentage successful","type":"percentage","values":[100]}]}]]} +{"summariser":"ScanSummary","acknowledged":false,"pinned":false,"createdAt":1657749437781,"attackPhases":[4],"title":"Port Scanning","id":"eabcdef0-1234-1234-1234-cabcdefghij9","incidentEventUrl":"https://www.example.com/#aiaincidentevent/eabcdef0-1234-1234-1234-cabcdefghij9","children":["eabcdef0-1234-1234-1234-cabcdefghij9"],"category":"suspicious","currentGroup":"eab12345-1234-1234-1234-cabcdef12345","groupCategory":"suspicious","groupScore":6.857722547303857,"groupPreviousGroups":[],"activityId":"abcdefee","groupingIds":["ab123456"],"groupByActivity":false,"userTriggered":false,"externalTriggered":false,"aiaScore":64,"summary":"The device linux.local was observed making an unusually large number of internal connection attempts to multiple devices, suggesting scanning activity.\n\nNetwork scanning can be used during reconnaissance to gather information about internal devices, such as their list of open ports, and is thus a possible indicator of preparation for malicious or unauthorised internal activity.\n\nIf the activity from the device was not expected, it is recommended that the security team investigate it further to determine whether it was part of legitimate network activity.","periods":[{"start":1657747020967,"end":1657749405342}],"breachDevices":[{"identifier":"linux.local","hostname":"linux.local","ip":"175.16.199.1/24","mac":null,"subnet":null,"did":7,"sid":1}],"relatedBreaches":[{"modelName":"Device / Attack and Recon 
Tools","pbid":6,"threatScore":88,"timestamp":1657748808000}],"details":[[{"header":"Overview of Scan","contents":[{"key":"Time","type":"timestampRange","values":[{"start":1657747020967,"end":1657749405342}]},{"key":"Source device","type":"device","values":[{"identifier":"linux.local","hostname":"linux.local","ip":"175.16.199.3/28","mac":null,"subnet":null,"did":7,"sid":1}]},{"key":"Scanned IPs","type":"device","values":[{"identifier":null,"hostname":null,"ip":"81.2.69.144","mac":null,"subnet":null,"did":null,"sid":null},{"identifier":null,"hostname":null,"ip":"81.2.69.192","mac":null,"subnet":null,"did":null,"sid":null}]},{"key":"Username observed prior to activity","type":"string","values":["user1"]},{"key":"Source of username","type":"string","values":["User login"]},{"key":"Time observed","type":"timestamp","values":[1657739323000]},{"key":"Event UID","type":"string","values":["CABCDabcdABCDabcd000"]}]}],[{"header":"TCP Scanning Activity","contents":[{"key":"Total connections","type":"integer","values":[4537]},{"key":"Total ports scanned","type":"integer","values":[996]},{"key":"Port range","type":"integerRange","values":[{"start":"1","end":"65389"}]},{"key":"Key ports","type":"integer","values":[21,22,23,80,389,443,1433,3128,3306,4444,4899,8080]}]}],[{"header":"UDP Scanning Activity","contents":[{"key":"Total connections","type":"integer","values":[116]},{"key":"Port","type":"integer","values":[137]}]}]]} diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log-expected.json b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log-expected.json new file mode 100644 index 00000000000..c2a4fad58b2 --- /dev/null +++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log-expected.json 
@@ -0,0 +1,482 @@ +{ + "expected": [ + { + "@timestamp": "2021-08-03T14:48:09.240Z", + "darktrace": { + "ai_analyst_alert": { + "activity_id": "abcd1234", + "aia_score": 98.0, + "attack_phases": [ + 5 + ], + "breach_devices": [ + { + "did": 10, + "hostname": "linux.local", + "ip": "81.2.69.144", + "sid": 12, + "subnet": "VPN" + } + ], + "category": "critical", + "children": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ], + "created_at": "2021-08-03T14:48:09.240Z", + "current_group": "eabc1234-1234-1234-1234-cabcdefg0011", + "details": [ + [ + { + "contents": [ + { + "type": "device", + "values": [ + { + "did": 10, + "ip": "175.16.199.1", + "sid": 12, + "subnet": "VPN" + } + ] + } + ], + "header": "Breaching Device" + } + ], + [ + { + "contents": [ + { + "key": "Time", + "type": "timestampRange", + "values": [ + { + "end": 1628000141220, + "start": 1627985298683 + } + ] + }, + { + "key": "Number of unique IPs", + "type": "integer", + "values": [ + 16 + ] + }, + { + "key": "Targeted IP ranges include", + "type": "device", + "values": [ + { + "ip": "81.2.69.192" + }, + { + "ip": "175.16.199.1" + }, + { + "ip": "175.16.199.3" + } + ] + }, + { + "key": "Destination port", + "type": "integer", + "values": [ + 22 + ] + }, + { + "key": "Connection count", + "type": "integer", + "values": [ + 40 + ] + }, + { + "key": "Percentage successful", + "type": "percentage", + "values": [ + 100 + ] + } + ], + "header": "SSH Activity" + } + ] + ], + "group_by_activity": false, + "group_category": "critical", + "group_score": 72.9174234, + "grouping_ids": [ + "abcdef12" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "is_acknowledged": false, + "is_external_triggered": false, + "is_pinned": true, + "is_user_triggered": false, + "periods": [ + { + "end": "2021-08-03T14:15:41.220Z", + "start": "2021-08-03T10:08:18.683Z" + } + ], + "related_breaches": [ + { + "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device", + "pbid": 1234, + "threat_score": 37, + 
"timestamp": "2021-08-03T13:25:57.000Z" + } + ], + "summariser": "AdminConnSummary", + "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "title": "Extensive Unusual SSH Connections" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "threat" + ], + "duration": [ + 14842537000000 + ], + "end": [ + "2021-08-03T14:15:41.220Z" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "kind": "alert", + "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate 
further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":\"linux.local\",\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}", + "reason": "Extensive Unusual SSH Connections", + "risk_score": 98.0, + "risk_score_norm": 98.0, + "start": [ + "2021-08-03T10:08:18.683Z" + ], + "type": [ + "info" + ] + }, + "host": { + "hostname": [ + "linux.local" + ], + "id": [ + "10" + ], + "ip": [ + "81.2.69.144" + ] + }, + "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a 
sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "related": { + "hosts": [ + "linux.local" + ], + "ip": [ + "81.2.69.144", + "175.16.199.1", + "81.2.69.192", + "175.16.199.3" + ] + }, + "rule": { + "name": [ + "Unusual Activity / Unusual Activity from Re-Activated Device" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "enrichments": { + "matched": { + "id": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ] + } + }, + "group": { + "id": "eabc1234-1234-1234-1234-cabcdefg0011" + } + } + }, + { + "@timestamp": "2022-07-13T21:57:17.781Z", + "darktrace": { + "ai_analyst_alert": { + "activity_id": "abcdefee", + "aia_score": 64.0, + "attack_phases": [ + 4 + ], + "breach_devices": [ + { + "did": 7, + "hostname": "linux.local", + "identifier": "linux.local", + "ip": "175.16.199.1/24", + "sid": 1 + } + ], + "category": "suspicious", + "children": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ], + "created_at": "2022-07-13T21:57:17.781Z", + "current_group": "eab12345-1234-1234-1234-cabcdef12345", + "details": [ + [ + { + "contents": [ + { + "key": "Time", + "type": "timestampRange", + "values": [ + { + "end": 1657749405342, + "start": 1657747020967 + } + ] + }, + { + "key": "Source device", + "type": "device", + "values": [ + { + "did": 7, + "hostname": "linux.local", + "identifier": "linux.local", + "ip": "175.16.199.3/28", + "sid": 1 + } + ] + }, + { + "key": "Scanned IPs", + "type": "device", + "values": [ + { + "ip": "81.2.69.144" + }, + { + "ip": "81.2.69.192" + } + ] + }, + { + "key": "Username observed prior to activity", + "type": "string", + "values": [ + "user1" + ] + }, + { + "key": "Source of username", + "type": "string", + "values": [ + "User login" + ] + }, + { + "key": "Time observed", + "type": "timestamp", + "values": [ + 1657739323000 + ] + }, + { + "key": "Event UID", + "type": 
"string", + "values": [ + "CABCDabcdABCDabcd000" + ] + } + ], + "header": "Overview of Scan" + } + ], + [ + { + "contents": [ + { + "key": "Total connections", + "type": "integer", + "values": [ + 4537 + ] + }, + { + "key": "Total ports scanned", + "type": "integer", + "values": [ + 996 + ] + }, + { + "key": "Port range", + "type": "integerRange", + "values": [ + { + "end": "65389", + "start": "1" + } + ] + }, + { + "key": "Key ports", + "type": "integer", + "values": [ + 21, + 22, + 23, + 80, + 389, + 443, + 1433, + 3128, + 3306, + 4444, + 4899, + 8080 + ] + } + ], + "header": "TCP Scanning Activity" + } + ], + [ + { + "contents": [ + { + "key": "Total connections", + "type": "integer", + "values": [ + 116 + ] + }, + { + "key": "Port", + "type": "integer", + "values": [ + 137 + ] + } + ], + "header": "UDP Scanning Activity" + } + ] + ], + "group_by_activity": false, + "group_category": "suspicious", + "group_score": 6.857722547303857, + "grouping_ids": [ + "ab123456" + ], + "id": "eabcdef0-1234-1234-1234-cabcdefghij9", + "incident_event_url": { + "domain": "www.example.com", + "fragment": "aiaincidentevent/eabcdef0-1234-1234-1234-cabcdefghij9", + "original": "https://www.example.com/#aiaincidentevent/eabcdef0-1234-1234-1234-cabcdefghij9", + "path": "/", + "scheme": "https" + }, + "is_acknowledged": false, + "is_external_triggered": false, + "is_pinned": false, + "is_user_triggered": false, + "periods": [ + { + "end": "2022-07-13T21:56:45.342Z", + "start": "2022-07-13T21:17:00.967Z" + } + ], + "related_breaches": [ + { + "model_name": "Device / Attack and Recon Tools", + "pbid": 6, + "threat_score": 88, + "timestamp": "2022-07-13T21:46:48.000Z" + } + ], + "summariser": "ScanSummary", + "summary": "The device linux.local was observed making an unusually large number of internal connection attempts to multiple devices, suggesting scanning activity.\n\nNetwork scanning can be used during reconnaissance to gather information about internal devices, such as their list 
of open ports, and is thus a possible indicator of preparation for malicious or unauthorised internal activity.\n\nIf the activity from the device was not expected, it is recommended that the security team investigate it further to determine whether it was part of legitimate network activity.", + "title": "Port Scanning" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "threat" + ], + "duration": [ + 2384375000000 + ], + "end": [ + "2022-07-13T21:56:45.342Z" + ], + "id": "eabcdef0-1234-1234-1234-cabcdefghij9", + "kind": "alert", + "original": "{\"summariser\":\"ScanSummary\",\"acknowledged\":false,\"pinned\":false,\"createdAt\":1657749437781,\"attackPhases\":[4],\"title\":\"Port Scanning\",\"id\":\"eabcdef0-1234-1234-1234-cabcdefghij9\",\"incidentEventUrl\":\"https://www.example.com/#aiaincidentevent/eabcdef0-1234-1234-1234-cabcdefghij9\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"suspicious\",\"currentGroup\":\"eab12345-1234-1234-1234-cabcdef12345\",\"groupCategory\":\"suspicious\",\"groupScore\":6.857722547303857,\"groupPreviousGroups\":[],\"activityId\":\"abcdefee\",\"groupingIds\":[\"ab123456\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":64,\"summary\":\"The device linux.local was observed making an unusually large number of internal connection attempts to multiple devices, suggesting scanning activity.\\n\\nNetwork scanning can be used during reconnaissance to gather information about internal devices, such as their list of open ports, and is thus a possible indicator of preparation for malicious or unauthorised internal activity.\\n\\nIf the activity from the device was not expected, it is recommended that the security team investigate it further to determine whether it was part of legitimate network 
activity.\",\"periods\":[{\"start\":1657747020967,\"end\":1657749405342}],\"breachDevices\":[{\"identifier\":\"linux.local\",\"hostname\":\"linux.local\",\"ip\":\"175.16.199.1/24\",\"mac\":null,\"subnet\":null,\"did\":7,\"sid\":1}],\"relatedBreaches\":[{\"modelName\":\"Device / Attack and Recon Tools\",\"pbid\":6,\"threatScore\":88,\"timestamp\":1657748808000}],\"details\":[[{\"header\":\"Overview of Scan\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1657747020967,\"end\":1657749405342}]},{\"key\":\"Source device\",\"type\":\"device\",\"values\":[{\"identifier\":\"linux.local\",\"hostname\":\"linux.local\",\"ip\":\"175.16.199.3/28\",\"mac\":null,\"subnet\":null,\"did\":7,\"sid\":1}]},{\"key\":\"Scanned IPs\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Username observed prior to activity\",\"type\":\"string\",\"values\":[\"user1\"]},{\"key\":\"Source of username\",\"type\":\"string\",\"values\":[\"User login\"]},{\"key\":\"Time observed\",\"type\":\"timestamp\",\"values\":[1657739323000]},{\"key\":\"Event UID\",\"type\":\"string\",\"values\":[\"CABCDabcdABCDabcd000\"]}]}],[{\"header\":\"TCP Scanning Activity\",\"contents\":[{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[4537]},{\"key\":\"Total ports scanned\",\"type\":\"integer\",\"values\":[996]},{\"key\":\"Port range\",\"type\":\"integerRange\",\"values\":[{\"start\":\"1\",\"end\":\"65389\"}]},{\"key\":\"Key ports\",\"type\":\"integer\",\"values\":[21,22,23,80,389,443,1433,3128,3306,4444,4899,8080]}]}],[{\"header\":\"UDP Scanning Activity\",\"contents\":[{\"key\":\"Total connections\",\"type\":\"integer\",\"values\":[116]},{\"key\":\"Port\",\"type\":\"integer\",\"values\":[137]}]}]]}", + "reason": "Port Scanning", + 
"risk_score": 64.0, + "risk_score_norm": 64.0, + "start": [ + "2022-07-13T21:17:00.967Z" + ], + "type": [ + "info" + ], + "url": "https://www.example.com/#aiaincidentevent/eabcdef0-1234-1234-1234-cabcdefghij9" + }, + "host": { + "hostname": [ + "linux.local" + ], + "id": [ + "7" + ], + "name": [ + "linux.local" + ] + }, + "message": "The device linux.local was observed making an unusually large number of internal connection attempts to multiple devices, suggesting scanning activity.\n\nNetwork scanning can be used during reconnaissance to gather information about internal devices, such as their list of open ports, and is thus a possible indicator of preparation for malicious or unauthorised internal activity.\n\nIf the activity from the device was not expected, it is recommended that the security team investigate it further to determine whether it was part of legitimate network activity.", + "related": { + "hosts": [ + "linux.local" + ], + "ip": [ + "81.2.69.144", + "81.2.69.192" + ] + }, + "rule": { + "name": [ + "Device / Attack and Recon Tools" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "enrichments": { + "matched": { + "id": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ] + } + }, + "group": { + "id": "eab12345-1234-1234-1234-cabcdef12345" + } + } + } + ] +} \ No newline at end of file diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-common-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-common-config.yml new file mode 100644 index 00000000000..be41bb0d476 --- /dev/null +++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-common-config.yml @@ -0,0 +1,4 @@ +fields: + tags: + - preserve_original_event + - preserve_duplicate_custom_fields 
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml
new file mode 100644
index 00000000000..938018884cf
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-httpjson-config.yml
@@ -0,0 +1,10 @@
+input: httpjson
+service: darktrace
+vars:
+ url: http://{{Hostname}}:{{Port}}
+ public_token: xxxx
+ private_token: xxxx
+data_stream:
+ vars:
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml
new file mode 100644
index 00000000000..53314b710b8
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tcp-config.yml
@@ -0,0 +1,10 @@
+service: darktrace-ai_analyst_alert-tcp
+service_notify_signal: SIGHUP
+input: tcp
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9571
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml
new file mode 100644
index 00000000000..d3819b60c78
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-tls-config.yml
@@ -0,0 +1,62 @@ +service: darktrace-ai_analyst_alert-tls +service_notify_signal: SIGHUP +input: tcp +vars: + listen_address: 0.0.0.0 + ssl: | + key: | + -----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhCLvLsQAHufsN + U+u1x/CequAUphfXZqLhDo2Eo/holfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU + /Ru8E76Az1egzMwT3TVAPLVU8NbrxBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxS + cD1sa0oikXCJN1a3BSoAf9iiZ/dxz4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg70 + 4vHOeg0rBbIoSNfjDUVZWjwC95K1BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDL + SHWis65p+1AAa5xieYDb47vyJ0SSR7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloIT + Xg9ag1OlAgMBAAECggEAEHfPJmzhj68wjB0kFr13AmWG2Hv/Kqg8KzQhbx+AwkaW + u7j+L70NGpvLZ9VQtLNyhxoz9cksZO1SZO/Q48aeHlcOFppmJN3/U6AdtQWa9M35 + FLLpmX16wjxVHsfvzOvopgLOoYl8PqZt66qDFDgVyMnT7na6RdJ+7GJuvBPXq+Bc + vgThvAZitHSAOhnBFYmTMlBi6AzOMMsaFlgE3Xf9v3M0pAKItPRKMhXlC3MyvA/v + jgbra4Ib+0ryohggHheHB3bn3Jgv7iFKoW9OQSePVxacJ+kfr9H+No5g495URzqR + mx/96WCiv3rAh3ct8Sk/C4/3zMC8fUueDJIVjhgw0QKBgQD8NufLINNkIpBrLoCS + 972oFEjZB2u6EusQ7X9raROqpaw26ZSu+zSHeIKCGQ93M3aRb3FpdGeOxgZ095MV + 8a+nlh4stOvHj2Mm5YhTBDUavTC7o9aVR3Od5eTXUpHnaJpNI/uyIcKupeK1UJnV + UlBLeIwo/vJ1gsVrKMMAJkuKbwKBgQDkaWRRd0w2gUIbCTGf203BqXft0VdIiOW7 + +gnkeaNHAf09XljzxMcQzrB8kG63aKVGbJffphEfzxtiJ+HRQVH+7QpKRhU/GHmu + +6OKkxTcxJm5zhoRFxcSi2wG4PWmUGJvc7ss1OJGcaOUxwocCepO7N/jfdDz9Uke + KnA+YWOdKwKBgQDteZkYlojT0QOgF8HyH5gQyUCqMKWLJ0LzxltiPCbLV4Dml1pq + w5Z7M8nWS1hXiTpLx93GSFc1hFkSCwYP9GfK6Lryp0sVtHnMZvTMDbseuSJImwRx + vDwtYQfugg1lEQWwOoBEAiu3m/PxernNtNprpU57T0nlwUK3GkM5QdWAuwKBgQCZ + ZF3GiANapzupxGbbH//8Cr9LqsafI7CEqMpz8WxBh4h16iJ6sq+tDeFgBe8UpOY5 + gTwNKg1d+0w8guQYD3HtbWr3rlEeamVtqfiOW3ArQqyqJ0tCJuuLvK3zgKf35Qv2 + JRaSaPT8sdxVUcXsRoxgLJu+vwPQke1koMN4YRbwuQKBgQDJiZ/WSeqa5oIqkXbn + hjm7RXKaf2oE1U/bNjdSFtdEP7T4vUvvr7Hq2f/jiBLtCE7w16PJjKx9iIq2+jMl + qIY43Sk9bdi5FxtYTHda0hwrbH274P+QVcVs5PXCT0TGktOleHGBlXaaPrxl9iCh + 8tmmxZZYa5aQxEO/lxB9xQKaiQ== + -----END PRIVATE KEY----- + certificate: | + -----BEGIN CERTIFICATE----- + 
MIIDazCCAlOgAwIBAgIUW5TDu1tJMY2Oa7PsL+BQSmeWqz0wDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEwMDEwNTAwMjNaFw0yMTEw + MDIwNTAwMjNaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw + HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQDhCLvLsQAHufsNU+u1x/CequAUphfXZqLhDo2Eo/ho + lfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU/Ru8E76Az1egzMwT3TVAPLVU8Nbr + xBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxScD1sa0oikXCJN1a3BSoAf9iiZ/dx + z4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg704vHOeg0rBbIoSNfjDUVZWjwC95K1 + BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDLSHWis65p+1AAa5xieYDb47vyJ0SS + R7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloITXg9ag1OlAgMBAAGjUzBRMB0GA1Ud + DgQWBBRYUSKDHBBE9Q6fTeTqogicCxcXwDAfBgNVHSMEGDAWgBRYUSKDHBBE9Q6f + TeTqogicCxcXwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc + T8B+GpvPy9NQ700LsywRPY0L9IJCKiu6j3TP1tqqSPjAC/cg9ac+bFXuWOu7V+KJ + s09Q/pItq9SLX6UvnfRzTxu5lCBwwGX9cL131mTIu5SmFo7Eks+sorbiIarWDMoC + e+9An3GFpagW+YhOt4BdIM5lTqoeodzganDBsOUZI9aDAj2Yo5h2O7r6Wd12cb6T + mz8vMfB2eG8BxU20ZMfkdERWjiyXHOSBQqeqfkV8d9370gMu5RcJNcIgnbmTRdho + X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA + qEf55SihFqErRMeURPPF + -----END CERTIFICATE----- +data_stream: + vars: + listen_port: 9571 + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..0d9b6eb6f0e --- /dev/null +++ b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/system/test-udp-config.yml @@ -0,0 +1,10 @@ +service: darktrace-ai_analyst_alert-udp +service_notify_signal: SIGHUP +input: udp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9574 + preserve_original_event: true + preserve_duplicate_custom_fields: true 
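Review bot: The `ssl:` block in test-tls-config.yml commits a PEM private key together with a self-signed certificate whose encoded validity window appears to be 2021-10-01 to 2021-10-02, so any client that verifies this certificate will already treat it as expired. The listener side does not check its own expiry, so the file still exercises a TLS-enabled TCP input, but nothing in it says the pair is disposable, and a key lifted from a public repository is a recurring incident pattern. Add a header comment above `service:` such as `# Test-only self-signed key pair; intentionally short-lived, never reuse outside elastic-package system tests.` and, if the test harness client verifies certificates, regenerate a pair with a longer validity so the system test cannot fail on expiry alone. The file is complete within this hunk.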
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..7a5327f9c6b
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,48 @@
+config_version: 2
+interval: {{interval}}
+request.timeout: 5m
+request.method: GET
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.url: {{url}}/aianalyst/incidentevents?includeacknowledged=true&includeincidenteventurl=true
+request.transforms:
+ - set:
+ target: header.DTAPI-Token
+ value: {{public_token}}
+ - set:
+ target: header.DTAPI-Date
+ value: '[[formatDate (now) "20060102T150405"]]'
+ - set:
+ target: url.params.starttime
+ value: '[[.cursor.last_execution_datetime]]'
+ default: '[[(now (parseDuration "-{{initial_interval}}")).UnixMilli]]'
+ - set:
+ target: url.params.endtime
+ value: '[[(now).UnixMilli]]'
+ - set:
+ target: header.DTAPI-Signature
+ value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (formatDate (now) "20060102T150405"))]]'
+cursor:
+ last_execution_datetime:
+ value: '[[.last_response.url.params.Get "endtime"]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..b1d260f0f9c
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/tcp.yml.hbs
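Review bot: The `DTAPI-Date` header and the string signed in the `DTAPI-Signature` transform each evaluate `(now)` separately, so whenever the two calls straddle a second boundary the HMAC covers a timestamp that differs from the header Darktrace will validate against, and the poll fails authentication intermittently. Sign over the header that was already set a few lines earlier instead of re-reading the clock, e.g. `value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (.header.Get "DTAPI-Date"))]]'`; this assumes `.header` is readable in request transforms the same way `.last_response.url.params.Get` is used in the cursor below, which should be confirmed against the httpjson docs for the agent version this package pins. The transform order is also load-bearing: `starttime` and `endtime` must be set before the signature because `.url.RawQuery` is part of the signed string, and a comment above the signature transform saying so (`# Must stay last: the signature covers the final query string and the DTAPI-Date header`) would stop a future reorder from silently breaking every request.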
@@ -0,0 +1,26 @@
+host: "{{listen_address}}:{{listen_port}}"
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- syslog:
+ field: message
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..f342c4fa75c
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/udp.yml.hbs
@@ -0,0 +1,23 @@
+host: "{{listen_address}}:{{listen_port}}"
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- syslog:
+ field: message
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..3b22b43d8bb
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/elasticsearch/ingest_pipeline/default.yml
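Review bot: The TCP listener in tcp.yml.hbs is plaintext unless the operator fills in the optional `ssl` variable, which the `{{#if ssl}}` guard splices in verbatim, so alert bodies that carry host names, internal IPs and usernames (the sample event's `Username observed prior to activity` detail) cross the network unencrypted by default and nothing in the template says so. Add a comment above the guard such as `# TLS is off unless the ssl variable is set; without it alert content is received in clear text` so the trade-off is visible where it is made. The hard-coded `syslog` processor is also worth a one-line comment, since it runs before any user-supplied `processors` and decides what `message` the ingest pipeline's leading grok receives.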
@@ -0,0 +1,856 @@ +--- +description: Pipeline for processing AI Analyst Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - grok: + field: message + patterns: + - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" + pattern_definitions: + FIELD: "[a-zA-Z]*" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.id + - json.createdAt + - json.activityId + - json.currentGroup + target_field: _id + ignore_missing: true + - set: + field: event.kind + value: alert + if: (['critical','suspicious'].contains(ctx.json?.category?.toLowerCase())) + - set: + field: event.kind + value: event + if: (['compliance','informational'].contains(ctx.json?.category?.toLowerCase())) + - set: + field: event.category + value: [threat] + if: ctx.event?.kind == 'alert' + - set: + field: event.type + value: [info] + - rename: + field: json.activityId + target_field: darktrace.ai_analyst_alert.activity_id + ignore_missing: true + - convert: + field: json.aiaScore + target_field: darktrace.ai_analyst_alert.aia_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.risk_score + copy_from: darktrace.ai_analyst_alert.aia_score + ignore_failure: true + - set: + field: event.risk_score_norm + copy_from: darktrace.ai_analyst_alert.aia_score + ignore_failure: true + - foreach: + field: json.attackPhases + if: ctx.json?.attackPhases instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value + type: long + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.attackPhases + target_field: darktrace.ai_analyst_alert.attack_phases + ignore_missing: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices 
instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.did + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.did + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: host.id + value: '{{{_ingest._value.did}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: host.id + type: string + ignore_missing: true + on_failure: + - remove: + field: host.id + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.hostname + type: ip + target_field: _ingest._value._temp_.hostname_ip + ignore_missing: true + on_failure: + - append: + field: host.hostname + value: '{{{_ingest._value.hostname}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - set: + field: related.hosts + copy_from: host.hostname + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.identifier + target_field: _ingest._value._temp_.identifier_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: host.name + value: '{{{_ingest._value.identifier}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: 
'{{{_ingest._value._temp_.identifier_ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: host.name + if: ctx.host?.name instanceof List + ignore_failure: true + processor: + append: + field: related.hosts + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.ip + target_field: _ingest._value._temp_.ip + type: ip + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: host.ip + value: '{{{_ingest._value._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: host.ip + if: ctx.host?.ip instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + gsub: + field: _ingest._value.mac + target_field: _ingest._value.mac_address + pattern: '[:.]' + replacement: '-' + ignore_missing: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + uppercase: + field: _ingest._value.mac_address + ignore_missing: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + append: + field: host.mac + value: '{{{_ingest._value.mac_address}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.sid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.sid + - append: + field: error.message + value: 
'{{{_ingest.on_failure_message}}}' + - foreach: + field: json.breachDevices + if: ctx.json?.breachDevices instanceof List + ignore_failure: true + processor: + remove: + field: + - _ingest._value._temp_ + - _ingest._value.mac + ignore_missing: true + - rename: + field: json.breachDevices + target_field: darktrace.ai_analyst_alert.breach_devices + ignore_missing: true + - rename: + field: json.category + target_field: darktrace.ai_analyst_alert.category + ignore_missing: true + - rename: + field: json.children + target_field: darktrace.ai_analyst_alert.children + ignore_missing: true + - set: + field: threat.enrichments.matched.id + copy_from: darktrace.ai_analyst_alert.children + ignore_failure: true + - date: + field: json.createdAt + target_field: darktrace.ai_analyst_alert.created_at + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.createdAt != null + on_failure: + - remove: + field: json.createdAt + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + copy_from: darktrace.ai_analyst_alert.created_at + ignore_failure: true + - rename: + field: json.currentGroup + target_field: darktrace.ai_analyst_alert.current_group + ignore_missing: true + - set: + field: threat.group.id + copy_from: darktrace.ai_analyst_alert.current_group + ignore_failure: true + if: ctx.darktrace?.ai_analyst_alert?.current_group != null + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + convert: + field: _ingest._value.ip + target_field: _ingest._value._temp_.ip + type: ip + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + 
processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + convert: + field: _ingest._value.hostname + target_field: _ingest._value._temp_.hostname_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: related.hosts + value: '{{{_ingest._value.hostname}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + convert: + field: _ingest._value.identifier + target_field: _ingest._value._temp_.identifier_ip + type: ip + ignore_missing: true + on_failure: + - append: + field: related.hosts + value: 
'{{{_ingest._value.identifier}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.identifier_ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + gsub: + field: _ingest._value.mac + target_field: _ingest._value.mac_address + pattern: '[:.]' + replacement: '-' + ignore_missing: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + uppercase: + field: _ingest._value.mac_address + ignore_missing: true + - foreach: + field: json.details + if: ctx.json?.details instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value + ignore_failure: true + processor: + foreach: + field: _ingest._value.contents + ignore_failure: true + processor: + foreach: + field: _ingest._value.values + ignore_failure: true + processor: + remove: + field: + - _ingest._value._temp_ + - _ingest._value.mac + ignore_missing: true + - rename: + field: json.details + target_field: darktrace.ai_analyst_alert.details + ignore_missing: true + - convert: + 
field: json.groupByActivity + target_field: darktrace.ai_analyst_alert.group_by_activity + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: threat.group.id + copy_from: darktrace.ai_analyst_alert.activity_id + ignore_failure: true + if: ctx.threat?.group?.id == null && ctx.darktrace?.ai_analyst_alert?.group_by_activity == true + - rename: + field: json.groupCategory + target_field: darktrace.ai_analyst_alert.group_category + ignore_missing: true + - rename: + field: json.groupPreviousGroups + target_field: darktrace.ai_analyst_alert.group_previous_groups + ignore_missing: true + - convert: + field: json.groupScore + target_field: darktrace.ai_analyst_alert.group_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.groupingIds + target_field: darktrace.ai_analyst_alert.grouping_ids + ignore_missing: true + - rename: + field: json.id + target_field: darktrace.ai_analyst_alert.id + ignore_missing: true + - set: + field: event.id + copy_from: darktrace.ai_analyst_alert.id + ignore_failure: true + - uri_parts: + field: json.incidentEventUrl + target_field: darktrace.ai_analyst_alert.incident_event_url + if: ctx.json?.incidentEventUrl != null + keep_original: true + on_failure: + - remove: + field: json.incidentEventUrl + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.url + copy_from: darktrace.ai_analyst_alert.incident_event_url.original + ignore_failure: true + - convert: + field: json.acknowledged + target_field: darktrace.ai_analyst_alert.is_acknowledged + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.externalTriggered + target_field: darktrace.ai_analyst_alert.is_external_triggered + type: boolean + 
ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.pinned + target_field: darktrace.ai_analyst_alert.is_pinned + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.userTriggered + target_field: darktrace.ai_analyst_alert.is_user_triggered + type: boolean + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - script: + description: Determine event.duration from starting and ending activity timestamp. + if: ctx.json?.periods instanceof List + lang: painless + ignore_failure: true + params: + NANOS_IN_A_MILLI_SECOND: 1000000 + source: + def duration = new ArrayList(); + for (event in ctx.json.periods) { + duration.add((event?.end - event?.start) * params.NANOS_IN_A_MILLI_SECOND); + } + ctx.event.duration = duration; + - foreach: + field: json.periods + if: ctx.json?.periods instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.end + target_field: _ingest._value.end + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.end + ignore_missing: true + - foreach: + field: json.periods + if: ctx.json?.periods instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.start + target_field: _ingest._value.start + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.start + ignore_missing: true + - rename: + field: json.periods + target_field: darktrace.ai_analyst_alert.periods + ignore_missing: true + - foreach: + field: darktrace.ai_analyst_alert.periods + if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List + ignore_failure: true + processor: + append: + field: event.end + value: '{{{_ingest._value.end}}}' + allow_duplicates: false + ignore_failure: true 
+ - foreach: + field: darktrace.ai_analyst_alert.periods + if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List + ignore_failure: true + processor: + append: + field: event.start + value: '{{{_ingest._value.start}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.timestamp + target_field: _ingest._value.timestamp + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.timestamp + ignore_missing: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.pbid + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.pbid + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.threatScore + target_field: _ingest._value.threat_score + type: long + ignore_missing: true + on_failure: + - remove: + field: _ingest._value.threatScore + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + rename: + field: _ingest._value.modelName + target_field: _ingest._value.model_name + ignore_missing: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + append: + field: rule.name + value: '{{{_ingest._value.model_name}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.relatedBreaches + if: ctx.json?.relatedBreaches instanceof List + ignore_failure: true + processor: + remove: + field: 
_ingest._value.threatScore + ignore_missing: true + - rename: + field: json.relatedBreaches + target_field: darktrace.ai_analyst_alert.related_breaches + ignore_missing: true + - rename: + field: json.summariser + target_field: darktrace.ai_analyst_alert.summariser + ignore_missing: true + - rename: + field: json.summary + target_field: darktrace.ai_analyst_alert.summary + ignore_missing: true + - set: + field: message + copy_from: darktrace.ai_analyst_alert.summary + ignore_failure: true + - rename: + field: json.title + target_field: darktrace.ai_analyst_alert.title + ignore_missing: true + - set: + field: event.reason + copy_from: darktrace.ai_analyst_alert.title + ignore_failure: true + - remove: + field: json + ignore_missing: true + - remove: + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + field: + - darktrace.ai_analyst_alert.created_at + - darktrace.ai_analyst_alert.summary + - darktrace.ai_analyst_alert.id + - darktrace.ai_analyst_alert.title + - darktrace.ai_analyst_alert.aia_score + - darktrace.ai_analyst_alert.children + ignore_failure: true + ignore_missing: true + - foreach: + field: darktrace.ai_analyst_alert.related_breaches + if: ctx.darktrace?.ai_analyst_alert?.related_breaches instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.model_name + ignore_missing: true + ignore_failure: true + - foreach: + field: darktrace.ai_analyst_alert.periods + if: ctx.darktrace?.ai_analyst_alert?.periods instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.start + - _ingest._value.end + ignore_missing: true + ignore_failure: true + - foreach: + field: darktrace.ai_analyst_alert.breach_devices + if: ctx.darktrace?.ai_analyst_alert?.breach_devices instanceof List && (ctx.tags == null || 
!(ctx.tags.contains('preserve_duplicate_custom_fields'))) + ignore_failure: true + processor: + remove: + field: + - _ingest._value.did + - _ingest._value.mac_address + ignore_missing: true + ignore_failure: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. + lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml new file mode 100644 index 00000000000..6e1bac042bc --- /dev/null +++ b/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml 
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/base-fields.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/base-fields.yml
new file mode 100644
index 00000000000..f5f5a863f1d
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: darktrace
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: darktrace.ai_analyst_alert
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml
new file mode 100644
index 00000000000..91f5c279f9e
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml
@@ -0,0 +1,66 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.end
+- external: ecs
+ name: event.id
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.reason
+- external: ecs
+ name: event.risk_score
+- external: ecs
+ name: event.risk_score_norm
+- external: ecs
+ name: event.start
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.url
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.name
+- external: ecs
+ name: log.syslog.appname
+- external: ecs
+ name: log.syslog.facility.code
+- external: ecs
+ name: log.syslog.facility.name
+- external: ecs
+ name: log.syslog.hostname
+- external: ecs
+ name: log.syslog.priority
+- external: ecs
+ name: log.syslog.severity.code
+- external: ecs
+ name: log.syslog.severity.name
+- external: ecs
+ name: log.syslog.version
+- external: ecs
+ name: message
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: rule.name
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.enrichments.matched.id
+- external: ecs
+ name: threat.group.id
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/fields.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/fields.yml
new file mode 100644
index 00000000000..2a6a32bea67
--- /dev/null
+++ b/packages/darktrace/data_stream/ai_analyst_alert/fields/fields.yml
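Review bot: The last two declarations, `threat.group.id` and `threat.enrichments.matched.id`, are populated by the pipeline (earlier hunk) with `copy_from: darktrace.ai_analyst_alert.current_group` and `copy_from: darktrace.ai_analyst_alert.children`, i.e. Darktrace incident and event UUIDs, whereas ECS defines `threat.group.id` as the identifier of a threat-actor group and `threat.enrichments.matched.id` as the id of the indicator that matched. Any cross-integration detection rule or dashboard that pivots on `threat.group.id` will treat these UUIDs as actor identifiers, and the custom fields that actually carry them are removed by default unless the `preserve_duplicate_custom_fields` tag is set, so the only surviving copy is the mislabelled one. Consider dropping these two `external: ecs` entries and keeping the UUIDs in `darktrace.ai_analyst_alert.current_group` / `children` regardless of the tag, or, if the mapping is intentional, document it in the README so consumers know the values are Darktrace grouping ids rather than actor or indicator ids.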
@@ -0,0 +1,143 @@ +- name: darktrace.ai_analyst_alert + type: group + fields: + - name: activity_id + type: keyword + description: An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident. + - name: aia_score + type: double + description: The score of the event as classified by AI Analyst - out of 100. + - name: attack_phases + type: long + description: Of the six attack phases, which phases are applicable to the activity. + - name: breach_devices + type: group + fields: + - name: did + type: long + description: The unique device id identifier for the device that triggered the breach. This field is used to group events into device-based incidents within the Threat Visualizer. + - name: hostname + type: keyword + description: The hostname associated with the device, if available. + - name: identifier + type: keyword + description: An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability. + - name: ip + type: keyword + description: The IP associated with the device. + - name: mac_address + type: keyword + description: The MAC address associated with the device. + - name: sid + type: long + description: The subnet id for the subnet the device is currently located in. + - name: subnet + type: keyword + description: The subnet label for the corresponding subnet, if available. + - name: category + type: keyword + description: The behavior category associated with the incident event. + - name: children + type: keyword + description: One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values. + - name: created_at + type: date + description: Timestamp for event creation in epoch time. 
+ - name: current_group + type: keyword + description: The UUID of the current incident this event belongs to. + - name: details + type: flattened + description: An array of multiple sections (sub-arrays) of event information. + - name: group_by_activity + type: boolean + description: Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s). + - name: group_category + type: keyword + description: The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. + - name: group_previous_groups + type: keyword + description: If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged. + - name: group_score + type: double + description: The current overall score of the incident this event is part of. + - name: grouping_ids + type: keyword + description: Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident. + - name: id + type: keyword + description: A system field. + - name: incident_event_url + type: group + description: A URL to access the AI Analyst alert in the Threat Visualizer. + fields: + - name: domain + type: keyword + - name: extension + type: keyword + - name: fragment + type: keyword + - name: full + type: keyword + - name: original + type: keyword + - name: password + type: keyword + - name: path + type: keyword + - name: port + type: long + - name: query + type: keyword + - name: scheme + type: keyword + - name: username + type: keyword + - name: is_acknowledged + type: boolean + description: Whether the event has been acknowledged. 
+ - name: is_external_triggered + type: boolean + description: Whether the event was created as a result of an externally triggered AI Analyst investigation. + - name: is_pinned + type: boolean + description: Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. Pinned events will always return regardless of the timeframe specified. + - name: is_user_triggered + type: boolean + description: Whether the event was created as a result of a user-triggered AI Analyst investigation. + - name: periods + type: group + fields: + - name: end + type: date + description: A timestamp for the end of the activity period in epoch time. + - name: start + type: date + description: A timestamp for the start of the activity period in epoch time. + - name: related_breaches + type: group + fields: + - name: model_name + type: keyword + description: The name of the model that breached. + - name: pbid + type: long + description: The policy breach ID unique identifier of the model breach. + - name: threat_score + type: long + description: The breach score of the associated model breach - out of 100. + - name: timestamp + type: date + description: The timestamp at which the model breach occurred in epoch time. + - name: summariser + type: keyword + description: A system field. + - name: summary + type: keyword + description: A textual summary of the suspicious activity. This example is abbreviated. + - name: title + type: keyword + description: A title describing the activity that occurred. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/darktrace/data_stream/ai_analyst_alert/manifest.yml b/packages/darktrace/data_stream/ai_analyst_alert/manifest.yml new file mode 100644 index 00000000000..40bf35b3781 --- /dev/null +++ b/packages/darktrace/data_stream/ai_analyst_alert/manifest.yml 
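Review bot: `incident_event_url.password` and `incident_event_url.username` are mapped as indexed `keyword` fields, so if a Threat Visualizer URL ever carries basic-auth userinfo (`https://user:secret@host/...`) the `uri_parts` processor in the pipeline hunk will split it out and the credential will be stored and searchable in clear. Unless there is a known need for these components, remove both entries from this group and drop `darktrace.ai_analyst_alert.incident_event_url.password` in the pipeline right after the `uri_parts` step (that step is outside this hunk). Separately, several descriptions here are pasted from the vendor API docs and no longer match the mapping: `created_at`, `periods.start`/`periods.end` and `related_breaches.timestamp` say "in epoch time" but are typed `date` (the pipeline converts them), and `summary` ends with `This example is abbreviated.`, which belongs to the vendor's sample and should be deleted.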
@@ -0,0 +1,171 @@ +title: Collect AI Analyst Alert logs from Darktrace +type: logs +streams: + - input: httpjson + title: AI Analyst Alert logs + description: Collect AI Analyst Alert logs via API. + template_path: httpjson.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the AI Analyst Alert logs from Darktrace. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Darktrace API. + default: 1m + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_ai_analyst_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp + title: AI Analyst Alert logs + description: Collect AI Analyst Alert logs via TCP input. + template_path: tcp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. 
+ multi: false + required: true + show_user: true + default: 9571 + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_ai_analyst_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + title: AI Analyst Alert logs + description: Collect AI Analyst Alert logs via UDP input. + template_path: udp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. 
+ multi: false + required: true + show_user: true + default: 9574 + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_ai_analyst_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json b/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json new file mode 100644 index 00000000000..874e417fb28 --- /dev/null +++ b/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json 
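Review bot: The `tcp` and `udp` streams expose no dedicated TLS variable; the only tunables shown to the operator are `listen_port` and the `tcp_options` / `udp_options` YAML whose defaults set just `max_message_size`, so following the UI produces a cleartext, unauthenticated listener for alerts that feed `rule.name`, `host.ip` and `event.kind: alert`. Anyone who can reach that port can inject fabricated Darktrace incidents into the SIEM, and UDP cannot be source-authenticated at all. If `tcp.yml.hbs` passes `tcp_options` through verbatim (not visible in this hunk), at minimum say so in the description, e.g. `description: Specify custom configuration options for the TCP input, including ssl.certificate/ssl.key to enable TLS.`; better, add an `ssl` YAML variable next to `listen_port` for the TCP stream, as other syslog-style integrations do, and note in the UDP description that the transport provides no confidentiality or authentication.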
@@ -0,0 +1,241 @@
+{
+ "@timestamp": "2021-08-03T14:48:09.240Z",
+ "agent": {
+ "ephemeral_id": "a61287e5-6cac-4e83-8354-5cf118335548",
+ "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "name": "docker-fleet-agent",
+ "type": "filebeat",
+ "version": "8.2.1"
+ },
+ "darktrace": {
+ "ai_analyst_alert": {
+ "activity_id": "abcd1234",
+ "aia_score": 98,
+ "attack_phases": [
+ 5
+ ],
+ "breach_devices": [
+ {
+ "did": 10,
+ "ip": "81.2.69.144",
+ "sid": 12,
+ "subnet": "VPN"
+ }
+ ],
+ "category": "critical",
+ "children": [
+ "eabcdef0-1234-1234-1234-cabcdefghij9"
+ ],
+ "created_at": "2021-08-03T14:48:09.240Z",
+ "current_group": "eabc1234-1234-1234-1234-cabcdefg0011",
+ "details": [
+ [
+ {
+ "contents": [
+ {
+ "type": "device",
+ "values": [
+ {
+ "did": 10,
+ "ip": "175.16.199.1",
+ "sid": 12,
+ "subnet": "VPN"
+ }
+ ]
+ }
+ ],
+ "header": "Breaching Device"
+ }
+ ],
+ [
+ {
+ "contents": [
+ {
+ "key": "Time",
+ "type": "timestampRange",
+ "values": [
+ {
+ "end": 1628000141220,
+ "start": 1627985298683
+ }
+ ]
+ },
+ {
+ "key": "Number of unique IPs",
+ "type": "integer",
+ "values": [
+ 16
+ ]
+ },
+ {
+ "key": "Targeted IP ranges include",
+ "type": "device",
+ "values": [
+ {
+ "ip": "81.2.69.192"
+ },
+ {
+ "ip": "175.16.199.1"
+ },
+ {
+ "ip": "175.16.199.3"
+ }
+ ]
+ },
+ {
+ "key": "Destination port",
+ "type": "integer",
+ "values": [
+ 22
+ ]
+ },
+ {
+ "key": "Connection count",
+ "type": "integer",
+ "values": [
+ 40
+ ]
+ },
+ {
+ "key": "Percentage successful",
+ "type": "percentage",
+ "values": [
+ 100
+ ]
+ }
+ ],
+ "header": "SSH Activity"
+ }
+ ]
+ ],
+ "group_by_activity": false,
+ "group_category": "critical",
+ "group_score": 72.9174234,
+ "grouping_ids": [
+ "abcdef12"
+ ],
+ "id": "eabc0011-1234-1234-1234-cabcdefg0011",
+ "is_acknowledged": false,
+ "is_external_triggered": false,
+ "is_pinned": true,
+ "is_user_triggered": false,
+ "periods": [
+ {
+ "end": "2021-08-03T14:15:41.220Z",
+ "start": "2021-08-03T10:08:18.683Z"
+ }
+ ],
+ "related_breaches": [
+ {
+ "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device",
+ "pbid": 1234,
+ "threat_score": 37,
+ "timestamp": "2021-08-03T13:25:57.000Z"
+ }
+ ],
+ "summariser": "AdminConnSummary",
+ "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
+ "title": "Extensive Unusual SSH Connections"
+ }
+ },
+ "data_stream": {
+ "dataset": "darktrace.ai_analyst_alert",
+ "namespace": "ep",
+ "type": "logs"
+ },
+ "ecs": {
+ "version": "8.4.0"
+ },
+ "elastic_agent": {
+ "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "snapshot": false,
+ "version": "8.2.1"
+ },
+ "event": {
+ "agent_id_status": "verified",
+ "category": [
+ "threat"
+ ],
+ "dataset": "darktrace.ai_analyst_alert",
+ "duration": [
+ 14842537000000
+ ],
+ "end": [
+ "2021-08-03T14:15:41.220Z"
+ ],
+ "id": "eabc0011-1234-1234-1234-cabcdefg0011",
+ "ingested": "2022-08-09T07:46:07Z",
+ "kind": "alert",
+ "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}",
+ "reason": "Extensive Unusual SSH Connections",
+ "risk_score": 98,
+ "risk_score_norm": 98,
+ "start": [
+ "2021-08-03T10:08:18.683Z"
+ ],
+ "type": [
+ "info"
+ ]
+ },
+ "host": {
+ "id": [
+ "10"
+ ],
+ "ip": [
+ "81.2.69.144"
+ ]
+ },
+ "input": {
+ "type": "udp"
+ },
+ "log": {
+ "source": {
+ "address": "172.18.0.6:49421"
+ },
+ "syslog": {
+ "facility": {
+ "code": 20,
+ "name": "local4"
+ },
+ "hostname": "example.cloud.darktrace.com",
+ "priority": 165,
+ "severity": {
+ "code": 5,
+ "name": "Notice"
+ },
+ "version": "1"
+ }
+ },
+ "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.",
+ "related": {
+ "ip": [
+ "81.2.69.144",
+ "175.16.199.1",
+ "81.2.69.192",
+ "175.16.199.3"
+ ]
+ },
+ "rule": {
+ "name": [
+ "Unusual Activity / Unusual Activity from Re-Activated Device"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "darktrace_ai_analyst_alert"
+ ],
+ "threat": {
+ "enrichments": {
+ "matched": {
+ "id": [
+ "eabcdef0-1234-1234-1234-cabcdefghij9"
+ ]
+ }
+ },
+ "group": {
+ "id": "eabc1234-1234-1234-1234-cabcdefg0011"
+ }
+ }
+}
\ No newline at end of file
diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log
new file mode 100644
index 00000000000..25b22d1a876
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log 
@@ -0,0 +1,5 @@ +{"model":{"name":"System::System","pid":802,"phid":802,"uuid":"8abcdefh-1234-1234-1234-5abababab","logic":{"data":[1594],"type":"componentList","version":1},"throttle":10,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":[],"interval":0,"delay":0,"sequenced":true,"active":true,"modified":"2022-07-11 11:41:08","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.","behaviour":"decreasing","defeats":[],"created":{"by":"System"},"edited":{"by":"Nobody"},"version":16,"priority":3,"category":"Informational","compliance":false},"device":{"did":-1},"triggeredComponents":[{"time":1657678365000,"cbid":5,"cid":1594,"chid":1594,"size":1,"threshold":0,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":"B"},"operator":"OR","right":{"left":{"left":"A","operator":"AND","right":"C"},"operator":"OR","right":{"left":{"left":"A","operator":"AND","right":"D"},"operator":"OR","right":{"left":{"left":"A","operator":"AND","right":"E"},"operator":"OR","right":{"left":"A","operator":"AND","right":"F"}}}}},"version":"v0.1"},"metric":{"mlid":207,"name":"dtsystem","label":"System"},"triggeredFilters":[{"cfid":18136,"id":"A","filterType":"Event details","arguments":{"value":"analyze credential ignore list"},"comparatorType":"does not contain","trigger":{"value":"Probe 175.16.199.1 last contact was 18 minutes ago"}},{"cfid":18137,"id":"B","filterType":"System message","arguments":{"value":"Probe error"},"comparatorType":"is","trigger":{"value":"Probe 
error"}},{"cfid":18142,"id":"d1","filterType":"Event details","arguments":{},"comparatorType":"display","trigger":{"value":"Probe 175.16.199.1 last contact was 18 minutes ago"}},{"cfid":18143,"id":"d2","filterType":"System message","arguments":{},"comparatorType":"display","trigger":{"value":"Probe error"}}]}],"breachUrl":"https://example.com/#modelbreach/5","pbid":5,"score":0.674,"commentCount":0,"creationTime":1657678365000,"time":1657678366000,"mitreTechniques":[]} +{"model":{"name":"Device::Attack and Recon Tools","pid":135,"phid":1198,"uuid":"8abcdefg-1234-1234-1234-5abcdefg12","logic":{"data":[{"cid":2311,"weight":1},{"cid":2312,"weight":1},{"cid":2315,"weight":1},{"cid":2316,"weight":1},{"cid":2314,"weight":1},{"cid":2310,"weight":1},{"cid":2313,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":604800,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["AP: Internal Recon","OT Engineer"],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-11 11:47:51","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device is using common penetration testing tools.\\n\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future breaches. 
Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"version":77,"priority":4,"category":"Suspicious","compliance":false},"device":{"did":7,"ip":"81.2.69.192","ips":[{"ip":"175.16.199.2","timems":1657746000000,"time":"2022-07-13 21:00:00","sid":1}],"sid":1,"hostname":"175.16.199.1","firstSeen":1657544891000,"lastSeen":1657748638000,"typename":"desktop","typelabel":"Desktop","credentials":["dummy"],"tags":[{"tid":66,"expiry":0,"thid":66,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":183,"description":""},"isReferenced":true},{"tid":29,"expiry":0,"thid":29,"name":"Linux","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true},{"tid":45,"expiry":0,"thid":45,"name":"New Device","restricted":false,"data":{"auto":false,"color":130,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1657748807000,"cbid":6,"cid":2311,"chid":2676,"size":1,"threshold":0,"interval":300,"logic":{"data":{"left":{"left":"A","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"B","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"O"}}}},"operator":"OR","right":{"left":{"left":"C","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"F","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"G",
"operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"L","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"M","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"P"}}}}}}}}}}}}},"version":"v0.1"},"metric":{"mlid":16,"name":"connections","label":"Connections"},"triggeredFilters":[{"cfid":26781,"id":"H","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":26783,"id":"J","filterType":"Tagged internal source","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26787,"id":"N","filterType":"Tagged internal destination","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26788,"id":"O","filterType":"User agent","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":""}},{"cfid":26789,"id":"P","filterType":"URI","arguments":{"value":"examples"},"comparatorType":"matches 
regular expression","trigger":{"value":""}},{"cfid":26790,"id":"d1","filterType":"Proxied connection","arguments":{"value":"true"},"comparatorType":"display","trigger":{"value":"false"}},{"cfid":26791,"id":"d10","filterType":"HTTP response code","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":26792,"id":"d2","filterType":"HTTP referrer","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26793,"id":"d3","filterType":"HTTP method","arguments":{},"comparatorType":"display","trigger":{"value":"GET"}},{"cfid":26794,"id":"d4","filterType":"HTTP X-Forwarded-For","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26795,"id":"d5","filterType":"URI","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26796,"id":"d6","filterType":"User agent","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26797,"id":"d7","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"81.2.69.144"}},{"cfid":26798,"id":"d8","filterType":"Internal destination device name","arguments":{},"comparatorType":"display","trigger":{"value":"localhost.local"}},{"cfid":26799,"id":"d9","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":""}}]}],"breachUrl":"https://example.com/#modelbreach/6","pbid":6,"score":0.871,"commentCount":0,"creationTime":1657748815000,"time":1657748808000,"mitreTechniques":[{"technique":"Hardware Additions Mitigation","techniqueID":"T1200"}]} +{"commentCount":0,"pbid":1,"time":1657544649000,"creationTime":1657544659000,"aianalystData":[{"uuid":"1234abcd-1234-1234-1234-123456abcdef","related":[1],"summariser":"BeaconSummary"}],"model":{"name":"Compromise::Beaconing Activity To External 
Rare","pid":156,"phid":1072,"uuid":"1234abcd-1234-1234-1234-123456abcdef","logic":{"data":[{"cid":2026,"weight":1},{"cid":2024,"weight":1},{"cid":2025,"weight":-100}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":10800,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["AP: C2 Comms"],"interval":10800,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-11 11:47:37","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business 
purposes.","behaviour":"incdec1","created":{"by":"System"},"edited":{"by":"System"},"version":23,"priority":2,"category":"Informational","compliance":false},"triggeredComponents":[{"time":1657544648000,"cbid":1,"cid":2026,"chid":2113,"size":11,"threshold":10,"interval":3600,"logic":{"data":{"left":{"left":"A","operator":"AND","right":{"left":"AA","operator":"AND","right":{"left":"AC","operator":"AND","right":{"left":"AD","operator":"AND","right":{"left":"AF","operator":"AND","right":{"left":"AG","operator":"AND","right":{"left":"AH","operator":"AND","right":{"left":"B","operator":"AND","right":{"left":"C","operator":"AND","right":{"left":"D","operator":"AND","right":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":{"left":"L","operator":"AND","right":{"left":"M","operator":"AND","right":{"left":"N","operator":"AND","right":{"left":"O","operator":"AND","right":{"left":"P","operator":"AND","right":{"left":"S","operator":"AND","right":{"left":"U","operator":"AND","right":{"left":"V","operator":"AND","right":{"left":"X","operator":"AND","right":{"left":"Y","operator":"AND","right":"Z"}}}}}}}}}}}}}}}}}}}}}}}}},"operator":"OR","right":{"left":"A","operator":"AND","right":{"left":"AA","operator":"AND","right":{"left":"AB","operator":"AND","right":{"left":"AE","operator":"AND","right":{"left":"AF","operator":"AND","right":{"left":"AG","operator":"AND","right":{"left":"AH","operator":"AND","right":{"left":"C","operator":"AND","right":{"left":"D","operator":"AND","right":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":{"left":"L","operator":"AND","right":{"left":"M","operator":"AND","right":{"left":"N","operator":"AND","right":{"left":"O","operator":"AND","right":{"left":"P","operator":"AND","right":{"left":
"S","operator":"AND","right":{"left":"U","operator":"AND","right":{"left":"V","operator":"AND","right":{"left":"X","operator":"AND","right":{"left":"Y","operator":"AND","right":"Z"}}}}}}}}}}}}}}}}}}}}}}}}},"version":"v0.1"},"metric":{"mlid":1,"name":"externalconnections","label":"External Connections"},"triggeredFilters":[{"cfid":23426,"id":"A","filterType":"Beaconing score","arguments":{"value":60},"comparatorType":">","trigger":{"value":"100"}},{"cfid":23427,"id":"AA","filterType":"Individual size up","arguments":{"value":0},"comparatorType":">","trigger":{"value":"4382"}},{"cfid":23428,"id":"AB","filterType":"Rare domain","arguments":{"value":95},"comparatorType":">","trigger":{"value":"100"}},{"cfid":23430,"id":"AD","filterType":"Age of destination","arguments":{"value":1209600},"comparatorType":"<","trigger":{"value":"558"}},{"cfid":23431,"id":"AE","filterType":"Age of external hostname","arguments":{"value":1209600},"comparatorType":"<","trigger":{"value":"558"}},{"cfid":23432,"id":"AF","filterType":"Connection hostname","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":"example.com"}},{"cfid":23433,"id":"AG","filterType":"ASN","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23434,"id":"AH","filterType":"JA3 hash","arguments":{"value":"5d41402abc4b2a76b9719d911017c592"},"comparatorType":"does not match","trigger":{"value":"5d41402abc4b2a76b9719d911017c592"}},{"cfid":23435,"id":"B","filterType":"Rare external IP","arguments":{"value":95},"comparatorType":">","trigger":{"value":"100"}},{"cfid":23436,"id":"C","filterType":"Application protocol","arguments":{"value":"1003"},"comparatorType":"is not","trigger":{"value":"1004"}},{"cfid":23437,"id":"D","filterType":"Destination 
port","arguments":{"value":53},"comparatorType":"!=","trigger":{"value":"443"}},{"cfid":23438,"id":"E","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":23439,"id":"H","filterType":"Destination port","arguments":{"value":137},"comparatorType":"!=","trigger":{"value":"443"}},{"cfid":23440,"id":"I","filterType":"Destination port","arguments":{"value":161},"comparatorType":"!=","trigger":{"value":"443"}},{"cfid":23441,"id":"J","filterType":"Protocol","arguments":{"value":"6"},"comparatorType":"is","trigger":{"value":"6"}},{"cfid":23442,"id":"K","filterType":"ASN","arguments":{"value":"Company"},"comparatorType":"does not contain","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23443,"id":"L","filterType":"ASN","arguments":{"value":"Company"},"comparatorType":"does not contain","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23444,"id":"M","filterType":"Internal source device type","arguments":{"value":"13"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23445,"id":"N","filterType":"Internal source device type","arguments":{"value":"5"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23446,"id":"O","filterType":"Internal source device type","arguments":{"value":"9"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23447,"id":"P","filterType":"Internal source device type","arguments":{"value":"12"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23448,"id":"S","filterType":"Internal source device type","arguments":{"value":"30"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23449,"id":"U","filterType":"Internal source device type","arguments":{"value":"4"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23450,"id":"V","filterType":"Internal source device type","arguments":{"value":"3"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":23451,"id":"X","filterType":"Trusted 
hostname","arguments":{"value":"false"},"comparatorType":"is","trigger":{"value":"false"}},{"cfid":23452,"id":"Y","filterType":"Tagged internal source","arguments":{"value":26},"comparatorType":"does not have tag","trigger":{"value":"26","tag":{"tid":26,"expiry":0,"thid":26,"name":"No Device Tracking","restricted":false,"data":{"auto":false,"color":5,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":23453,"id":"Z","filterType":"Individual size down","arguments":{"value":0},"comparatorType":">","trigger":{"value":"5862"}},{"cfid":23454,"id":"d1","filterType":"JA3 hash","arguments":{},"comparatorType":"display","trigger":{"value":"5d41402abc4b2a76b9719d911017c592"}},{"cfid":23455,"id":"d2","filterType":"ASN","arguments":{},"comparatorType":"display","trigger":{"value":"AS12345 LOCAL-02"}},{"cfid":23456,"id":"d3","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"81.2.69.192"}},{"cfid":23457,"id":"d4","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":"example.com"}}]}],"score":0.674,"device":{"did":3,"ip":"81.2.69.142","sid":1,"firstSeen":1657544089000,"lastSeen":1657544418000,"typename":"desktop","typelabel":"Desktop"}} +{"model":{"name":"Unrestricted Test Model"},"device":{"ip":"175.16.199.1","hostname":"test-device.example.com","macaddress":"00:00:5e:00:53:00","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1659692145460,"time":1659692145460,"mitreTechniques":[]} +darktrace {"model":{"description":"Test model used for testing alerting configuration.","created":{"by":"System"},"edited":{"by":"Nobody"},"name":"Unrestricted Test 
Model","priority":5},"device":{"ip":"175.16.199.1","hostname":"test-device.example.com","macaddress":"00:00:5e:00:53:00","vendor":"Test Vendor","label":"Test Device"},"triggeredComponents":[{"metric":{"label":"Test Metric"},"triggeredFilters":[{"comparatorType":"display","filterType":"Test Metric Filter","trigger":{"value":"Test filter value"}}]}],"breachUrl":"","pbid":123,"score":1,"creationTime":1659692086317,"time":1659692086317,"mitreTechniques":[]}
diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log-expected.json b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log-expected.json
new file mode 100644
index 00000000000..25d25301556
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log-expected.json
@@ -0,0 +1,1285 @@ +{ + "expected": [ + { + "@timestamp": "2022-07-13T02:12:46.000Z", + "darktrace": { + "model_breach_alert": { + "breach_url": { + "domain": "example.com", + "fragment": "modelbreach/5", + "original": "https://example.com/#modelbreach/5", + "path": "/", + "scheme": "https" + }, + "comment": { + "count": 0 + }, + "creation_time": "2022-07-13T02:12:45.000Z", + "model": { + "actions": { + "is_alerting": true, + "is_breach": true, + "is_priority_set": false, + "is_tag_set": false, + "is_type_set": false, + "model": true + }, + "active_times": { + "type": "exclusions", + "version": 2 + }, + "behaviour": "decreasing", + "category": "Informational", + "created": { + "by": "System" + }, + "delay": 0, + "description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.", + "edited": { + "by": "Nobody" + }, + "in_compliance_behavior_category": false, + "interval": 0, + "is_active": true, + "is_auto_suppress": true, + "is_auto_updatable": true, + "is_auto_update": true, + "is_sequenced": true, + "is_shared_endpoints": false, + "logic": { + "data_component_list": [ + 1594 + ], + "type": "componentList", + "version": 1 + }, + "modified": "2022-07-11T11:41:08.000Z", + "name": "System::System", + "phid": 802, + "pid": 802, + "priority": 3, + "throttle": 10, + "uuid": "8abcdefh-1234-1234-1234-5abababab", + "version": 16 + }, + "pbid": 5, + "score": 0.674, + "time": "2022-07-13T02:12:46.000Z", + "triggered_components": [ + { + "cbid": 5, + "chid": 1594, + "cid": 1594, + "interval": 3600, + "logic": { + "data": "{left={left=A, right=B, operator=AND}, right={left={left=A, right=C, operator=AND}, right={left={left=A, right=D, operator=AND}, right={left={left=A, right=E, operator=AND}, right={left=A, 
right=F, operator=AND}, operator=OR}, operator=OR}, operator=OR}, operator=OR}", + "version": "v0.1" + }, + "metric": { + "label": "System", + "mlid": 207, + "name": "dtsystem" + }, + "size": 1, + "threshold": 0, + "time": "2022-07-13T02:12:45.000Z", + "triggered_filters": [ + { + "arguments": { + "value": "analyze credential ignore list" + }, + "cfid": 18136, + "comparator_type": "does not contain", + "filter_type": "Event details", + "id": "A", + "trigger": { + "value": "Probe 175.16.199.1 last contact was 18 minutes ago" + } + }, + { + "arguments": { + "value": "Probe error" + }, + "cfid": 18137, + "comparator_type": "is", + "filter_type": "System message", + "id": "B", + "trigger": { + "value": "Probe error" + } + }, + { + "cfid": 18142, + "comparator_type": "display", + "filter_type": "Event details", + "id": "d1", + "trigger": { + "value": "Probe 175.16.199.1 last contact was 18 minutes ago" + } + }, + { + "cfid": 18143, + "comparator_type": "display", + "filter_type": "System message", + "id": "d2", + "trigger": { + "value": "Probe error" + } + } + ] + } + ] + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "created": "2022-07-13T02:12:45.000Z", + "kind": "event", + "original": "{\"model\":{\"name\":\"System::System\",\"pid\":802,\"phid\":802,\"uuid\":\"8abcdefh-1234-1234-1234-5abababab\",\"logic\":{\"data\":[1594],\"type\":\"componentList\",\"version\":1},\"throttle\":10,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[],\"interval\":0,\"delay\":0,\"sequenced\":true,\"active\":true,\"modified\":\"2022-07-11 11:41:08\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. 
This may be due to things like probes failing to connect.\\\\n\\\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"Nobody\"},\"version\":16,\"priority\":3,\"category\":\"Informational\",\"compliance\":false},\"device\":{\"did\":-1},\"triggeredComponents\":[{\"time\":1657678365000,\"cbid\":5,\"cid\":1594,\"chid\":1594,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"B\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"C\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"D\"},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"E\"},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":\"F\"}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":207,\"name\":\"dtsystem\",\"label\":\"System\"},\"triggeredFilters\":[{\"cfid\":18136,\"id\":\"A\",\"filterType\":\"Event details\",\"arguments\":{\"value\":\"analyze credential ignore list\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"Probe 175.16.199.1 last contact was 18 minutes ago\"}},{\"cfid\":18137,\"id\":\"B\",\"filterType\":\"System message\",\"arguments\":{\"value\":\"Probe error\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"Probe error\"}},{\"cfid\":18142,\"id\":\"d1\",\"filterType\":\"Event details\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"Probe 175.16.199.1 last contact was 18 minutes ago\"}},{\"cfid\":18143,\"id\":\"d2\",\"filterType\":\"System message\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"Probe 
error\"}}]}],\"breachUrl\":\"https://example.com/#modelbreach/5\",\"pbid\":5,\"score\":0.674,\"commentCount\":0,\"creationTime\":1657678365000,\"time\":1657678366000,\"mitreTechniques\":[]}", + "risk_score": 0.674, + "risk_score_norm": 67.4, + "severity": 3, + "start": [ + "2022-07-13T02:12:45.000Z" + ], + "type": [ + "info" + ], + "url": "https://example.com/#modelbreach/5" + }, + "related": { + "user": [ + "System", + "Nobody" + ] + }, + "rule": { + "author": "System", + "category": "Informational", + "description": "An issue with the system has been detected. This system alert is generated for system information that may merit further investigation. This may be due to things like probes failing to connect.\\n\\nAction: Review the system message. Use the status page to see additional system information that may help with diagnostics.", + "name": "System::System", + "uuid": "8abcdefh-1234-1234-1234-5abababab", + "version": "16" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2022-07-13T21:46:48.000Z", + "darktrace": { + "model_breach_alert": { + "breach_url": { + "domain": "example.com", + "fragment": "modelbreach/6", + "original": "https://example.com/#modelbreach/6", + "path": "/", + "scheme": "https" + }, + "comment": { + "count": 0 + }, + "creation_time": "2022-07-13T21:46:55.000Z", + "device": { + "credentials": [ + "dummy" + ], + "did": 7, + "first_seen": "2022-07-11T13:08:11.000Z", + "hostname": "175.16.199.1", + "ip": "81.2.69.192", + "ips": [ + { + "ip": "175.16.199.2", + "sid": 1, + "time": "2022-07-13T21:00:00.000Z", + "timems": "2022-07-13T21:00:00.000Z" + } + ], + "last_seen": "2022-07-13T21:43:58.000Z", + "sid": 1, + "tags": [ + { + "data": { + "auto": false, + "color": 183 + }, + "expiry": 0, + "is_referenced": true, + "name": "Domain Authenticated", + "restricted": false, + "thid": 66, + "tid": 66 + }, + { + "data": { + "auto": false, + "color": 168, + "visibility": "Public" + }, + 
"expiry": 0, + "is_referenced": true, + "name": "Linux", + "restricted": false, + "thid": 29, + "tid": 29 + }, + { + "data": { + "auto": false, + "color": 130, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + "name": "New Device", + "restricted": false, + "thid": 45, + "tid": 45 + } + ], + "type_label": "Desktop", + "type_name": "desktop" + }, + "mitre_techniques": [ + { + "id": "T1200", + "name": "Hardware Additions Mitigation" + } + ], + "model": { + "actions": { + "is_alerting": true, + "is_breach": true, + "is_priority_set": false, + "is_tag_set": false, + "is_type_set": false, + "model": true + }, + "active_times": { + "type": "exclusions", + "version": 2 + }, + "behaviour": "decreasing", + "category": "Suspicious", + "created": { + "by": "System" + }, + "delay": 0, + "description": "A device is using common penetration testing tools.\\n\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future breaches. 
Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.", + "edited": { + "by": "System" + }, + "in_compliance_behavior_category": false, + "interval": 3600, + "is_active": true, + "is_auto_suppress": true, + "is_auto_updatable": true, + "is_auto_update": true, + "is_sequenced": false, + "is_shared_endpoints": false, + "logic": { + "data_weighted_component_list": [ + { + "cid": 2311, + "weight": 1 + }, + { + "cid": 2312, + "weight": 1 + }, + { + "cid": 2315, + "weight": 1 + }, + { + "cid": 2316, + "weight": 1 + }, + { + "cid": 2314, + "weight": 1 + }, + { + "cid": 2310, + "weight": 1 + }, + { + "cid": 2313, + "weight": 1 + } + ], + "target_score": 1, + "type": "weightedComponentList", + "version": 1 + }, + "modified": "2022-07-11T11:47:51.000Z", + "name": "Device::Attack and Recon Tools", + "phid": 1198, + "pid": 135, + "priority": 4, + "tags": [ + "AP: Internal Recon", + "OT Engineer" + ], + "throttle": 604800, + "uuid": "8abcdefg-1234-1234-1234-5abcdefg12", + "version": 77 + }, + "pbid": 6, + "score": 0.871, + "time": "2022-07-13T21:46:48.000Z", + "triggered_components": [ + { + "cbid": 6, + "chid": 2676, + "cid": 2311, + "interval": 300, + "logic": { + "data": "{left={left=A, right={left=H, right={left=J, right=N, operator=AND}, operator=AND}, operator=AND}, right={left={left=B, right={left=H, right={left=J, right={left=N, right=O, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left={left=C, right={left=H, right={left=J, right=N, operator=AND}, operator=AND}, operator=AND}, right={left={left=E, right={left=H, right={left=J, right=N, operator=AND}, operator=AND}, operator=AND}, right={left={left=F, right={left=H, right={left=J, right=N, operator=AND}, operator=AND}, operator=AND}, right={left={left=G, right={left=H, right={left=J, right=N, operator=AND}, operator=AND}, operator=AND}, right={left={left=H, right={left=I, right={left=J, right=N, 
operator=AND}, operator=AND}, operator=AND}, right={left={left=H, right={left=J, right={left=K, right=N, operator=AND}, operator=AND}, operator=AND}, right={left={left=H, right={left=J, right={left=L, right=N, operator=AND}, operator=AND}, operator=AND}, right={left={left=H, right={left=J, right={left=M, right=N, operator=AND}, operator=AND}, operator=AND}, right={left=H, right={left=J, right={left=N, right=P, operator=AND}, operator=AND}, operator=AND}, operator=OR}, operator=OR}, operator=OR}, operator=OR}, operator=OR}, operator=OR}, operator=OR}, operator=OR}, operator=OR}, operator=OR}", + "version": "v0.1" + }, + "metric": { + "label": "Connections", + "mlid": 16, + "name": "connections" + }, + "size": 1, + "threshold": 0, + "time": "2022-07-13T21:46:47.000Z", + "triggered_filters": [ + { + "arguments": { + "value": "out" + }, + "cfid": 26781, + "comparator_type": "is", + "filter_type": "Direction", + "id": "H", + "trigger": { + "value": "out" + } + }, + { + "arguments": { + "value": 12 + }, + "cfid": 26783, + "comparator_type": "does not have tag", + "filter_type": "Tagged internal source", + "id": "J", + "trigger": { + "tag": { + "data": { + "auto": false, + "color": 55, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + "name": "Security Device", + "restricted": false, + "thid": 12, + "tid": 12 + }, + "value": "12" + } + }, + { + "arguments": { + "value": 12 + }, + "cfid": 26787, + "comparator_type": "does not have tag", + "filter_type": "Tagged internal destination", + "id": "N", + "trigger": { + "tag": { + "data": { + "auto": false, + "color": 55, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + "name": "Security Device", + "restricted": false, + "thid": 12, + "tid": 12 + }, + "value": "12" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 26788, + "comparator_type": "does not match regular expression", + "filter_type": "User agent", + "id": "O" + }, + { + "arguments": { + "value": "examples" + 
}, + "cfid": 26789, + "comparator_type": "matches regular expression", + "filter_type": "URI", + "id": "P" + }, + { + "arguments": { + "value": "true" + }, + "cfid": 26790, + "comparator_type": "display", + "filter_type": "Proxied connection", + "id": "d1", + "trigger": { + "value": "false" + } + }, + { + "cfid": 26791, + "comparator_type": "display", + "filter_type": "HTTP response code", + "id": "d10", + "trigger": { + "value": "0" + } + }, + { + "cfid": 26792, + "comparator_type": "display", + "filter_type": "HTTP referrer", + "id": "d2" + }, + { + "cfid": 26793, + "comparator_type": "display", + "filter_type": "HTTP method", + "id": "d3", + "trigger": { + "value": "GET" + } + }, + { + "cfid": 26794, + "comparator_type": "display", + "filter_type": "HTTP X-Forwarded-For", + "id": "d4" + }, + { + "cfid": 26795, + "comparator_type": "display", + "filter_type": "URI", + "id": "d5" + }, + { + "cfid": 26796, + "comparator_type": "display", + "filter_type": "User agent", + "id": "d6" + }, + { + "cfid": 26797, + "comparator_type": "display", + "filter_type": "Destination IP", + "id": "d7", + "trigger": { + "value": "81.2.69.144" + } + }, + { + "cfid": 26798, + "comparator_type": "display", + "filter_type": "Internal destination device name", + "id": "d8", + "trigger": { + "value": "localhost.local" + } + }, + { + "cfid": 26799, + "comparator_type": "display", + "filter_type": "Connection hostname", + "id": "d9" + } + ] + } + ] + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "threat", + "network" + ], + "created": "2022-07-13T21:46:55.000Z", + "kind": "alert", + "original": "{\"model\":{\"name\":\"Device::Attack and Recon 
Tools\",\"pid\":135,\"phid\":1198,\"uuid\":\"8abcdefg-1234-1234-1234-5abcdefg12\",\"logic\":{\"data\":[{\"cid\":2311,\"weight\":1},{\"cid\":2312,\"weight\":1},{\"cid\":2315,\"weight\":1},{\"cid\":2316,\"weight\":1},{\"cid\":2314,\"weight\":1},{\"cid\":2310,\"weight\":1},{\"cid\":2313,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: Internal Recon\",\"OT Engineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:51\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device is using common penetration testing tools.\\\\n\\\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future breaches. 
Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.\",\"behaviour\":\"decreasing\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":77,\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"device\":{\"did\":7,\"ip\":\"81.2.69.192\",\"ips\":[{\"ip\":\"175.16.199.2\",\"timems\":1657746000000,\"time\":\"2022-07-13 21:00:00\",\"sid\":1}],\"sid\":1,\"hostname\":\"175.16.199.1\",\"firstSeen\":1657544891000,\"lastSeen\":1657748638000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\",\"credentials\":[\"dummy\"],\"tags\":[{\"tid\":66,\"expiry\":0,\"thid\":66,\"name\":\"Domain Authenticated\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":183,\"description\":\"\"},\"isReferenced\":true},{\"tid\":29,\"expiry\":0,\"thid\":29,\"name\":\"Linux\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":168,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true},{\"tid\":45,\"expiry\":0,\"thid\":45,\"name\":\"New 
Device\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":130,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}]},\"triggeredComponents\":[{\"time\":1657748807000,\"cbid\":6,\"cid\":2311,\"chid\":2676,\"size\":1,\"threshold\":0,\"interval\":300,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":\"O\"}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\
",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":\"N\"}}},\"operator\":\"OR\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":\"P\"}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":16,\"name\":\"connections\",\"label\":\"Connections\"},\"triggeredFilters\":[{\"cfid\":26781,\"id\":\"H\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":26783,\"id\":\"J\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":12},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"12\",\"tag\":{\"tid\":12,\"expiry\":0,\"thid\":12,\"name\":\"Security Device\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":26787,\"id\":\"N\",\"filterType\":\"Tagged internal destination\",\"arguments\":{\"value\":12},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"12\",\"tag\":{\"tid\":12,\"expiry\":0,\"thid\":12,\"name\":\"Security Device\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":26788,\"id\":\"O\",\"filterType\":\"User agent\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":26789,\"id\":\"P\",\"filterType\":\"URI\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"matches regular expression\",\"trigger\":{\"value\":\"\"}},{\"cfid\":26790,\"id\":\"d1\",\"filterType\":\"Proxied 
connection\",\"arguments\":{\"value\":\"true\"},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":26791,\"id\":\"d10\",\"filterType\":\"HTTP response code\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"0\"}},{\"cfid\":26792,\"id\":\"d2\",\"filterType\":\"HTTP referrer\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":26793,\"id\":\"d3\",\"filterType\":\"HTTP method\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"GET\"}},{\"cfid\":26794,\"id\":\"d4\",\"filterType\":\"HTTP X-Forwarded-For\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":26795,\"id\":\"d5\",\"filterType\":\"URI\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":26796,\"id\":\"d6\",\"filterType\":\"User agent\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}},{\"cfid\":26797,\"id\":\"d7\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.144\"}},{\"cfid\":26798,\"id\":\"d8\",\"filterType\":\"Internal destination device name\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"localhost.local\"}},{\"cfid\":26799,\"id\":\"d9\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"\"}}]}],\"breachUrl\":\"https://example.com/#modelbreach/6\",\"pbid\":6,\"score\":0.871,\"commentCount\":0,\"creationTime\":1657748815000,\"time\":1657748808000,\"mitreTechniques\":[{\"technique\":\"Hardware Additions Mitigation\",\"techniqueID\":\"T1200\"}]}", + "risk_score": 0.871, + "risk_score_norm": 87.1, + "severity": 4, + "start": [ + "2022-07-13T21:46:47.000Z" + ], + "type": [ + "info", + "connection" + ], + "url": "https://example.com/#modelbreach/6" + }, + "host": { + "id": "7", + "ip": [ + "81.2.69.192" + ], + "type": "desktop" + }, + "related": { + 
"ip": [ + "175.16.199.1", + "81.2.69.192", + "175.16.199.2" + ], + "user": [ + "System" + ] + }, + "rule": { + "author": "System", + "category": "Suspicious", + "description": "A device is using common penetration testing tools.\\n\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future breaches. Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.", + "name": "Device::Attack and Recon Tools", + "ruleset": [ + "AP: Internal Recon", + "OT Engineer" + ], + "uuid": "8abcdefg-1234-1234-1234-5abcdefg12", + "version": "77" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ], + "threat": { + "technique": { + "id": [ + "T1200" + ], + "name": [ + "Hardware Additions Mitigation" + ] + } + } + }, + { + "@timestamp": "2022-07-11T13:04:09.000Z", + "darktrace": { + "model_breach_alert": { + "aianalyst_data": [ + { + "related": [ + 1 + ], + "summariser": "BeaconSummary", + "uuid": "1234abcd-1234-1234-1234-123456abcdef" + } + ], + "comment": { + "count": 0 + }, + "creation_time": "2022-07-11T13:04:19.000Z", + "device": { + "did": 3, + "first_seen": "2022-07-11T12:54:49.000Z", + "ip": "81.2.69.142", + "last_seen": "2022-07-11T13:00:18.000Z", + "sid": 1, + "type_label": "Desktop", + "type_name": "desktop" + }, + "model": { + "actions": { + "is_alerting": true, + "is_breach": true, + "is_priority_set": false, + "is_tag_set": false, + "is_type_set": false, + "model": true + }, + "active_times": { + "type": "exclusions", + "version": 2 + }, + "behaviour": "incdec1", + "category": "Informational", + "created": { + "by": "System" + }, + "delay": 0, + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. 
A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "edited": { + "by": "System" + }, + "in_compliance_behavior_category": false, + "interval": 10800, + "is_active": true, + "is_auto_suppress": true, + "is_auto_updatable": true, + "is_auto_update": true, + "is_sequenced": false, + "is_shared_endpoints": false, + "logic": { + "data_weighted_component_list": [ + { + "cid": 2026, + "weight": 1 + }, + { + "cid": 2024, + "weight": 1 + }, + { + "cid": 2025, + "weight": -100 + } + ], + "target_score": 1, + "type": "weightedComponentList", + "version": 1 + }, + "modified": "2022-07-11T11:47:37.000Z", + "name": "Compromise::Beaconing Activity To External Rare", + "phid": 1072, + "pid": 156, + "priority": 2, + "tags": [ + "AP: C2 Comms" + ], + "throttle": 10800, + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": 23 + }, + "pbid": 1, + "score": 0.674, + "time": "2022-07-11T13:04:09.000Z", + "triggered_components": [ + { + "cbid": 1, + "chid": 2113, + "cid": 2026, + "interval": 3600, + "logic": { + "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, 
operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}", + "version": "v0.1" + }, + "metric": { + "label": "External Connections", + "mlid": 1, + "name": "externalconnections" + }, + "size": 11, + "threshold": 10, + "time": "2022-07-11T13:04:08.000Z", + "triggered_filters": [ + { + "arguments": { + "value": 60 + }, + "cfid": 23426, + "comparator_type": "\u003e", + "filter_type": "Beaconing score", + "id": "A", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23427, + "comparator_type": "\u003e", + "filter_type": "Individual size up", + "id": "AA", + "trigger": { + "value": "4382" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23428, + "comparator_type": "\u003e", + "filter_type": "Rare domain", + "id": "AB", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23430, + "comparator_type": "\u003c", + "filter_type": "Age of destination", + "id": "AD", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23431, + "comparator_type": "\u003c", + "filter_type": 
"Age of external hostname", + "id": "AE", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23432, + "comparator_type": "does not match regular expression", + "filter_type": "Connection hostname", + "id": "AF", + "trigger": { + "value": "example.com" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23433, + "comparator_type": "does not match regular expression", + "filter_type": "ASN", + "id": "AG", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "5d41402abc4b2a76b9719d911017c592" + }, + "cfid": 23434, + "comparator_type": "does not match", + "filter_type": "JA3 hash", + "id": "AH", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23435, + "comparator_type": "\u003e", + "filter_type": "Rare external IP", + "id": "B", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": "1003" + }, + "cfid": 23436, + "comparator_type": "is not", + "filter_type": "Application protocol", + "id": "C", + "trigger": { + "value": "1004" + } + }, + { + "arguments": { + "value": 53 + }, + "cfid": 23437, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "D", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "out" + }, + "cfid": 23438, + "comparator_type": "is", + "filter_type": "Direction", + "id": "E", + "trigger": { + "value": "out" + } + }, + { + "arguments": { + "value": 137 + }, + "cfid": 23439, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "H", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": 161 + }, + "cfid": 23440, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "I", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "6" + }, + "cfid": 23441, + "comparator_type": "is", + "filter_type": "Protocol", + "id": "J", + "trigger": { + "value": "6" + } + }, + { 
+ "arguments": { + "value": "Company" + }, + "cfid": 23442, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "K", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "Company" + }, + "cfid": 23443, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "L", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "13" + }, + "cfid": 23444, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "M", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "5" + }, + "cfid": 23445, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "N", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "9" + }, + "cfid": 23446, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "O", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "12" + }, + "cfid": 23447, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "P", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "30" + }, + "cfid": 23448, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "S", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "4" + }, + "cfid": 23449, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "U", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "3" + }, + "cfid": 23450, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "V", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "false" + }, + "cfid": 23451, + "comparator_type": "is", + "filter_type": "Trusted hostname", + "id": "X", + "trigger": { + "value": "false" + } + }, + { + "arguments": { + "value": 26 + }, + "cfid": 23452, + "comparator_type": "does not have tag", + 
"filter_type": "Tagged internal source", + "id": "Y", + "trigger": { + "tag": { + "data": { + "auto": false, + "color": 5, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + "name": "No Device Tracking", + "restricted": false, + "thid": 26, + "tid": 26 + }, + "value": "26" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23453, + "comparator_type": "\u003e", + "filter_type": "Individual size down", + "id": "Z", + "trigger": { + "value": "5862" + } + }, + { + "cfid": 23454, + "comparator_type": "display", + "filter_type": "JA3 hash", + "id": "d1", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "cfid": 23455, + "comparator_type": "display", + "filter_type": "ASN", + "id": "d2", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "cfid": 23456, + "comparator_type": "display", + "filter_type": "Destination IP", + "id": "d3", + "trigger": { + "value": "81.2.69.192" + } + }, + { + "cfid": 23457, + "comparator_type": "display", + "filter_type": "Connection hostname", + "id": "d4", + "trigger": { + "value": "example.com" + } + } + ] + } + ] + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "category": [ + "network" + ], + "created": "2022-07-11T13:04:19.000Z", + "kind": "event", + "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544649000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External 
Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "risk_score": 0.674, + "risk_score_norm": 67.4, + "severity": 2, + "start": [ + "2022-07-11T13:04:08.000Z" + ], + "type": [ + "info", + "connection" + ] + }, + "host": { + "id": "3", + "ip": [ + "81.2.69.142" + ], + "type": "desktop" + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "System" + ] + }, + "rule": { + "author": "System", + "category": "Informational", + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "name": "Compromise::Beaconing Activity To External Rare", + "ruleset": [ + "AP: C2 Comms" + ], + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": "23" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2022-08-05T09:35:45.460Z", + "darktrace": { + "model_breach_alert": { + "creation_time": "2022-08-05T09:35:45.460Z", + "device": { + "hostname": "test-device.example.com", + "ip": "175.16.199.1", + "mac_address": "00-00-5E-00-53-00", + "vendor": "Test Vendor" + }, + "model": { + "name": "Unrestricted Test Model" + }, + "pbid": 123, + "score": 1.0, + "time": "2022-08-05T09:35:45.460Z", + "triggered_components": [ + { + "metric": { + "label": "Test Metric" + }, + "triggered_filters": [ + { + "comparator_type": "display", + "filter_type": "Test Metric Filter", + "trigger": { + "value": "Test filter value" + } + } + ] + } + ] + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "created": "2022-08-05T09:35:45.460Z", + "original": "{\"model\":{\"name\":\"Unrestricted Test Model\"},\"device\":{\"ip\":\"175.16.199.1\",\"hostname\":\"test-device.example.com\",\"macaddress\":\"00:00:5e:00:53:00\",\"vendor\":\"Test Vendor\",\"label\":\"Test Device\"},\"triggeredComponents\":[{\"metric\":{\"label\":\"Test Metric\"},\"triggeredFilters\":[{\"comparatorType\":\"display\",\"filterType\":\"Test Metric Filter\",\"trigger\":{\"value\":\"Test filter value\"}}]}],\"breachUrl\":\"\",\"pbid\":123,\"score\":1,\"creationTime\":1659692145460,\"time\":1659692145460,\"mitreTechniques\":[]}", + "risk_score": 1.0, + "risk_score_norm": 100.0, + "type": [ + "info" + ] + }, + "host": { + "hostname": "test-device.example.com", + "ip": [ + "175.16.199.1" + ], + "mac": 
"00-00-5E-00-53-00" + }, + "related": { + "hosts": [ + "test-device.example.com" + ], + "ip": [ + "175.16.199.1" + ] + }, + "rule": { + "name": "Unrestricted Test Model" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2022-08-05T09:34:46.317Z", + "darktrace": { + "model_breach_alert": { + "creation_time": "2022-08-05T09:34:46.317Z", + "device": { + "hostname": "test-device.example.com", + "ip": "175.16.199.1", + "mac_address": "00-00-5E-00-53-00", + "vendor": "Test Vendor" + }, + "model": { + "created": { + "by": "System" + }, + "description": "Test model used for testing alerting configuration.", + "edited": { + "by": "Nobody" + }, + "name": "Unrestricted Test Model", + "priority": 5 + }, + "pbid": 123, + "score": 1.0, + "time": "2022-08-05T09:34:46.317Z", + "triggered_components": [ + { + "metric": { + "label": "Test Metric" + }, + "triggered_filters": [ + { + "comparator_type": "display", + "filter_type": "Test Metric Filter", + "trigger": { + "value": "Test filter value" + } + } + ] + } + ] + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "created": "2022-08-05T09:34:46.317Z", + "original": "{\"model\":{\"description\":\"Test model used for testing alerting configuration.\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"Nobody\"},\"name\":\"Unrestricted Test Model\",\"priority\":5},\"device\":{\"ip\":\"175.16.199.1\",\"hostname\":\"test-device.example.com\",\"macaddress\":\"00:00:5e:00:53:00\",\"vendor\":\"Test Vendor\",\"label\":\"Test Device\"},\"triggeredComponents\":[{\"metric\":{\"label\":\"Test Metric\"},\"triggeredFilters\":[{\"comparatorType\":\"display\",\"filterType\":\"Test Metric Filter\",\"trigger\":{\"value\":\"Test filter value\"}}]}],\"breachUrl\":\"\",\"pbid\":123,\"score\":1,\"creationTime\":1659692086317,\"time\":1659692086317,\"mitreTechniques\":[]}", + "risk_score": 1.0, + "risk_score_norm": 100.0, + "severity": 5, + "type": [ + "info" + ] + }, + "host": { + 
"hostname": "test-device.example.com", + "ip": [ + "175.16.199.1" + ], + "mac": "00-00-5E-00-53-00" + }, + "log": { + "syslog": { + "appname": "darktrace" + } + }, + "related": { + "hosts": [ + "test-device.example.com" + ], + "ip": [ + "175.16.199.1" + ], + "user": [ + "System", + "Nobody" + ] + }, + "rule": { + "author": "System", + "description": "Test model used for testing alerting configuration.", + "name": "Unrestricted Test Model" + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + } + ] +} \ No newline at end of file diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml new file mode 100644 index 00000000000..938018884cf --- /dev/null +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-httpjson-config.yml @@ -0,0 +1,10 @@ +input: httpjson +service: darktrace +vars: + url: http://{{Hostname}}:{{Port}} + public_token: xxxx + private_token: xxxx +data_stream: + vars: + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml new file mode 100644 index 00000000000..db13b8d1220 --- /dev/null +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tcp-config.yml @@ -0,0 +1,10 @@ +service: darktrace-model_breach_alert-tcp +service_notify_signal: SIGHUP +input: tcp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9572 + preserve_original_event: true + preserve_duplicate_custom_fields: true 
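Review bot: The httpjson system test talks plain `http://` to the mock with `public_token: xxxx` / `private_token: xxxx`, so it exercises the polling loop but cannot tell whether the `DTAPI-Token`/`DTAPI-Date`/`DTAPI-Signature` headers the stream template builds are present or well-formed; a broken signature would still pass here and only fail against a real appliance. The mock definition (`_dev/deploy/docker/files/config.yml`) is not in this chunk, but if it can match on request headers it should at least require the three `DTAPI-*` headers so the signing path is covered. A short comment in this file saying `# tokens are placeholders; the mock does not verify the HMAC signature` would stop a reader from assuming the auth path is tested.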
diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml new file mode 100644 index 00000000000..0343a55d8d8 --- /dev/null +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-tls-config.yml 
@@ -0,0 +1,62 @@ +service: darktrace-model_breach_alert-tls +service_notify_signal: SIGHUP +input: tcp +vars: + listen_address: 0.0.0.0 + ssl: | + key: | + -----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhCLvLsQAHufsN + U+u1x/CequAUphfXZqLhDo2Eo/holfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU + /Ru8E76Az1egzMwT3TVAPLVU8NbrxBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxS + cD1sa0oikXCJN1a3BSoAf9iiZ/dxz4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg70 + 4vHOeg0rBbIoSNfjDUVZWjwC95K1BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDL + SHWis65p+1AAa5xieYDb47vyJ0SSR7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloIT + Xg9ag1OlAgMBAAECggEAEHfPJmzhj68wjB0kFr13AmWG2Hv/Kqg8KzQhbx+AwkaW + u7j+L70NGpvLZ9VQtLNyhxoz9cksZO1SZO/Q48aeHlcOFppmJN3/U6AdtQWa9M35 + FLLpmX16wjxVHsfvzOvopgLOoYl8PqZt66qDFDgVyMnT7na6RdJ+7GJuvBPXq+Bc + vgThvAZitHSAOhnBFYmTMlBi6AzOMMsaFlgE3Xf9v3M0pAKItPRKMhXlC3MyvA/v + jgbra4Ib+0ryohggHheHB3bn3Jgv7iFKoW9OQSePVxacJ+kfr9H+No5g495URzqR + mx/96WCiv3rAh3ct8Sk/C4/3zMC8fUueDJIVjhgw0QKBgQD8NufLINNkIpBrLoCS + 972oFEjZB2u6EusQ7X9raROqpaw26ZSu+zSHeIKCGQ93M3aRb3FpdGeOxgZ095MV + 8a+nlh4stOvHj2Mm5YhTBDUavTC7o9aVR3Od5eTXUpHnaJpNI/uyIcKupeK1UJnV + UlBLeIwo/vJ1gsVrKMMAJkuKbwKBgQDkaWRRd0w2gUIbCTGf203BqXft0VdIiOW7 + +gnkeaNHAf09XljzxMcQzrB8kG63aKVGbJffphEfzxtiJ+HRQVH+7QpKRhU/GHmu + +6OKkxTcxJm5zhoRFxcSi2wG4PWmUGJvc7ss1OJGcaOUxwocCepO7N/jfdDz9Uke + KnA+YWOdKwKBgQDteZkYlojT0QOgF8HyH5gQyUCqMKWLJ0LzxltiPCbLV4Dml1pq + w5Z7M8nWS1hXiTpLx93GSFc1hFkSCwYP9GfK6Lryp0sVtHnMZvTMDbseuSJImwRx + vDwtYQfugg1lEQWwOoBEAiu3m/PxernNtNprpU57T0nlwUK3GkM5QdWAuwKBgQCZ + ZF3GiANapzupxGbbH//8Cr9LqsafI7CEqMpz8WxBh4h16iJ6sq+tDeFgBe8UpOY5 + gTwNKg1d+0w8guQYD3HtbWr3rlEeamVtqfiOW3ArQqyqJ0tCJuuLvK3zgKf35Qv2 + JRaSaPT8sdxVUcXsRoxgLJu+vwPQke1koMN4YRbwuQKBgQDJiZ/WSeqa5oIqkXbn + hjm7RXKaf2oE1U/bNjdSFtdEP7T4vUvvr7Hq2f/jiBLtCE7w16PJjKx9iIq2+jMl + qIY43Sk9bdi5FxtYTHda0hwrbH274P+QVcVs5PXCT0TGktOleHGBlXaaPrxl9iCh + 8tmmxZZYa5aQxEO/lxB9xQKaiQ== + -----END PRIVATE KEY----- + certificate: | + -----BEGIN CERTIFICATE----- + 
MIIDazCCAlOgAwIBAgIUW5TDu1tJMY2Oa7PsL+BQSmeWqz0wDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEwMDEwNTAwMjNaFw0yMTEw + MDIwNTAwMjNaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw + HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQDhCLvLsQAHufsNU+u1x/CequAUphfXZqLhDo2Eo/ho + lfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU/Ru8E76Az1egzMwT3TVAPLVU8Nbr + xBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxScD1sa0oikXCJN1a3BSoAf9iiZ/dx + z4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg704vHOeg0rBbIoSNfjDUVZWjwC95K1 + BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDLSHWis65p+1AAa5xieYDb47vyJ0SS + R7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloITXg9ag1OlAgMBAAGjUzBRMB0GA1Ud + DgQWBBRYUSKDHBBE9Q6fTeTqogicCxcXwDAfBgNVHSMEGDAWgBRYUSKDHBBE9Q6f + TeTqogicCxcXwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc + T8B+GpvPy9NQ700LsywRPY0L9IJCKiu6j3TP1tqqSPjAC/cg9ac+bFXuWOu7V+KJ + s09Q/pItq9SLX6UvnfRzTxu5lCBwwGX9cL131mTIu5SmFo7Eks+sorbiIarWDMoC + e+9An3GFpagW+YhOt4BdIM5lTqoeodzganDBsOUZI9aDAj2Yo5h2O7r6Wd12cb6T + mz8vMfB2eG8BxU20ZMfkdERWjiyXHOSBQqeqfkV8d9370gMu5RcJNcIgnbmTRdho + X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA + qEf55SihFqErRMeURPPF + -----END CERTIFICATE----- +data_stream: + vars: + listen_port: 9572 + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..c18b3883870 --- /dev/null +++ b/packages/darktrace/data_stream/model_breach_alert/_dev/test/system/test-udp-config.yml @@ -0,0 +1,10 @@ +service: darktrace-model_breach_alert-udp +service_notify_signal: SIGHUP +input: udp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9575 + preserve_original_event: true + preserve_duplicate_custom_fields: true 
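Review bot: The embedded certificate's validity window decodes to 2021-10-01T05:00:23Z through 2021-10-02T05:00:23Z (a one-day self-signed "Internet Widgits Pty Ltd" cert), so it was already expired when this patch was written and the TLS system test can only pass if the sending side skips certificate verification; the test therefore proves TLS framing on port 9572 works, not that the `ssl` block validates anything. The sender configuration is outside this chunk, so I am inferring that it uses an insecure/skip-verify mode — worth confirming. The private key is fine as a throwaway fixture, but the file should say so to prevent reuse, e.g. a leading comment `# Test-only self-signed key pair (validity expired 2021-10-02). Never reuse outside system tests.`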
diff --git a/packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs
new file mode 100644
index 00000000000..478772eb4c0
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs
@@ -0,0 +1,51 @@
+config_version: 2
+interval: {{interval}}
+request.timeout: 5m
+request.method: GET
+{{#if proxy_url}}
+request.proxy_url: {{proxy_url}}
+{{/if}}
+{{#if ssl}}
+request.ssl: {{ssl}}
+{{/if}}
+request.url: {{url}}/modelbreaches?expandenums=true&historicmodelonly=true&includeacknowledged=true&includebreachurl=true
+request.transforms:
+ - set:
+ target: header.DTAPI-Token
+ value: {{public_token}}
+ - set:
+ target: header.DTAPI-Date
+ value: '[[formatDate (now) "20060102T150405"]]'
+ - set:
+ target: url.params.group
+ value: 'device'
+ - set:
+ target: url.params.starttime
+ value: '[[.cursor.last_execution_datetime]]'
+ default: '[[(now (parseDuration "-{{initial_interval}}")).UnixMilli]]'
+ - set:
+ target: url.params.endtime
+ value: '[[(now).UnixMilli]]'
+ - set:
+ target: header.DTAPI-Signature
+ value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (formatDate (now) "20060102T150405"))]]'
+cursor:
+ last_execution_datetime:
+ value: '[[toInt .last_event.time]]'
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+{{#if processors}}
+processors:
+{{processors}}
+{{/if}}
diff --git a/packages/darktrace/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs
new file mode 100644
index 00000000000..b1d260f0f9c
--- /dev/null
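Review bot: The `header.DTAPI-Signature` transform re-evaluates `formatDate (now) "20060102T150405"` instead of reusing the timestamp already written to `header.DTAPI-Date` four transforms earlier, so whenever the two evaluations straddle a second boundary the signed date and the sent date differ and the appliance rejects the request with an intermittent auth failure that no system test will reproduce. Computing the timestamp once and signing what was sent removes the race, e.g. `value: '[[hmac "sha1" "{{private_token}}" (sprintf "%s?%s\n%s\n%s" .url.Path .url.RawQuery "{{public_token}}" (.header.Get "DTAPI-Date"))]]'`, assuming the transform context exposes headers set by earlier transforms the way it already exposes `.url` on this line — confirm against the httpjson v2 docs. Two smaller points: `{{private_token}}` is rendered in clear into the generated agent policy, so the manifest (not in this chunk) should declare it `secret: true` if it does not already, and since the HMAC only authenticates the request and does not protect the alert payload in transit, the README should tell operators to use an `https://` `url` together with a CA in `ssl` rather than relying on the scheme-agnostic `request.url`.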
+++ b/packages/darktrace/data_stream/model_breach_alert/agent/stream/tcp.yml.hbs
@@ -0,0 +1,26 @@
+host: "{{listen_address}}:{{listen_port}}"
+{{#if tcp_options}}
+{{tcp_options}}
+{{/if}}
+{{#if ssl}}
+ssl: {{ssl}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- syslog:
+ field: message
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/darktrace/data_stream/model_breach_alert/agent/stream/udp.yml.hbs b/packages/darktrace/data_stream/model_breach_alert/agent/stream/udp.yml.hbs
new file mode 100644
index 00000000000..f342c4fa75c
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/agent/stream/udp.yml.hbs
@@ -0,0 +1,23 @@
+host: "{{listen_address}}:{{listen_port}}"
+{{#if udp_options}}
+{{udp_options}}
+{{/if}}
+tags:
+{{#if preserve_original_event}}
+ - preserve_original_event
+{{/if}}
+{{#if preserve_duplicate_custom_fields}}
+ - preserve_duplicate_custom_fields
+{{/if}}
+{{#each tags as |tag|}}
+ - {{tag}}
+{{/each}}
+{{#contains "forwarded" tags}}
+publisher_pipeline.disable_host: true
+{{/contains}}
+processors:
+- syslog:
+ field: message
+{{#if processors}}
+{{processors}}
+{{/if}}
diff --git a/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..126107e391c
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/elasticsearch/ingest_pipeline/default.yml
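Review bot: The TCP stream binds `{{listen_address}}:{{listen_port}}` and only wraps it in TLS when the operator supplies `ssl`, and nothing here asks for `ssl.client_authentication`, so any peer that can reach the port can push a syslog line that the model-breach pipeline in this same patch classifies as `event.kind: alert` for critical/suspicious categories — a fabricated "model breach" becomes a first-class detection with no integrity check, and the sibling UDP stream has no TLS option at all. This is inherent to syslog ingestion rather than a bug in the template, but it deserves a stated caveat: the README and the stream descriptions in the manifest (both outside this chunk) should recommend TLS with `client_authentication: required` or a network ACL restricting the listener to the Darktrace appliance, and should note that UDP offers no source authentication. Separately, the unconditional `syslog` processor has no `ignore_failure`, so a line that is not syslog-framed (for example bare JSON) will fail the processor; whether Beats then drops the event or passes it on with `error.message` is not something I can confirm from here, so a system test with one unframed line would settle it.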
@@ -0,0 +1,1446 @@ +--- +description: Pipeline for processing Model Breach Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - grok: + field: message + patterns: + - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" + pattern_definitions: + FIELD: "[a-zA-Z]*" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.time + - json.creationTime + - json.pbid + - json.model.phid + target_field: _id + ignore_missing: true + - set: + field: event.kind + value: alert + if: (['critical','suspicious'].contains(ctx.json?.model?.category?.toLowerCase())) + - set: + field: event.kind + value: event + if: (['compliance','informational'].contains(ctx.json?.model?.category?.toLowerCase())) + - set: + field: event.category + value: [threat] + if: ctx.event?.kind == 'alert' + - set: + field: event.type + value: [info] + - script: + description: Dynamically map event.* fields from metric label. 
+ lang: painless + if: ctx.json?.triggeredComponents instanceof List + ignore_failure: true + source: + for (component in ctx.json.triggeredComponents) { + if (component?.metric?.label?.toLowerCase().contains('connection')) { + ctx.event?.type?.add('connection'); + if (ctx.event.category == null) { + ctx.event.category = new ArrayList(); + } + ctx.event.category.add('network'); + } + } + - foreach: + field: json.aianalystData + if: ctx.json?.aianalystData instanceof List + ignore_failure: true + processor: + foreach: + field: _ingest._value.related + ignore_failure: true + processor: + convert: + field: _ingest._value + type: long + on_failure: + - remove: + field: _ingest._value + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.aianalystData + target_field: darktrace.model_breach_alert.aianalyst_data + ignore_missing: true + - uri_parts: + field: json.breachUrl + target_field: darktrace.model_breach_alert.breach_url + if: ctx.json?.breachUrl != null + keep_original: true + on_failure: + - remove: + field: json.breachUrl + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.url + copy_from: darktrace.model_breach_alert.breach_url.original + ignore_failure: true + - convert: + field: json.commentCount + target_field: darktrace.model_breach_alert.comment.count + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.creationTime + target_field: darktrace.model_breach_alert.creation_time + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.creationTime != null + on_failure: + - remove: + field: json.creationTime + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.created + copy_from: darktrace.model_breach_alert.creation_time + ignore_failure: true + - convert: + field: 
json.devicescore + target_field: darktrace.model_breach_alert.device_score + type: double + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.device.credentials + target_field: darktrace.model_breach_alert.device.credentials + ignore_missing: true + - convert: + field: json.device.did + target_field: darktrace.model_breach_alert.device.did + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - remove: + field: darktrace.model_breach_alert.device.did + ignore_missing: true + if: ctx.darktrace?.model_breach_alert?.device?.did != null && ctx.darktrace?.model_breach_alert?.device?.did < 0 + - convert: + field: darktrace.model_breach_alert.device.did + target_field: host.id + type: string + ignore_missing: true + on_failure: + - remove: + field: darktrace.model_breach_alert.device.did + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.device.firstSeen + target_field: darktrace.model_breach_alert.device.first_seen + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.device?.firstSeen != null + on_failure: + - remove: + field: json.device.firstseen + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - convert: + field: json.device.hostname + target_field: json.device._temp_.hostname_ip + type: ip + ignore_missing: true + on_failure: + - set: + field: host.hostname + copy_from: json.device.hostname + ignore_failure: true + - append: + field: related.ip + value: '{{{json.device._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device.hostname + target_field: darktrace.model_breach_alert.device.hostname + ignore_missing: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + allow_duplicates: false + ignore_failure: true + 
- convert: + field: json.device.ip + target_field: darktrace.model_breach_alert.device._temp_.ip + type: ip + ignore_failure: true + - append: + field: host.ip + value: '{{{darktrace.model_breach_alert.device._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: json.device.ip6 + target_field: darktrace.model_breach_alert.device._temp_.ip6 + type: ip + ignore_failure: true + - append: + field: host.ip + value: '{{{darktrace.model_breach_alert.device._temp_.ip6}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.device.ip + target_field: darktrace.model_breach_alert.device.ip + ignore_missing: true + - rename: + field: json.device.ip6 + target_field: darktrace.model_breach_alert.device.ip6 + ignore_missing: true + - remove: + field: + - darktrace.model_breach_alert.device._temp_ + ignore_missing: true + - foreach: + field: host.ip + if: ctx.host?.ip instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + convert: + field: _ingest._value.ip + target_field: _ingest._value._temp_.ip + type: ip + ignore_failure: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + append: + field: related.ip + value: '{{{_ingest._value._temp_.ip}}}' + allow_duplicates: false + ignore_failure: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + processor: + date: + field: _ingest._value.timems + target_field: _ingest._value.timems + formats: + - ISO8601 + - UNIX_MS + - 'MMM dd HH:mm:ss' + on_failure: + - remove: + field: _ingest._value.timems + ignore_missing: true + - foreach: + field: json.device.ips + if: ctx.json?.device?.ips instanceof List + ignore_failure: true + 
processor:
+ date:
+ field: _ingest._value.time
+ target_field: _ingest._value.time
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - 'MMM dd HH:mm:ss'
+ - 'yyyy-MM-dd HH:mm:ss'
+ on_failure:
+ - remove:
+ field: _ingest._value.time
+ ignore_missing: true
+ - foreach:
+ field: json.device.ips
+ if: ctx.json?.device?.ips instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.sid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.sid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.ips
+ if: ctx.json?.device?.ips instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field: _ingest._value._temp_
+ ignore_missing: true
+ - rename:
+ field: json.device.ips
+ target_field: darktrace.model_breach_alert.device.ips
+ ignore_missing: true
+ - date:
+ field: json.device.lastSeen
+ target_field: darktrace.model_breach_alert.device.last_seen
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - 'MMM dd HH:mm:ss'
+ if: ctx.json?.device?.lastSeen != null
+ on_failure:
+ - remove:
+ field: json.device.lastseen
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - gsub:
+ field: json.device.macaddress
+ target_field: darktrace.model_breach_alert.device.mac_address
+ pattern: '[:.]'
+ replacement: '-'
+ ignore_missing: true
+ - uppercase:
+ field: darktrace.model_breach_alert.device.mac_address
+ ignore_missing: true
+ - set:
+ field: host.mac
+ copy_from: darktrace.model_breach_alert.device.mac_address
+ ignore_failure: true
+ - convert:
+ field: json.device.sid
+ target_field: darktrace.model_breach_alert.device.sid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.tid
+ type: long
+
ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.tid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.thid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.thid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.expiry
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.expiry
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.restricted
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.restricted
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.isReferenced
+ target_field: _ingest._value.is_referenced
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.isReferenced
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.data.auto
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.data.auto
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+
ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.data.color
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.color
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.device.tags
+ if: ctx.json?.device?.tags instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field: _ingest._value.isReferenced
+ ignore_missing: true
+ - rename:
+ field: json.device.tags
+ target_field: darktrace.model_breach_alert.device.tags
+ ignore_missing: true
+ - rename:
+ field: json.device.typelabel
+ target_field: darktrace.model_breach_alert.device.type_label
+ ignore_missing: true
+ - rename:
+ field: json.device.typename
+ target_field: darktrace.model_breach_alert.device.type_name
+ ignore_missing: true
+ - set:
+ field: host.type
+ copy_from: darktrace.model_breach_alert.device.type_name
+ ignore_failure: true
+ - rename:
+ field: json.device.vendor
+ target_field: darktrace.model_breach_alert.device.vendor
+ ignore_missing: true
+ - convert:
+ field: json.acknowledged
+ target_field: darktrace.model_breach_alert.is_acknowledged
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.mitreTechniques
+ if: ctx.json?.mitreTechniques instanceof List
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.techniqueID
+ target_field: _ingest._value.id
+ ignore_missing: true
+ - foreach:
+ field: json.mitreTechniques
+ if: ctx.json?.mitreTechniques instanceof List
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.technique
+ target_field: _ingest._value.name
+ ignore_missing: true
+ - rename:
+ field: json.mitreTechniques
+ target_field: darktrace.model_breach_alert.mitre_techniques
+ ignore_missing: true
+ - foreach:
+ field: darktrace.model_breach_alert.mitre_techniques
+ if: ctx.darktrace?.model_breach_alert?.mitre_techniques
instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: threat.technique.id
+ value: '{{{_ingest._value.id}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ - foreach:
+ field: darktrace.model_breach_alert.mitre_techniques
+ if: ctx.darktrace?.model_breach_alert?.mitre_techniques instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: threat.technique.name
+ value: '{{{_ingest._value.name}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ - rename:
+ field: json.model.actions.antigena.action
+ target_field: darktrace.model_breach_alert.model.actions.antigena.action
+ ignore_missing: true
+ - set:
+ field: event.action
+ copy_from: darktrace.model_breach_alert.model.actions.antigena.action
+ ignore_failure: true
+ - convert:
+ field: json.model.actions.antigena.duration
+ target_field: darktrace.model_breach_alert.model.actions.antigena.duration
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.antigena.confirm
+ target_field: darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.antigena.threshold
+ target_field: darktrace.model_breach_alert.model.actions.antigena.threshold
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.alert
+ target_field: darktrace.model_breach_alert.model.actions.is_alerting
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.breach
+ target_field: darktrace.model_breach_alert.model.actions.is_breach
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.setPriority
+ target_field: darktrace.model_breach_alert.model.actions.is_priority_set
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.setTag
+ target_field: darktrace.model_breach_alert.model.actions.is_tag_set
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.setType
+ target_field: darktrace.model_breach_alert.model.actions.is_type_set
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.actions.model
+ target_field: darktrace.model_breach_alert.model.actions.model
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.activeTimes.version
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.model.activeTimes.version
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.model.activeTimes
+ target_field: darktrace.model_breach_alert.model.active_times
+ ignore_missing: true
+ - rename:
+ field: json.model.behaviour
+ target_field: darktrace.model_breach_alert.model.behaviour
+ ignore_missing: true
+ - rename:
+ field: json.model.category
+ target_field: darktrace.model_breach_alert.model.category
+ ignore_missing: true
+ - set:
+ field: rule.category
+ copy_from: darktrace.model_breach_alert.model.category
+ ignore_failure: true
+ - rename:
+ field: json.model.created.by
+ target_field: darktrace.model_breach_alert.model.created.by
+ ignore_missing: true
+ - append:
+ field: related.user
+ value:
'{{{darktrace.model_breach_alert.model.created.by}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ - set:
+ field: rule.author
+ copy_from: darktrace.model_breach_alert.model.created.by
+ ignore_failure: true
+ - foreach:
+ field: json.model.defeats
+ if: ctx.json?.model?.defeats instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.defeatID
+ target_field: _ingest._value.id
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.defeatID
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.model.defeats
+ if: ctx.json?.model?.defeats instanceof List
+ ignore_failure: true
+ processor:
+ remove:
+ field: _ingest._value.defeatID
+ ignore_missing: true
+ - rename:
+ field: json.model.defeats
+ target_field: darktrace.model_breach_alert.model.defeats
+ ignore_missing: true
+ - convert:
+ field: json.model.delay
+ target_field: darktrace.model_breach_alert.model.delay
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.model.description
+ target_field: darktrace.model_breach_alert.model.description
+ ignore_missing: true
+ - set:
+ field: rule.description
+ copy_from: darktrace.model_breach_alert.model.description
+ ignore_failure: true
+ - rename:
+ field: json.model.edited.by
+ target_field: darktrace.model_breach_alert.model.edited.by
+ ignore_missing: true
+ - append:
+ field: related.user
+ value: '{{{darktrace.model_breach_alert.model.edited.by}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ - convert:
+ field: json.model.compliance
+ target_field: darktrace.model_breach_alert.model.in_compliance_behavior_category
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.interval
+ target_field:
darktrace.model_breach_alert.model.interval
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.active
+ target_field: darktrace.model_breach_alert.model.is_active
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.autoSuppress
+ target_field: darktrace.model_breach_alert.model.is_auto_suppress
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.autoUpdatable
+ target_field: darktrace.model_breach_alert.model.is_auto_updatable
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.autoUpdate
+ target_field: darktrace.model_breach_alert.model.is_auto_update
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.sequenced
+ target_field: darktrace.model_breach_alert.model.is_sequenced
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.sharedEndpoints
+ target_field: darktrace.model_breach_alert.model.is_shared_endpoints
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - script:
+ description: Dynamically map model.logic.data array using model.logic.type field.
+ if: ctx.json?.model?.logic?.data instanceof List
+ lang: painless
+ ignore_failure: true
+ params:
+ componentList: data_component_list
+ weightedComponentList: data_weighted_component_list
+ source:
+ def data = ctx.json.model.logic.data;
+ if (ctx.json.model.logic?.type != null) {
+ if (['componentList', 'weightedComponentList'].contains(ctx.json.model.logic?.type)) {
+ ctx["json"]["model"]["logic"][params.get(ctx.json.model.logic?.type)] = data;
+ } else {
+ ctx["json"]["model"]["logic"]["data_" + ctx.json.model.logic?.type] = data;
+ }
+ }
+ ctx.json.model.logic.remove("data");
+ - convert:
+ field: json.model.logic.data_component_list
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.model.logic.data_component_list
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.logic.data_weighted_component_list.cid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.model.logic.data_weighted_component_list.cid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.logic.data_weighted_component_list.weight
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.model.logic.data_weighted_component_list.weight
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.logic.version
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.model.logic.version
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.logic.targetScore
+ target_field: json.model.logic.target_score
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - remove:
+ field: json.model.logic.targetScore
+ ignore_missing: true
+ - rename:
+ field: json.model.logic
+ target_field:
darktrace.model_breach_alert.model.logic
+ ignore_missing: true
+ - date:
+ field: json.model.modified
+ target_field: darktrace.model_breach_alert.model.modified
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - 'MMM dd HH:mm:ss'
+ - 'yyyy-MM-dd HH:mm:ss'
+ if: ctx.json?.model?.modified != null
+ on_failure:
+ - remove:
+ field: json.model.modified
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.model.name
+ target_field: darktrace.model_breach_alert.model.name
+ ignore_missing: true
+ - set:
+ field: rule.name
+ copy_from: darktrace.model_breach_alert.model.name
+ ignore_failure: true
+ - convert:
+ field: json.model.phid
+ target_field: darktrace.model_breach_alert.model.phid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.pid
+ target_field: darktrace.model_breach_alert.model.pid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.priority
+ target_field: darktrace.model_breach_alert.model.priority
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.model.priority
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.severity
+ copy_from: darktrace.model_breach_alert.model.priority
+ ignore_failure: true
+ - rename:
+ field: json.model.tags
+ target_field: darktrace.model_breach_alert.model.tags
+ ignore_missing: true
+ - set:
+ field: rule.ruleset
+ copy_from: darktrace.model_breach_alert.model.tags
+ ignore_failure: true
+ - convert:
+ field: json.model.throttle
+ target_field: darktrace.model_breach_alert.model.throttle
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.model.userID
+
target_field: darktrace.model_breach_alert.model.userid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - rename:
+ field: json.model.uuid
+ target_field: darktrace.model_breach_alert.model.uuid
+ ignore_missing: true
+ - set:
+ field: rule.uuid
+ copy_from: darktrace.model_breach_alert.model.uuid
+ ignore_failure: true
+ - convert:
+ field: json.model.version
+ target_field: darktrace.model_breach_alert.model.version
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.model.version
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: darktrace.model_breach_alert.model.version
+ target_field: rule.version
+ type: string
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: darktrace.model_breach_alert.model.version
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pbscore
+ target_field: darktrace.model_breach_alert.pb_score
+ type: double
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.pbid
+ target_field: darktrace.model_breach_alert.pbid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - convert:
+ field: json.score
+ target_field: darktrace.model_breach_alert.score
+ type: double
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: json.score
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: event.risk_score
+ copy_from: darktrace.model_breach_alert.score
+ ignore_failure: true
+ - script:
+ description: Normalize event.risk_score to event.risk_score_norm
+ lang: painless
+ if: ctx.event?.risk_score != null
+ source:
+ def normalizedRiskScore = ctx.event.risk_score * 100.0;
+ ctx.event.risk_score_norm = normalizedRiskScore;
+
- date:
+ field: json.time
+ target_field: darktrace.model_breach_alert.time
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - 'MMM dd HH:mm:ss'
+ if: ctx.json?.time != null
+ on_failure:
+ - remove:
+ field: json.time
+ ignore_missing: true
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - set:
+ field: '@timestamp'
+ copy_from: darktrace.model_breach_alert.time
+ ignore_failure: true
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cbid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cbid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.chid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.chid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.interval
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.interval
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - script:
+ description: Stringify logic.data field of triggeredComponents array.
+ lang: painless
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ source:
+ for (component in ctx.json.triggeredComponents) {
+ component.logic.data = component?.logic?.data.toString();
+ }
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.metric.mlid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.metric.mlid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.size
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.size
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.threshold
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.threshold
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ date:
+ field: _ingest._value.time
+ target_field: _ingest._value.time
+ formats:
+ - ISO8601
+ - UNIX_MS
+ - 'MMM dd HH:mm:ss'
+ on_failure:
+ - remove:
+ field: _ingest._value.time
+ ignore_missing: true
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ append:
+ field: event.start
+ value: '{{{_ingest._value.time}}}'
+ allow_duplicates: false
+ ignore_failure: true
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+
processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.cfid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.cfid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.comparatorType
+ target_field: _ingest._value.comparator_type
+ ignore_missing: true
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.filterType
+ target_field: _ingest._value.filter_type
+ ignore_missing: true
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.trigger.tag.data.auto
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.trigger.tag.data.auto
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.trigger.tag.data.color
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.trigger.tag.data.color
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if:
ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.trigger.tag.expiry
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.trigger.tag.expiry
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.trigger.tag.isReferenced
+ target_field: _ingest._value.trigger.tag.is_referenced
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.trigger.tag.isReferenced
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.trigger.tag.restricted
+ type: boolean
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.trigger.tag.restricted
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.trigger.tag.thid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.trigger.tag.thid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+
processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ convert:
+ field: _ingest._value.trigger.tag.tid
+ type: long
+ ignore_missing: true
+ on_failure:
+ - remove:
+ field: _ingest._value.trigger.tag.tid
+ - append:
+ field: error.message
+ value: '{{{_ingest.on_failure_message}}}'
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ foreach:
+ field: _ingest._value.triggeredFilters
+ ignore_failure: true
+ processor:
+ remove:
+ field: _ingest._value.trigger.tag.isReferenced
+ ignore_missing: true
+ - foreach:
+ field: json.triggeredComponents
+ if: ctx.json?.triggeredComponents instanceof List
+ ignore_failure: true
+ processor:
+ rename:
+ field: _ingest._value.triggeredFilters
+ target_field: _ingest._value.triggered_filters
+ ignore_missing: true
+ - rename:
+ field: json.triggeredComponents
+ target_field: darktrace.model_breach_alert.triggered_components
+ ignore_missing: true
+ - remove:
+ field: json
+ ignore_missing: true
+ - remove:
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields'))
+ field:
+ - darktrace.model_breach_alert.time
+ - darktrace.model_breach_alert.model.actions.antigena.action
+ - darktrace.model_breach_alert.creation_time
+ - darktrace.model_breach_alert.score
+ - darktrace.model_breach_alert.model.priority
+ - darktrace.model_breach_alert.device.did
+ - darktrace.model_breach_alert.device.mac_address
+ - darktrace.model_breach_alert.device.type_name
+ - darktrace.model_breach_alert.model.created.by
+ - darktrace.model_breach_alert.model.category
+ - darktrace.model_breach_alert.model.description
+ - darktrace.model_breach_alert.model.name
+ - darktrace.model_breach_alert.model.tags
+ - darktrace.model_breach_alert.model.uuid
+ - darktrace.model_breach_alert.model.version
+ - darktrace.model_breach_alert.mitre_techniques
+ ignore_failure: true
+ ignore_missing: true
+ - foreach:
+ field: darktrace.model_breach_alert.triggered_components
+ if: ctx.darktrace?.model_breach_alert?.triggered_components instanceof List && (ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')))
+ ignore_failure: true
+ processor:
+ remove:
+ field:
+ - _ingest._value.time
+ ignore_missing: true
+ ignore_failure: true
+ - remove:
+ field: event.original
+ if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))
+ ignore_failure: true
+ ignore_missing: true
+ - script:
+ description: Drops null/empty values recursively.
+ lang: painless
+ source:
+ boolean dropEmptyFields(Object object) {
+ if (object == null || object == "") {
+ return true;
+ } else if (object instanceof Map) {
+ ((Map) object).values().removeIf(value -> dropEmptyFields(value));
+ return (((Map) object).size() == 0);
+ } else if (object instanceof List) {
+ ((List) object).removeIf(value -> dropEmptyFields(value));
+ return (((List) object).length == 0);
+ }
+ return false;
+ }
+ dropEmptyFields(ctx);
+on_failure:
+ - append:
+ field: error.message
+ value: '{{{ _ingest.on_failure_message }}}'
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml b/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml
new file mode 100644
index 00000000000..6e1bac042bc
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/base-fields.yml b/packages/darktrace/data_stream/model_breach_alert/fields/base-fields.yml
new file mode 100644
index 00000000000..7dd51b599cc
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/fields/base-fields.yml
@@ -0,0 +1,20 @@
+- name: data_stream.type
+ type: constant_keyword
+ description: Data stream type.
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ type: constant_keyword
+ description: Data stream namespace.
+- name: event.module
+ type: constant_keyword
+ description: Event module.
+ value: darktrace
+- name: event.dataset
+ type: constant_keyword
+ description: Event dataset.
+ value: darktrace.model_breach_alert
+- name: '@timestamp'
+ type: date
+ description: Event timestamp.
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml b/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml
new file mode 100644
index 00000000000..d719265327f
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml
@@ -0,0 +1,76 @@
+- external: ecs
+ name: ecs.version
+- external: ecs
+ name: event.action
+- external: ecs
+ name: event.category
+- external: ecs
+ name: event.created
+- external: ecs
+ name: event.kind
+- external: ecs
+ name: event.original
+- external: ecs
+ name: event.risk_score
+- external: ecs
+ name: event.risk_score_norm
+- external: ecs
+ name: event.severity
+- external: ecs
+ name: event.start
+- external: ecs
+ name: event.type
+- external: ecs
+ name: event.url
+- external: ecs
+ name: host.hostname
+- external: ecs
+ name: host.id
+- external: ecs
+ name: host.ip
+- external: ecs
+ name: host.mac
+- external: ecs
+ name: host.type
+- external: ecs
+ name: log.syslog.appname
+- external: ecs
+ name: log.syslog.facility.code
+- external: ecs
+ name: log.syslog.facility.name
+- external: ecs
+ name: log.syslog.hostname
+- external: ecs
+ name: log.syslog.priority
+- external: ecs
+ name: log.syslog.severity.code
+- external: ecs
+ name: log.syslog.severity.name
+- external: ecs
+ name: log.syslog.version
+- external: ecs
+ name: related.hosts
+- external: ecs
+ name: related.ip
+- external: ecs
+ name: related.user
+- external: ecs
+ name: rule.author
+- external: ecs
+ name: rule.category
+- external: ecs
+ name: rule.description
+- external: ecs
+ name: rule.name
+- external: ecs
+ name: rule.ruleset
+- external: ecs
+ name: rule.uuid
+- external: ecs
+ name: rule.version
+- external: ecs
+ name: tags
+- external: ecs
+ name: threat.technique.id
+- external: ecs
+ name: threat.technique.name
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/fields.yml b/packages/darktrace/data_stream/model_breach_alert/fields/fields.yml
new file mode 100644
index 00000000000..a9723624791
--- /dev/null
+++ b/packages/darktrace/data_stream/model_breach_alert/fields/fields.yml
@@ -0,0 +1,428 @@ +- name: darktrace.model_breach_alert + type: group + fields: + - name: aianalyst_data + type: group + fields: + - name: related + type: long + - name: summariser + type: keyword + - name: uuid + type: keyword + - name: breach_url + type: group + description: A link to the specific model breach in the Darktrace Threat Visualizer - the configuration option FQDN must be set for this field to appear. + fields: + - name: domain + type: keyword + - name: extension + type: keyword + - name: fragment + type: keyword + - name: full + type: keyword + - name: original + type: keyword + - name: password + type: keyword + - name: path + type: keyword + - name: port + type: long + - name: query + type: keyword + - name: scheme + type: keyword + - name: username + type: keyword + - name: comment + type: group + fields: + - name: count + type: long + description: The number of comments made against this breach. + - name: creation_time + type: date + description: The timestamp that the record of the breach was created. This is distinct from the “time” field. + - name: device_score + type: double + - name: device + type: group + fields: + - name: credentials + type: keyword + - name: did + type: long + description: The “device id”, a unique identifier. + - name: first_seen + type: date + description: The first time the device was seen on the network. + - name: hostname + type: keyword + description: The current device hostname. + - name: ip + type: keyword + description: The current IP associated with the device. + - name: ip6 + type: keyword + description: Current IPv6 address of this device if applicable, otherwise undefined. + - name: ips + type: group + fields: + - name: ip + type: keyword + description: A historic IP associated with the device. + - name: sid + type: long + description: The subnet id for the subnet the IP belongs to. + - name: time + type: date + description: The time the IP was last seen associated with that device in readable format. 
+ - name: timems + type: date + description: The time the IP was last seen associated with that device in epoch time. + - name: last_seen + type: date + description: The last time the device was seen on the network. + - name: mac_address + type: keyword + description: The current MAC address associated with the device. + - name: sid + type: long + description: The subnet id for the subnet the device is currently located in. + - name: tags + type: group + fields: + - name: data + type: group + fields: + - name: auto + type: boolean + - name: color + type: long + - name: description + type: keyword + - name: visibility + type: keyword + - name: expiry + type: long + - name: is_referenced + type: boolean + - name: name + type: keyword + - name: restricted + type: boolean + - name: thid + type: long + - name: tid + type: long + - name: type_label + type: keyword + description: The device type in readable format. + - name: type_name + type: keyword + description: The device type in system format. + - name: vendor + type: keyword + description: The vendor of the device network card as derived by Darktrace from the MAC address. + - name: is_acknowledged + type: boolean + - name: mitre_techniques + type: group + description: Any mapped MITRE ATT&CK techniques the model corresponds to. + fields: + - name: name + type: keyword + - name: id + type: keyword + - name: model + type: group + fields: + - name: actions + type: group + fields: + - name: antigena + type: group + fields: + - name: action + type: keyword + description: The action to be performed. + - name: duration + type: long + description: The duration in seconds that the antigena action should last for. + - name: is_confirm_by_human_operator + type: boolean + description: Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode. 
+ - name: threshold + type: long + description: The breach score threshold (out of 100) over which antigena will take an action. + - name: is_alerting + type: boolean + description: If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. + - name: is_breach + type: boolean + description: If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. + - name: is_priority_set + type: boolean + description: If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean. + - name: is_tag_set + type: boolean + description: If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean. + - name: is_type_set + type: boolean + description: If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean. + - name: model + type: boolean + description: If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray. + - name: active_times + type: group + fields: + - name: devices + type: flattened + description: The device ids for devices on the list. + - name: tags + type: flattened + description: A system field. + - name: type + type: keyword + description: 'The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist.' + - name: version + type: long + description: A system field. + - name: behaviour + type: keyword + description: The score modulation function as set in the model editor. + - name: category + type: keyword + description: The behavior category of the model that was breached. + - name: created + type: group + fields: + - name: by + type: keyword + description: Username that created the model. 
+ - name: defeats + type: group + fields: + - name: arguments + type: group + fields: + - name: value + type: keyword + description: The value(s) that must match for the defeat to take effect. + - name: comparator + type: keyword + description: The comparator that the value is compared against the create the defeat. + - name: filtertype + type: keyword + description: The filter the defeat is made from. + - name: id + type: long + description: A unique ID for the defeat. + - name: delay + type: long + description: Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. + - name: description + type: keyword + description: The optional description of the model. + - name: edited + type: group + fields: + - name: by + type: keyword + description: Username that last edited the model. + - name: userid + type: long + - name: in_compliance_behavior_category + type: boolean + description: Whether the model is in the compliance behavior category. + - name: interval + type: long + description: Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached. + - name: is_active + type: boolean + description: Whether the model is enabled or disabled. + - name: is_auto_suppress + type: boolean + description: Whether the model will automatically be suppressed in the case of over-breaching. + - name: is_auto_updatable + type: boolean + description: Whether the model is suitable for auto update. + - name: is_auto_update + type: boolean + description: Whether the model is enabled for auto update. + - name: is_sequenced + type: boolean + description: Whether the components are required to fire in the specified order for the model breach to occur. 
+ - name: is_shared_endpoints + type: boolean + description: For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire. + - name: logic + type: group + fields: + - name: data_component_list + type: long + description: This will be a list of component ID numbers. + - name: data_weighted_component_list + type: group + description: This model is a weighted type this will be a list of component ID, weight object pairs. + fields: + - name: cid + type: long + - name: weight + type: long + - name: target_score + type: long + - name: type + type: keyword + description: The type of model. + - name: version + type: long + description: A number representing the version of model logic. + - name: modified + type: date + description: Timestamp at which the model was last modified, in a readable format. + - name: name + type: keyword + description: Name of the model that was breached. + - name: phid + type: long + description: The model “policy history” id. Increments when the model is modified. + - name: pid + type: long + description: The “policy id” of the model that was breached. + - name: priority + type: long + description: The model’s priority affects the strength with which it breaches (0-5 scale). + - name: tags + type: keyword + description: A list of tags that have been applied to this model in the Threat Visualizer model editor. + - name: throttle + type: long + description: For an individual device, this is the value in seconds for which this model will not fire again. + - name: uuid + type: keyword + description: A unique ID that is generated on creation of the model. + - name: version + type: long + description: The version of the model. Increments on each edit. + - name: pb_score + type: double + description: The model breach score, represented by a value between 0 and 1. + - name: pbid + type: long + description: The “policy breach ID” of the model breach. 
+ - name: score + type: double + description: The model breach score, represented by a value between 0 and 1. + - name: time + type: date + description: The timestamp when the record was created in epoch time. + - name: triggered_components + type: group + fields: + - name: cbid + type: long + description: The “component breach id”. A unique identifier for the component breach. + - name: chid + type: long + description: The “component history id”. Increments when the component is edited. + - name: cid + type: long + description: The “component id”. A unique identifier. + - name: interval + type: long + description: The timeframe in seconds within which the threshold must be satisfied. + - name: logic + type: group + fields: + - name: data + type: text + description: It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters. + - name: version + type: keyword + description: The version of the component logic. + - name: metric + type: group + fields: + - name: label + type: keyword + description: The metric which data is returned for in readable format. + - name: mlid + type: long + description: The “metric logic” id - unique identifier. + - name: name + type: keyword + description: The metric which data is returned for in system format. + - name: size + type: long + description: The size of the value that was compared in the component. + - name: threshold + type: long + description: The threshold value that the size must exceed for the component to breach. + - name: time + type: date + description: A timestamp in Epoch time at which the components were triggered. + - name: triggered_filters + type: group + fields: + - name: arguments + type: group + fields: + - name: value + type: keyword + description: The value the filtertype should be compared against (using the specified comparator) to create the filter. 
+ - name: cfid + type: long + description: The ‘component filter id’. A unique identifier for the filter as part of a the component. + - name: comparator_type + type: keyword + description: The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint. + - name: filter_type + type: keyword + description: The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint. + - name: id + type: keyword + description: A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral. + - name: trigger + type: group + fields: + - name: tag + type: group + fields: + - name: data + type: group + fields: + - name: auto + type: boolean + - name: color + type: long + - name: description + type: keyword + - name: visibility + type: keyword + - name: expiry + type: long + description: nan + - name: isReferenced + type: boolean + description: nan + - name: name + type: keyword + description: nan + - name: restricted + type: boolean + description: nan + - name: thid + type: long + description: nan + - name: tid + type: long + description: nan + - name: value + type: keyword + description: The actual value that triggered the filter. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/darktrace/data_stream/model_breach_alert/manifest.yml b/packages/darktrace/data_stream/model_breach_alert/manifest.yml new file mode 100644 index 00000000000..ec908d91f93 --- /dev/null +++ b/packages/darktrace/data_stream/model_breach_alert/manifest.yml 
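Review bot: Six fields under `triggered_components.triggered_filters.trigger.tag.data` (`expiry`, `isReferenced`, `name`, `restricted`, `thid`, `tid`) carry `description: nan`, which reads like a spreadsheet-export artifact and will be shown verbatim as the field description in Kibana; drop the `description` key on those entries or give them real text, e.g. `description: Unique id of the tag.` for `tid`. `isReferenced` is also the only camelCase name in the file — the sibling under `device.tags.data` is `is_referenced` — and the ingest pipeline hunk earlier in this patch removes `_ingest._value.trigger.tag.isReferenced` before the `triggeredFilters` rename, so this mapping appears to declare a field the pipeline never populates; rename it to `is_referenced` or remove the entry. Separately, `device.ip`, `device.ip6` and `device.ips.ip` are mapped as `keyword`; if the source reliably supplies addresses there, `type: ip` lets detection rules and dashboards run CIDR-range queries against the device address instead of exact string matches, which is how these values are usually pivoted on during an investigation.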
@@ -0,0 +1,171 @@ +title: Collect Model Breach Alert logs from Darktrace +type: logs +streams: + - input: httpjson + title: Model Breach Alert logs + description: Collect Model Breach Alert logs via API. + template_path: httpjson.yml.hbs + vars: + - name: initial_interval + type: text + title: Initial Interval + description: How far back to pull the Model Breach Alert logs from Darktrace. + multi: false + required: true + show_user: true + default: 24h + - name: interval + type: text + title: Interval + description: Duration between requests to the Darktrace API. + default: 1m + multi: false + required: true + show_user: true + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_model_breach_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: tcp + title: Model Breach Alert logs + description: Collect Model Breach Alert logs via TCP input. + template_path: tcp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. 
+ multi: false + required: true + show_user: true + default: 9572 + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_model_breach_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + title: Model Breach Alert logs + description: Collect Model Breach Alert logs via UDP input. + template_path: udp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. 
+ multi: false + required: true + show_user: true + default: 9575 + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_model_breach_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/darktrace/data_stream/model_breach_alert/sample_event.json b/packages/darktrace/data_stream/model_breach_alert/sample_event.json new file mode 100644 index 00000000000..e42d6626882 --- /dev/null +++ b/packages/darktrace/data_stream/model_breach_alert/sample_event.json 
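Review bot: The `tcp_options` default in the TCP stream (`max_message_size: 50KiB` plus commented `max_connections`/`framing`/`line_delimiter`) gives no hint that the listener accepts TLS settings, so an operator following the description will most likely run the alert receiver in cleartext; the diffstat lists a `test-tls-config.yml` for this data stream, so the input evidently supports it, and a commented `#ssl.certificate: /path/to/cert.pem` / `#ssl.key: /path/to/key.pem` pair in that default block, together with a sentence in the description, would make the option discoverable. The UDP stream cannot offer transport encryption at all, which is worth stating in its description so the choice between the two listeners is an informed one. The httpjson stream declares no endpoint or credential variables; presumably those live in the package-level manifest, which is not part of this hunk.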
@@ -0,0 +1,583 @@ +{ + "@timestamp": "2022-07-11T13:04:08.000Z", + "agent": { + "ephemeral_id": "a87de6d4-91d9-4fe3-8dc6-f55474c36e5a", + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "model_breach_alert": { + "aianalyst_data": [ + { + "related": [ + 1 + ], + "summariser": "BeaconSummary", + "uuid": "1234abcd-1234-1234-1234-123456abcdef" + } + ], + "comment": { + "count": 0 + }, + "creation_time": "2022-07-11T13:04:19.000Z", + "device": { + "did": 3, + "first_seen": "2022-07-11T12:54:49.000Z", + "ip": "81.2.69.142", + "last_seen": "2022-07-11T13:00:18.000Z", + "sid": 1, + "type_label": "Desktop", + "type_name": "desktop" + }, + "model": { + "actions": { + "is_alerting": true, + "is_breach": true, + "is_priority_set": false, + "is_tag_set": false, + "is_type_set": false, + "model": true + }, + "active_times": { + "type": "exclusions", + "version": 2 + }, + "behaviour": "incdec1", + "category": "Informational", + "created": { + "by": "System" + }, + "delay": 0, + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "edited": { + "by": "System" + }, + "in_compliance_behavior_category": false, + "interval": 10800, + "is_active": true, + "is_auto_suppress": true, + "is_auto_updatable": true, + "is_auto_update": true, + "is_sequenced": false, + "is_shared_endpoints": false, + "logic": { + "data_weighted_component_list": [ + { + "cid": 2026, + "weight": 1 + }, + { + "cid": 2024, + "weight": 1 + }, + { + "cid": 2025, + "weight": -100 + } + ], + "target_score": 1, + "type": "weightedComponentList", + "version": 1 + }, + "modified": "2022-07-11T11:47:37.000Z", + "name": "Compromise::Beaconing Activity To External Rare", + "phid": 1072, + "pid": 156, + "priority": 2, + "tags": [ + "AP: C2 Comms" + ], + "throttle": 10800, + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": 23 + }, + "pbid": 1, + "score": 0.674, + "time": "2022-07-11T13:04:08.000Z", + "triggered_components": [ + { + "cbid": 1, + "chid": 2113, + "cid": 2026, + "interval": 3600, + "logic": { + "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, 
right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}", + "version": "v0.1" + }, + "metric": { + "label": "External Connections", + "mlid": 1, + "name": "externalconnections" + }, + "size": 11, + "threshold": 10, + "time": "2022-07-11T13:04:08.000Z", + "triggered_filters": [ + { + "arguments": { + "value": 60 + }, + "cfid": 23426, + "comparator_type": "\u003e", + "filter_type": "Beaconing score", + "id": "A", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23427, + "comparator_type": "\u003e", + "filter_type": "Individual size up", + "id": "AA", + "trigger": { + "value": "4382" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23428, + "comparator_type": "\u003e", + "filter_type": "Rare domain", + "id": "AB", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23430, + "comparator_type": "\u003c", + "filter_type": "Age of destination", + "id": "AD", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23431, + "comparator_type": "\u003c", + "filter_type": "Age of external hostname", + "id": "AE", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23432, + "comparator_type": "does not match regular expression", + 
"filter_type": "Connection hostname", + "id": "AF", + "trigger": { + "value": "example.com" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23433, + "comparator_type": "does not match regular expression", + "filter_type": "ASN", + "id": "AG", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "5d41402abc4b2a76b9719d911017c592" + }, + "cfid": 23434, + "comparator_type": "does not match", + "filter_type": "JA3 hash", + "id": "AH", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23435, + "comparator_type": "\u003e", + "filter_type": "Rare external IP", + "id": "B", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": "1003" + }, + "cfid": 23436, + "comparator_type": "is not", + "filter_type": "Application protocol", + "id": "C", + "trigger": { + "value": "1004" + } + }, + { + "arguments": { + "value": 53 + }, + "cfid": 23437, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "D", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "out" + }, + "cfid": 23438, + "comparator_type": "is", + "filter_type": "Direction", + "id": "E", + "trigger": { + "value": "out" + } + }, + { + "arguments": { + "value": 137 + }, + "cfid": 23439, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "H", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": 161 + }, + "cfid": 23440, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "I", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "6" + }, + "cfid": 23441, + "comparator_type": "is", + "filter_type": "Protocol", + "id": "J", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "Company" + }, + "cfid": 23442, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "K", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + 
"arguments": { + "value": "Company" + }, + "cfid": 23443, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "L", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "13" + }, + "cfid": 23444, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "M", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "5" + }, + "cfid": 23445, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "N", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "9" + }, + "cfid": 23446, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "O", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "12" + }, + "cfid": 23447, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "P", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "30" + }, + "cfid": 23448, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "S", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "4" + }, + "cfid": 23449, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "U", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "3" + }, + "cfid": 23450, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "V", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "false" + }, + "cfid": 23451, + "comparator_type": "is", + "filter_type": "Trusted hostname", + "id": "X", + "trigger": { + "value": "false" + } + }, + { + "arguments": { + "value": 26 + }, + "cfid": 23452, + "comparator_type": "does not have tag", + "filter_type": "Tagged internal source", + "id": "Y", + "trigger": { + "tag": { + "data": { + "auto": false, + "color": 5, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + 
"name": "No Device Tracking", + "restricted": false, + "thid": 26, + "tid": 26 + }, + "value": "26" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23453, + "comparator_type": "\u003e", + "filter_type": "Individual size down", + "id": "Z", + "trigger": { + "value": "5862" + } + }, + { + "cfid": 23454, + "comparator_type": "display", + "filter_type": "JA3 hash", + "id": "d1", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "cfid": 23455, + "comparator_type": "display", + "filter_type": "ASN", + "id": "d2", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "cfid": 23456, + "comparator_type": "display", + "filter_type": "Destination IP", + "id": "d3", + "trigger": { + "value": "81.2.69.192" + } + }, + { + "cfid": 23457, + "comparator_type": "display", + "filter_type": "Connection hostname", + "id": "d4", + "trigger": { + "value": "example.com" + } + } + ] + } + ] + } + }, + "data_stream": { + "dataset": "darktrace.model_breach_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-07-11T13:04:19.000Z", + "dataset": "darktrace.model_breach_alert", + "ingested": "2022-08-09T07:49:42Z", + "kind": "event", + "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External 
Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "risk_score": 0.674, + "risk_score_norm": 67.4, + "severity": 2, + "start": [ + "2022-07-11T13:04:08.000Z" + ], + "type": [ + "info", + "connection" + ] + }, + "host": { + "id": "3", + "ip": [ + "81.2.69.142" + ], + "type": "desktop" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.6:42872" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "System" + ] + }, + "rule": { + "author": "System", + "category": "Informational", + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
+ "name": "Compromise::Beaconing Activity To External Rare",
+ "ruleset": [
+ "AP: C2 Comms"
+ ],
+ "uuid": "1234abcd-1234-1234-1234-123456abcdef",
+ "version": "23"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "darktrace_model_breach_alert"
+ ]
+}
\ No newline at end of file
diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-common-config.yml b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-common-config.yml
new file mode 100644
index 00000000000..be41bb0d476
--- /dev/null
+++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-common-config.yml
@@ -0,0 +1,4 @@
+fields:
+ tags:
+ - preserve_original_event
+ - preserve_duplicate_custom_fields
diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log
new file mode 100644
index 00000000000..950c12c7b48
--- /dev/null
+++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log
@@ -0,0 +1,2 @@
+{"last_updated":1618760651,"uuid":"abcdabcd-1234-1234-1234-3abababcdcd3","priority":43,"priority_level":"medium","hostname":"example-vsensor","ip_address":"175.16.199.1","message":"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test","name":"advanced_search","acknowledge_timeout":null,"alert_name":"Advanced Search","child_id":1,"last_updated_status":1618760651,"status":"active"}
+{"hostname":"local-abc","ip_address":"175.16.199.1","child_id":null,"name":"probe_down-0","priority":98,"priority_level":"critical","alert_name":"Probe Down","status":"Active","message":"The probe 1/175.16.199.1 has lost connection to the Master instance. Please ensure HTTPS bidirectional connectivity exists between the Master and the Probe.\n\nIf you have any issues, please open a ticket using the following link. https://example.com/test","last_updated":1658110810.556194,"last_updated_status":1658110810.556194,"acknowledge_timeout":null,"uuid":"abcd1234-1234-1234-1234-3abababcdcd3","url":"https://example.com/test?value=abcd1234-1234-1234-1234-3abababcdcd3"}
diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log-expected.json b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log-expected.json
new file mode 100644
index 00000000000..e1c42b4f11c
--- /dev/null
+++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log-expected.json
@@ -0,0 +1,109 @@ +{ + "expected": [ + { + "@timestamp": "2021-04-18T15:44:11.000Z", + "darktrace": { + "system_status_alert": { + "alert_name": "Advanced Search", + "child_id": 1, + "hostname": "example-vsensor", + "ip_address": "175.16.199.1", + "last_updated": "2021-04-18T15:44:11.000Z", + "last_updated_status": "2021-04-18T15:44:11.000Z", + "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", + "name": "advanced_search", + "priority": 43.0, + "priority_level": "medium", + "status": "active", + "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "id": "abcdabcd-1234-1234-1234-3abababcdcd3", + "kind": "alert", + "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", + "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. 
https://example.com/test", + "risk_score": 43.0, + "risk_score_norm": 43.0, + "type": [ + "info" + ] + }, + "host": { + "hostname": "example-vsensor", + "ip": "175.16.199.1" + }, + "related": { + "hosts": [ + "example-vsensor" + ], + "ip": [ + "175.16.199.1" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields" + ] + }, + { + "@timestamp": "2022-07-18T02:20:10.556Z", + "darktrace": { + "system_status_alert": { + "alert_name": "Probe Down", + "hostname": "local-abc", + "ip_address": "175.16.199.1", + "last_updated": "2022-07-18T02:20:10.556Z", + "last_updated_status": "2022-07-18T02:20:10.556Z", + "message": "The probe 1/175.16.199.1 has lost connection to the Master instance. Please ensure HTTPS bidirectional connectivity exists between the Master and the Probe.\n\nIf you have any issues, please open a ticket using the following link. https://example.com/test", + "name": "probe_down-0", + "priority": 98.0, + "priority_level": "critical", + "status": "active", + "url": { + "domain": "example.com", + "original": "https://example.com/test?value=abcd1234-1234-1234-1234-3abababcdcd3", + "path": "/test", + "query": "value=abcd1234-1234-1234-1234-3abababcdcd3", + "scheme": "https" + }, + "uuid": "abcd1234-1234-1234-1234-3abababcdcd3" + } + }, + "ecs": { + "version": "8.4.0" + }, + "event": { + "id": "abcd1234-1234-1234-1234-3abababcdcd3", + "kind": "alert", + "original": "{\"hostname\":\"local-abc\",\"ip_address\":\"175.16.199.1\",\"child_id\":null,\"name\":\"probe_down-0\",\"priority\":98,\"priority_level\":\"critical\",\"alert_name\":\"Probe Down\",\"status\":\"Active\",\"message\":\"The probe 1/175.16.199.1 has lost connection to the Master instance. Please ensure HTTPS bidirectional connectivity exists between the Master and the Probe.\\n\\nIf you have any issues, please open a ticket using the following link. 
https://example.com/test\",\"last_updated\":1658110810.556194,\"last_updated_status\":1658110810.556194,\"acknowledge_timeout\":null,\"uuid\":\"abcd1234-1234-1234-1234-3abababcdcd3\",\"url\":\"https://example.com/test?value=abcd1234-1234-1234-1234-3abababcdcd3\"}",
+ "reason": "The probe 1/175.16.199.1 has lost connection to the Master instance. Please ensure HTTPS bidirectional connectivity exists between the Master and the Probe.\n\nIf you have any issues, please open a ticket using the following link. https://example.com/test",
+ "risk_score": 98.0,
+ "risk_score_norm": 98.0,
+ "type": [
+ "info"
+ ],
+ "url": "https://example.com/test?value=abcd1234-1234-1234-1234-3abababcdcd3"
+ },
+ "host": {
+ "hostname": "local-abc",
+ "ip": "175.16.199.1"
+ },
+ "related": {
+ "hosts": [
+ "local-abc"
+ ],
+ "ip": [
+ "175.16.199.1"
+ ]
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields"
+ ]
+ }
+ ]
+}
\ No newline at end of file
diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml
new file mode 100644
index 00000000000..063df1e59b0
--- /dev/null
+++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tcp-config.yml
@@ -0,0 +1,10 @@
+service: darktrace-system_status_alert-tcp
+service_notify_signal: SIGHUP
+input: tcp
+vars:
+ listen_address: 0.0.0.0
+data_stream:
+ vars:
+ listen_port: 9573
+ preserve_original_event: true
+ preserve_duplicate_custom_fields: true
diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml
new file mode 100644
index 00000000000..81f051da6d4
--- /dev/null
+++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-tls-config.yml
@@ -0,0 +1,62 @@ +service: darktrace-system_status_alert-tls +service_notify_signal: SIGHUP +input: tcp +vars: + listen_address: 0.0.0.0 + ssl: | + key: | + -----BEGIN PRIVATE KEY----- + MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDhCLvLsQAHufsN + U+u1x/CequAUphfXZqLhDo2Eo/holfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU + /Ru8E76Az1egzMwT3TVAPLVU8NbrxBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxS + cD1sa0oikXCJN1a3BSoAf9iiZ/dxz4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg70 + 4vHOeg0rBbIoSNfjDUVZWjwC95K1BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDL + SHWis65p+1AAa5xieYDb47vyJ0SSR7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloIT + Xg9ag1OlAgMBAAECggEAEHfPJmzhj68wjB0kFr13AmWG2Hv/Kqg8KzQhbx+AwkaW + u7j+L70NGpvLZ9VQtLNyhxoz9cksZO1SZO/Q48aeHlcOFppmJN3/U6AdtQWa9M35 + FLLpmX16wjxVHsfvzOvopgLOoYl8PqZt66qDFDgVyMnT7na6RdJ+7GJuvBPXq+Bc + vgThvAZitHSAOhnBFYmTMlBi6AzOMMsaFlgE3Xf9v3M0pAKItPRKMhXlC3MyvA/v + jgbra4Ib+0ryohggHheHB3bn3Jgv7iFKoW9OQSePVxacJ+kfr9H+No5g495URzqR + mx/96WCiv3rAh3ct8Sk/C4/3zMC8fUueDJIVjhgw0QKBgQD8NufLINNkIpBrLoCS + 972oFEjZB2u6EusQ7X9raROqpaw26ZSu+zSHeIKCGQ93M3aRb3FpdGeOxgZ095MV + 8a+nlh4stOvHj2Mm5YhTBDUavTC7o9aVR3Od5eTXUpHnaJpNI/uyIcKupeK1UJnV + UlBLeIwo/vJ1gsVrKMMAJkuKbwKBgQDkaWRRd0w2gUIbCTGf203BqXft0VdIiOW7 + +gnkeaNHAf09XljzxMcQzrB8kG63aKVGbJffphEfzxtiJ+HRQVH+7QpKRhU/GHmu + +6OKkxTcxJm5zhoRFxcSi2wG4PWmUGJvc7ss1OJGcaOUxwocCepO7N/jfdDz9Uke + KnA+YWOdKwKBgQDteZkYlojT0QOgF8HyH5gQyUCqMKWLJ0LzxltiPCbLV4Dml1pq + w5Z7M8nWS1hXiTpLx93GSFc1hFkSCwYP9GfK6Lryp0sVtHnMZvTMDbseuSJImwRx + vDwtYQfugg1lEQWwOoBEAiu3m/PxernNtNprpU57T0nlwUK3GkM5QdWAuwKBgQCZ + ZF3GiANapzupxGbbH//8Cr9LqsafI7CEqMpz8WxBh4h16iJ6sq+tDeFgBe8UpOY5 + gTwNKg1d+0w8guQYD3HtbWr3rlEeamVtqfiOW3ArQqyqJ0tCJuuLvK3zgKf35Qv2 + JRaSaPT8sdxVUcXsRoxgLJu+vwPQke1koMN4YRbwuQKBgQDJiZ/WSeqa5oIqkXbn + hjm7RXKaf2oE1U/bNjdSFtdEP7T4vUvvr7Hq2f/jiBLtCE7w16PJjKx9iIq2+jMl + qIY43Sk9bdi5FxtYTHda0hwrbH274P+QVcVs5PXCT0TGktOleHGBlXaaPrxl9iCh + 8tmmxZZYa5aQxEO/lxB9xQKaiQ== + -----END PRIVATE KEY----- + certificate: | + -----BEGIN CERTIFICATE----- + 
MIIDazCCAlOgAwIBAgIUW5TDu1tJMY2Oa7PsL+BQSmeWqz0wDQYJKoZIhvcNAQEL + BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM + GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTEwMDEwNTAwMjNaFw0yMTEw + MDIwNTAwMjNaMEUxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw + HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB + AQUAA4IBDwAwggEKAoIBAQDhCLvLsQAHufsNU+u1x/CequAUphfXZqLhDo2Eo/ho + lfBS0+ey4bnzPL6lS9NFL5JkLQA2gYESqsXU/Ru8E76Az1egzMwT3TVAPLVU8Nbr + xBqeNiQa2m9wC37HQy4qC9OxL28LUoKtFjxScD1sa0oikXCJN1a3BSoAf9iiZ/dx + z4WVfrNhrzq2JFXjravY84n5ujkZOg45Pg704vHOeg0rBbIoSNfjDUVZWjwC95K1 + BMN3msOTL9juv/EDa6BujqCxl+G1nY7JPFDLSHWis65p+1AAa5xieYDb47vyJ0SS + R7lEURTXZOkkM6k5JWfgkATEmGzRxPkOloITXg9ag1OlAgMBAAGjUzBRMB0GA1Ud + DgQWBBRYUSKDHBBE9Q6fTeTqogicCxcXwDAfBgNVHSMEGDAWgBRYUSKDHBBE9Q6f + TeTqogicCxcXwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBc + T8B+GpvPy9NQ700LsywRPY0L9IJCKiu6j3TP1tqqSPjAC/cg9ac+bFXuWOu7V+KJ + s09Q/pItq9SLX6UvnfRzTxu5lCBwwGX9cL131mTIu5SmFo7Eks+sorbiIarWDMoC + e+9An3GFpagW+YhOt4BdIM5lTqoeodzganDBsOUZI9aDAj2Yo5h2O7r6Wd12cb6T + mz8vMfB2eG8BxU20ZMfkdERWjiyXHOSBQqeqfkV8d9370gMu5RcJNcIgnbmTRdho + X3HJFiimZVaNjXATqmC/y2A1KXvJdamPLy3mGXkW2cFLoPCdK2OZFUHqiuc1bigA + qEf55SihFqErRMeURPPF + -----END CERTIFICATE----- +data_stream: + vars: + listen_port: 9573 + preserve_original_event: true + preserve_duplicate_custom_fields: true diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml new file mode 100644 index 00000000000..cc4f6b075d4 --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/_dev/test/system/test-udp-config.yml @@ -0,0 +1,10 @@ +service: darktrace-system_status_alert-udp +service_notify_signal: SIGHUP +input: udp +vars: + listen_address: 0.0.0.0 +data_stream: + vars: + listen_port: 9576 + preserve_original_event: true + preserve_duplicate_custom_fields: true 
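Review bot: The certificate in this test fixture appears to be valid only from 2021-10-01 to 2021-10-02 (decoding the validity field in the DER), so it was already expired when this patch was written and any sender that verifies the listener's certificate will refuse to connect; the system test presumably runs with verification disabled on the sending side — confirm, otherwise the TLS test is not exercising what its name implies. Because a PEM private key is checked into the repository alongside it, the file should state its scope explicitly with a header comment such as `# Test-only self-signed key pair (expired, CA:TRUE); never reuse outside the system test harness.` and `listen_address: 0.0.0.0` should be understood as a harness setting, not a recommended deployment value.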
diff --git a/packages/darktrace/data_stream/system_status_alert/agent/stream/tcp.yml.hbs b/packages/darktrace/data_stream/system_status_alert/agent/stream/tcp.yml.hbs new file mode 100644 index 00000000000..b1d260f0f9c --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/agent/stream/tcp.yml.hbs @@ -0,0 +1,26 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if tcp_options}} +{{tcp_options}} +{{/if}} +{{#if ssl}} +ssl: {{ssl}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/data_stream/system_status_alert/agent/stream/udp.yml.hbs b/packages/darktrace/data_stream/system_status_alert/agent/stream/udp.yml.hbs new file mode 100644 index 00000000000..f342c4fa75c --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/agent/stream/udp.yml.hbs @@ -0,0 +1,23 @@ +host: "{{listen_address}}:{{listen_port}}" +{{#if udp_options}} +{{udp_options}} +{{/if}} +tags: +{{#if preserve_original_event}} + - preserve_original_event +{{/if}} +{{#if preserve_duplicate_custom_fields}} + - preserve_duplicate_custom_fields +{{/if}} +{{#each tags as |tag|}} + - {{tag}} +{{/each}} +{{#contains "forwarded" tags}} +publisher_pipeline.disable_host: true +{{/contains}} +processors: +- syslog: + field: message +{{#if processors}} +{{processors}} +{{/if}} diff --git a/packages/darktrace/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml b/packages/darktrace/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..50abd1f6162 --- /dev/null 
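Review bot: `ssl: {{ssl}}` and `{{listen_address}}` are rendered in this template, but the stream's manifest later in this patch declares neither `ssl` nor `listen_address` among its vars, so both must come from package-level vars that are outside this patch's visible hunks. If `ssl` is not declared there, the `{{#if ssl}}` guard is always false and the TCP listener is silently plaintext with no way to turn TLS on. Confirm the package manifest declares it, and add a template comment above the guard so the dependency is visible to the next maintainer, e.g. `{{! ssl and listen_address are package-level vars; an empty ssl leaves this a plaintext listener }}`.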
+++ b/packages/darktrace/data_stream/system_status_alert/elasticsearch/ingest_pipeline/default.yml 
@@ -0,0 +1,235 @@ +--- +description: Pipeline for processing System Status Alert logs. +processors: + - set: + field: ecs.version + value: '8.4.0' + - grok: + field: message + patterns: + - "^%{FIELD:log.syslog.appname}\\s*%{GREEDYDATA:message}$" + pattern_definitions: + FIELD: "[a-zA-Z]*" + - rename: + field: message + target_field: event.original + ignore_missing: true + - json: + field: event.original + target_field: json + - fingerprint: + fields: + - json.uuid + - json.last_updated + - json.last_updated_status + - json.message + target_field: _id + ignore_missing: true + - set: + field: event.type + value: [info] + - set: + field: event.kind + value: event + - set: + field: event.kind + value: alert + if: (['active','resolved'].contains(ctx.json?.status?.toLowerCase())) + - date: + field: json.last_updated + target_field: darktrace.system_status_alert.last_updated + formats: + - ISO8601 + - UNIX + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.last_updated != null + on_failure: + - remove: + field: json.last_updated + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: '@timestamp' + copy_from: darktrace.system_status_alert.last_updated + ignore_failure: true + - rename: + field: json.uuid + target_field: darktrace.system_status_alert.uuid + ignore_missing: true + - set: + field: event.id + copy_from: darktrace.system_status_alert.uuid + ignore_failure: true + - rename: + field: json.message + target_field: darktrace.system_status_alert.message + ignore_missing: true + - set: + field: event.reason + copy_from: darktrace.system_status_alert.message + ignore_failure: true + - convert: + field: json.priority + target_field: darktrace.system_status_alert.priority + type: double + ignore_missing: true + on_failure: + - remove: + field: json.priority + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.risk_score + copy_from: 
darktrace.system_status_alert.priority + ignore_failure: true + - set: + field: event.risk_score_norm + copy_from: darktrace.system_status_alert.priority + ignore_failure: true + - uri_parts: + field: json.url + target_field: darktrace.system_status_alert.url + if: ctx.json?.url != null + keep_original: true + on_failure: + - remove: + field: json.url + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - set: + field: event.url + copy_from: darktrace.system_status_alert.url.original + ignore_failure: true + - rename: + field: json.hostname + target_field: darktrace.system_status_alert.hostname + ignore_missing: true + - convert: + field: darktrace.system_status_alert.hostname + target_field: darktrace.system_status_alert._temp_.hostname_ip + type: ip + ignore_missing: true + on_failure: + - set: + field: host.hostname + copy_from: darktrace.system_status_alert.hostname + ignore_failure: true + - append: + field: related.ip + value: '{{{darktrace.system_status_alert._temp_.hostname_ip}}}' + allow_duplicates: false + ignore_failure: true + - append: + field: related.hosts + value: '{{{host.hostname}}}' + allow_duplicates: false + ignore_failure: true + - convert: + field: json.ip_address + target_field: darktrace.system_status_alert._temp_.ip_address + type: ip + ignore_failure: true + - set: + field: host.ip + copy_from: darktrace.system_status_alert._temp_.ip_address + ignore_failure: true + - append: + field: related.ip + value: '{{{host.ip}}}' + allow_duplicates: false + ignore_failure: true + - rename: + field: json.ip_address + target_field: darktrace.system_status_alert.ip_address + ignore_missing: true + - remove: + field: darktrace.system_status_alert._temp_ + ignore_missing: true + - rename: + field: json.acknowledge_timeout + target_field: darktrace.system_status_alert.acknowledge_timeout + ignore_missing: true + - rename: + field: json.alert_name + target_field: darktrace.system_status_alert.alert_name + ignore_missing: true + 
- convert: + field: json.child_id + target_field: darktrace.system_status_alert.child_id + type: long + ignore_missing: true + on_failure: + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - date: + field: json.last_updated_status + target_field: darktrace.system_status_alert.last_updated_status + formats: + - ISO8601 + - UNIX + - UNIX_MS + - 'MMM dd HH:mm:ss' + if: ctx.json?.last_updated_status != null + on_failure: + - remove: + field: json.last_updated_status + ignore_missing: true + - append: + field: error.message + value: '{{{_ingest.on_failure_message}}}' + - rename: + field: json.name + target_field: darktrace.system_status_alert.name + ignore_missing: true + - rename: + field: json.priority_level + target_field: darktrace.system_status_alert.priority_level + ignore_missing: true + - lowercase: + field: json.status + target_field: darktrace.system_status_alert.status + ignore_failure: true + - remove: + field: json + ignore_missing: true + - remove: + if: ctx.tags == null || !(ctx.tags.contains('preserve_duplicate_custom_fields')) + field: + - darktrace.system_status_alert.last_updated + - darktrace.system_status_alert.uuid + - darktrace.system_status_alert.message + - darktrace.system_status_alert.priority + ignore_failure: true + ignore_missing: true + - remove: + field: event.original + if: ctx.tags == null || !(ctx.tags.contains('preserve_original_event')) + ignore_failure: true + ignore_missing: true + - script: + description: Drops null/empty values recursively. 
+ lang: painless + source: + boolean dropEmptyFields(Object object) { + if (object == null || object == "") { + return true; + } else if (object instanceof Map) { + ((Map) object).values().removeIf(value -> dropEmptyFields(value)); + return (((Map) object).size() == 0); + } else if (object instanceof List) { + ((List) object).removeIf(value -> dropEmptyFields(value)); + return (((List) object).length == 0); + } + return false; + } + dropEmptyFields(ctx); +on_failure: + - append: + field: error.message + value: '{{{ _ingest.on_failure_message }}}' diff --git a/packages/darktrace/data_stream/system_status_alert/fields/agent.yml b/packages/darktrace/data_stream/system_status_alert/fields/agent.yml new file mode 100644 index 00000000000..6e1bac042bc --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/fields/agent.yml 
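Review bot: The grok at the top of the pipeline defines `FIELD` as `[a-zA-Z]*` and carries no `ignore_failure`, so a syslog MSG whose leading token contains a digit, hyphen or dot (for example `darktrace-1 {...}`) matches only the letter prefix, leaves the rest of the token in `message`, and the following `json` processor then fails; the event lands with only `error.message` and none of the `darktrace.*` or `host.*` fields. Because the match is optional-by-emptiness, it also overwrites `log.syslog.appname` with `""` whenever the MSG starts with `{`, and the trailing drop-empty script then removes whatever the agent's syslog processor had put there. Suggest making the prefix genuinely optional and accepting any non-space token: `- "^(?:%{FIELD:log.syslog.appname}\\s+)?%{GREEDYDATA:message}$"` with `FIELD: "[^\\s{]+"`. Separately, `ctx.json?.status?.toLowerCase()` throws if `status` arrives as a non-string, which the top-level `on_failure` turns into an `error.message` rather than a classified event; guarding with `ctx.json?.status instanceof String` keeps `event.kind` deterministic.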
@@ -0,0 +1,186 @@ +- name: cloud + title: Cloud + group: 2 + description: Fields related to the cloud or infrastructure the events are coming from. + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' + type: group + fields: + - name: account.id + level: extended + type: keyword + ignore_above: 1024 + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' + example: 666777888999 + - name: availability_zone + level: extended + type: keyword + ignore_above: 1024 + description: Availability zone in which this host is running. + example: us-east-1c + - name: instance.id + level: extended + type: keyword + ignore_above: 1024 + description: Instance ID of the host machine. + example: i-1234567890abcdef0 + - name: instance.name + level: extended + type: keyword + ignore_above: 1024 + description: Instance name of the host machine. + - name: machine.type + level: extended + type: keyword + ignore_above: 1024 + description: Machine type of the host machine. + example: t2.medium + - name: provider + level: extended + type: keyword + ignore_above: 1024 + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. + example: aws + - name: region + level: extended + type: keyword + ignore_above: 1024 + description: Region in which this host is running. + example: us-east-1 + - name: project.id + type: keyword + description: Name of the project in Google Cloud. + - name: image.id + type: keyword + description: Image ID for the cloud instance. 
+- name: container + title: Container + group: 2 + description: 'Container fields are used for meta information about the specific container that is the source of information. These fields help correlate data based containers from any runtime.' + type: group + fields: + - name: id + level: core + type: keyword + ignore_above: 1024 + description: Unique container id. + - name: image.name + level: extended + type: keyword + ignore_above: 1024 + description: Name of the image the container was built on. + - name: labels + level: extended + type: object + object_type: keyword + description: Image labels. + - name: name + level: extended + type: keyword + ignore_above: 1024 + description: Container name. +- name: host + title: Host + group: 2 + description: 'A host is defined as a general computing instance. ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' + type: group + fields: + - name: architecture + level: core + type: keyword + ignore_above: 1024 + description: Operating system architecture. + example: x86_64 + - name: domain + level: extended + type: keyword + ignore_above: 1024 + description: 'Name of the domain of which the host is a member. For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' + example: CONTOSO + default_field: false + - name: hostname + level: core + type: keyword + ignore_above: 1024 + description: 'Hostname of the host. It normally contains what the `hostname` command returns on the host machine.' + - name: id + level: core + type: keyword + ignore_above: 1024 + description: 'Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`.' 
+ - name: ip + level: core + type: ip + description: Host ip addresses. + - name: mac + level: core + type: keyword + ignore_above: 1024 + description: Host mac addresses. + - name: name + level: core + type: keyword + ignore_above: 1024 + description: 'Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' + - name: os.family + level: extended + type: keyword + ignore_above: 1024 + description: OS family (such as redhat, debian, freebsd, windows). + example: debian + - name: os.kernel + level: extended + type: keyword + ignore_above: 1024 + description: Operating system kernel version as a raw string. + example: 4.4.0-112-generic + - name: os.name + level: extended + type: keyword + ignore_above: 1024 + multi_fields: + - name: text + type: text + norms: false + default_field: false + description: Operating system name, without the version. + example: Mac OS X + - name: os.platform + level: extended + type: keyword + ignore_above: 1024 + description: Operating system platform (such centos, ubuntu, windows). + example: darwin + - name: os.version + level: extended + type: keyword + ignore_above: 1024 + description: Operating system version as a raw string. + example: 10.14.1 + - name: type + level: core + type: keyword + ignore_above: 1024 + description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' + - name: containerized + type: boolean + description: > + If the host is a container. + + - name: os.build + type: keyword + example: "18D109" + description: > + OS build information. + + - name: os.codename + type: keyword + example: "stretch" + description: > + OS codename, if any. + +- name: input.type + type: keyword + description: Input type +- name: log.offset + type: long + description: Log offset 
diff --git a/packages/darktrace/data_stream/system_status_alert/fields/base-fields.yml b/packages/darktrace/data_stream/system_status_alert/fields/base-fields.yml new file mode 100644 index 00000000000..ba05367fe7d --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/fields/base-fields.yml @@ -0,0 +1,20 @@ +- name: data_stream.type + type: constant_keyword + description: Data stream type. +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + type: constant_keyword + description: Data stream namespace. +- name: event.module + type: constant_keyword + description: Event module. + value: darktrace +- name: event.dataset + type: constant_keyword + description: Event dataset. + value: darktrace.system_status_alert +- name: '@timestamp' + type: date + description: Event timestamp. diff --git a/packages/darktrace/data_stream/system_status_alert/fields/ecs.yml b/packages/darktrace/data_stream/system_status_alert/fields/ecs.yml new file mode 100644 index 00000000000..f2acb655a91 --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/fields/ecs.yml 
@@ -0,0 +1,48 @@ +- external: ecs + name: ecs.version +- external: ecs + name: event.category +- external: ecs + name: event.created +- external: ecs + name: event.id +- external: ecs + name: event.kind +- external: ecs + name: event.original +- external: ecs + name: event.reason +- external: ecs + name: event.risk_score +- external: ecs + name: event.risk_score_norm +- external: ecs + name: event.type +- external: ecs + name: event.url +- external: ecs + name: host.hostname +- external: ecs + name: host.ip +- external: ecs + name: log.syslog.appname +- external: ecs + name: log.syslog.facility.code +- external: ecs + name: log.syslog.facility.name +- external: ecs + name: log.syslog.hostname +- external: ecs + name: log.syslog.priority +- external: ecs + name: log.syslog.severity.code +- external: ecs + name: log.syslog.severity.name +- external: ecs + name: log.syslog.version +- external: ecs + name: related.hosts +- external: ecs + name: related.ip +- external: ecs + name: tags diff --git a/packages/darktrace/data_stream/system_status_alert/fields/fields.yml b/packages/darktrace/data_stream/system_status_alert/fields/fields.yml new file mode 100644 index 00000000000..5bd54f4a6be --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/fields/fields.yml 
@@ -0,0 +1,70 @@ +- name: darktrace.system_status_alert + type: group + fields: + - name: acknowledge_timeout + type: keyword + description: When acknowledgement of the alert expires. As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases. + - name: alert_name + type: keyword + description: A human readable name of the alert type. + - name: child_id + type: long + description: For probes (physical or virtual), the unique ID associated with the probe. + - name: hostname + type: keyword + description: The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected. + - name: ip_address + type: keyword + description: The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected. + - name: last_updated + type: date + description: A timestamp in epoch time that the system alert itself was updated. + - name: last_updated_status + type: date + description: A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself. + - name: message + type: keyword + description: A textual description of the system event that has triggered the alert. + - name: name + type: keyword + description: A system name of the alert type. + - name: priority + type: double + description: The numeric criticality associated with the alert. + - name: priority_level + type: keyword + description: 'The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical.' + - name: status + type: keyword + description: The current status of the alert. 
Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. Alerts will only be sent when alert enters the “active” or “resolved” state. + - name: url + type: group + fields: + - name: domain + type: keyword + - name: extension + type: keyword + - name: fragment + type: keyword + - name: full + type: keyword + - name: original + type: keyword + - name: password + type: keyword + - name: path + type: keyword + - name: port + type: long + - name: query + type: keyword + - name: scheme + type: keyword + - name: username + type: keyword + - name: uuid + type: keyword + description: A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts. +- name: log.source.address + type: keyword + description: Source address from which the log event was read / sent from. diff --git a/packages/darktrace/data_stream/system_status_alert/manifest.yml b/packages/darktrace/data_stream/system_status_alert/manifest.yml new file mode 100644 index 00000000000..58220c7cc80 --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/manifest.yml 
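Review bot: The descriptions of `last_updated` and `last_updated_status` say "A timestamp in epoch time", but both fields are typed `date` here and the pipeline's `date` processor has already parsed them, so the stored value is not an epoch number; suggest `Timestamp (parsed from epoch seconds) at which the system alert itself was updated.` and the matching wording for the status field. The `uuid` description has `UUId` for `UUID`, and `ip_address` is typed `keyword` although the description says it holds an IP — keeping `keyword` is the safe choice given the pipeline tolerates non-IP values via `ignore_failure`, but the description should say that the ECS `host.ip` copy is the field to use for CIDR queries.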
@@ -0,0 +1,117 @@ +title: Collect System Status Alert logs from Darktrace +type: logs +streams: + - input: tcp + title: System Status Alert logs + description: Collect System Status Alert logs via TCP input. + template_path: tcp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The TCP port number to listen on. + multi: false + required: true + show_user: true + default: 9573 + - name: tcp_options + type: yaml + title: Custom TCP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #max_connections: 1 + #framing: delimiter + #line_delimiter: "\n" + description: Specify custom configuration options for the TCP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_system_status_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. + - input: udp + title: System Status Alert logs + description: Collect System Status Alert logs via UDP input. 
+ template_path: udp.yml.hbs + vars: + - name: listen_port + type: integer + title: Listen Port + description: The UDP port number to listen on. + multi: false + required: true + show_user: true + default: 9576 + - name: udp_options + type: yaml + title: Custom UDP Options + multi: false + required: false + show_user: false + default: | + max_message_size: 50KiB + #timeout: 300s + description: Specify custom configuration options for the UDP input. + - name: tags + type: text + title: Tags + multi: true + required: true + show_user: false + default: + - forwarded + - darktrace_system_status_alert + - name: preserve_original_event + required: true + show_user: true + title: Preserve original event + description: Preserves a raw copy of the original event, added to the field `event.original`. + type: bool + multi: false + default: false + - name: preserve_duplicate_custom_fields + required: true + show_user: true + title: Preserve duplicate custom fields + description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields. + type: bool + multi: false + default: false + - name: processors + type: yaml + title: Processors + multi: false + required: false + show_user: false + description: >- + Processors are used to reduce the number of fields in the exported event or to enhance the event with metadata. This executes in the agent before the logs are parsed. See [Processors](https://www.elastic.co/guide/en/beats/filebeat/current/filtering-and-enhancing-data.html) for details. diff --git a/packages/darktrace/data_stream/system_status_alert/sample_event.json b/packages/darktrace/data_stream/system_status_alert/sample_event.json new file mode 100644 index 00000000000..3ce190226cd --- /dev/null +++ b/packages/darktrace/data_stream/system_status_alert/sample_event.json 
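Review bot: The UDP stream's description, `Collect System Status Alert logs via UDP input.`, gives the operator no hint that this path is unauthenticated and unencrypted, while the ingest pipeline in this patch promotes the payload straight into `host.ip`, `event.kind: alert` and `event.risk_score`; anyone able to reach the port can inject fabricated critical system-status alerts that are indistinguishable from real ones. Suggest `Collect System Status Alert logs via UDP input. UDP syslog carries no authentication or TLS; prefer the TCP input with TLS configured, or restrict reachability of this port to the Darktrace master.` The TCP stream's description could likewise point out that TLS is enabled through the package-level `ssl` setting, since neither `ssl` nor `listen_address` is declared in this stream's vars and an operator reading only this manifest cannot see where to configure it.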
@@ -0,0 +1,92 @@ +{ + "@timestamp": "2021-04-18T15:44:11.000Z", + "agent": { + "ephemeral_id": "83012cf6-fcfe-431e-b964-8c92c95498b1", + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "system_status_alert": { + "alert_name": "Advanced Search", + "child_id": 1, + "hostname": "example-vsensor", + "ip_address": "175.16.199.1", + "last_updated": "2021-04-18T15:44:11.000Z", + "last_updated_status": "2021-04-18T15:44:11.000Z", + "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", + "name": "advanced_search", + "priority": 43, + "priority_level": "medium", + "status": "active", + "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3" + } + }, + "data_stream": { + "dataset": "darktrace.system_status_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "dataset": "darktrace.system_status_alert", + "id": "abcdabcd-1234-1234-1234-3abababcdcd3", + "ingested": "2022-08-09T07:52:20Z", + "kind": "alert", + "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. 
https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", + "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", + "risk_score": 43, + "risk_score_norm": 43, + "type": [ + "info" + ] + }, + "host": { + "hostname": "example-vsensor", + "ip": "175.16.199.1" + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.18.0.6:44918" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "hosts": [ + "example-vsensor" + ], + "ip": [ + "175.16.199.1" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace_system_status_alert" + ] +} \ No newline at end of file diff --git a/packages/darktrace/docs/README.md b/packages/darktrace/docs/README.md new file mode 100644 index 00000000000..9b916acc857 --- /dev/null +++ b/packages/darktrace/docs/README.md 
@@ -0,0 +1,1470 @@ +# Darktrace + +## Overview + +The [Darktrace](https://darktrace.com/) integration allows you to monitor Alert Logs. Darktrace is a network solution for detecting and investigating emerging cyber-threats that evade traditional security tools. It is powered by Enterprise Immune System technology, which uses machine learning and mathematics to monitor behaviors and detect anomalies in your organization’s network. + +Use the Darktrace integration to collect and parse data from the REST APIs or via Syslog. Then visualise that data in Kibana. + +For example, you could use the data from this integration to know which model is breached and analyse model breaches, and also know about system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. + +## Data streams + +The Darktrace integration collects logs for three types of events: AI Analyst Alert, Model Breach Alert and System Status Alert. + +**AI Analyst Alert** is generated by investigates, analyzes, and reports upon threats seen within your Darktrace environment; as a starting point, it reviews and investigates all Model Breaches that occur on the system. If behavior which would be of interest to a cyber analyst is detected, an event is created. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-aia-json-schema). + +**Model Breach Alert** is generated when a model breach is triggered. A model is used to define a set of conditions which, when met, will alert the system to the occurrence of a particular event or chain of anomalous behavior. Darktrace models are focused on pattern-of-life anomaly detection, potentially malicious behavior, and compliance issues. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-schema). 
+ +**System Status Alert** keep Darktrace operators informed of system health, changes in monitored traffic, and any errors experienced by Darktrace Security Modules or probe instances. System Status Alerts include details of the originating host, the severity of the event, and links that may be helpful to investigate or resolve the issue. Notifications are sent for active system events and (optionally) on event resolution. See Example Schema [here](https://customerportal.darktrace.com/product-guides/main/syslog-json-system-schema). + +## Requirements + +You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. + +Firewall exceptions to allow communication from the Darktrace master instance to the Syslog server. + +This module has been tested against **Darktrace Threat Visualizer v5.2**. + +## Setup + +### To collect data from Darktrace REST APIs, follow the below steps: + +1. Hostname URL will be your . (Threat Visualizer Console Hostname) +2. Public and Private Token will be generated by following this [Link](https://customerportal.darktrace.com/product-guides/main/api-tokens). + +**Note:** System Status Alert are not supported by REST API. + +### To collect data from Darktrace via Syslog, follow the below steps: + +The user needs to create a different Syslog Forwarder with different ports for each data stream. + +The process for configuring syslog-format alerts is identical for AI Analyst Alerts, Model Breach Alerts and System Status Alerts. Generic configuration guidance is provided below: + +1. Open the Darktrace Threat Visualizer Dashboard and navigate to the **System Config** page. (**Main menu › Admin**). +2. From the left-side menu, select **Modules**, then navigate to the **Workflow Integrations** section and choose **Syslog**. +3. 
Select **Syslog JSON** tab and click **New** to set up new Syslog Forwarder. +4. Enter the **IP Address**  and **Port** of the Elastic Agent that is running the integration in the **Server** and **Server Port** field respectively. + +For more details, see [Documentation](https://customerportal.darktrace.com/product-guides/main/json-alerts). + +**Note:** + - It is recommended to turn on **Full Timestamps** toggle in **Show Advanced Options** to get the full timestamp instead of the RFC3164-formatted timestamp. + - It is also recommended to turn off **Reduced Message Size** toggle in **Show Advanced Options** to get more information about alerts. + +### After following generic guidance steps, below are the steps for collecting individual logs for all three data streams. + +#### For AI Analyst Alert, below are the suggested configurations to collect all the events of AI Analyst Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| --------------------------------------- | ----------------------------------- | +| Send AI Analyst Alerts | ON | +| Send AI Analyst Alerts Immediately | ON | +| AI Analyst Behavior Filter | Critical, Suspicious and Compliance | +| Minimum AI Analyst Incident Event Score | 0 | +| Minimum AI Analyst Incident Score | 0 | +| Legacy AI Analyst Alerts | OFF | + +#### For Model Breach Alert, below are the suggested configurations to collect all the events of Model Breach Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| ---------------------------- | -------------------------------------------------- | +| Send Model Breach Alerts | ON | +| Model Breach Behavior Filter | Critical, Suspicious, Compliance and Informational | +| Minimum Breach Score | 0 | +| Minimum Breach Priority | 0 | +| Model Expression | N/A | +| Model Tags Expression | N/A | +| Device IP Addresses | N/A | +| Device Tags Addresses | N/A | + +#### For System Status Alert, below 
are the suggested configurations to collect all the events of System Status Alert: + +- Configure the following settings in **Show Advanced Options**: + +| Field Name | Value | +| ---------------------------------- | ------------- | +| Send System Status Alerts | ON | +| Send Resolved System Status Alerts | ON | +| Minimum System Status Priority | Informational | + +### See more about [Syslog Filters and Optional Settings](https://customerportal.darktrace.com/product-guides/main/syslog-json-alert-settings) + +**Note** : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts. + - An FQDN can be configured from the **System** subsection on the **Settings** tab of the Darktrace **System Config** page. + +### Enabling the integration in Elastic + +1. In Kibana go to **Management > Integrations**. +2. In the "Search for integrations" search bar, type **Darktrace**. +3. Click on **Darktrace** integration from the search results. +4. Click on **Add Darktrace** button to add Darktrace integration. +5. Enable the Integration with either via API or TCP or UDP input. + +## Logs reference + +### ai_analyst_alert + +This is the `ai_analyst_alert` dataset. 
+ +#### Example + +An example event for `ai_analyst_alert` looks as following: + +```json +{ + "@timestamp": "2021-08-03T14:48:09.240Z", + "agent": { + "ephemeral_id": "a61287e5-6cac-4e83-8354-5cf118335548", + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "ai_analyst_alert": { + "activity_id": "abcd1234", + "aia_score": 98, + "attack_phases": [ + 5 + ], + "breach_devices": [ + { + "did": 10, + "ip": "81.2.69.144", + "sid": 12, + "subnet": "VPN" + } + ], + "category": "critical", + "children": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ], + "created_at": "2021-08-03T14:48:09.240Z", + "current_group": "eabc1234-1234-1234-1234-cabcdefg0011", + "details": [ + [ + { + "contents": [ + { + "type": "device", + "values": [ + { + "did": 10, + "ip": "175.16.199.1", + "sid": 12, + "subnet": "VPN" + } + ] + } + ], + "header": "Breaching Device" + } + ], + [ + { + "contents": [ + { + "key": "Time", + "type": "timestampRange", + "values": [ + { + "end": 1628000141220, + "start": 1627985298683 + } + ] + }, + { + "key": "Number of unique IPs", + "type": "integer", + "values": [ + 16 + ] + }, + { + "key": "Targeted IP ranges include", + "type": "device", + "values": [ + { + "ip": "81.2.69.192" + }, + { + "ip": "175.16.199.1" + }, + { + "ip": "175.16.199.3" + } + ] + }, + { + "key": "Destination port", + "type": "integer", + "values": [ + 22 + ] + }, + { + "key": "Connection count", + "type": "integer", + "values": [ + 40 + ] + }, + { + "key": "Percentage successful", + "type": "percentage", + "values": [ + 100 + ] + } + ], + "header": "SSH Activity" + } + ] + ], + "group_by_activity": false, + "group_category": "critical", + "group_score": 72.9174234, + "grouping_ids": [ + "abcdef12" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "is_acknowledged": false, + "is_external_triggered": false, + "is_pinned": true, + "is_user_triggered": false, + "periods": [ + { + "end": 
"2021-08-03T14:15:41.220Z", + "start": "2021-08-03T10:08:18.683Z" + } + ], + "related_breaches": [ + { + "model_name": "Unusual Activity / Unusual Activity from Re-Activated Device", + "pbid": 1234, + "threat_score": 37, + "timestamp": "2021-08-03T13:25:57.000Z" + } + ], + "summariser": "AdminConnSummary", + "summary": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "title": "Extensive Unusual SSH Connections" + } + }, + "data_stream": { + "dataset": "darktrace.ai_analyst_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "darktrace.ai_analyst_alert", + "duration": [ + 14842537000000 + ], + "end": [ + "2021-08-03T14:15:41.220Z" + ], + "id": "eabc0011-1234-1234-1234-cabcdefg0011", + "ingested": "2022-08-09T07:46:07Z", + "kind": "alert", + "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed 
making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}", + "reason": "Extensive Unusual SSH Connections", + "risk_score": 98, + "risk_score_norm": 98, + "start": [ + "2021-08-03T10:08:18.683Z" + ], + "type": [ + "info" + ] + }, + "host": { 
+ "id": [ + "10" + ], + "ip": [ + "81.2.69.144" + ] + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.6:49421" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "message": "The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\n\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\n\nConsequently, if this activity was not expected, the security team may wish to investigate further.", + "related": { + "ip": [ + "81.2.69.144", + "175.16.199.1", + "81.2.69.192", + "175.16.199.3" + ] + }, + "rule": { + "name": [ + "Unusual Activity / Unusual Activity from Re-Activated Device" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace_ai_analyst_alert" + ], + "threat": { + "enrichments": { + "matched": { + "id": [ + "eabcdef0-1234-1234-1234-cabcdefghij9" + ] + } + }, + "group": { + "id": "eabc1234-1234-1234-1234-cabcdefg0011" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. 
| keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| darktrace.ai_analyst_alert.activity_id | An identifier for the specific activity detected by AI Analyst. If groupByActivity=true , this field should be used to group events together into an incident. | keyword | +| darktrace.ai_analyst_alert.aia_score | The score of the event as classified by AI Analyst - out of 100. | double | +| darktrace.ai_analyst_alert.attack_phases | Of the six attack phases, which phases are applicable to the activity. | long | +| darktrace.ai_analyst_alert.breach_devices.did | The unique device id identifier for the device that triggered the breach. This field is used to group events into device-based incidents within the Threat Visualizer. | long | +| darktrace.ai_analyst_alert.breach_devices.hostname | The hostname associated with the device, if available. | keyword | +| darktrace.ai_analyst_alert.breach_devices.identifier | An identifier for the device used when constructing summaries or reports. May be the device label, hostname or IP, depending on availability. | keyword | +| darktrace.ai_analyst_alert.breach_devices.ip | The IP associated with the device. | keyword | +| darktrace.ai_analyst_alert.breach_devices.mac_address | The MAC address associated with the device. | keyword | +| darktrace.ai_analyst_alert.breach_devices.sid | The subnet id for the subnet the device is currently located in. | long | +| darktrace.ai_analyst_alert.breach_devices.subnet | The subnet label for the corresponding subnet, if available. 
| keyword | +| darktrace.ai_analyst_alert.category | The behavior category associated with the incident event. | keyword | +| darktrace.ai_analyst_alert.children | One or more unique identifiers that can be used to request this AI Analyst event via the UI or API. Where there is more than one uuid, requests can be made with comma-separated values. | keyword | +| darktrace.ai_analyst_alert.created_at | Timestamp for event creation in epoch time. | date | +| darktrace.ai_analyst_alert.current_group | The UUID of the current incident this event belongs to. | keyword | +| darktrace.ai_analyst_alert.details | An array of multiple sections (sub-arrays) of event information. | flattened | +| darktrace.ai_analyst_alert.group_by_activity | Used by pre-v5.2 legacy incident construction. Indicates whether the event should be aggregated by activity or by device to create an incident. When true, the event should be aggregated by activityID, and when false, aggregated by groupingID(s). | boolean | +| darktrace.ai_analyst_alert.group_category | The behavior category associated with the incident overall. Relevant for v5.2+ incident construction only. | keyword | +| darktrace.ai_analyst_alert.group_previous_groups | If the incident event was part of an incident which was later merged with another, the UUIDs of the incidents before they were merged. | keyword | +| darktrace.ai_analyst_alert.group_score | The current overall score of the incident this event is part of. | double | +| darktrace.ai_analyst_alert.grouping_ids | Used by pre-v5.2 legacy incident construction. Each entry in the groupingIDs array refers to a device that triggered the activity detection. In single events, should only contain one ID. If groupByActivity=false , this field should be used to group events together into an incident. | keyword | +| darktrace.ai_analyst_alert.id | A system field. 
| keyword | +| darktrace.ai_analyst_alert.incident_event_url.domain | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.extension | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.fragment | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.full | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.original | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.password | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.path | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.port | | long | +| darktrace.ai_analyst_alert.incident_event_url.query | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.scheme | | keyword | +| darktrace.ai_analyst_alert.incident_event_url.username | | keyword | +| darktrace.ai_analyst_alert.is_acknowledged | Whether the event has been acknowledged. | boolean | +| darktrace.ai_analyst_alert.is_external_triggered | Whether the event was created as a result of an externally triggered AI Analyst investigation. | boolean | +| darktrace.ai_analyst_alert.is_pinned | Whether the event, or an incident that the event is associated with, is pinned within the Threat Visualizer user interface. Pinned events will always return regardless of the timeframe specified. | boolean | +| darktrace.ai_analyst_alert.is_user_triggered | Whether the event was created as a result of a user-triggered AI Analyst investigation. | boolean | +| darktrace.ai_analyst_alert.periods.end | A timestamp for the end of the activity period in epoch time. | date | +| darktrace.ai_analyst_alert.periods.start | A timestamp for the start of the activity period in epoch time. | date | +| darktrace.ai_analyst_alert.related_breaches.model_name | The name of the model that breached. | keyword | +| darktrace.ai_analyst_alert.related_breaches.pbid | The policy breach ID unique identifier of the model breach. 
| long | +| darktrace.ai_analyst_alert.related_breaches.threat_score | The breach score of the associated model breach - out of 100. | long | +| darktrace.ai_analyst_alert.related_breaches.timestamp | The timestamp at which the model breach occurred in epoch time. | date | +| darktrace.ai_analyst_alert.summariser | A system field. | keyword | +| darktrace.ai_analyst_alert.summary | A textual summary of the suspicious activity. This example is abbreviated. | keyword | +| darktrace.ai_analyst_alert.title | A title describing the activity that occurred. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. 
The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.end | event.end contains the date when the event ended or when the activity was last observed. | date | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. 
For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. 
As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. 
Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| message | For log events the message field contains the log message, optimized for viewing in a log viewer. For structured logs without an original message field, other fields can be concatenated to form a human-readable summary of the event. If multiple messages exist, they can be combined into one message. | match_only_text | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| rule.name | The name of the rule or signature generating the event. | keyword | +| tags | List of keywords used to tag each event. 
| keyword | +| threat.enrichments.matched.id | Identifies the _id of the indicator document enriching the event. | keyword | +| threat.group.id | The id of the group for a set of related intrusion activity that are tracked by a common name in the security community. While not required, you can use a MITRE ATT&CK® group id. | keyword | + + +### model_breach_alert + +This is the `model_breach_alert` dataset. + +#### Example + +An example event for `model_breach_alert` looks as following: + +```json +{ + "@timestamp": "2022-07-11T13:04:08.000Z", + "agent": { + "ephemeral_id": "a87de6d4-91d9-4fe3-8dc6-f55474c36e5a", + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "model_breach_alert": { + "aianalyst_data": [ + { + "related": [ + 1 + ], + "summariser": "BeaconSummary", + "uuid": "1234abcd-1234-1234-1234-123456abcdef" + } + ], + "comment": { + "count": 0 + }, + "creation_time": "2022-07-11T13:04:19.000Z", + "device": { + "did": 3, + "first_seen": "2022-07-11T12:54:49.000Z", + "ip": "81.2.69.142", + "last_seen": "2022-07-11T13:00:18.000Z", + "sid": 1, + "type_label": "Desktop", + "type_name": "desktop" + }, + "model": { + "actions": { + "is_alerting": true, + "is_breach": true, + "is_priority_set": false, + "is_tag_set": false, + "is_type_set": false, + "model": true + }, + "active_times": { + "type": "exclusions", + "version": 2 + }, + "behaviour": "incdec1", + "category": "Informational", + "created": { + "by": "System" + }, + "delay": 0, + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.", + "edited": { + "by": "System" + }, + "in_compliance_behavior_category": false, + "interval": 10800, + "is_active": true, + "is_auto_suppress": true, + "is_auto_updatable": true, + "is_auto_update": true, + "is_sequenced": false, + "is_shared_endpoints": false, + "logic": { + "data_weighted_component_list": [ + { + "cid": 2026, + "weight": 1 + }, + { + "cid": 2024, + "weight": 1 + }, + { + "cid": 2025, + "weight": -100 + } + ], + "target_score": 1, + "type": "weightedComponentList", + "version": 1 + }, + "modified": "2022-07-11T11:47:37.000Z", + "name": "Compromise::Beaconing Activity To External Rare", + "phid": 1072, + "pid": 156, + "priority": 2, + "tags": [ + "AP: C2 Comms" + ], + "throttle": 10800, + "uuid": "1234abcd-1234-1234-1234-123456abcdef", + "version": 23 + }, + "pbid": 1, + "score": 0.674, + "time": "2022-07-11T13:04:08.000Z", + "triggered_components": [ + { + "cbid": 1, + "chid": 2113, + "cid": 2026, + "interval": 3600, + "logic": { + "data": "{left={left=A, right={left=AA, right={left=AC, right={left=AD, right={left=AF, right={left=AG, right={left=AH, right={left=B, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, right={left=A, 
right={left=AA, right={left=AB, right={left=AE, right={left=AF, right={left=AG, right={left=AH, right={left=C, right={left=D, right={left=E, right={left=H, right={left=I, right={left=J, right={left=K, right={left=L, right={left=M, right={left=N, right={left=O, right={left=P, right={left=S, right={left=U, right={left=V, right={left=X, right={left=Y, right=Z, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=AND}, operator=OR}", + "version": "v0.1" + }, + "metric": { + "label": "External Connections", + "mlid": 1, + "name": "externalconnections" + }, + "size": 11, + "threshold": 10, + "time": "2022-07-11T13:04:08.000Z", + "triggered_filters": [ + { + "arguments": { + "value": 60 + }, + "cfid": 23426, + "comparator_type": "\u003e", + "filter_type": "Beaconing score", + "id": "A", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23427, + "comparator_type": "\u003e", + "filter_type": "Individual size up", + "id": "AA", + "trigger": { + "value": "4382" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23428, + "comparator_type": "\u003e", + "filter_type": "Rare domain", + "id": "AB", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23430, + "comparator_type": "\u003c", + "filter_type": "Age of destination", + "id": "AD", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": 1209600 + }, + "cfid": 23431, + "comparator_type": "\u003c", + "filter_type": "Age of external hostname", + "id": "AE", + "trigger": { + "value": "558" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23432, + "comparator_type": "does not match regular expression", + 
"filter_type": "Connection hostname", + "id": "AF", + "trigger": { + "value": "example.com" + } + }, + { + "arguments": { + "value": "examples" + }, + "cfid": 23433, + "comparator_type": "does not match regular expression", + "filter_type": "ASN", + "id": "AG", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "5d41402abc4b2a76b9719d911017c592" + }, + "cfid": 23434, + "comparator_type": "does not match", + "filter_type": "JA3 hash", + "id": "AH", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "arguments": { + "value": 95 + }, + "cfid": 23435, + "comparator_type": "\u003e", + "filter_type": "Rare external IP", + "id": "B", + "trigger": { + "value": "100" + } + }, + { + "arguments": { + "value": "1003" + }, + "cfid": 23436, + "comparator_type": "is not", + "filter_type": "Application protocol", + "id": "C", + "trigger": { + "value": "1004" + } + }, + { + "arguments": { + "value": 53 + }, + "cfid": 23437, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "D", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "out" + }, + "cfid": 23438, + "comparator_type": "is", + "filter_type": "Direction", + "id": "E", + "trigger": { + "value": "out" + } + }, + { + "arguments": { + "value": 137 + }, + "cfid": 23439, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "H", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": 161 + }, + "cfid": 23440, + "comparator_type": "!=", + "filter_type": "Destination port", + "id": "I", + "trigger": { + "value": "443" + } + }, + { + "arguments": { + "value": "6" + }, + "cfid": 23441, + "comparator_type": "is", + "filter_type": "Protocol", + "id": "J", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "Company" + }, + "cfid": 23442, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "K", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + 
"arguments": { + "value": "Company" + }, + "cfid": 23443, + "comparator_type": "does not contain", + "filter_type": "ASN", + "id": "L", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "arguments": { + "value": "13" + }, + "cfid": 23444, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "M", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "5" + }, + "cfid": 23445, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "N", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "9" + }, + "cfid": 23446, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "O", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "12" + }, + "cfid": 23447, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "P", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "30" + }, + "cfid": 23448, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "S", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "4" + }, + "cfid": 23449, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "U", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "3" + }, + "cfid": 23450, + "comparator_type": "is not", + "filter_type": "Internal source device type", + "id": "V", + "trigger": { + "value": "6" + } + }, + { + "arguments": { + "value": "false" + }, + "cfid": 23451, + "comparator_type": "is", + "filter_type": "Trusted hostname", + "id": "X", + "trigger": { + "value": "false" + } + }, + { + "arguments": { + "value": 26 + }, + "cfid": 23452, + "comparator_type": "does not have tag", + "filter_type": "Tagged internal source", + "id": "Y", + "trigger": { + "tag": { + "data": { + "auto": false, + "color": 5, + "visibility": "Public" + }, + "expiry": 0, + "is_referenced": true, + 
"name": "No Device Tracking", + "restricted": false, + "thid": 26, + "tid": 26 + }, + "value": "26" + } + }, + { + "arguments": { + "value": 0 + }, + "cfid": 23453, + "comparator_type": "\u003e", + "filter_type": "Individual size down", + "id": "Z", + "trigger": { + "value": "5862" + } + }, + { + "cfid": 23454, + "comparator_type": "display", + "filter_type": "JA3 hash", + "id": "d1", + "trigger": { + "value": "5d41402abc4b2a76b9719d911017c592" + } + }, + { + "cfid": 23455, + "comparator_type": "display", + "filter_type": "ASN", + "id": "d2", + "trigger": { + "value": "AS12345 LOCAL-02" + } + }, + { + "cfid": 23456, + "comparator_type": "display", + "filter_type": "Destination IP", + "id": "d3", + "trigger": { + "value": "81.2.69.192" + } + }, + { + "cfid": 23457, + "comparator_type": "display", + "filter_type": "Connection hostname", + "id": "d4", + "trigger": { + "value": "example.com" + } + } + ] + } + ] + } + }, + "data_stream": { + "dataset": "darktrace.model_breach_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "network" + ], + "created": "2022-07-11T13:04:19.000Z", + "dataset": "darktrace.model_breach_alert", + "ingested": "2022-08-09T07:49:42Z", + "kind": "event", + "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External 
Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", + "risk_score": 0.674, + "risk_score_norm": 67.4, + "severity": 2, + "start": [ + "2022-07-11T13:04:08.000Z" + ], + "type": [ + "info", + "connection" + ] + }, + "host": { + "id": "3", + "ip": [ + "81.2.69.142" + ], + "type": "desktop" + }, + "input": { + "type": "udp" + }, + "log": { + "source": { + "address": "172.18.0.6:42872" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "ip": [ + "81.2.69.142" + ], + "user": [ + "System" + ] + }, + "rule": { + "author": "System", + "category": "Informational", + "description": "A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\n\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.",
+ "name": "Compromise::Beaconing Activity To External Rare",
+ "ruleset": [
+ "AP: C2 Comms"
+ ],
+ "uuid": "1234abcd-1234-1234-1234-123456abcdef",
+ "version": "23"
+ },
+ "tags": [
+ "preserve_original_event",
+ "preserve_duplicate_custom_fields",
+ "forwarded",
+ "darktrace_model_breach_alert"
+ ]
+}
+```
+
+**Exported fields**
+
+| Field | Description | Type |
+|---|---|---|
+| @timestamp | Event timestamp. | date |
+| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword |
+| cloud.availability_zone | Availability zone in which this host is running. | keyword |
+| cloud.image.id | Image ID for the cloud instance. | keyword |
+| cloud.instance.id | Instance ID of the host machine. | keyword |
+| cloud.instance.name | Instance name of the host machine. | keyword |
+| cloud.machine.type | Machine type of the host machine. | keyword |
+| cloud.project.id | Name of the project in Google Cloud. | keyword |
+| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword |
+| cloud.region | Region in which this host is running. | keyword |
+| container.id | Unique container id. | keyword |
+| container.image.name | Name of the image the container was built on. | keyword |
+| container.labels | Image labels. | object |
+| container.name | Container name. 
| keyword |
+| darktrace.model_breach_alert.aianalyst_data.related | | long |
+| darktrace.model_breach_alert.aianalyst_data.summariser | | keyword |
+| darktrace.model_breach_alert.aianalyst_data.uuid | | keyword |
+| darktrace.model_breach_alert.breach_url.domain | | keyword |
+| darktrace.model_breach_alert.breach_url.extension | | keyword |
+| darktrace.model_breach_alert.breach_url.fragment | | keyword |
+| darktrace.model_breach_alert.breach_url.full | | keyword |
+| darktrace.model_breach_alert.breach_url.original | | keyword |
+| darktrace.model_breach_alert.breach_url.password | | keyword |
+| darktrace.model_breach_alert.breach_url.path | | keyword |
+| darktrace.model_breach_alert.breach_url.port | | long |
+| darktrace.model_breach_alert.breach_url.query | | keyword |
+| darktrace.model_breach_alert.breach_url.scheme | | keyword |
+| darktrace.model_breach_alert.breach_url.username | | keyword |
+| darktrace.model_breach_alert.comment.count | The number of comments made against this breach. | long |
+| darktrace.model_breach_alert.creation_time | The timestamp that the record of the breach was created. This is distinct from the “time” field. | date |
+| darktrace.model_breach_alert.device.credentials | | keyword |
+| darktrace.model_breach_alert.device.did | The “device id”, a unique identifier. | long |
+| darktrace.model_breach_alert.device.first_seen | The first time the device was seen on the network. | date |
+| darktrace.model_breach_alert.device.hostname | The current device hostname. | keyword |
+| darktrace.model_breach_alert.device.ip | The current IP associated with the device. | keyword |
+| darktrace.model_breach_alert.device.ip6 | Current IPv6 address of this device if applicable, otherwise undefined. | keyword |
+| darktrace.model_breach_alert.device.ips.ip | A historic IP associated with the device. | keyword |
+| darktrace.model_breach_alert.device.ips.sid | The subnet id for the subnet the IP belongs to. 
| long |
+| darktrace.model_breach_alert.device.ips.time | The time the IP was last seen associated with that device in readable format. | date |
+| darktrace.model_breach_alert.device.ips.timems | The time the IP was last seen associated with that device in epoch time. | date |
+| darktrace.model_breach_alert.device.last_seen | The last time the device was seen on the network. | date |
+| darktrace.model_breach_alert.device.mac_address | The current MAC address associated with the device. | keyword |
+| darktrace.model_breach_alert.device.sid | The subnet id for the subnet the device is currently located in. | long |
+| darktrace.model_breach_alert.device.tags.data.auto | | boolean |
+| darktrace.model_breach_alert.device.tags.data.color | | long |
+| darktrace.model_breach_alert.device.tags.data.description | | keyword |
+| darktrace.model_breach_alert.device.tags.data.visibility | | keyword |
+| darktrace.model_breach_alert.device.tags.expiry | | long |
+| darktrace.model_breach_alert.device.tags.is_referenced | | boolean |
+| darktrace.model_breach_alert.device.tags.name | | keyword |
+| darktrace.model_breach_alert.device.tags.restricted | | boolean |
+| darktrace.model_breach_alert.device.tags.thid | | long |
+| darktrace.model_breach_alert.device.tags.tid | | long |
+| darktrace.model_breach_alert.device.type_label | The device type in readable format. | keyword |
+| darktrace.model_breach_alert.device.type_name | The device type in system format. | keyword |
+| darktrace.model_breach_alert.device.vendor | The vendor of the device network card as derived by Darktrace from the MAC address. | keyword |
+| darktrace.model_breach_alert.device_score | | double |
+| darktrace.model_breach_alert.is_acknowledged | | boolean |
+| darktrace.model_breach_alert.mitre_techniques.id | | keyword |
+| darktrace.model_breach_alert.mitre_techniques.name | | keyword |
+| darktrace.model_breach_alert.model.actions.antigena.action | The action to be performed. 
| keyword |
+| darktrace.model_breach_alert.model.actions.antigena.duration | The duration in seconds that the antigena action should last for. | long |
+| darktrace.model_breach_alert.model.actions.antigena.is_confirm_by_human_operator | Whether the action must be confirmed by a human operator, regardless of the global setting for Human Confirmation mode. | boolean |
+| darktrace.model_breach_alert.model.actions.antigena.threshold | The breach score threshold (out of 100) over which antigena will take an action. | long |
+| darktrace.model_breach_alert.model.actions.is_alerting | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean |
+| darktrace.model_breach_alert.model.actions.is_breach | If true, an alert turned on will be pushed out to external systems if conditions for such alerting are met. | boolean |
+| darktrace.model_breach_alert.model.actions.is_priority_set | If the priority is to be changed on breach, the numeric value it should become. If no priority change action, a false boolean. | boolean |
+| darktrace.model_breach_alert.model.actions.is_tag_set | If a tag is to be applied on model breach, a single number or array of the system ID for the tag(s) to be applied. If no tag action, a false boolean. | boolean |
+| darktrace.model_breach_alert.model.actions.is_type_set | If a change device type action is to be applied on model breach, the numeric system ID for the label to be applied. If no change device type action is applied to the model, a false boolean. | boolean |
+| darktrace.model_breach_alert.model.actions.model | If true, creates an event in the device’s event log without creating an alert/ model breach in the threat tray. | boolean |
+| darktrace.model_breach_alert.model.active_times.devices | The device ids for devices on the list. | flattened |
+| darktrace.model_breach_alert.model.active_times.tags | A system field. 
| flattened |
+| darktrace.model_breach_alert.model.active_times.type | The type of list: “restrictions” indicates a blacklist, “exclusions” a whitelist. | keyword |
+| darktrace.model_breach_alert.model.active_times.version | A system field. | long |
+| darktrace.model_breach_alert.model.behaviour | The score modulation function as set in the model editor. | keyword |
+| darktrace.model_breach_alert.model.category | The behavior category of the model that was breached. | keyword |
+| darktrace.model_breach_alert.model.created.by | Username that created the model. | keyword |
+| darktrace.model_breach_alert.model.defeats.arguments.value | The value(s) that must match for the defeat to take effect. | keyword |
+| darktrace.model_breach_alert.model.defeats.comparator | The comparator that the value is compared against the create the defeat. | keyword |
+| darktrace.model_breach_alert.model.defeats.filtertype | The filter the defeat is made from. | keyword |
+| darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. | long |
+| darktrace.model_breach_alert.model.delay | Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. | long |
+| darktrace.model_breach_alert.model.description | The optional description of the model. | keyword |
+| darktrace.model_breach_alert.model.edited.by | Username that last edited the model. | keyword |
+| darktrace.model_breach_alert.model.edited.userid | | long |
+| darktrace.model_breach_alert.model.in_compliance_behavior_category | Whether the model is in the compliance behavior category. | boolean |
+| darktrace.model_breach_alert.model.interval | Where a model contains multiple components, this interval represents the time window in seconds in which all the components should fire for this model to be breached. | long |
+| darktrace.model_breach_alert.model.is_active | Whether the model is enabled or disabled. 
| boolean |
+| darktrace.model_breach_alert.model.is_auto_suppress | Whether the model will automatically be suppressed in the case of over-breaching. | boolean |
+| darktrace.model_breach_alert.model.is_auto_updatable | Whether the model is suitable for auto update. | boolean |
+| darktrace.model_breach_alert.model.is_auto_update | Whether the model is enabled for auto update. | boolean |
+| darktrace.model_breach_alert.model.is_sequenced | Whether the components are required to fire in the specified order for the model breach to occur. | boolean |
+| darktrace.model_breach_alert.model.is_shared_endpoints | For models that contain multiple components that reference an endpoint, this value indicates whether all endpoints should be identical for the model to fire. | boolean |
+| darktrace.model_breach_alert.model.logic.data_component_list | This will be a list of component ID numbers. | long |
+| darktrace.model_breach_alert.model.logic.data_weighted_component_list.cid | | long |
+| darktrace.model_breach_alert.model.logic.data_weighted_component_list.weight | | long |
+| darktrace.model_breach_alert.model.logic.target_score | | long |
+| darktrace.model_breach_alert.model.logic.type | The type of model. | keyword |
+| darktrace.model_breach_alert.model.logic.version | A number representing the version of model logic. | long |
+| darktrace.model_breach_alert.model.modified | Timestamp at which the model was last modified, in a readable format. | date |
+| darktrace.model_breach_alert.model.name | Name of the model that was breached. | keyword |
+| darktrace.model_breach_alert.model.phid | The model “policy history” id. Increments when the model is modified. | long |
+| darktrace.model_breach_alert.model.pid | The “policy id” of the model that was breached. | long |
+| darktrace.model_breach_alert.model.priority | The model’s priority affects the strength with which it breaches (0-5 scale). 
| long |
+| darktrace.model_breach_alert.model.tags | A list of tags that have been applied to this model in the Threat Visualizer model editor. | keyword |
+| darktrace.model_breach_alert.model.throttle | For an individual device, this is the value in seconds for which this model will not fire again. | long |
+| darktrace.model_breach_alert.model.uuid | A unique ID that is generated on creation of the model. | keyword |
+| darktrace.model_breach_alert.model.version | The version of the model. Increments on each edit. | long |
+| darktrace.model_breach_alert.pb_score | The model breach score, represented by a value between 0 and 1. | double |
+| darktrace.model_breach_alert.pbid | The “policy breach ID” of the model breach. | long |
+| darktrace.model_breach_alert.score | The model breach score, represented by a value between 0 and 1. | double |
+| darktrace.model_breach_alert.time | The timestamp when the record was created in epoch time. | date |
+| darktrace.model_breach_alert.triggered_components.cbid | The “component breach id”. A unique identifier for the component breach. | long |
+| darktrace.model_breach_alert.triggered_components.chid | The “component history id”. Increments when the component is edited. | long |
+| darktrace.model_breach_alert.triggered_components.cid | The “component id”. A unique identifier. | long |
+| darktrace.model_breach_alert.triggered_components.interval | The timeframe in seconds within which the threshold must be satisfied. | long |
+| darktrace.model_breach_alert.triggered_components.logic.data | It representing the logical relationship between component filters. Each filter is given an alphabetical reference and the contents of this field describe the relationship between those filters. | text |
+| darktrace.model_breach_alert.triggered_components.logic.version | The version of the component logic. 
| keyword | +| darktrace.model_breach_alert.triggered_components.metric.label | The metric which data is returned for in readable format. | keyword | +| darktrace.model_breach_alert.triggered_components.metric.mlid | The “metric logic” id - unique identifier. | long | +| darktrace.model_breach_alert.triggered_components.metric.name | The metric which data is returned for in system format. | keyword | +| darktrace.model_breach_alert.triggered_components.size | The size of the value that was compared in the component. | long | +| darktrace.model_breach_alert.triggered_components.threshold | The threshold value that the size must exceed for the component to breach. | long | +| darktrace.model_breach_alert.triggered_components.time | A timestamp in Epoch time at which the components were triggered. | date | +| darktrace.model_breach_alert.triggered_components.triggered_filters.arguments.value | The value the filtertype should be compared against (using the specified comparator) to create the filter. | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.cfid | The ‘component filter id’. A unique identifier for the filter as part of a the component. | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.comparator_type | The comparator. A full list of comparators available for each filtertype can be found on the /filtertypes endpoint. | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.filter_type | The filtertype that is used in the filter. A full list of filtertypes can be found on the /filtertypes endpoint. | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.id | A filter that is used in the component logic. All filters are given alphabetical identifiers. Display filters - those that appear in the breach notification - can be identified by a lowercase ‘d’ and a numeral. 
| keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.auto | | boolean | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.color | | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.description | | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.data.visibility | | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.expiry | nan | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.isReferenced | nan | boolean | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.name | nan | keyword | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.restricted | nan | boolean | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.thid | nan | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.tag.tid | nan | long | +| darktrace.model_breach_alert.triggered_components.triggered_filters.trigger.value | The actual value that triggered the filter. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.action | The action captured by the event. This describes the information in the event. It is more specific than `event.category`. Examples are `group-add`, `process-started`, `file-created`. The value is normally defined by the implementer. 
| keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. 
Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.severity | The numeric severity of the event according to your event source. What the different severity values mean can be different between sources and use cases. It's up to the implementer to make sure severities are consistent across events from the same source. The Syslog severity belongs in `log.syslog.severity.code`. `event.severity` is meant to represent the severity according to the event source (e.g. firewall, IDS). If the event source does not publish its own severity, you may optionally copy the `log.syslog.severity.code` to `event.severity`. | long | +| event.start | event.start contains the date when the event started or when the activity was first observed. | date | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. 
| keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. 
| text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. | keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. 
| long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| related.user | All the user names or other user identifiers seen on the event. | keyword | +| rule.author | Name, organization, or pseudonym of the author or authors who created the rule used to generate this event. | keyword | +| rule.category | A categorization value keyword used by the entity using the rule for detection of this event. | keyword | +| rule.description | The description of the rule generating the event. | keyword | +| rule.name | The name of the rule or signature generating the event. | keyword | +| rule.ruleset | Name of the ruleset, policy, group, or parent category in which the rule used to generate this event is a member. | keyword | +| rule.uuid | A rule ID that is unique within the scope of a set or group of agents, observers, or other entities using the rule for detection of this event. | keyword | +| rule.version | The version / revision of the rule being used for analysis. | keyword | +| tags | List of keywords used to tag each event. | keyword | +| threat.technique.id | The id of technique used by this threat. You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name | The name of technique used by this threat. 
You can use a MITRE ATT&CK® technique, for example. (ex. https://attack.mitre.org/techniques/T1059/) | keyword | +| threat.technique.name.text | Multi-field of `threat.technique.name`. | match_only_text | + + +### system_status_alert + +This is the `system_status_alert` dataset. + +#### Example + +An example event for `system_status_alert` looks as following: + +```json +{ + "@timestamp": "2021-04-18T15:44:11.000Z", + "agent": { + "ephemeral_id": "83012cf6-fcfe-431e-b964-8c92c95498b1", + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "name": "docker-fleet-agent", + "type": "filebeat", + "version": "8.2.1" + }, + "darktrace": { + "system_status_alert": { + "alert_name": "Advanced Search", + "child_id": 1, + "hostname": "example-vsensor", + "ip_address": "175.16.199.1", + "last_updated": "2021-04-18T15:44:11.000Z", + "last_updated_status": "2021-04-18T15:44:11.000Z", + "message": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. 
https://example.com/test", + "name": "advanced_search", + "priority": 43, + "priority_level": "medium", + "status": "active", + "uuid": "abcdabcd-1234-1234-1234-3abababcdcd3" + } + }, + "data_stream": { + "dataset": "darktrace.system_status_alert", + "namespace": "ep", + "type": "logs" + }, + "ecs": { + "version": "8.4.0" + }, + "elastic_agent": { + "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7", + "snapshot": false, + "version": "8.2.1" + }, + "event": { + "agent_id_status": "verified", + "dataset": "darktrace.system_status_alert", + "id": "abcdabcd-1234-1234-1234-3abababcdcd3", + "ingested": "2022-08-09T07:52:20Z", + "kind": "alert", + "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", + "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. 
https://example.com/test", + "risk_score": 43, + "risk_score_norm": 43, + "type": [ + "info" + ] + }, + "host": { + "hostname": "example-vsensor", + "ip": "175.16.199.1" + }, + "input": { + "type": "tcp" + }, + "log": { + "source": { + "address": "172.18.0.6:44918" + }, + "syslog": { + "facility": { + "code": 20, + "name": "local4" + }, + "hostname": "example.cloud.darktrace.com", + "priority": 165, + "severity": { + "code": 5, + "name": "Notice" + }, + "version": "1" + } + }, + "related": { + "hosts": [ + "example-vsensor" + ], + "ip": [ + "175.16.199.1" + ] + }, + "tags": [ + "preserve_original_event", + "preserve_duplicate_custom_fields", + "forwarded", + "darktrace_system_status_alert" + ] +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Event timestamp. | date | +| cloud.account.id | The cloud account or organization id used to identify different entities in a multi-tenant environment. Examples: AWS account id, Google Cloud ORG Id, or other unique identifier. | keyword | +| cloud.availability_zone | Availability zone in which this host is running. | keyword | +| cloud.image.id | Image ID for the cloud instance. | keyword | +| cloud.instance.id | Instance ID of the host machine. | keyword | +| cloud.instance.name | Instance name of the host machine. | keyword | +| cloud.machine.type | Machine type of the host machine. | keyword | +| cloud.project.id | Name of the project in Google Cloud. | keyword | +| cloud.provider | Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. | keyword | +| cloud.region | Region in which this host is running. | keyword | +| container.id | Unique container id. | keyword | +| container.image.name | Name of the image the container was built on. | keyword | +| container.labels | Image labels. | object | +| container.name | Container name. | keyword | +| darktrace.system_status_alert.acknowledge_timeout | When acknowledgement of the alert expires. 
As alerts are sent externally on creation before acknowledgement is possible, this will be null in almost all cases. | keyword | +| darktrace.system_status_alert.alert_name | A human readable name of the alert type. | keyword | +| darktrace.system_status_alert.child_id | For probes (physical or virtual), the unique ID associated with the probe. | long | +| darktrace.system_status_alert.hostname | The hostname (if known) of the host experiencing the system alert. An exception exists for disconnection notices, where the hostname will be of the master from which the instance has disconnected. | keyword | +| darktrace.system_status_alert.ip_address | The IP of the host experiencing the system alert. An exception exists for disconnection notices, where the IP will be of the master from which the instance has disconnected. | keyword | +| darktrace.system_status_alert.last_updated | A timestamp in epoch time that the system alert itself was updated. | date | +| darktrace.system_status_alert.last_updated_status | A timestamp in epoch time that the status of the system alert was last updated globally. A status update is distinct from a update to the alert itself. | date | +| darktrace.system_status_alert.message | A textual description of the system event that has triggered the alert. | keyword | +| darktrace.system_status_alert.name | A system name of the alert type. | keyword | +| darktrace.system_status_alert.priority | The numeric criticality associated with the alert. | double | +| darktrace.system_status_alert.priority_level | The criticality of the alert. This value is calculated from the priority value: 0 - 40 low, 41 - 60 medium, 61 - 80 high, 81 - 100 critical. | keyword | +| darktrace.system_status_alert.status | The current status of the alert. Active alerts are ongoing, acknowledged events are those acknowledged on the System Status page, resolved alerts are system alerts that are no longer ongoing. 
Alerts will only be sent when alert enters the “active” or “resolved” state. | keyword | +| darktrace.system_status_alert.url.domain | | keyword | +| darktrace.system_status_alert.url.extension | | keyword | +| darktrace.system_status_alert.url.fragment | | keyword | +| darktrace.system_status_alert.url.full | | keyword | +| darktrace.system_status_alert.url.original | | keyword | +| darktrace.system_status_alert.url.password | | keyword | +| darktrace.system_status_alert.url.path | | keyword | +| darktrace.system_status_alert.url.port | | long | +| darktrace.system_status_alert.url.query | | keyword | +| darktrace.system_status_alert.url.scheme | | keyword | +| darktrace.system_status_alert.url.username | | keyword | +| darktrace.system_status_alert.uuid | A consistent UUID that can be used to navigate to the specific alert in the Threat Visualizer (https://[instance]/sysstatus/[uuid]). Where an alert is reactivated after resolution due to the issue reoccurring, the UUId will remain consistent across alerts. | keyword | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | Data stream namespace. | constant_keyword | +| data_stream.type | Data stream type. | constant_keyword | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. 
This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.created | event.created contains the date/time when the event was first read by an agent, or by your pipeline. This field is distinct from @timestamp in that @timestamp typically contain the time extracted from the original event. In most situations, these two timestamps will be slightly different. The difference can be used to calculate the delay between your source generating an event, and the time when your agent first processed it. This can be used to monitor your agent's or pipeline's ability to keep up with your event source. In case the two timestamps are identical, @timestamp should be used. | date | +| event.dataset | Event dataset. | constant_keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data coming in at a regular interval or not. | keyword | +| event.module | Event module. | constant_keyword | +| event.original | Raw text message of entire event. Used to demonstrate log integrity or where the full log message (before splitting it up in multiple parts) may be required, e.g. for reindex. This field is not indexed and doc_values are disabled. It cannot be searched, but it can be retrieved from `_source`. If users wish to override this and index this field, please see `Field data types` in the `Elasticsearch Reference`. 
| keyword | +| event.reason | Reason why this event happened, according to the source. This describes the why of a particular action or outcome captured in the event. Where `event.action` captures the action from the event, `event.reason` describes why that action was taken. For example, a web proxy with an `event.action` which denied the request may also populate `event.reason` with the reason why (e.g. `blocked site`). | keyword | +| event.risk_score | Risk score or priority of the event (e.g. security solutions). Use your system's original value here. | float | +| event.risk_score_norm | Normalized risk score or priority of the event, on a scale of 0 to 100. This is mainly useful if you use more than one system that assigns risk scores, and you want to see a normalized value across all systems. | float | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| event.url | URL linking to an external system to continue investigation of this event. This URL links to another system where in-depth investigation of the specific occurrence of this event can take place. Alert events, indicated by `event.kind:alert`, are a common use case for this field. | keyword | +| host.architecture | Operating system architecture. | keyword | +| host.containerized | If the host is a container. | boolean | +| host.domain | Name of the domain of which the host is a member. For example, on Windows this could be the host's Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host's LDAP provider. | keyword | +| host.hostname | Hostname of the host. 
It normally contains what the `hostname` command returns on the host machine. | keyword | +| host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | +| host.ip | Host ip addresses. | ip | +| host.mac | Host mac addresses. | keyword | +| host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | +| host.os.build | OS build information. | keyword | +| host.os.codename | OS codename, if any. | keyword | +| host.os.family | OS family (such as redhat, debian, freebsd, windows). | keyword | +| host.os.kernel | Operating system kernel version as a raw string. | keyword | +| host.os.name | Operating system name, without the version. | keyword | +| host.os.name.text | Multi-field of `host.os.name`. | text | +| host.os.platform | Operating system platform (such centos, ubuntu, windows). | keyword | +| host.os.version | Operating system version as a raw string. | keyword | +| host.type | Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment. | keyword | +| input.type | Input type | keyword | +| log.offset | Log offset | long | +| log.source.address | Source address from which the log event was read / sent from. | keyword | +| log.syslog.appname | The device or application that originated the Syslog message, if available. | keyword | +| log.syslog.facility.code | The Syslog numeric facility of the log event, if available. According to RFCs 5424 and 3164, this value should be an integer between 0 and 23. | long | +| log.syslog.facility.name | The Syslog text-based facility of the log event, if available. 
| keyword | +| log.syslog.hostname | The hostname, FQDN, or IP of the machine that originally sent the Syslog message. This is sourced from the hostname field of the syslog header. Depending on the environment, this value may be different from the host that handled the event, especially if the host handling the events is acting as a collector. | keyword | +| log.syslog.priority | Syslog numeric priority of the event, if available. According to RFCs 5424 and 3164, the priority is 8 \* facility + severity. This number is therefore expected to contain a value between 0 and 191. | long | +| log.syslog.severity.code | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different numeric severity value (e.g. firewall, IDS), your source's numeric severity should go to `event.severity`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `event.severity`. | long | +| log.syslog.severity.name | The Syslog numeric severity of the log event, if available. If the event source publishing via Syslog provides a different severity value (e.g. firewall, IDS), your source's text severity should go to `log.level`. If the event source does not specify a distinct severity, you can optionally copy the Syslog severity to `log.level`. | keyword | +| log.syslog.version | The version of the Syslog protocol specification. Only applicable for RFC 5424 messages. | keyword | +| related.hosts | All hostnames or other host identifiers seen on your event. Example identifiers include FQDNs, domain names, workstation names, or aliases. | keyword | +| related.ip | All of the IPs seen on your event. | ip | +| tags | List of keywords used to tag each event. | keyword | diff --git a/packages/darktrace/img/darktrace-logo.svg b/packages/darktrace/img/darktrace-logo.svg new file mode 100644 index 00000000000..dd926f62920 --- /dev/null +++ b/packages/darktrace/img/darktrace-logo.svg 
@@ -0,0 +1 @@ + \ No newline at end of file 
diff --git a/packages/darktrace/img/darktrace-screenshot.png b/packages/darktrace/img/darktrace-screenshot.png new file mode 100644 index 0000000000000000000000000000000000000000..c78dc5bd31ef1ddb9ba27fec7e3a68aec296423d GIT binary patch literal 75879 zcmZU*1yq$?^F9nBAW|YyQc5G;98#sFq`Tut9XbvzC>_!b5`xm*-F>9v(B0kn-8|3x z{$Bn5d%@?jtDBJ_-pJ+ifR5S1t-EOi=yB!F_Qd>5vqSm5zQj~CCTuYnBlPh zR~^Ll6G+(_`LO`!gAyyP`YnpbvT%j4=QubK(jSx7=}hPzX08d~j0@LN&EgVVoZ!Us z2A*9R29KZKap{++3$)~NrG)h=0CU+9fviCvh(0_h!i+eux@;O;o^3Yn83^dAy=TrI z(P8-O)_kwxpNA>Pm1as{5gFM;pU{GP|o<0{Uaru#?4uY5a2 zjn!5dtf=Li$G<8M9LHuN{Kq6aoYhg4haAE;H;hj^9##?h7#U^3p~m8Vf49c$-{)ny z1{EMx>(_~f1?Y>CQ!jg>U9&+UDboA!feYS?g>d+;xni=)gVAx!QmaUQU{F8E zi%XiOu)5`cD>D*mmUwZ^Kp6b+{PO<3UP{_bg~;*PeUsfkLY=ulx!E7J?%n>Qnf7A@ z-8}@vs=h4OEFv?Buw+grI6^)K5s`FOMWz-NAbL)nF}40N&FS^?S%?zoL%q$nl*F%? z-|f91^+HcO1OQ8GYcMX@)gEFW6b;B^qcO*60lPX#P8r^R;vR%ZVMNHmoBxlfVek9< z>onMH+7&LKC){euuI>pM*3qSS+v0Z&hH>v{G~V83bIgOwRD9c)ymE1$$9h47zcj)c zEHrKx!8ad4UltY8b>aGim=j$#yma=OC0BEd>x>+S++;WVRwRNS#ZSKQZ)}^Fr@#Xi zZ9bY368a4pH)wH%bI%FQfx6`e^yPJhptR{~MF-r1PJrK;N2?KDTwba;)4006n1%2_ zs;>J%xp$yrfweRmq5`JL5%rXK(XB&CNPTYIIk(FrF@_1+@aU?0DP2*WEsx8)8kYpt>YYAW z;EI8=+?(R+>)lBZBSf7PdU0`Tl%rJ$$D9YoL$*wp>}sB%LDtx_6OY|bp#?2aK`(}V zcZYyIN|a}ws!X|YB77+p+#KCEpOER-B>luIhidvH$c~fGiPQEmNy4&kwFk_lgigl^ zCO?sL^%$=wjWpX%k7bPG>v5yqT;S z{7DpcTJO^3E;Pvf1lxKVDgOEp!>`fAIJ%*dZ?gVm&rHeJev0LMt@WO)wwm2l&aJh`uC1EX^a!*mL#J%1*Wj3op6J}~h;Y2T>FPXHk#gHh4Rc<~dBI44{}N!UMG zmb9@$Uk1G;TwVz9C*%EP73LQ0>!RJU$M~~F<9E7xR9{`@< zLXJu5P9UuaKOkwefc9NchH~nXt(%S1dyVyRf@9h^T)$k zr|;BQC85w4B3cQQuo)D+n(ZAfwn8o z#`hfI(J=Oa2f_H)w_WKN zLh^uyOd6BP2q=|0X2xV?QFYW21EF%0VGU+k?r~zCo+$k1#u25oDJgYFto6G^iIrS) zG>zj!sU7Q5eS+7cXwUjG_q}@UvD0qXUf|$>h)>IuW;x7cx7Hcb*i}moDz3hYV(Wo| zGDu(!5?DzVrBRgr(JSrZP_*yyGfaW?QOOD(g(t-(1tzE4f$q9V$ce&fJOc`;6JT)5 zHwy{-<+m&Zb-R+L_M#+FUBvYb1qRE{PCxZl9_et8t@!6x)R+AjLU&&a!5FVk>0T3&tz(6iYs>3u4sJOT zt)xop8At8TRa-gPIgi1Gn7ZSl)F9_8_2pF;t3xLJ+8XvdpzZPRIixS27*SKH+x0(Pj4Y?{*SW#w5z1*rcs6J?-tWTh(% 
zTb8{q;h50)V6ZlS+Qj;bu0+9hT+1ytXTrEUNW9E)m|!G%%Om=nTDoiPKzvx$QrAAG zs*y``US9dOEc-UVG33PYrj4v`MM_mjud2hjq_)SE8&dVzN=EG>peO$h0RSRjYd_=n`@yogWY3A_1x(!;`PYSK7q$evmq-}`(-K9w z5kT$=9;ENUF#Q)~gDdo$glK{*bBo6mUGOyId_Ex~n|c}5f7L{Lo6pE70-Syp4sDgtToL3BC+AX}vhj zpE5@e9s5ud%KT>owuNE%IGuk`IPw?f%f~E<+eM(RuQ^%TL`d zYGU>tcQ3$|1fhi{*FcrTjK>B2b!LiK_LV5tkITnk1bl44K6#Vbz{gNP_2Y?U+JNCw zf6NZIz%3yzK~dM@r%{QK6?ZijXT-*iFX0+7RkCWzux^@~5w&?uhU-9t$==}Ow6)Xl zIpdxe)*iYj{8iKj#KK>N1@Yxqz*3e+PR`#aPAzBlvf=aFhvUX;+fdJ;x*Zuksn$t< zs7c%yc+QH>4{h11zH!L@&}gsISwm1L7Og_~yh51x42K!&e6O(!>mQ{WPUtbh#_W9h z48O}K+;btXrbNAAFE28?D<^yvdUVXFI~CE}1%nyt4(zAFJYnKZW$&;Q*9P>5_+a}+ zro$LZda&UaS?H4qDxqi=l`w&j&)AEbcfuC;A)QRiS;|T(@iC!ZpcU zm#0B_g#zP@wZUCcM*$mpd#7dDcZZvT^AjYr`;iF^VPc1wgTLpQDJXV-oRyDVgoVdy zHxu6dM$fOkbDnA9jmV;B(l#9DU0Y`|UUBZ*IM>I=F1-4NDrx96Q#NT)6!LU=h+y7m z8o@XEcY1qMQ5^0*j3;TVA#B(KYoF&e(e}q%cU8l!;HdTXpJ=3r)4(BI z{u}jm>PJ#2*aFdQiQyPz9_J#lVO5dWcOLB~2$S7#qi00KZN>bZhs`2rkNr~?-&x-w zn5|5;xb6y!-}4ebdNX-jRZw3-5uP~WxQ2;FqRx)R;53e~qaoFLpN-RSBz;F{foyuT z(7o;ghEb6Phf{}yh{L;^OKvP6&YHjIKG3*zxZ3StS)TcAyIgPgydbgv)@TKykJ4Sa zzFdCdgyl=TRtjSHY*11#9|n|=>%EpYlTZ3lMv}PLKmSmgquTprGSgU}050Ns)>2Nr zKW3WKQifH$kj<$ZlK3vHp-}79O+?ed+DQu`yp@RaR+f8UKm4{xLq_)q@7NmCpTS@w z-_dw533F69ZQ?K?bBTO0`%A?RnQ*vSN$8R2KnKL$kZ9QXsnJf~1&zmRBXMxaWswF3 zbWK`Sjy#0Yh$_!{l0N)26&FE#jxF4P#p?C#q|6TddCBaxKoxfP0=e!4Wo!iI%jbRN zn>hWRUZgcfZ5n0lks#~NGW%fgU1RBJ{7-pxqi|YVIJ(S}0fW<%x?KPFefstsaO`Hf zZpswaJwon4y}L6UvNFH1xt@`ijg@ZEeG+gCx4dH$8*jYs^k&HF*}T^PtPF#$Z>gdv z%4JnuCr3s{x9=4$-P{q$u~6@N$%;JmyYTO(p}RhHRCTD$VU7SFAu9>vJTKX!@A^7e zMO3Q>47pWd4B+QF(JjSUOp{?I-=;D=04gUg2&i+I@PpUyqko<~5O2oAr`!I*_YVpaS zE2)?`%DlTi>*ACxKwESmQ5{`|31njinEy84-@bgJz}ee3!83E0u&EnXMFTe`LDxMi z_fQ|w5jZw`iR!5l=S;e}4QxDB751l_#wTRSLTK<-V@0y6$V*j}k+mk7lUNKV9%uJi zlGV)c;>%OZe!4ziDc@gSzMyojZGue`y#&TjC+F|4p6+*rm+YzxcQG4pTZD78PxeNx zXsis$G_4E3mbTC9#P5WH2&zo=t zm5Ym%gDawu9ri5`RoTQ9E=p{~?jV!FRG{#EYMhU>W9ho-oDbrSs@U(s#T0eB%>U)( z{t~Hv<=V(>tgFY3k<5bH?Z%Eft-sBdu}gy7`9|ZGiIRe%fB+$M|2x;`SS%>XV0Vp| 
zLCcAMLe=O~454Ly^GhW4yn8D~AN{=b^_G;+g4`rdlYyTd+mecrUWIk=d{N@K`rx9z z49=LM=l%4yIz}JCf>7u4PHE?I#b}&JFD=nqG6u3f?_q)Bb!BJf@ia$W2Dl=VB?Y>W zXKLL2Aq{%Y0Br-OU&p?CH||7LxzTuAY#a(k;hgy5V}IX*QEv+Vnr6qv)JtUlanYZI zWIC7Z^{0poYmAg8MKNa9kcA&oICBIDyq3_nB)-?)R`5sJ{c@BPo==UmLkrQjamK%k z#KDFo16c`Gr*Ay4E8yMThNnA3^}2*@D^j=g2tG;q%lb6^QV2WlcZG;zNgBtE>(j%! z!KqXjsL8LNJ`e+6ufhY1)fx2@<4vXgx67X2{yxs1aUwW=j$J91?K6Cq3W*KVeYry5)%8aOi>?jFVDd!CzR4-TdqIy?&87wRci z?GTuU&#LZZT7e^2th&xb+HXZACa0opXv>^M*{u{w@Iw7CEtAcZ8s#XT^N#IsbW`NQ zpLEWNl6g5$S1#h#)K!tf zM}AInTVBmWM=Bz@7)%e=mHAr^S)%H1Jd4T>ru>%+taBX;j*HhzaI2Zib@f7L6?kqe zzk_SJ$~SA^;CpQF6GBAW5GY+_V4!^u9I_nFKs&r$$5EcsEr;j`&ny%iTZa^Rur;9;$8Ps} zRQaU)&XS?#kYgL~#JvD4)#l{3xb0%0zEa9P89qt+Vq$F;<4xrX+irx^9J&z?uo>L| zo1#F*Z^fYjYV?}rQ1RH6uPYL2<;Vw9;^43qGY1PGW#sXA8(F`s3%#3hshG7$(-moq zb^c-qLzLhhU7Hgabf1~HPa);zPBoBL>PfaLrnjI74?CTm*i>>Hx4z(s_Fa0U*M!S7 zyM8))oqv=XVew_m)GVA)v9ao7%PEdRD+m8T+x z%YjtBvu>CnH%yk(Shy%>{w*ak0p4C7C8^o~3sae;!XgwbOI#Lsb810lbrT)8=TLmL z9g=N(^$B2m%(C*e2BXj?a6#)hknrND$okZo99^T`qjl(kAIC|g;3<9&ER@o|h5RK} z#X2Y5*?4+fMHuz35=PH;k=VPty=j{rjjn>MtZ7@455`WTukfvkUC(|oMH-CYx)@%$ zP@rY2Wx4MCb6=sDlBt>eBg17OVV!8i_~V3qk3zA1AATvRlVYV6G7Y=_Hz`_`-?odR zj)tvHl9a7^^@~8S{n(m9mQq$>hqmLQWQ4?sI0fqA#kMl3V50#EA{o!0i+HDvrOGGX zI3J^g?F2>yla~AYDt^$El{pA_xt~i{HVWfvnLnpz3V>qTr|$0xQJIoNOQm%eO>Z&x638@X`u`Cc27ZY7E9KZ14 z9$&QGuja5t4Xx<7)kRjGJh z{=G4-@mC`GZqKWc)UGv_aUQ4|w4_a%{JDEv%vXbzh*E0IPHdW7WRcRVoqMy-2F^l* zUtpD`ehD*dwYtzDHMiPxTE1-CurJg0&Usgcx&Hi>;1Ui&RMteH)@Gov$-4^FROIHF zymX`p@ru0HF8-FY#$>!Xf@>hnPLJs)a8{A3;|{AG^;;AeIaJLw=p@0nr;gx)p6{-! 
zmswHZLe45=jjG*L8PmMV@jUr|EPnE8JX`l}nR#M46YDn+v7F$EzfC0Q$&D>ab+j}r zI()oqY^^aEHDY>jMOJ(@sfJkp6Z#6?C;#Fs@SRyC+hNLvw+_I zpi*4gUn2l_mywNifluQUQcj&sO&3^6vaI1xao9w$Yhn$S7mpo#Qs>VxwJhf6OFi~( z%X;0!#X^5%`+DN`KBa+4_5^nfwFi`?}*k{?uSi)h=b@!hDh5e!p3w+#;HzFbq| z>9<|3Gt(M;nbcg0>_{8a&A(Qn@9;91X115(x@{}xo;8Bi zg2Y};K(0g2I#X}-)e^pSi>s_m*#wsO{P81}*_yB~#D452EmW-p4P7@wjq?#T5Ip*J zj>~l3&X6#p{*CJdCu@w#nC(f8`}~QZO3}^`@R7HuX(uDCpdsr}rSbD6lp*T_#zw-l z=F&|z*?9*WQtPHvN!Qba^JC<5Hcr#(bqf`g@u6e&ON@Hku8$}kf)Z;fEM=TRy(5J@ z&#NI_kFsf~7B}=ff`c4chti2|E>jmzf@_0?*XQ=9vP0vp@7R}e248t@y1L%p2{vkS zVlm)^B(O(p;BjmaI1=QAr!Izne#RCtk@5<&J&qE9P5ops zeI6_UW@Ujqqg=}|EFc4Q^YML-fqf})-JNV! zU_hqkX&)*Xl>wb{%>9c48H*djK-1H3@L{BFg_=&9TbK{=^?I@44Be7mDcf$vW125w zhYL&VHIP|GKXFXMjm*Fo7}cdy>CKu+ncbQ&e)z)Yy5&53Ws)fJFmQ-qge*S=)TRf0 zCiRlUmMt?teh)Uh8qN{2X5U&|a){B_OIcRg_JeENz@)$7m{8pDbJd-^yYa7LegIa_ zbp|U**uqO0DJ;6C1dr_~QNUl2ze+T;*UvC9Kq-Ii8P;@yU=vPN zVX0lYViTqIJswo<_i++NnqDD60o@(HJkykJNyd)WhYG<%qeSiUI{lrHWA(a2XeVd&asP*tW*eu* z8&;7_6r6KKT}LwWQ3?CbRhP{q3ZI^`G~@m=6Pe@-)Y7)Dv4(niM%+Ej9t|_W3=d-wSZ{NKgb%+<@f}Xb^laFO3o3TJA!4b}i{005l2w+Y3OCNlv;@CdejG zyCdc2e#^LQXj;5^5>sJq=AkD;!C~ab!FeWhmrT?(-2NpyoaJDwYP{DogX4`REOEl1 zKZ{-D-AFstN8rklaTjyB&MsK3sz5 zDYYTj%i?T%5u!d`_hdz#5|=w87S$d{?#wJ#sRZhvt`>g#y;Yb$MNOe;jHcsE7wcL& zonoa4+wP#P5UT#=UfXJY$?Kvkfb;_Q+xT_%uOAzwlDJ;SUSg06Bwq_-7#-$*4Ji=^ z{FK0@)g@|bB$bk<-jw+2F2t<+8XQv;vXg?>nrr>-LozIQd#6#@qS?8zs*}xmb@_`I zuWve=^Wl1i%X3(1lMcW_vPf%)#h^L1Os?83+SUBb&7~>@2Qv$sJNqGyk0&!FqlkM~ z$jY$-sA64*&~I$}+Kz{DJ@^(OVusg)hB9d&3B_+DsA6qP8n{{^HJfauWq;kdMWndK zvaFsK(OjJ99PPt3I&s7IEy`71vao1~Z@jVbPH4dBcw5TygGY?>d%cD0iIbVf03GcH zpjCJv#Umu&gEIAld5*F8igE?h7uyHbLIi#*R(bVMfkc}!&eKYBx z!GVq9+o@s3sZY=_5wo2cBwyMN9G%)2v5EeSi;CU+`YM|J3VppezU~_rd|ZMvTDI-g z?5~OvD0%bqOEqtgdRNTVv&0bb?Qx@e|Rgg<9j|JYEW3 zN#Q$_@2p-D05R1nlZJ)sW%0hxph5u_%R0YAO8BE)XcA1r;ULAVMi;#tK|v-ys`*PS zbIzd?P)@B}GA8cUpz_!`2=sYrG*zuIqL=@!M4nz-+uxovFQrhpF&v8eBBsNevIE>S z?g@yH@T55D>bynP`pqT7zXl>E2qj3aC1 z8LgB0lzuJ09P7(o1x`7^?rB+|;qYyqLv10W=_6i<>0D!26wOGRk&BH2h6r=NTQxu~ 
z6JhRU6%dueHXRgIRK$v&cs$jMPDTl1N3u|l_se+(xH2WAD(R6M&bxQ-)EV&^@ujU| zb8~YuU^S^whUjb34V6`W1`XhrX0im}It@E7bVQfBII0 z%!A8&TY#OV0Ou5bg12Bk{6$SXC*8D@K0k0_Au7t}trta~Ewx-{{?JO4MTF^!7nAw$ z3(eNYD&T+Gi%Q2<63S_MyB@?8DBz~Zj41!x^zt?FeSsez(Dwr@Lw1D!|JMZ=eVo5+R224dTW#uo zI)FgC`B}xKA@4JRujtlZb~!>5>mzKAy zKB1E6B~5mE8C{pGT$@Y?Az&Vv9g=_r*51=_f33+^W7!{tBX8+lwCW*>ABljUiB^tzFt4u_~%-^#(tVF^rDD|uC zsGp=f8n(axR==1$Q}j1>1N4YNb;aX!#bfH-ID*wFLf!c2Gb$+FxCG)82tSo4FrIR4L#p5>ld}j0e3l>Nlq=le%dK1 ztY#lL;MIIx-QoR+@zz-V8QU$Ny~_T_R*^>=&!2lYrR|mDMFgk))yB6zgq9iIKuvq` zs~SN|jGkHr?@fOybyDW@q|AV#vs5YpDsM>2Bf=T}XoFk6kuvFz5^wb;ohChZp)~W>~3OrYtkbQOdSXRxVc6wzND5>CCQi#=|Fo`JFcT*w@byDI4ST z-Uo7s7a9(61p(S5e{}$wA^#I4UZ|-YEcY0>dmYhnFLUPPy?My6%>g+Qg=OvXmUByAFZo98>TwX zfQGP+rHR*lPBpS`QXsWo9v_soi7W0gLpE^+0`@!t%biqPR7II3uZ;hY2J-cwrj=yr zrOnCurWCWPoUj)L8AeX;r2}_?tw+{-w+U@#Kb^VPg^lFwXbbPX^ATyAE+CzKkF-hl zQgZmSNHibAl=3%`t-!VutiAq#z1!*a4c*;(1 z<9@Qgsa~$Se4ar3Hw|kYg0o;T6Sl_<;W*=E@<~;Tou3z9 z5K@ycI44&@V*wXeGX(1ersUP0tenmH5R1SuUy8Q`mA{0y2eF^h|q;W17LqFuASCKmJ_VF?}3BJ ztLz%d@V?Ggz6n6n)1;q@uD^(_D6UNmVFEzrzXLR%oSh`{gBEIWFE=L`-7<9a9Pbl6 zpaT~Eec@v(<(1v(&pOuL55*UkRhM=WSWnuP_Ln|x_HgUS{eX)(^`PC=^2Ag~cxL>j z8)KcKup4xs{iC^ATk)tbXiB*_EiDM0&RNCL!Jb))8I0#vf;MD5YRRl(qsc*&el}Ijsp|;CH4iCfy^!kB|=j z%L|6Cd!4+Cc2Vg$d--bVW zJ(*?&@}G9sXe8m)>DEGRq@<}Qa6Th@KmY9vid7V#{qnD~8LSGKqHpA_jmuy134`>S zbnM#MTHZ4|d8NomE!tjbLj~2s2&G|nA_vFTcZG^z6J)V2ti}A?Ec+_ST8HpF<((Fhzds)bcobo5~zRN0sScLsg8HL~NomeDo27bhFA9cH0H z-&=ni(&>uKBq|C5-oN}mW08H9gx>y}`wDHTw44LrJ6aNFx6K3R0~zPdga{c%;zRqn zi|)5AecGTU)%=uNgm0IQ>@nh?5@%V;@~eaji88MR9_cyCda&?A&S|R~(NxK5FtJg4 z^J_(2Oe!fKK4q6ggDOXGXzuhT>PmM2h%ab|*g*OV>_*OYTt@w`hXFqwzS+e^$%o(c zTY%6b$_D`WCSXln&wZ{M*j^KK-Hk1;-q>c<%yq=6Q-2?egb)UO9A)N zY4^?DW$QlL)4dS5!^kgbp1q4*uV>GU3p`RDK(?~Y02A(}pbZ^7^6mp<9INww?cQJ| zYrfpICSviOL+Mpn1M9haphUG|1XG=T)SmNNI^w_2@nFO9D zB^kFzG8NY{2*X9g*c5dM7dokPrMfMwMO0H!v5FW6g8coRMIjMa1mZ+^_QvFEC#%c& zjd+ES(0fXMj;iCat^37ZoaO4v#;%tyoIN(D>AioFwOI1TPmJfmX`Y6%3-R7i`pc!Q 
z+<8tIo?nfG1lJX7)##Nwrro|Fi6lS?kCK}H8*mk?-EV#Flr95c52)} zk++nnoohDm zP}*A8PYkKOcYf?#$ne1_bO*M9y1q2wlkVmF=!TFGr!_EW1V{zeWsVjsAnLF65oNyq z8Gg1R6GHLXfgKsw=3>mWf1*f9f4c;T-G`@A0w;o4nAYy^80=q^T+R|~a9p@P^6{~) zOE&f>iyc<_8j^IkkEu)iVkR)%Xz#V@&h5pe8;iunWyKD(d{zW0@Co`-8zr<__BeTB z`MphUY4SOihrB@=`;x0T?hg6S#c(lZN>}!Z|3wss_zzXVEa4`{XDumje(OG#!&_ln zsO5zu9Py6Jr5s{ES&5}DLkr&sW^%UP-If_y`CX_yegjjQ#M*BI(t(ZIQ@w&aawlsY z5iv8{yjV9enEuU;tfzqEj(d@!f36Ma@}wJfv)|$%r$$6NOM+u2Q5*HgOGbR6wkpU# zu8UA`co8MNyw}|ags{iB=8$WQC*{wlD`@313%hk)dk3@I3DC;@^bgAp0C+oj25VXZ zGMm^h-`%vk6ja>159f_YTIKyoC{C+D%*fTexS0+P>~lB(4~IScmQ?Er+iUB4Um_SayW`M2+8)VZVUdv85c{=5#d938?(m$j${s!)Iy-6k zL-9eU;iuTn4obiqRU2}DyoY7R0~uLq-lUl0zY+W@t|7rAq4`Tm-5GMf>vb?7taj8= zI>j6MG(Uy!I9TtN*Z}DMZe->yN5}htg$4HL^ER-3?C&>Z(fqOYw8p2fA#+3U6X7Z~ zEno;@R6qOD(h#4Z5vvMK0t^WiWO9-@Fbo<4jsKGi5p@oJ9NQ{fe z;zV%&h0)7FIdIwDKoR%oIDm|eP|c-d%AWLm0shg_>3mNNXjFSn_O|Hr#Bk>PtM_$h zSr*1#d|w@lJmlYgkFg!OPbqB3=$WpJ%?$zy7P72`-((bHln?d2LydoMnIU{XL7c4U85>sHyr zyN0_FX&2K@#hFPI>)nPW3;X-wo7`wvn3-;Ah!~`TMADf{>F`|&3%Dlt-M-gye!l)> zfzm~Xi2ShIM~rN=FkA_G`xiq$+^iWr2MEXj=nQsSe5bv(YENM0!8|hHEOr^q%Wyg1 zjq?Rr^C3RkrT%S*wFZ&-vhC55Fo<6=Y8SR~3Fr{H*{5%{osQx48o{~kh+q@-ciqEc zAZ0YlxqfXaS>Bjo@*(G@0b*yGp3tfAV-){`0so>UCr|?CH57>CLUBBFrMT&@@jZK4 zKKWPF74JGux^VHwKt;qy#J*}qNc;SS1?N<%b6vLI^0|>z0$C#&6@VG@);Hc-duapB zi$)~~VXa14?k6u%8|OP!c;*$ZHLn*N9zWJ35?&^HUnl;|V|T#)Z0nKd%oWZ=xL3e3 zDtnFLB-6zuk6s3$tr#IKLtioR537170wG*pRo&Jg4|)MMmlrtWzr!Gr0m+n@`as9% zf5-YP!?og6-lJXWHVrfV-O+@N_#}WM)h~HAUdF;RcT2njy?$9g&hqM6X8B_`2sZ*! 
z5qaCd`Jf@dJCs>p#}TgnaM<<`D-)X@Y(W%t#9mw2i~`68xWgJwAMJvG?k)|EtAWB~}p%Ycam-fdpZ&rQ+wtd0LRs6$*|dH-$E zVcQ;A&+C94FDDpCmJ5D|*h3Alw~ZHY!yv0mhi%eb`m?LwOq|{T$Cs7LJ7c=-P*O_# z$4`5J7AV{r{{DrkZ)#@>Zb#hdfJrER8-sT+a$z0vuFGe*9$Zpc}FXG%L>C8Fa*4bo~ zewis%vTB47WGboP)jKZmlMy>msyXcq4GrK#lzsmbIwW)CY_9bgT}uw7gvVt;8Zw|O zO?U6a%-Cp;&g~h&1eb0cboMVI>X+spQdX@kw%zh92jY|MDgWYBkF9~0_b^Xi=)%07 z!NeN&=1fHn%;ZvI;p!)|C2vVi=)~62+D~?ubA6PuqWXlp6aXfGD26}$nV`Et*Jq;4 zNl(w59XPT=t7n;a{LhCA&hbQbI3nkejH(a!65=5|;$rlG(a|uTLY&A7b3XvDjRIiq zF0}bo9&ADfUc`a;nFf@D4m&s3wv$thJw8X8KlFcXE2=K?&xB81Y5u5LlewzQN;6r* zvu1Pvk`_pvX1FvO@bSpnHOw~*A1*!HQ0o&|6TBF2Npp5C9kzx;_dHO3|B%=>UAOD? z{LpY;@ z@4YR4?Jnyg`RcY7xvZ*P?rR@ZcVb!5G>>&7WDk^C42=UoHwM~LuwN1CQkhtL9qY;wn6!Ffh z^Qrq=H6TT6+xLmqo`#*(#3gto-u=W&`Gb5A6VrY-2sB}m(GgtP({ z$HV}V>Y*o|y~bKmen*Dt{Db|D$IEc9S5_vqE*cjKx+y+PtM(A6DfXTeDWQEY_lDL4`?P2j=JT3$ zk_OcZkQxt2~{1bLr?!4*?65gf`yAQ3Ll zH32C_E&GNbxywo#66adQ;WBJ!sAZgz6q>4sa#hYmQ`+bD-TmK7N0_zdCu|=oXyZvy zn-TL(QU5bBLVIPeQxzG!LDdQ|ZA#&H*A40JQ8{P#6H@I#;`HyDNfwlel+=RKBl1lr z#mEJ~>l88R1x#G#m<}g&ERDJO1yb@my0q4;`c5wpQ1z*q{v&pw_^ha1tH`uzVuz0P zozj4A!%;Z@*tl|D{_C&3MBH*{J?K)%(b zYnBaaeV>WI&9nk1~XAUMeKNf<*{}~_aHR03E z(5>eUdTORlFXF%dD15)FrOHrb6ItpX7AyE#AzlAt;4h*#$$VPebsTRdN;H^WrX=OR zvCezxp8B&tP{acJs-oK6*OS#WyA)TkKMV=OCHa3^2Qe{?xn|b3?+~)Slh*m6>w1ur zOFvJOH;}I1T;!ZqD*>Bpc>D03r|W*g03LNxQ_U5r*+kQX7t6nHdvcF>BI)5T(Rb!y z?u3D0_&*a%C*JBZP1T9b={N7tZ5a9C3|FcYnNPMCZBE)3Mt7Ji_0U?I&7V2eUV!f- z$M$|7p<1hq6)r~$o7;sK@l38p4?sT2F3-_rN$~n%6j;sVBnK&{#0raZqgz}elpT!x z*F`SgOVEAK=^f82%p7>w&ENY*(AxRnqLxa*YzMDX}s`L=reVp4?;Qjs||x)rPN z7!G&s@FK^XY8funX_fus6BlL&9Wl4y*gbgb8`Ea0|83znmKUSacxk=6`>gy=WdQZK z9QVYIDl0yXl}d0K9+f28%xpfr@W^GH`gv+Clvm$M8IvGfDlt(4XM7nO^RxHNl`G}%n zk@){HGD|Fk70AxEj`LSr-=CN2N5`}s52uOGL5Yo~r zCEd+{fOJX2z`%XSbN+Jf{cz`Z&KLLIZ>)F4^Q^V@CbjtYAm$@2m>>2lx4z<>PTt&4 ztfu|`a%6ljX@@p=g|3L~+M#JSwz(6)!7BVcSUt$(fL2EMh-;al9)x_|o_TPguXPbt zmhqD-*;}4{9eMwc$I$zlnu+sgc!)Pverf&l^YJppGljnOhh$r$YTgjaF`B)S<&LFDf|xJ-46r^KLRNQ)mqI$AA+*^ 
zpVA@)tjaE$5#t=*SUwj5N!2dIpBT~t(#CuII#15HHqo^bMO(6z%AwVd@ky3$czc|G!wH!f9+Y-C z3Xxec4YuMPLLOCAg>a6i#@2UNQ7?LsGP+JC*7)MDhroU*;qPB)q96D@k)DA;LuGCe z$LEzg(B^o*dXqK?iswHAi{!E>XA~pX$;iC3L%S3Tt7I#vfrP}#{4)9Sop;=D_U>QY zeHUKEvs$>CgiD^t^Pyous@&p7>g5e<3l+CM8#vXoueX1%fU7(HZ%rhzPz)E(LF&XC zqcD^~;a*7%zEgXJL1+vn)MIIuui{&rL@MO1BX+TTF>{NIj*0lL5Ff17Tsp1% zRWrqpRl~q1y(RJTpDvhYLbMpb@1)M8{XJ~YBDy<6;T{RYH*rBA#2y;bH+S_{Ew@{V z@T+GwFXR)t(zo?DIEslLDr(2&PasX&zCxUaZnCwL4AID!fnbH-prBB!z7ZB$X6}=l zeldC%^>Sa^z8hvimOD4uhT-LTl^EZ(oSjsN&unG&7>r;1pYe@d#=L-o`gOR|1&|y{UDuUwojsWF!ISQr>`9dUw6%k-Zh&? z5;!M~@TkR7V=wdl)t}T9;LAf}q>osdT!5RN-CCxN5-moq+yepMoZ>?Hc3vdGPdv>9Jl^K;*pKPL9UIk{v9xKV< z`o-g(KPU6cvxyRK89jk4)p!IBcaG+-pWKt!8d?wMBLgzH^10-gDSzvCZUaU*0qOg) zQ4?$Cz^I81|FiV*&7xtyY$=Q-cfti!!;(`gKAzk$vY7I0A;n#-pFr+V-oq^EORcn%ZCGn$JTNUm(BaY>!H=y26l|2sR;juB%r^0l@bnp`L!dTEh78hX^ID(kNee}(G_{X<)jls_VW-LG78s3cN zBO|gf_u2f9s(q)$g*l;hq;AK;4#vb`1m%cQq!s+mUOJex(0Yt+WZ)9=!V#mJqZcVu zU6@++XljSkzb6_EpFDx>R3%Vft+!M~(^TNN1B;xybsQX{e-J8#|II0SUaKR9QwUq2s$ts4t$Oz)yX7_SdlN zdcx8+Se;-8F5Mw-v8+d8#ZkEpT4xGBz-H+Z5)i{Qd%*1m2>o@3L`#oK&77KO$PL_H z$C@exN>r1}S()VnB}FM{e$8?ESde(7Ch+e$%}oJimC~fdh;s7_2RUrdMPg<|ldlH1YcNL58tHisY!wzyp$MG_^^aI4#1=M!(i6HR!L-+zkO& zCdM^vfPb}pokxK2uf>(YvQ<}8fkR-P&@>`D-NgQMVNd+VWPZ%`);uL|@gGo%@I!Tu zfsp`*9(&j9U3sNl3W$N@ir!zuFC^1pP+}(SQ1Lbq=XwOS5VOSA=%!jgR3!EYP>yPB zODFti|Ji1wKH0>8mKA0-5?2{IqAUknMOuB_xqNEU=F^@p zH1$Voumf&fjEpgC0B!*W!qzg$mjIHfSFZ&?AOMT?j9_CI6GH=Tz{{{90bZ=E)`i-& zI<&h0G&d!Ko*h++D@&VifwE{0Z zHcAQ%8bzd+Y7i5j3zN=%b?3?^HAnS7r{J~BwdB=I`GpOE1VrmS&fVFm*Vu)Ys1-Af zBnzLE*A{5`i2V%Wz`;3Y{?V(d*ndY>)HS~~los(Tlm50cHpDyGY};*k?hs?vQ(x-t z44+Jt#~2WVKlMwK?H-O7%mpx1tSciEr;jx)EN!2XcjW_PO26Bdmt$X3BR0+@tf=)z zs_i{W_4@}>(1B&e_cf=bK~6jEZJjH&&x8~7$(UJ@g^Vd@p*lL-DDat&%;NzqHf{H9 z9MnkljLM4_u0y*3H$GEVRxZ=gs(dOhx?7izun?ryR8-6h43xs`{Ol~$tKGV4?cIFn zVAM>b%=`CrMkRaQL5_e+3U*A!53h=zIuNF^cRiFDWvS2vicePBq@Ck^GaUKdq)5yZ zsIcRBgGW@&5j=j!U`UMDA_`={Z? 
z{;VNQ=61FFeKRDhai%fL{x=$m2jvnbS&TUWvy{K=D_&nW$AjMY@ycyzNYiwx&+c;uK!$NPZqIYCa^K;?_FjJtl^sELZU z!OTxgaloA$P!w}O0%G;aG>)hJQPWYQ@Y+;ih3%S;s2N1@=&p1$6B*vYn}*U-;hM8n z&AqNN=^E`m8Zf(fW8IoH`oP&sO*0{qhIW^Q1XH(!@!zw$!uqLY%hCbWIT#12J|2wA<3dB|UkRxO*G z+pWnTPR$?)Z|iED<Cd=P2$|Q{DC}h5<9Ywfu9+GW9l?RS-B&9XB*O~F{RoGGxPpjX^b1kuvf(wr0eR+(%1nR1QPpw=@2uE>wZf$w(#L; z5HnJBgmDyzL3@zocOK7IjGTuJ`iExCHQJdqsQdu^DH?h4+K594m#AzV)?K%XP8CQKb<;B*$OoF8O41gpxg1Xiw9*Kezh!G&H;`qCzaPV*>ZhNZSN$5H zUOX(}<)-3xuz5qMtqmcf2!)zA9|IwzXBAk6ik#Z2J~J#U<#gJv>K&~cTx1p!(o{n{ z*Rk=h+1FZZOu|-34P9w(f29+K z)cyS6!Gq=8_K3Yn-E%F`>J``VjoF!T?OJ%fhUTPeA~o=Hq0g1#a-a=FZMVKskpyuY zzlsN3D1Ysz&Q1R+q;_YDsu&}1S5(n6v;oTn>b1xs3$Hg>XRb4}+=i{(3=bZ>3@=a% z0@JO%-RS=r?A0CZV~S+|<9azy2` z&w=nW2GZ5=Aoj4qS^o9dw{P9G_Zwqa1Ox=u-FbMN>?LhS;wO>$i;K~6ZDSkoq~nju zQHdZ++3;=rb-eS$)aUt*j)NcbvsxgP*XQgm(nxXtq4ZLs``Z`6WF+v!Zj-^hoUZ<# z>jiRc8%XuE8dsW2*bpLVJo1U*2|ZxXdLRmC(NFA&TOGCB{+bOqDjkF)D4gW0{stmf z#e8K`t__cpSH(2N$qxk2vEv7_6vgC&LEl4mUF%l^^s->e4rPC$kn$`3rx}vOeo1Q% z^KGFYb6*1Hyev&kO`Ts*fGcE;+Di}E?4)O6=aU3M$&~^h0@*78UX;SU?g_!J3~gMI zye90|_0mDA?*LDIN?{H4kpKY6_Eq7g+DB$8rkp{SF^)DGE(vf9H@jmZBQxnj$Zi$B zxoIazW$#$}{jgI>DLg89akb?cu%>!O0fE!adnpe5R219~Ge`#^z=KLdOTwxuYOuDDq@)mXj?-)SG>O#x?hr`o zVZ{}}heCSs1uFjb1Bn`wU*!GtL0;DGzS%pKc`GhpA`!qu_O8pj)zWwwl)%;mXTnX# zKBvW#&q^Vin=i`>tp1Q|12}@!ZAH~(qN$iUuc)ZMG)8B`QO4fBG(^M|_Uw;SHUIw3 zjv_H>cqNu^##O!6ImSPUg$xfiE?w*=%xf@F&Lky^?}Z1N8@d#8_9N8kQu+#D zD?n`O_tg5+gAQEdyF(z&^dS1ze_z|^oAw|^Ej6YLJtx&oYw3M-{UpvN(JsHiWwDM; z_*z$YcfWH3nst05iM9m&BO}PMyFzqib=abDtY_>o9uF_iN{cbe9&!tws)uIpFaRd8 zM-v~ie5p}1wf5Y$IQo%CUT2E%_Pf_Ln-d7&^@bLDdxWftFv=-PbL^ZmA2@0?L|BBj zi&=`H2LS*_-AjJH74CV34T#u=g2O%5x_adba%WIzcn(er*Yfc2^>jWIMj?@hj%$KQ z7Z(EHgc_K)X3x*Ax(*hUkORts__hS1{2a)5ssQW2ftq8?6qm&u>)FSdEoH-4hi-y} z?>Bn-lSCU;<9s=5oU{|Vv!$1GGi`L==v0Z&h77I@$=e)zp<2mvwo`8bumN1(ee|!z zwWvk={f^U_Cl1NhsD3A;>z~=#q%>l`Sy!0-`e~#JQX#)~hbgLc)`lvJPJ&4qw)@02zu!6tOoKxqQyrFr1~tTN z*fTSB=c#vg0=ms#*)~{USlT6r)l32uOL1^&sv!HC`T)tDUu)Ut&L6X>g)7={HkLq) zT}fF|X)Xbr 
zo1D|=<_&%CUQoRVh;MCupsJ=S$z7SAuEckC#4C^_m*g=*Ub7c|BV$M5b3GDanyj79 zn1Yh8x}gExaTVHI&Is+?+QmQuMHoyfvXdmk4z!_qqduOuiXQ1V0roZ zD?6s{A}Pr(@DDwW%k~&}iF?HtSyKu49ouxOG#gr1_;(*2%@SI)Y20oNRekZI1^}n0_avO0oLslF)c2Zi_rBAfMUAEBM1_T=Zt2?PVL*ljgxWqrKDuAhvug&krWl&cU3VoJJKIzYedKmpR5H>zvl9)$O>Bo#X&9G0m1ma;~8?P*2E+?$41QN@8*ggs`u|V7=_znlzav5>)2G8BK6pIc;Nw^>z z5Zp{qvXX~~M9zHOGyynZgW-{3XTctjCSc^#E*70avrr3Lt&)P`CP4Lqz}=!IB@UM- zXmyxs>vx^iHKwf59&Jxs%?`pQo!y;IwvpW_EsxW29i37)uvVzG=Vu^B--_w4Ch6JpkMIwIWCaFU~2 zKv6t40bfz!cCsI{W0^Vm{h9Ex@3+)xmqQPiC&_Y4WPI@89)Y#sfXd}E5FmS=&kS@K zX8Tj0fHi;Dp~S4H(z8aprG-+E+OTTUY2`F1GAW6;KXEXJbY(!gks3agubPruQ1>KV z01*DIvBvP|a1swjc42WAcjjI2{GY!Okk_uZVQI`K@XY^Sd-r(jS8)tZ5&-;izV+jE zA?wM?TRhxUs288p(iB_P`23O#dlKiPBDnbHEX~c?Ja)TW^xLeazPtwfGw6*Dh~}HX zH=&j@hV|QsWs?dp6!wh{pmi9q(&UG~;ix5Hs66%-aOS-t@0&&ptf-;&5?_@KE7gAr z9FiIWnw0$4K&TQiEqTRl-~9XY{J}ahCw`(v;%uTJP%0{Vb8~MOm9+{Fd#V7aMW4K$;D%Bc@(n*kKP0{ zZ+Tz}h{5&JJ+*=KEqWm12fE>YOblIXAEsF*F) zyM4#9bA4$z9UI@7CwhUJ4*a}UdHoUl%;dtKyi0yVnm7+ng?`&da<2SN2Sx^l{JWy; z>t8xLm|g0p*?I|qBlO(}>5nN@qVAA#TK&k}lkwcK`Ze?hRkJl50x9W!j8{=vnOE4I zQGdc*ZZT@TFej5WL<37w!@9~($E>OlEoM56!>Wtptc4@_ry@fRd$sYG=rv9~& zpJA1jQwoDl-?{p-61}nx$mROzlx7-l6}3Gm7V=#boPdj_530$CtilM!wDK|15f$P)4DG;Si%!& zUG*Mq2{Miv_g^{f7~gAB2&+;C`WgILqp)5aWn2~5WJEAa0&y8 zt0$uqSa6VfPyq@vIOwnxFE_|lP?WHJNlw1f(b0h?WZfNaP>n3qj;~Ei6Hnl^!WUxW zDJBb4qc3k)pPTM@%VH$;zrQpRlZZ$H$L=b$JJ90Yn=RqHI8c_1iWk zv_}?VmL?`AD@=PEKF{y$?nZ`%^<`nwW_#tO&mW?G1br)Y|dD z{-1?1{^S$7bOn;2YR@oUUYHfVQPI!xR@+_f#-20KTY`3zvb@~o+ zFtM*Dd(=WK=KKy+V5kBxDF94pqm#rV6esD)q{ji z1xnzx+GQrx4rBg4ILF5rl04=jCGEUM8+xjld~opDP~x5hJFAx}tw-I1^)U{^7kPI@ zPoq1*DGEm=CKf<%xA{|(f~@P$8JZ7A3)O|1RTkTGOZRKeK1s?2o5_LA2w6U9eNOxN zH7lr%Mlk;50`(jwwSh}l=WU!J{!xJA&WE5io*7DmNq1O0Q%^R%UM(!R5#w!&UY_0} z#Q2rH&RWl6S{*m#XDmGQd1k9dvhn=0pBt0onn2ysB*KuxEytqh4Lk$YI80XTE^)0ct_p*`F20XEmKKU zOTXwC&5l0P-R}V(b4l-o=`*pST016w=p13!&|xI|kKgDtDO*`D>+MUhsi#z|Ufn(3 z+iFW5Xry(^mmIB_+z{LXuz93?+=3+NIb(`rUGyUtrgY1ol-KEmqFRN2P(yEWUhtmd 
z>qmfw(^yTP=Fy->=QZlH`P1D&ibQZFbNr^4C`QIS@Gi3?+tU(_?G8%)HtXq~Jhu8% zn8!)_uHyk;Z(rEG}tzWjCw-n?T4Qw+FSjf|{J66Pkzj zPJ3Vkb;zCEBeeDCBbi7+8;EC+XUu>iEG0W+iyY~xK9iJuwzg0m*CsOxW!$l+fIv*j z6bI5{tgP}BGkOuI5MEFvq`g6L50jpHzY&7v2r6L9bq+m4Aj%%L?_;=fCwuLyb|_T8 zZNic_$>D&HyYOMDRcMC3M*p28m)5+}-=TCsm)f$aoHE(!eou+i>cn?uoyVPT$T{Np{O3Y&J;|unBjfJ&4i?aCK2h1^n7;W$E9NrME&yz-|l$Dk3 zMI;n$?OP6-L-dGV)x7k1(({>@$cVn*6c1-9l#V5qN4IN zt!u9Y+WAjm8|h6Jv8rGg~EpvCCt$qm%B^U_-IpuGMefX4>!hQAwXLAFDIum5&5 zNiEildqZ-$!Ob&=Tv11n!_f5;jq6W&B(s^Q^RLY7_2IG;=N{)PhvzxuT-nb(tN}PE zl9HDn?6q!$0(@1n4tG;of(s_qtVoWo*2d`GPv|BY#yHu-5+sNBnRg%wf9yu(q}Ra> zD5r><@3+Tz@1Neo@fELDijc*>diUUq7F)N#@iPVn1{m6}8$*ebJ69Z6^Uv$GL~FJw zKxht>s#KPX%Se;JEjQm)tEj3vG!p@=-X_U8+7mu0>rtA->3uXfvG@sT67h)Sb)g!$ z-*!vAN<2%;`Wpy}1KbJ{la5m*ZMg*nTB@o%!pUX8(9tM$(ZTIDS{6jqp$pbt(Fkv7 zf!Z3W*YvxmX}z0iO0sfSnzLO~BrPZoKw%H!O5d_MG*#CR3fBgHE%W=7DWWownV?!I zcK2>dZ_eqIWyCyIfN@lms_Xi8iw5eu{jqyPfN0F3{mQ9LQsHi|sHU&miu)*l`Sri& zI$h`TOjWg!75>q3Im$V`CpB!fdy^PeIeCi3|HFs9QdMn~>Dx-!BQ>BfKw3a%$7oOd z_FfJFCU2knAXhcKTH(5v5~Ko{dyJ?qw^M0@+p)WcRV%kz@1nZ+!a-S{#=RAA&7mA+N`v|lY+>Nd%|5BkpZ{kr3PvW(nN(T^$ zpoU%Ap_<#s%;$kDSOr(eYp3)6WZHVVu~Sb5WYz++NGLGmG{`Et3EiToHfoeOG*5Q8gM@qtBSeqwkI zuPp6tO`dr3$G|`f5>^1yX*VDUe|{WY<`wPw3qXCgSzA8o!7ty`3o?|99R{iC?dv6>t2^Z+XJeP;dNe{CZVmkx^j= zpxHFwRUk5tTQVKArNsWHEhXKX*c>wVGM`R751#Y?Tr;?4Ds(A;?sbn*&%hM|pdSA& zb?%uyEF06u0cO2#s67tO%;2JVv-!higm#9~pR&PC^0+!s1YBhB5E(wmUh1$; z^St!EB!Ll&Bnc%I-R(Fc?@rXBBHmkHG^N;}ufXSvN<c&Of@8$S!tCHKMK)f?Xvc&$ z7!3kdf^&MN`;BF=!KWi36OySe2D#rNUN~G>-b2nCX%; zXCJSYsh3SrX)B3&orsX>hQl{0E3Jd8Nca9H-LV3aTqZq(??;jO&k@Xxg7V$BkdGZg zOs2j(+xPz>gD$n;He94aeqL`(K^~0?#B=OYuoiw=Rc9TdR!_=$oua!GEo#=%GjcBX z`HUT0y@lLQqqpkUHtp^Yj&pF_Lb0KHfhH5FscdG@4;SmEyV(fnI+$!W+Qd2ZtJWCy zx8 z$25%T6kIK?QN2-h@~bN@_eK#Ji~1m()#KO@>4tQ!m^*F-k;4 z7$Vg>I60gJBSe92Z#@WQTzp>LvlvVR9cU9vb%VjpG;8UpGwkSUxWu#6rb-%9sRhpY zT#deQ*n3poXnl**qVZ-vbnoYPO{d+Pp{vP*ZYW-}EVW0SL#HPx!~2pso(C0c++Hg@ zf+u{M<+j^W-JP?bzPHs7F*bX@U4U!Lc>>e8;rfgg-)r2 
ze}}Gd&+jhXov|2h_0mSL(CDNiw#c$c&ul|nMmV*Z8W*kfrQkX|ogB5!Gx?{6PX>>z+|EHVC$`6*kT5MbmXgK1f`jp-K2c0>G zv^x1#y3<9)l!>HT#W=c8UQHG2^;E|*LW`|OHj{OMV%+5vt`8j`VfA{!1pi5 zIW6Qbx3*~@SQwyOxP<#gis3t|{Nmvns_I*7CST4eUWbj(3jpm&&rbl_1MB03#tXin zBjn1|Yo>=PJ$I^ib!BYvxC4P~r#=^Gsk6YW46K=9^Ozyo*{A)zfpF+ zS)_zi7fqEP-T#>YYcTrr6V0Oo);J?wY{%3oF^KAUOj#a&I76w=yVq|I=%K6w>XB&540e_mtqOPUy= zGa4wH7cYALhE=1yv~6ZEjLuJ*d63Q-$$Yr(PVLm{BF|I5RzjLd>TFNFVr zRu+Pkt)H;RRl7{?yr$LoONG_ARK4zegkSHlaFy`Wfjl!=3O$=OllaW zJwZ$~+N=y=rr?8dvH;|yw&BXvD+e`JK4&2j%_g0mEZ|Ggx}Q>hURNH`(}y!t{mfLp z{e1OmL}2;Pen}p5d*gCHY0!Sxch>Mk3YP(L4cpk>FNgZ448+7(WMHlc z)GUo3$E!9f1d%+SJrO|X)YShP1>ZUgtuU+QUJEz|n=&~f1SaXIShbZAncuE1Qbd}~ zHY6Mry@pAX6@(PsYAJ|5HA z+!FUce$f{SdQ-qFib~hjc$F^q3BAZNVP@nQ29Q_l0@-_-*gg$3F|y--;=Np^Ss=(^ znn|U`{2-O_=sJ)J=I8C%`WTNo!s%W31_5Z!Up9S^wFGlyZZp0ld;w3{_P(1;mh!l%CxB_mb&)gGzSp=OK;jwy&(0vJw9=&lj&8luyL!vxyM_Xf^ZZH>!BW&1h2|z99$1fWBaydk%j3%gu>Tvy@69%jwt61(-V? zVqOdR?`tQZq@xm+n7wW83&e9bgnp7LK1Ngx&f;{7$m&!D16;uGD@3pAm6PkYHw=@n zWN+N%jNr8Ap%(xz=!i95P$ul=pYQG@#R@5@1+@UoYoHb0omO3)VO*uafK~64^5~zT zfDdelc6rB11qG0mXkM;^Nkv>K9$1?vXh{3_mMdWe?~JGuguB+sAO^4G3<6DdmM-^Q z@JT&yfqSNzI}uu#Au>WbX^QZ`AB6!!T(FKSvGfTNrgws4FvJqqn~duTg9PKRJ016X zimtfc{>u~b#3BalRk=Y|H<;<=+u@QrQcHVS#7go=tx!$a zUT%euc35-Ew<>u=*{yR+rBeX5pDQVswV-lSr8(VuKuk4Ujh@Z>?RAUq(LRqNy1Jas zIogd%Wk@QaKh}=lG>2I%))e(tpwK!gYbWS`EkKMmYB6}Q8@si`d?JGy*ZZOLhwIaX zTD+TAzs8CE6({QR+jrdf(98v@zL;@Y@K0fOL@9q$lWTH3q z7FnD6bw&|0z&@c5@xX;@{40p%c_o86?!uYJ*dDU>G6g1kwBl7uU&&j~?fz92 zh#)(IWD}CSp8)$S`LEJ(9=ETrGzPF0|Fax^kR>n~9Y#w&oTj`tR4c%nXD)NJN|=_hyfLsng!>vh3c z&u(AbbOTBdV+}s)%AY_tkp|&!@ngugFzIy%>z3YgzQ^ zO3xR}^6AI$!2yN##r|3ci%h+FG2AnA@M@&X*HTJU;#va^#9A1 zq)Ig18gw$;G!r0eyS40er8&o}=c^r%NIwCN7}>>)avx<^a-KSyfT#QLp&V@8G>_G; zAH-s2B>vA`0v@>xNxPT%w8o2`k#mAm@>YBKzsv%phJJdnZ^~yWU)RzA z?5qzfL4P%WJuN;=L@ZkzK{o{c_!rD{kF)j7Wb7+V2+0_8%!9ylf)@(aXXSfKiQDb#7!csyuAlEz zkcnO)>kn3FQ*-8-0WSFSb4<7=@gDlR#^d*~ef)u$KlYxBiyaizpSo){OR#r~{(qT2 z2&1K?y{HGfmkbaNsvOU>&YIFOIs9ecrTQy>598}~E_?~ntc8`6W5Zv1crrhOrGq{U 
zYU7YHHAN9^C_o&sFK&e<069c(U6mBVOO=Oy_%Iymua#uYxK>0vA1UUh3NB_LnhOBeE#i(A_T?}raffvqPFPXXPf zb#J)RlJiXH4utUs&Bni*hd@jTbIeBxuO=hN2D2M!9!2!xJ`Bia)X+ynvTDY(@(j z2mbu{4e_ABFp$c&pU&J&KU7i+(Mzk9Hz`S2C51$9sII0y88;BLseV&87xu)B@SzBu zDimEt-^7otSh*mqRv3Hq3Oew~=J3aYoQjslj=AQ{cA!Lf=DV(P-V~fuEb6HSW&Gia zKv`L(4sR-Qlg>(mXyf)Ww?B1esl%4ZDo3+unekH9Wn z&r4>Q6=v?L2Woy82aY8ybAMeRl`zF!2b+zY{dM%&&X6=Gp2SMim8421&*K9@>hTKA z*YBG&WDZC9%yy;EGxkHz{VN;Jir{sPibc(rjlo~eo^z}44}lG1Hx8&HM)H0JO8>G{ z^(rdj&#dx1xPkUqNkGjNR-~mMQ`{#OPmB|!_C|Woo=+RL@f__0-T8g2x;NB``gwjP zr(2{^9O)wwTMS6Q8bQ^lt%yhMoA$5? zc9LhT(Y}+;D`lef86{<=tEZEV#ZKoaTGX<$m%{n>dns}v%LUl$=mwp0b?UR4M+O!% z&7N_n{*EOHuNbe==Lp)SR!F*$j=1bGccvOnkeZ7cZ=rSgKX``SKp|g-290%_`l!g&}^`gy}y5_-qqoZ z-EqNiH!3zM&4!O;Er@Tlon*dGpv>f<+uq~$$K{7MDTp2i8Sv$Y{CxM6R`hRIFq)5_ zOk66p#aTL#hI!Ya=|i_JTPqK%ii0z>1M#$N)D>NLnh_b;+Hj0b@!+O><;(CZ+HfB~ z9Uka@o5fSR0`x+o#oX!S{(`1Olq$cRP!)lSzA+pXZVieu8J5OfBo2 zh|m|SoYfE-<%8wfQXxa`_59Ag?wUr}A){tw;*2hM4QMWin%QN+iQ%9#vaz9IaK2Ar zNwuA&n8jEur01kxmbFIkY&D5cMceM>HhDLajc;fq?;t=j zf}ROsyL>%~Fed`}*a;|_>>8iU2e@f@6PE3j{Vw$v|N0+@N5|JA6(pbI+ZPPR?IzC- z`zwrb9QD?Ctu*SM0oyU(`#8AQ(s8)geU+ApLr8+IC@%k9m!tMhXjMmCY-%I=kP>x* zu*v_8V&Qqy(K7Mnhj{)u@~HmW8c90Fh(XSz5I}EJXXG^wBVt zU_R@4nbg&)je%;>I-T&nX~V{-Q3oyj3MbU>_L-I6dBpZPtm1l9z>$X@T~(qv>n@? zdog>3(~@_XwpelFQ~uA=9IZ#XN$Qg`EJ~|k?)Y(>;#ev2wW8DMO|>0Syq2l0?&q~q zT|Hq)VwpLfAs5vOw-iebf@+7-w|00vHvJtH!1gAmkHtvQzpi#r5nBpVq{L-6ik!IN zC%#FhZ@)>2C@Cxc#Kj>F6&QCt*Y!l8;x$@wa?GY!N12!yg}%sjDs80E2_EfN;T~b% zJXA-07Pn_$T%G*L&{1n!(7?)U-A}yTLnu0uR@^x3e7?T~e3`Tm^1NX}(8|N3B7EnB zWoynsVvrKHwl|wj8W|Z=xbEh^b!9BtGp@}3pV2;<& z8v#K;bLzSeVFc8QTCmbvWt8As;Zo$0jKBrp^L(Q>Hh}x#X?7O9yrqPVQJ4$Td`!5C0OcE6++9OTc6^YcKSKf*bPQN^T~7zi@}Je zjW*>|em?R<)q#I(fR~9;8gBY{+rmN6Xv_-eVuX1W3meaCx4^1Zvtu2X1FF91Mz5l? 
zB@+0To}q6p6p!`mM087DXhzo;W=>hg@hbEBYgb6-tDssblAPB*O8t;ovlWmHiQXCn z_QPB^%Um6POJeZQ2Kk^j8M|ijtaf5ux#=;tCCZqB7tIL`Z)^}x&^@KauZ4w&s8bCM z2#8|rNBL}2)NHvNst664z*nAEJ^^IsVKucJ`F-&ld#V>9Kp2!#d?<)g()l{1E9Q^V zxEjv%-uCw!#5Xp~Hb)P`1j2twNttasyIpUp$)8949PI__p((KRQE?Mz38Tp{L`aeX z)$BT34qjQcra22y*aBhhfo;^;Y43UCfFFU%^z->hF3<8?rJRm+b9(-r4$U>(`?Dw9 zizi&a4o47aJqVuA(-+WcG{%XU&*bQK08=#e(kP^x*;GVtQxtkGL$%L#Yoi40UnVS2 zPgN>Asea?ImeqXR1H4i1%uyLElxEN^RD{*b!#AIW&|F>d!^mk$j^p_Gp`ie>`=nyM z*lVzV$D^b6NXyF8E)JEVnOpEZZDL0h5$X0#AW&LbWCcA&4IdopI-_$kZxs{h`Z0fU zX_=A?)8P5%*Eb*Qmv;Ka2&roOsi=!4|FWCR64!HaEsa1hVQ1N)nC)BRl^;F!Ah5LG zBz05j6w#=Z1U_wOETLHOtYtn@kYB#-K)pj?0N1XH#@#?Kr3NlY9h^8-I`f_l`W_UYr(dcy6rXwnHQl6adO4U(Otyi?tl|{!d_~9zL z%7_8J5woF+8ATcQf+ubSm|(q-%=h9CfGN)(G)`pp%fxI{+qNXz2p|3@eu&HtR>Vm=*4liApThAv<#dUY zSjQ_%CP6j@y+VzjEGS-N+| zgzt}AAS&E;O$9Y7)iZ2jv%3@}qJ&MpVDLluFU0ODTKCb&8LKV~HGjxbqMO|zic+ze zs#1tKKV=j&9T^7DCx4<$H{|G*fPr?JQ!G5;!4x0g-eC#$)r!;2^TNdK49Ax5Ua*_J z014$c)V%Ozt5v8Z^H2P+osSSK@|zHB$^N4G=+F_9st6Z&7Gr{^lHTOZ_l8<7JPwW&-xk%+5LDd!?1K{^XW&BES!a@F@?T; zMNVPy$0c%JWdQdbyx!D@@1hWUA9(_y!K0Zt&dh%>*PVp*=-x>xgg#f4Kt9 z!H31w2|7&*O4gz+Sqv;9!q0(YsK+3fjq`Puk2RZ8#5#x69`&2WJAB*^nfNp_Y~qXL z&woch=xNl>^WAx>eMA6&vB8|d{zAS}cxH)cY~Iw3-cR~uK<;W_)Vz`)<0cd3i7+ht z=9da zmzSicZ=zq!a0?Hq+L@hDR;go2SH{NnoplM=IGT-nrpT8tL8ZvUZd3482?I%&z93ZY z@SY+W#6I(GaCa*N=uqDbZ^|cvtq*vBLiw}ZPzsMGZU&=lNv+L1JuaDr=4vPHo`?9d zPwLk$^$C&lIN?Vdzs9}%*5>OG+7o=1Vt8~Ep-aLC+AX|oqmAEtZVA~c^pN=*#s2B5 zM1yQP%*;$duCeQ(Bxnikb9fh%MsGgj<6AmuRXYB5<0^Pt2>fS%V)~r*1*G182G>l! 
zkP&7$oW6A92wU(}Hf{>dNgP2$nmF=Pd7&~1_sCs}lJhP%+R+y1NVKpFY0eT$gFk!_ z|1Ro+W-Rkq`jJy04(id96)Qih1U&;ahtr+8z=wSO2`mM=_0`p8`vz-tYV~1yPXhrN zR&E50qFwvk`2yMi!`>i<7XT?Jf|+xtho7$|U6LO{TvB$aMd1f*+p zsdVRvQ5GN|ph!sfV1sP}8$A$F5D-RejBp^*Oqvm+{xA3bum0Z8=j#2;?LFr_=Q&S& zpEwNX!p)nM)Ft+k@O3E>aYYp2r=tJEkE!?V2@F~J^r;Gz$6xd~%M`elKJ>)^c-77C zY?=L$F9E2okdxu5?aMzP4zW?vKEIvEv3&kVEj9lq2VplH7{$5%dmWE%4}0Mq%@M!R zhqW~GT+9FY@=tAXZwjX054VfHsiw>wjBTct8c|L}qE*{0K1*HzkT$m`R2rMiI|iZv zKzIGbe90fgqF39$MC3vPtBR33MN9^#*^NO9(Wd=k3*9K;5!XP2tGmX>?UrxJu)E@sEX4 zo#}d|D*y;_W=}Q<`@fL}ErU8ImE^7MZnmg(TcVllM^i4R7q2+5y66}M9-I4VH-0;p zvShXdPCTFdlTA`Yo75fq{N@UHUvyWFAPN@e7chUToyXbTsQubZ2d_}?@-d##`{a)z z50AdC8hxEt!MZ_K$!^Nne{=h0D5k(KeT&HTPUc5^;49e|fZdwhR#FhV&;V@S>2?51 z;-Lxu>krT5G24$G6Z3c+Z-fSiVBkVEJlyT%U`_xq6MUd`pw zD*)8{hGx_7&-~x8YamhqTvI?y)WU=wELbiFWbREYp4V3c*|&AZV&no0A-SS@-Da5* zwtC6cG=;B!b0ZA`(9S9E&3Wal*|WauH?mt1y%YisG#1^bYb#u0UNKw|PxFv^Y;ea{maSzzW1ZBxb>-b0H>6CCvp#U#B^bnhVM1p zUw-TnUGQuT#-2B72Y|7uzh0#d4rS8;Dl)(H&tbaD`kt-^sU#+)0oYvRvBe_ljzN91 zT!cBWCit4v*GnQEI7t96#=n=P4{~-1(~6w=!W)xZS?q9P6ZD4~^L(n&zz(_G4U2ON zqpVBfU7aZxJ(U{l#u7O};UBq|{>DKTdV>?R7f=9$YX!C68t1zC4lVrD_W2*O@PB>7 zO~0j6Wxb+wCQRZRhJ+aq~_ci4V9ur7r=y~0p4 zgMFblr46m7AW0*8{m-0aqmr+R+GOXVHjMpEmQZFUsyWIi`FvctAjs4obRu5#ZKL2| zM*ie-K!T66;9zS0gBasV>Bb9|-%ifY{5h3A?8Caonow=c1cXZIHV1M_85L;C-QPQ< zfi9&l**QgT@7rD^oB%7LB7=|r~D|GYDr zXE=xbT?zsaJnOXk@HLtFI+SfplN1$7{SbInp^PNOwTrlmR#jR8z$^mtt_9sGdjqVpz*K3fkw(WS-1kK(w9s)IdG-UrxmpdHYviv>~ zPlOLm|694P+m~|E&)YJq5sFO1*L-pZ|XcaFWp->ACV{%>Mph^ykv9v*eSq zk7z+t-Ub-dJel*F6w;dQ?T~ykURwFKJU}z z^}aM9^hCbcKMd{@*Kc?k2o`VO!C#{ZNa}a`W@-$~?9#7Z2^Lk{iVqtN1o=wSlCB-F znK|RlZ40jf7=2&CR=jpf0Zo4GWG_7pKk|k0**ffT^t<9<{Za{#sP?oMEpo>Y$m*iG zYj;U&peEu)|LqGFEIG`;TOJJHF`$i=_L%q-Aisy^MwPI3^keiqbWl=_4ba9k;acX} zqqEO_jqlYrH(#f_4uq;U!zdK`R`GYP=d;`%Cd>$k%^Z&*otY~`o2L{NwCW_CRVyLus$U7)vHz}VxY-1jtK(%I-O?)?lX53Nh+?>e>E;t3u{X^Vk@sQ3#&+_7U>M;A5Vpv@^D6AP|`uN zd6SP#{DnUJd8}o3vZF=8xYp}-Qw+e8!1j)*3389!?CHa&z9xCS!|`iI3lFB~rky-| 
zDlEnPrfmW=jZg!=mL=7)Fa%-|=K-LrzYw{{v4sq zQ>*AUyPfxWT~D`}$C(K>95O7$#Zct#>%Nt{*Zzi_b+zc(`0IZ7MwH5%3lC2iCZ2qH zws%@KMdY0_O#?7AXg>7uOc``xDYYOID$_%JEe<4&&_Eg(@S((V1`?@KdM2wF_Fibuf>yLS9dSHMc9t1Z!D_mt69v(^+jldKp$?bS%_2 zLKAu@R$52%#^*TX6DH? zQ!)%9-A4I6Rvl>o9(tmy85oloYyI?`vZ{v{0!Yi=PvfOMSs<#JY3t+;d4J{XUk;hA zJe~sA|2|uD!F3smawLm%)Ajv4MI+yDdmpo4`#pfsYgrwG_@OjxG#IY3pZonKGV$56 z{F)!gSPll(_teFe+|TPY_*i%>Yo3l@^P9v=^0Y~+&X~2`X8ItUk;bgdhv+xI<`vOx zPItKEGt5j501o{|`yF8BG}qjOyN$wM=mQ0>fG|KWOkUd$)uoIAl`ZKK>b|~}alQs9 z;JwGSijEdQ29UTLR#_;l5cvPSgMta9Dh?eesu`q zTdDV@^K}$tiMAo<~E~<*otW-Mkh3Sm5uoL$02W#n{iBJh6zO(c|{6uVGm+ zP33W9aeMMiVf5m$^iID+fH$*;k%x`0J;ErcUPg7?)SvI*IE<}nu6fw4jlDRx^tv`6 zBR3QQ8i!Iqd8>uRBr;`Pn`{zzDSrOF2GEQ-e=axto?7bTci4nID8;LcL2sMd&>W5Y zb;?_T92fRlFKO$EOFC}MONT$aqA|bwPK``nN6}CxlylypWJy9iF+2hMf_N>s5W@FVhLU9kVs|P8gTfsxXW%KtCxP{WNdx{YpuOPzg#_6 z69A^S89CEBRrv_)nB_XzG5=j5%_UT(1`+z)x8`+0xFc%f(refC8_cztEsY%wPkLTt zO3l%FE)CR;2L;~J^^L$(F6w~Jqj&IdjdWrCG&pCJB9uf1A zW!21Caw+-K+_{#B2Cp=(5Q;7-us4>oW7%Dv@A2Gr52M@C^0EkTa88X<1W5s<_fo@Z zBG_7Aq)D~f%Qlc5r45{&=1+7CWA?NTSLo;`FYm{`gm_+F#E484+lJCTnSX+%oVNTm!F9IyI>3FctK$TFML(2z|>Viu@!07B5cy1 z{$;eO#JVd7IyS3k;51k$sErBya^A9`0qr{ubzFMWQLXBpj?JIpU1C)i(jvO=YHOq6 zXhriKr6$$L-A#8*RY_{HVOLO%1n#HV=HXeYeXRDYDvM8Jp6X_qdL6qO% zO7*mcrrTLU3vF^(om4yKQ!U`;8+GF&muj#v+UPJf%@53WjxbXZE2h^se|fs#ke3ja zThG%_?sC|k=Cd$kHO+E+!u|TVaY4h`&2yQS^$*l8l95Xu&g44AmA+YhZ4-2Xc~+L? 
z%^JChQR9*-u=eJ9T=Ea;B_Vo+bRJxyt{}A-JCtCnbTHajuwVt8c?_cE(qu3s5J4PB zPlMG}fiVl86X#eXn~awo8Rrv{f7G{t?Mk|aj#uF3e}GmpeLHu@(ne)mbR`S9T2|pu zlGcpYQB(Mo_M;rM7RQPXATgNy5_R>mSS-g6fm_3?Yb5W}t{tk-;#Tx0@VGrh-}jib zmzRj1I8x0R>C>dqu^3nyQ}G7dVkGR0JrKC+_KlSp<}CEV2TL6>%eCjWww188hOd42 zC~vnl6+PJkrE>tcrU{q(4s&VK{Z-L7VFMdALY3HRV{1|+KqyaNMGoTF_}aVThQ4~H zntg+8-qxwWYl&6k)xg-xPR1j=_W6255Zv53Np4fQg{+*f+ru8#4PGq@48 zp0S~J2a&@aj-`>^C~2%;4ukN%t^Ya}OLYq+YQHjbqsT*hQpm&&kqMiT;cz!| za#avl|MLlN{Okm&{G30lYq{9~(lHaf@r0Q(jj2X&rP;`Hf`4I^A$-fRq-k`J(oirrcq;omfy!2Fz^dgKyY@n%DKBTd-;XapsNzDrKP5T54)|OSf z9kaoWAJ7*vAztYi5MzEl1^uDC6|r6i)rAWv5Le8ePE-|{cGofrPt6@2{N;i*>h}Ftb zAg;EivG`X;-h$l_6ZwF@rPOsB1&Y$5toKX|R&$5)nk*iu)w+z2YGFd8?>II=MMG6r zR^CmMifbdy3Sh=`St?0BidZX_g_w8CeS_TIcyf|5vQ}ZNSJY>YRlv@cQx>hEhWlPf zyZyZ&1Se{op&^3I3&f4JlS{B6%`V{w0pN)MxUW?tRl`#SZK&VV@NmO4MH`NX?}-g! zl8^>#nH`uP&3RJoT-nM&nz2pem#~uC;z~_?evT6vmSrQg-%^JV#%s+F=e)+27+|9P zgS9yPHj9x_ia*HR2bilKjFArOJLG&ImI`yYSRmtYyWL`>gv=(DK>l zdnDO|SVp0MM^jS`UhABtM?G%9ky0*$#oKpRIb2!XGDqXxVMHTTLYShyE4BtZ#WuO4 znH<=hA2X*^SmG@_@Ev+k>7KEixut~NbWQCVQY<_7j@$6Xo-l z7|cu2iZihD3?GkTF(|EK-d=1_$TL%Oie?D#vm-B4n6eM!YTRSeCj8$b=^J|iU4LyP z>+qtR;h6c`r6=~If2WgfxyCS{ue3mo&S(`E!-}NVpp5}-N!eOjzTFnV<)Y>vjPi6d zN=K$haDjA?yzO?_u8?j*x}YiAa;G>3y))VAw`^G$r%b8bfW@b` zWFyC%6Ve+U!1L8Vw^?8=pH)XUKU>d)ioK;-cqgR-otu*B^8wTBL@zw z0_W3>+huw!3NbArgucC_3jR5!uc2=xgL|J~Rp!)4$}>q2D&{097$-SX8|&2MgzN0H zK_N{?ig`rrvSFdQc_lq$E&12{xTEMav)+MZ`j!Fw&LhPy$!Kp(T5}34N+`GQ*GZVL zdo2`;)jN;6^(xp}x@9MSIZPWaG*JK}eisZXi=M?NoS(pZ(i*K9-!zdtICtQA=ujV4 zR8qO^=DBbZ=-aBl5&=nfKn*&#SfS=}1#zm)qPE-_~p((|onv z>W`FGYW$lqB!11>!>rsq<7+F?JoLF6P2+h-p`_d7drHBJ;A@X27hXQlw2K(0OTRzX1reo2>zxb(oSS?Le#0wju*ZNb|nwfQfDhW{j}g`mG)l+j4NMMG+p|3d4ftcyhq&9b>2b@ z4WuhJ>=9ToKFP+82hMJvin;@EQ6ZLxnP#=vb^ZgtIAcdtFaG5vO}N2sx~*fP7=C_5 zXNX=#5qEE^#+7Mlgg zRXLNO;HVlE3NjD`0U7RUV4K{LY1r*DKKY>eIA^o@kIG4cT}Nf<5-ct=H~pnR#9QTl z(6mTv7#q_rKCUHym<;`N_$%;B8bpL*84FojKoV<$6yqnX@XKp^&v;VxhW6KE z0&;_}TtaoKSwW!1<%L1aJoZ+yjr<2lOs=gdGOle(iozcPd7>ICI2#Pww6pCAc4$~H 
znMG#bBa61#QE&@7Bl73o0E44pD*tlo-Q5YN1X zH+xYUxD&$K6j45;R2YI<8d?$>$J5vAxtextOPR0+OhM?z{hbuIp3T~&@zB3jAFs5u znoA&t@PFV2{Fh$!KuwVb8HU3~vJICEYTIH`SZHM0=IzA+jDXXs(Hp!oo&~=sT zT-FixS7V57yXCDn(csRg!4_xw5ieX=DJ>O z^-VqcoWrv5aHll&Qd75jo|5`8Qx*kTZ=1KXu5AeIMzpuQp#`!hxm_}s6}fW(Hc$lb z(n{52f5#+klME^wV>wcXtR+Dfb305nQ;nF`f=dLSDi@)AMZ zBU~bdj6E@VodsQSGSi}K#w$PugcA;D)ID>oV6{U0x#kn^*<2_pK)&3MRLL$9iF8%`Q@o=T*$xAtWfgJ-7j@Pgy4V7)}y&WYTRB% z(BdM_@iUn#?xY4lF1lHjfH1xpY0C_v&Xa8!$r`#bKzU+5PJ-Z-LwHlr+ZYWWZPrxd zka1nAIz#Cb>z1M%k|pK$&!=W>LMqMD4}a+bowC(PHWqNA%4q+72so-KhxsM1>yjI@ z2?QNJ<>qOc+kU}K3m=BS)ufdd21J=+32t0@wI+@dszqXKV&Nb-A_lu2R%N-;3G1)t zY)QJ3O|jO^zTr7;c_WEf^pl=k^7{VFHaX0+p5MK_iB2RE@j${WlWWV=Z#sDWOs1l9Zg|#Al35p=N4A<0d2edHr2#NsH~3%V~R0Nb;#6f+m~OGhG?u_lOFU zft~~F^m?SgBk#?@5XOa4Mn!03<}`s@8ojs-9UEIPN$nWh-5qk-XaJ8c!$AGflw_#u z=H1Tl$sno508DPMQ>?n3O8rd8)%Ng_9%^YE#j@F}$}2mC7^qSsm-`}BPC%dPf{6kDl#_qJnjbIS9(>B74KqY&(j zpk=LQrcr*=s=8c?5%j3%`)cpS8b2u-$8rC1H>DciCYI)X z{)2V?33{7B)efAI(;&FfJ$AW^qaubF{CrTmWZ#`-ep$iUwamEdo7=(X3xHL_Uj!?+ zmpbsOzy+3c+b?2lUgbbMB^ELKHYm?f#lag_TfTzp5o8wFe3J&HE54;4Yy8RbF{|EC zLX;5Yvwb%jJVa?Ir0jA6+&_%79vQlnYLW)DZlQ2`-aFF--;gB6V4J`0p&xw@UO*5m zO)OzmV4?ea=qFQjp2*z7NXQJ%@@Uc8#KRg|C|!EDq=wnssK1?J*|6#isR(F_i0IjQ zMIk(NQrzdq`b6gD?k$|M43+)$B5=k1;^OFAWNG^XGc4U@OXCV^rCbX~@~uaP_LtuwN=Amy z(+0UcS-Y937@5)aiRE1+1+_VyT8?@2>tRBZZ$>iLA$HboAT{XvM!?i34e*x+0KvJf zM?CCAM2RWltAvVPWoHKWC?)`xzu$&A3VnRIR)@0ApK~^ukIfPrm`O?(tcG!4nfr^h zhtGlUEzNXwa#WlwEToR@yDZA(C9~1ND-a8)hxm0nX`{f{xww z8$AQBv-n(o@?Mr)OLmvq%e-$QY>Vib#Ef`(I6F-;^<1fY;D4SKCi`=DXkfQqVG}xpoB25sOi(HnYQUm`gArj&yplf$oAQy!Vjk1-yJ4^Y&=?aC22x{z~~knsOQKK0y--lesxGy*^*E)8(nO2JDB;jU>U3#JF9!8!hg;? 
z#UEn-HC?#x=N`!tvZ2NIg=}2mr_FeJaHBEM@c^>ezA`Q;B$+eh1QZQdc;_;PSfqVslan zTY)|u;5sOJiii+_D&$&(syaN&tqB?Fl&OdtFFz+EnilkVnxQ7YME?-|5QlJWIO8#J zFu}$OXH==>T~|KdZ_BVG4Y3LTgb1vVu|0eG8$ec_F`Xzs_u{nsYBqBw)o1FUFv>_N zd_@Fs;js{}?Y~59w?lil%7CNw>Q{#RO0V6*v!+zb)oCr0fZ%`JpQgFj7U41Kv-Cq> z$I|9Me!QN;2Q)#Up^PHvqp%GKAh*Z5C4<@&v5nMbB!(rSxb!N{82!9= zE1}dOHZ8*Xx+c4P_%kTOFLi-tEzg7CcY=Vhb}KL*OaF$Sj?AhE(q?%%G=)gZCM};{ zzOZ`B1GM5}8xpQ3Hx|aCOe*^6h$CYYgeaTtgXpUL>+RFP#AWXRQMxmNjGdFO-nz1j z>t+FAGax3Qs``TJSdv#L1;D_BH2@LzK{i{UmX;wmhq~p12G$^2=uHB+l`Aj$+W^UI z7QBC8IyO6k(adT|p@ZrhMA#E?Cb+QTFGPozCpYEwSJ_o!5B!X7Ea6ud8pjF#}fi>2IZlI=6VIC=L>m~Dt#lV1a=^h4uu zvzATT)--es^X1Ez*|Tb3UZHMQ11CSi<|x6_nEIJzn3w<%{`i589cl#A^nF`S8PkOv z$4K~lk26j#0>yCoR>2l*fEBbNo^>=*#VtU_Zv`EzF`AFJ2q14ytH=aN;06ru zQe3ip9OtH)@5y{uW5{qE0ib!R_udm~o@QAK|0mp&-{Jl?r^NQS?E}qx{V0#C$lB09 z0i*nFS9q6Yni}@s5KR%r^LL^P@KssQKj{;|&}{hk#hxf`0qSwY7+B-!w~GL_0T2b~ zL1_Fr4gGrJpPtm1=~dofk$xIZ%xa;{0-Ta$c z^_V8Yx@0in(JtZdvt`%&cE;9$f-vP{r(dUr!x?u>SY7%adnYi2 zxChiVo5n1@INFlL=k%@P^m|OIMDjV$xaqk>1Xb9$uHDhnMhl5tS9d*kM=M}tI^ca= z<(bGQoKO#_@BQvGH2E^u|0UJ@LB&&tKKU~=eYHCkPq*+OAPwhnxc~kuU<}X{ijmiq zeCp68X83vO5WhY`Ux86tzd9rO$uDU3)(`LWHc;9aY(F4<-Pk@gZT^kx8#FCVcKC0y z-(@uAUM(LrL%G>ufn*XlGs?v!#Rzjp;0g)r8#RslC$uq?2*QwzzK{Z_R6o#EGx_He zk1k!Xpo)m8+%3_1`=vPlQKq>MosaoL&eP0e|L4WV+^g<;l`lpuF?NmaaQ1g-diaLS z*SJ6*X9HcV-PjhQsK^Qs{@Q_|m#k#a5ocy-UsqC7N zUXkA=yvj&Pv1}tijp3R!wE-5IK8d&gl>i&!+3JUaTcW^&u)o9>y{POpx+5qR>anjxI)rsX@UT;Y?jzGn?n{R|5g#>Bt-4h2zL zW+9Z3W&7mf$%CKZkyWOdl6nUqCW(#>6QQ{_ddMBR&B@QD-6?6G>^AIHz4F{@RT86e$1uu%xw6u3_yNa*HxJ(YC7}KAJ_owI zCnU%(S8ov3P`-G0r~GZ86bE`ti9n)+9DNA{ALV+}tMwSPMC6vjv(PYn3KzB0K9e|t zESS7QS{vfPIIP`2*zcT^Ozjo8O6R&;^<^|{h7VQr&q<}BS!FXzzV0fJh2QEtv6RT@ zKF}q&a@#6Ul=G^VJ7FIp1tdI0tau?@7yA-6(#ne_95vMj3z*6~^JSQ1uMx0$Ar?O42C*tV8}ZHN|Gs)#z-xdOvx9 zBo>4TyRcgha1rkEL0`b`Ea@jM^1nC}U_m}OeQ(rfWM|&{8OjWUGmghXn=?x0}g8m*C7fFzElsltTU(mVa|~5LjH! 
z!;TaI2ggRVGj?c%X=s1;LoWN3WdHRR#ttw>Lb{l=b`cX@WI5gkEgxlZ4c`chdcSju z=KU!XQgJHJSRh{Ewg3@4Bb#{R?FZ$(&LmhtrR}Lxs*v>zR?6gdiv~1gmRCr8r0HtM z+Y72t*RsQDt{Nm+FspW2cCe*Rwe{(Z$u~TmzE>Un(ux;&wHFH~Gb|dT?i=pjH^g1w zN}FL~X2{vU)0k``yhv#2J_#*&JPLgAp+hRRZ zsN6tt_cFXG%->{%x}55Eo|v-%c?%jKCqYV3;xiVA}dxCz> z$X4T%t9;h|s)WKVUiERGZ-Jb;(-N6qozdZbcWwIBZ3xW|vn*L$Y|-~FO2}4w0IhgR z931>;w+W|9c}8jwPbvkvtMDYkf^So`HlMNhsS{Gtc%j^fi=m9lg^Z+aFWnM}#pTRW z9qG~)m7Ox>^=I1xVe6Bv9!AC%1VWVlGEjUt(3cZIbLZgiPq$xZsFODD%uPqiQzVe& zF0jo(r$1wvjFd%}u{tw#os-*G13j5d?Dpsoouw9yM-jB4;%;S0Zd62SdJ+U58h%U= zEoXu`H{xp;zG&Qo;pIiFF3k&@_#g>oy*A8Y(II=^Tu_gwpM1+70a3ccbtF zAH%{IDs!uwy#7UcJLEH4<;5uW|~w6|GwaEXj45d9$7Ey zZX=M61(YYRDM7+jqn!^Ox^mA3(rHQAqK7xSH=jIVtP=TC&IY`z&YOIzCyN*{bQ;0a z`9`NLoAS7I)4lp=U1>0)R)SGzCntd@H%AdCJB$7VNI^?@cjusf#Le_Ruugy!<*|@x z-*%kIgX3k>)8fJ^F0GsRE78!v6NJoQ_ie*7UgomP!Bt_tsGBCm(>wVQn~aeaI&Ma~ zo;GfFb@xd^VkUDxP2k>MW;Vv=JZ)JhKJzk!(b}wOWK(L{=US--Cm|5>gr|~l+FSU%2|iFYgb!ZWh!a?V>JPKfrZIN!@eGE zn>kO2pTc&H(gH-HZIi@ojVj<9z2on{g@{hh%tk}wNR z5uO%>r!C2|cb8H=uU=GA3A|4X6wYuRivD&t_R=Yu{bE3p|GQ!u12?2KAQuqYtNxb@fbScy*t)=(aJ|Q!fvnMXiZ^FByE+~c zxLH@D&*0)3UOqmG(IRImIDR2e5zdn4W619peI!~FO{(4yr*3L& z`gz=i-5)1ElxhWYCTw%RwfTU@JehLe(3vZX4LN|DF6q7&FcDsf%%klX(!Pux&AZy4 z>KPvpN)*II7mB+Kouujgnc%Mb|Acs|ufx0najnun+W05|aoW5>Kbq_d_UX2V>~J6H zyi-+5w*I2Aw^<~15UZ|#^$oefkyD9X98)0yC#@A!0e6;l-nYfQ<{F$>jx-h1+Z43; zTHfS*j;72>^1lkDodG~igztXUZfJ34?HRdL?Z?JRI($8TP~XxY&9Rd9_`RFQ%0OmM zExCRrQgc@aUNL1?U8Tmxj~dr0teE=7XY!34if!D)X+*$0-yQfXE7Ro5fB627ISnjg zLO?e0bk#W}qB zH&W(X_M=!ThRaIQZTUMy7k`LFBBh8;x^KmM3R8=>+CSWQtQvYLRl-=_SlDIEp@k}O zj)e8e5p`WKdT)WD`QiR&2p%)QP|!=dz=iLwJi#pZ$h0J{qIppoENY7=xY;Nb5Qh5H z42(%uQ{R2dtJ&=8~o6cIt}8!^hAE{oVps zV1p&z^%~tWBmoJZ<&oNSF?Z8@w1DlR1(tSvCp^7Lu@`eUF>X|@+Z4ydkg>q#yjO)1 z|8b&#(es(&kVWC07Z38<#N5aZD)g2~4n}vd`y1Y5Qr^MyWh$b@$ltm46PP|u678~w zYZ2K7ck6X%P^IqpfRIz)n$oT;5sfFPd0PDKQgXr8DtldX;MJ169DnP!H=-89`LSW@ zYxj}DbEa+~rDfrX7%cyz0%OJS?O3-Rbc=E_q!0jT3{pa}lzGWjS$4<^F4K;q$m7 
z6Yf3l2|R*(_mu7hE|s}D5%6`elm=SnPGMLo5VkZ`pCFS;ymN;O`oE`G6DjhSX!5_A z|JT{$u8D%YRKd#j^3YxB1u)Y?y1&}AI`~tx`I$JDO~_4Zbbs9!Wb&g^FDwXMvdMtSgQ2Lor1~$j0ZMX+eZs3Zr%FL@H5Rj3JsLD7F1~D zN<6!Avwr8=b&QBPyd>Q^wAWY6ZnQX8N2jeGRIlf$_Zd;q4DrbF%4spG4MG@wz3q5K z()~pKP~U(4lL0t6s)>tBF<;~|w#tINrtq)(k4c-&IJfRLJHjMFe?GlqOW;bJ3&o^% zAvtTD7wZ-1Qu)S=kL?|Bn``%(2#r14;0H;OODOP64tIZhZIecS^y~)vpyUNlYkV1S zNmc4X#jGj71^opt*gH!CRsdU`UgMZu1@8PIN|%9X$x8MxY--^>(a^`}s5MB-> zRj9d(4pwg;yu6AgGK5q{jhv;rofzQ?=2!216Zv$>u+Jb*Geo& z_(?Di&E0eTzsbT3oFB6%FMt+9%3l!KL|>m|vb>h=1$T1Mgu(SJL(v=%z_;hk?4U?y z4*VzvMCns4`o`8{2S(iTFO|t z_NyXxT8<2kKe5E_Ze`$lX4iRp;;bybRQ$5e*~(tP@c{b6Za^tsdY+nCLYFfGWV4oW z{g#a&MKdH9n_`)>MpCDr2WsjE_(B^VP)NjM@B?w9nl+y}HyAez@na>Y~o{za62%l_y(@sqUSZN-*r(FKAQ~hUy`wBiSrUjW6a-JFK{yrqKqtL_> zJmWdKJ{4&kC|EFrlQK(Hc;M$9k&n?4Nm5yy(0`n%IluTgTMC_7nluTvkxBkx~-dbJsvfnv`#r zOMNzE>mLJ5kmnXKz3A--%XCsio}ckKf)obcyqmCx%tZiq!f~)jyUFH(?Dz~v-@y#R zGwPcC0^*gM_q710cvGH%=Eup5xrl!NG(Z4<6ZyxREJJaPLD$06k=Cf2lZxN08uT=R zl#7~Ajius>9aztI>G1~mbWbgs*ZoYHT|$;dKp+@w1z^@Cp~ zTHN0k!t4xpSvbtK=~7U$nWzLktCmEcph=BVkUrMJfR2xQgE>##iZ$EZm~4}DDL1Hm zLyTuUi07j2O_=e?!M>1Drni}fVwJ?Yls$oqj+xB>bG0YuyvbKb$^M`RGNf$_?38gH zu~B)O7Q2$vTg70)vj&D=+!@K9LZpw>G6$DfoEDx5O1DX)fF#Uir0sAp*3v_kP z=Kn3?6lF}%o7iy@L{9ogIabZR^Yh0$C43s21u92zfP4aKJ~CT8uukMD_m?W586)$diL}5B zH{w`4wX+|&{u=zH{d!SIqjuiR%(|raVOu?LDbDHx6I?L~vz_lTHiVF|D{s@#oBvo) z#LmS=^cV9W=o0Nps10Q`E8oe#fvf8GXmM&+KSI*Q{d3b7_msGV`9`}PbdB;pn6fkh z&Cw4t!>O$5141@VBBB?#Gy2y683Py-$ro$_$M!ZWkEptck+8-K_FEdm@neN>lmuYC z7(uIHULAvX4!Ylpu;WUxKqZ#!3%J*SZSAg~O(?|?Xm15nC0x0%__5%oWg{eN798k8 z>2j1GALQ?t%=&+P>n?A`SLe-{wiZA-ErXd-9-=GNg2Jg{nB|6A@@ftL<___&aZBmw zgY*QY+_H{ZwSgS$8x847?yMeZs6Vi%NmWya*y%k#}A>81=!E!h1qmj z(aQ0scb`3dk}d`s>5w=j=xmV;t*uIWsVc6knhX*it%_5VOKg!T?{M#(gS^!WJuqDP zv?!NY?$Mj96{b>#-zc%A0M}aSh}u>D3r}ep^$LDf45=7c2QZ6jLba#!tgTh-E*!%} z^Kk-z6OSMs<RG}=j1Q@>(99C#D zFp6=yorQ1VB*7=F!3m?EJkFm5?(+rw?cJu5#2VA^pEp+q#cG%F_WDYwXsUcdg1*ba zXsX{;vq>NGXCLeNFPzaa2HK}i`~Rg0Ed0dao5|C9%^k8!!<*#x&d8R)Zw4PP%!9>R 
z=Z@F+FB)g*O^wLEG{Gpi9R@R7qCk&q>i=DvF7dWwrjy!i5f{a&+}Sj^*$n{*Q`Bpl zz5{F{K2I~4la|+kRoF9R+I@8Es|@~oy}=Sm2ymibjIszD1Lo_Zd6U*`XUjQJ(@^_| zfY*Oe?EEmX`$2~PLeFPP!ju?U#?%%uYk()q(mZ_!Z_sR{%-Agcav2;Y2pz-0?C0F4 zqA}D3dwp_dx#-|qdw#S}YZ&cG=c5^*CGe+$AKzrKc4ADK2O17nqHj!&B+;IP0`Svm z{cAo0yVhdW_3!@y8*#vWKW+Ee)LmE3lyqq*E%rc@H;y-J==^D>3(adQ)p4D`r#TVd z6gMihzMAz=fUfuNs^h6imlZ}d(5ETf-wVc-tO8b6jwHTk9K;0;Mipe9 z%Iem-)j5&KUagl_JeClL(|_&DQD7e0zb3U<^m zpG{k-_i(m1UrM;Q#8og7c|Gt;Y5J=}0<#%h^zU`Ru-LKG4Y=d%-ae53|DaRToYts# ze`$LAUQ^<8ao=Bs>UzJ3KPGb^RF&p3dxbp0YNe9aYkGlny)JN0asqe>&cYinmoPiX zTfQI@dbte}{Nt&x(~VP4OW}~;zHnEKW1$)2){05x%LI843jkp`91s9d&)8%BWuVFi zV7)PPb~)iIgHy*3GFnVk$xZQG{8uG0=psGUk-Fq4>vPF_?}Qdur}!N*qn9m$W1s5; zpQO?M<7u$$y(@y0Mdqys_LBt!?hwIJask$0dXYG34BT=2J|;*keXSwd?s^^pxT zCSJB`?DgVa=o2s<3tKQtBrir)a)}_k3A0;Yjy0@Z;cv@l8UUq_-Tf3%OF#&) z)g>Z0lSrtUEH8txeO|~u$B}BH4Zexjod943U=cgi&~7}T=8d-lYow2MAyer2Po z%m^pBn&yc{tAy4MLo&GSW8yRXR-?R9DY^@X<2IRv_pGYF-8Bf>AI;NDuCP{@XSB`&Q?B8KfIQsPg&@r;}5*sz{4nH0WYQDUA+o^xo0Bfsw2Br>?IAmaJI~0M=XARjehV*efOUD< zimqQW2nv0Wbd^I;Q>n>mplklwp%N9}uwdUUCB8bZ)R9xcJ@vP|o%<2i*p~d#f z%9{LXH=U1?=rG$HK19W(D8Mgr8;YM&g18nE$yaE8aQwEqtnl_qe0>hgG|@St7GCO{{_~gqc^b!izlX?rB3Hx3C0oXmAdzCI zVgK;FK&gHY5VlX9{UY0`UAhx|VFHq8&>>_^tjp!FxUg zRRq9R1^=C>A5GK03YS+x)b4DReZFcwLCWW>Jb|*mI{*NY-rK)G-_xYHc zdE};}QOehpc!GPlsZcE~PF|ULL!M4gKAWA`I$dXtdO>qH;WtG5BU|0ynCgWSwMbk7 zGwpngj-rpVu=sNR+bEI=*w({bGs(;>fDLHyfBojfUign;h{Jrok=j=AgI&N4MCbDs zp87woz5*)h=X-k*0ma~}B8?byNp~sI-Lj<8oeR=fphyTvcf(S$z#@&Ji*znXqe$)2 zDgDl(;_v_NIi7M8OuFYGb}4ocwYS? 
z2%%7#Wl9E2xLWXKR((@Tafso?(@t6P*AvZff>as!MT9-HFT40!$3T&}3tL_=(N4R^ z?m8jFkon)Y(SRQMHt=GId+JUcyY0Ix&h9U;B|nzJBdl*W+gm|CsGoMd17jr}{I2YR zaZ6x?VOfO&H(Oz=FAB>n6bweH7Jg$(gbn?xa~+3L(7!kkaN7HzZ4eA8Y!<31%)OKjPp;n z|H*qx=_rt`1Csp%=q+#YrF)g=;LSd%v>}aEMlrx&vr&(tDJ}vHhrks9oTjBt8}Ov_ zeGnFQ$@{03nq7ATIH#5=)&CyRWm+w@l|V+uA2;$&s!xEQZZG-uHVCoE|GK)eq4wVE z$GS{?+<+)hneV1|XBK80vXJ0_)KTh)M+;De&Fd|D)ryRc4yc=e?M>k}a?}B)fS>z7h(MEX4UyY3;}fIt#mVioBhT*nYgISXDr2&Xh7%Ckt`1-&Z_bg0F}WD zglmArPA-a&zu;cAp|Pm(a2_={X9_u;|FB}~F!+Yf1j2o^a|nx2!FEGiU<{)!KWl=_ zpjgjn%AQu1y=4aq(Q6i{Y9lyD>~+=uLK%alk-rk9U-V zC{JkL#9z#py}~pU}^< z{%lJ3la)WRd%hqt%X{b3B_5MQ>Hi?ky10CFF5OwNqk#=*m1RyWhdzBX*QOnvU)r;e zfj`!={nz`MV68!DV#01$c*&hY^>?>g`7ROM?zfu*aQ%LU(1z44(u-gDo-;)Vw;A*& z4N(VW$P4j}5A<#}yB4aOdl7XArD0`Qm$u~UFBHzzIR5D^Q$Z$f0C@nN-|tPed7=Xa zc|#|pcgb`YP2uO?!$?4F*er!!@}|X?aPMp*`<*5RSmi8un9 zh96UoEH^fv^Nb>O*vTwFNm#9jc(|trxRycf`0*RV7WAlN?Y&$Z)}&6G?xW_K$NhvV zDmh!xX%YnyzEk2>4t=?O`uqbjY6&sg!~vU&JLsfjb{iG#w7ZjQ+^`3`&Dl`;JRV!y z{3NgZbJ{$=lfGjQK^#0)H?vMafS(JdYe*w-BdUrRK`XbV5$jOMSL)9)2r~jY!FKhs z!vCM@-4SAeXp`ubG%1&yd4)mkPVrX1b!^{ z0-Grl>y?7;-=g}HPHOU^XwO4Ohx>pvg&ij9)(iFC8N%LVehuigZ8E~Z4Jq015&V)_ZE5C1$>&@5)B7S&@S{nU0u9g~L9~nlDZl0a%C2ip*N<^Sf&| zs@Wf3f>=HH>nK+XUc~e-e|`@vm{y7kNQe?+b6y)KdhuJ!*{h#VT!A>to*G;_R|deT z*+elYe2?@Bd&DwjZSr^kfYs-(eWAh8X2vamPLero_*M&Sb90_sn3I>{dzgV>h27}S zK=zhx5#qKc4}gu-2m#1%Ps1+$`o@7Bxn6|;$t)b$_wlcj)2{_=FC<^+wA*QvT`D%O^ea~7d-y7{ zvs9;dD^9?fx~23mefc(?DcQfTdNBy(CmU^o`G%LX6z!_qa!8|j+v%Uff7gl}mrfkw zhNS;EMKZphUG3{XNu;l;TWQIEOwSm9{RlY1@Wl|4jW7Q}gf5+~que%q5dR|!oa?Xk zQb_{;i^1XWk2DITt|Qmy+HXNtz5jLMy^)?MBT+s0av=#(MZP$kmb*l{aTo`9TtE|$ z>(5W;?HWK%6Ut*)iq$ge!3x{9F1wr2t0Kg+-vHzL;1(7)5frBl(>XJ2S^Q8WbH({? 
z0%d8oIkesFG>v4-lofhn;jP@=sB@6IkkhvDgR+aG4-rN~SmxD&aMasb{+E?Z5*>&t ziJu=zkS&D&w=3$?h6-8LEK5qEK-(k+Cn$9NJ`W%tHV$b_MS=`i*i8S4e4HY*e3zhX z+Om7YoaN--Q?PoK^B{0^dBae3*ycgIWGcV`kv|Py2I@i`Y^>~iaHEv(8ED(x8sQnn z!bqRkTiMJ1UhY+zzjK|A0vU-P1eSL{i4GN6YfP}@-^I;{7+E<2CAc1q%Pv&M~ z|JDNh1=su?F@;%L(Te08rCCjR;Pl9vWx~If89yTDP3$(qFda4IRN44D-ew%WzEWz| z)G|W#3}b&8yE^azC*PM@n?C-GAG!i*a{D{;fmAb!p!R`QRRwSrU~c}?)Z)trW&nsR zu?szahW4!$uu`j}r(=+%jM_%Yz4HvgVJ4%>I+^FgFMufkR^mQju!$b7Qv`OOlF7F3 zmP8g0jM2MMs-_H0Zu;o2>~3s3?K2oWUp6tfQG7a6GsFn-7B&5Tmw&#$^_B7hLn zj(@6r-{wSZR+Z6$HXB|_X4BDaGbRR&6G(?JHD%V6t|##)<+Fep)XjXWm-!ZFlG?bk zmBMQ!${VK5RkgIfIxku(3YtN`odzwHuuFSuYH8X{ z7nyIUVYUsNdNN-c;fmHyUbBWKj3qR@=&8uqn)F%z;7UpHlH|^YuR=OV>w>${J)deU z0RRtV!nucE50r|eAQ~1ic%sen>pWG1t9X*ZA~6Ohz0Q+K156d z-AH4#^R5|M`ImgQZtl@!~r4OD+#E>2aaSDHo>1-3Xvf7bYJC zN4*tQ&j(vdM7QeqPs_vK1X(2Zi?7_z$oI`)ZkhE7iT5~#Q186~dzjLy zz|cUajoH;K-NP#MX*24bvVx$&_n{#jIJ!x<8<~>ei>xaI(NgRLn++E3vXusl2TA;YX)TQhJY)jT6WX~j7j7OGGW8Ep#vRvIaOP)30>S!PXn zfOmoM2Llquh4x1>C@0hU@(g$@)24NXj%SoQWXcr!8z<%Ivq5~&yW@!5ROKnA6cV5Ik!d#^3Z zzHw_Kz0me8HrpF$Wm7V%LA1wXp4{V|#)B9}MzfJhpB0vtqtzWrpSDH4-+hJTM6=Gu zSXxqvAxdgBysFagXf3`8b!!)u0cI8ooy5RMA@N!kc6}ZdRSQnXLnaG8lL7Kcr49EB z^-81YE0KJ5AD?k<)BmZ+ZOdj7XNeOIUHv+Hox|JZ;Dddf-G6g=g4c#(94_F@o*Ud= zWyD#iC@ijMC`9r|Tm|(wF)?xCrbMcIn+FXC^qWf7Nzpz8!u%Wc)9f%UU{CL5b4Eh$;`mCPR=_W!G%c=&gWvyH znn^&Ph%ey6L9HY`0Z=7u%O^Mk3~c0){e2{swdpe_L_%|r(}pu{sJ~mRw06QPZ`o(k zhm=c2LDS8x{LE7+;ov`%sILuuoF=X?3132+?!5Iqr3cfyFF-ZIkc+yEtB1y&>UU&= z{J7Y1R#`u(0?_Vy#$^hfot@Bf@0^Zk6=*ZpLku|c4EJJwZpIF~7*QekVxafGzO4HC z#n+*N#Z0tW3KyF6+D5WrMsgs?ll1@P2mwd&j5US@3IxygvJ9Z>Aa0pODkFvxrFW0UkMmMW7bRx43?^K&BsL5h3rye6 z03pD=0ySGjah(SsgVoZ4KMKd1z_oK9s-uv=o3Dl;1ZvEH;qI`ApwfY#42BTB;P zI>Pu1u!WdlEF08dJZqv9{yfXjA#1Xx6 zyliC-u5LL@p=18<;`}wb~pJs7N-e%b83kmG(D_fiSuap<}iK%S>#0bf9{8P{vg0zVKMzOG!;^Ei{(HsK}H{ z{d909lva|^jn!P&Kh`?InAuoQOH1w%OJip(jTG@f6=@*A3RxV*5b2S z*tk8q*Qs_~!m|)6u@_0gOu=p!@JEGLW0H+l!JN;|Ryv3X@Ml~cx}o@rAp-B0%&=%q zoa0z}z(L=nt*NtoRE2x%73e5(Ye1{pW&y#lmnHdYtmCLW?P#FXu6eK0 
z`&VRIf%;U0?C*i4Yp-AK9_11gN&1vHc~zrZTbaPpIqNffoE>qXq#NzR1kf`a$E9M@h0MROO>3 zR(=5i>&cIIYPK=$=x^WBYpj2c$^4#&K-M@bFr`w!$Te4I|BhH>hfD70MSX|;2VpLU zo47pzwc^V@E28MJ0cM4^ISz)aEDX^spsro!)1!!Me`aCkcQZYFe91~IcI3eDQ_XxR z!PPC|Ud%Xjkgxd55oj@drh z65&RpH=N86^UGhoU{0wXQ_7@}VA$~ZFT0nl^VVzqVb09&tn_GCM?LcDhK`*$L~22p zkDp5pYzml#ogLuPi@Kx7=w^dA@B!}Bm)Zr2mG$fI!+Kwld3Y}DlSr_(voh0MPT6w9 z>&KmeYvMU67`h-%c2UrIT^wc8l4~NUdbD3@7Ielk(BxLU%PH{h@$TQj$Mvlm^v$+Z z@NlKA6PG?VcB%E~nP`Mr&${L`O4B@hZi-^DG7faw2EI!J&wI@W+HkV?-D_)yML zI*Iic%hgy96=f7DF~RkVsfT=*n$?9!lXr7>urKeI2Mlsul=)Oncj2ru$Zuavm72=l zs5Z8A;~t{h;w(yiL_r+Gdq}!!_`u-M!#k#lF=YsMvekum7hK6U6svXNA%6jGTk z0aDawARXuby?+ikt3WDs@@$~hbidj!{cb29FSixk@`sK9*Zdwl`%A&7j1v*+CTQ8=SIN}=!PL*tSI3W z`Tx9+0?*`6zeNGu`TyypHP}$b=QT!@UIR8SoS5ckjU%T+rV4^ecjOYN*F&2%UUuR* zF;mr3PR#bK(hdB4%Z=M%Cw^S|FCUnHWeGf3yUa@?R)lbh?q4T*Zp2$?7S zIMeI&zaLR(`f)9ud<2#}5(1ujbeg5izjCix+q0q-kg}_}um_myeAb}cn`HUP?}?MT zq(9h$0qgUmKh|yK%oOjxDL@oubOP+On(G4I7yS4BcSTHy0Bc)AI0O#3%gX$QFQ9F% zynh|~^p=!MnWH3Y7%$zM9d7qX5(;V1y5=c9ibRh}g8gLl3JJ=(-SzKvTGTdMVMY=C ze~_1(o&KHnpfmY5+VwFMfh0P9(E=&0m|7CC%u?Sae-+f#HuLhmh?T>KA5Eq1Iu2(5 z65faQ%I|T+^Oj`iY!&0!ybY8;5Z8Q6Qbkbq=!9!Z?A`t2(b|my~U&MT3f+d{Cj<9U2v{={j)w&PgsdH4N!i(vw?`=+7_dbw@G!rJ~n|uUfwkwh7-#if{?&!EdDr~EKHX4BB6O` zB>mDzyw@fjv#dZRX=S25_`S zBqpJbWghp}$1T|jy9<1i4?!K1kYA>Ux&~9aJL8-uDMSb!e@%Vh{2mbLt`FRk+2YCe z0;22P;SO}pxA)(R=_S~!%0^jG4rgSToJ*Z!N$LzsRzD|%Eb`O4>782WZaF_kVMaPq zs*&7Hf;J<(d(y42Q`Km9+xbsqYxC5H*|S%f)QOL{ChoG*jF9Zk=m&GEYJ% z#+KDD+|w8Qr(wT2ZJ|x6dnmPD+#5E-Y823EF;WMsO%3?2V-&DtA?N4obe#S;a9N~rj;M{BM2mGE6!{FZ_|C#jsWuU{2p(%*We=1m;k`=a#l>Nztx z)|41C16P{S73L-v1uFztpUm%XCpDbket+{=yt^OS#rg6XUh6}IgTbz^F>Y6BCp@EM zWG)*rm9|nGaIbrD@;KnPy2#_DI@Cj7&mCh#%u@?b(@-$;?^&Gb^g>HWQ#(tuK# z3zqw|e?YI$w8+&;e-M$F0je(#+(W?}_GTuWwxxHeYMgI<$F8*I0Z_50fz9?pztw{@ z2Q*K>ZlEu?f?Lqc;a2a)JCMM;sBz_yM;{NjrT##i5S6d41G*vtNM3yPWXx?Bw2UH7 zIvXgePEFajPQ?L4D0AR5{s{dFNC?H>4@{G7Ll{Ys`2IizrO$F0XvHs)q`x}lgHZ*2 zQV-XpzOGO}oL?bKA70PMpX7!#{j)1B@XzPrw=`#QlkvdegEqru@<<4?@u}T$Y2%UA 
zn$|gK-ksjog4&~#P`&Qd>P&yDK-dlk^#?+TgB{paBJ}owxcYv{Mg1Hbn^`%(G|t ztFu3WLHzIMapz>;U6efl6Qy|eQym>%;J;oOf4*$3is%AANUxsR3i*cD2)O>0)6Zp0 z9TE4C-`#IQj)h`#c3TO-$5QvEw7@A5xR?4__+L4UC8t0~EwXz&LcjbDbu#ePMgX3QV`{+;OnJG;|BzY#S$ zMP-+kpoxOq?U_gwVi>Hh`YOtZh&M&Su77rEZ-OKs*U5Lz(P3q5;q;m5IxjM9BlLhh zY!d1rRpEL=1_^KekfcC;`Q@e@-IKV-3>tu^QXvsvf9F`gK&3wzIn>~3q<8q7h0@Gi zU$z%80YE$n`zfnSm=uVGkoP|}eKjN0q*RECBt1_gXSrlqE)22{)m|%n5?Y}QEpB!4 zROsmlZzjENnD`b+cD9DUB=Z1>Ey_&PqV@%4o(u!KnR@1_-)FEi}nZ!wV_m6 zGBVYO;bh=6p6#b}NW@zdWkjDtSpfNx? z&{lGX{%{p*XFXK4a2Mxqoy8RhQvUQ5I0NB*N47uSZ8$c^ znVHMgAY+;YB#_kQBMFUymkqr|r+AL3#lG4jC*%uN00a1vS5`8P!OYqC8M z7nx9aQy)TW#cjY58x#IpImCqc@Y2HGFLPiG8lA|h5j;?64B)AR{a-4Sj z3##{Y2Vho{Me_aTK=H~2KcZDTVU@9o^IrD9FY;NLwFNNEwJr;T(mnpl^Mvb$l zft}2Sy`R=)xr50ds;8M;2ocx*k*5Z%P?5&+E1r<{!1;Mi%Q5^W1;AVX9^BM>OqL6b z-WJyeL?vR#`izg>|NWfCYyrMkpm??!^i^HTwmGNf(Wi?9>;OVQxGYaSrt^a}sfT(4 zmF?Wgif3;Ua2PlhI$5!}Lxf~}5r5pZv-X8HYQAWT2t4`3=pu0S#{>yvN?X{U2%;{8 z-1cOPY5zsrtmlVs^TqWR<+SJ3b8AaK z>UJ9ZCT3v%O+Skl#@cz!0jKnY>*fck=3;S?-EGz+=M7RxTkHWkTc6fz4c(o8_W`g z42mMfL|j2jk?jCjuW2&C0N@q^9P7k_*WOnd*3Xw!gaQMX?X5Gf=Y-qDM6QVvLqZKs zl_0qS_)F15%L0k3JHT&f^iXj0!!GfXn$rPYDgLJk46UXQ1Xbe;-ghqBHa#Rm(2n;A zX}vc6hMUyoe?r=ZTfv&31>%Rvu4hrV!Q3MsB{G(ia6po;_&)w4r(CRLI?6r5F`Yp2 zoUf9-6T~crFyh>JujwHO-~xH+=W0fTzhONun&j~64_r{s*31^@bqdg;{3rx2RB^Sv)h z9Fj{Q`#ooxD4UtVtxr=I7do>yU*`FL2aoYerN2Yj`21HsD-_-+u_MxGMiZyanOEAl znUCCDS`!U%s`ImoRk=b}Q6?pymKab#rFa#{1h7-#W$u2{7srLae?>HXl(7q4 z@dRAt3IVXcHlZSQ&Ze^_%zLI%2hOZ!dz4HWB74WbJ_*cU@67Od$HB3^4FqQi0mim(T_rZxxX!dYu7e`QW!x+Wjwf@ z)-RL(2aI<=mx@v$6eof*4#0t$m{dX?q7Afl^fOwc6Du8?8LK(<7XDxy|8v0MmZTKD zoVf;mAk{Z!Uf)%iI1el@v-h-P_4G$=D6CRiiSHXS2V|B2>u0+9_0W1~>z$$%SR@5h z9n7TLZDwiT>dqZr*Dq;ILmRToR+L#8awHtpi>=Yv2AF7wo=CJ#n|ZiboqU$hL5gy{ zZ|ViAn-%~~^bPa+5yW@dZh~TjPj**v&FTuM7QRbNB(&UT*JctSAqan^S73ki7R1*RoD2`e|5)r5LFPIZg#yczYaTd z0+6O5GG_PrGIlCDKnM&WFdth|Fwiq7*5}PzNIG_@GWPMS?1BoltjM3(M+jv5ync9z zLww2bYY_mhWHLB4;iF8Qdio#|B!x8j13iE$K)Fh#H)cEDT7=c!_>)HAntkaY7r^Bb 
zo_r}bwtSP@d8FcVl(%QQF95^1!O@tHd2rkG{85*eY>$cD&H9xqV|4du2`J)l=JBxj z0{C3&X=e1F_`QjoK~;XmF`>J!rHMJoWFjBek7Nb_7)(zs>r~Q{o7tYK$eHqQ^J#l(fkAl5Ukv(!s&HdXf{lKz4jI7%LxhAsW#mvzdiwF5 zhsTnxK+=XNvGW*D0(%QPD*5BbcYrFH9=-BtgVI|XIy(^qRpgz=DIm--7r4ggETC-Jx>>KkmsQVqB3Ft+f@ zs#>`rBfr;~k*_Ap0`CAaif!^?*5u)l3x~L8#%xzA2w|o^xG#-l9oOuGa~hUr5_`V( znKB!u&MhR&ux+A}>_{)3)iKg9xeyC3rup%cns^8mX0Z7aF?T&8&f3&eUC_{{+J1Cf z6!_ceL^F1yQ7$787%oqIxK9~(LG!6uSy;{mJI00e8iAMWs=N424?pU2hl+sH10MD3 z8oABL)T|>mbc}Q|y1F7cIP`NL?gGS0qLQ!M==x&}uqOkH3&Z zDD15JepFD>&#o~`5e^!@7ybd%2 zm+cK3sz!+K7J*ePiHeG!jKrap{vT-X?rbl`vn_K1(1Zp&nA60vXXtbkt#ZKzT5!hF zEekrdA+`jqzh@BJm`Tf~*FL@?mYD=Hux;oO#6e7?WUa2#+c~eO?9}2E@WyqR(}=)& z{r8m}`z0E5^2^Wi@N=?T6ABw3xQN7woJLVVpaw|IAYsee4zL_tJmS4J69cXFk7i|! z@|VL8bosa;CcgfS*L!J8u+nUfb7^T=!$v`Q#b>9JRgLi=oQOu3nPOm@*2vXJFV>=< zHcu~7{@cpKCXE?aukoGHU>z-^f`tCjgK&HRQEcxP_YoP8FDzfWYct(s+&CQyFF|7~ zx4&D6tX!+wr=5xSMtWd8O@5J&JI_rrLnTDa)C5;BGjx-AR?B-Cn&b7v51OIQ`zqjH zXH>SkTBHAt-mzTmkRy$ka(mRvnsv4`jpMHIy%mzlz|u_{p4i z>o(!ri%Wx>1<{q3go@sx+ISN;!-imF2g)b?#woSAqTDD7DpB zZuY425Hnibh+B|b$o9KEvBfEhd3_=~MZ56gf=y8}XG2B-HB&FgP~i>BZgplF5I8$) zhfmML**FJsJEhy-jyo?|5EBSHYJ5v%94HL+v&MrkQ*evsQ!}~ev&8n?MHXoXa87$> zUz?qEg>J0!6no9H@OLE@eEuAS@7TRbVms4K*MrJ4(Y6?U&{;EM`-L@FHxF?BNwM|W zL(7LL_j9;A8@6m?)ND1o2UUv?zDTnc7xtm@jC&4tCi2@@u2nAO#CR`F5WQ2%;XkZV zLVvJEvX4fIsg0WG=L`kxzTF1L@V6lqFdr6(!DJ{z?RhTth4?IM%@r1EOIih4jyYF9 zj#1dMUm8Hv`se4Q`8M{|AC4T15$mWWWs*1SXesoKjh5(v?kQ+WM5E#Rbm)=bxB|y* zK6GblZixc9o+=^ZC+fixr&wrz ze;n@;v>O(KS&F80CVll{=InFDr6mmyuAG@;|A<^8pR&yB)7Z?O_e=920)T3BKgFr% zwYsF~igUsDZ5?d-Hf^-DP4s{jS8x9I-y7NZThFR{iR3KSOc)u;jhU!3aug^Ww-aFQm&`Zu{n5TRL@=~4l(tK>qfYbJ!1t-q8GM*GZYS8+xy*TnuI=q-0JU_ znIfQtNsyd)|j8lk-~%O z+iOYdmr2_<1Ihz;xfeVJ^5{ubw3>H@wM$JElnd#6?`v_IWOjDf7ioL0H0*i78j#S| z*I^yZa-xet8SgcG0K|bjpOWXwr;)gq5|)214+&4XP0H# z+Eu3;TY2qd^}{B5`ILT>4S^b`v~^SbHIf(Z%`Xz*5udk`9Gvo*lD0+rG`2jKbXK-g zLUb3C@a#ibbCtDsVl#&GY6l(FbMs6}4-cM3>Zkh%I%(wwNEPVUyMFqZfr1BFCZ}$F z_f(AXC?3AaM5B50Y83sY<%PkL%A^XLVWp8W*Rbpi!nNf}YW@#-25WoZ7_|C(r5ph= 
zexn|?-FuxQwJ!NjsT5*agv&G}_vcOE$Sfm{IS%#lMH|GTw3SorfHrFsjcpKByXH-@ z-l>Tj3Ys-lCXo+(eYHYzOUakLi=(FXdLiF3halr9Up-WwIAdOtT*V>;-8VNFaezSO`z~ickd*aT}u_sJx0@NDaGdhjYPq zQpAR|6jWZqN1(Ea6*>+aA-eQ4v#xS}`P{OWPtr8i5cuK1ImssGM-6Z}3w5)78 z$6ZEkmvb-gR+k>_9Kw_MbyS72ukVcIl^@Rwz#8^)jSm+Np?eD?H@3Fe_+~!lJ36H1 z3`Qvupn4IVkU;#k%Ot;5)Ku9noM9`H#R@ytX8CgQQ*zwZLgoC5TupHU(cp&fUL)m? z-mEW#hFY-nYL|92rNeWP@JC0==+1-^hr7iCNOBV`A>&L#)~tyo(cl{xZ>Y;oX~kj} z-Pg_=-nf7*D8nb~d9tJT=LxV25A9|fd zjYd7sbM&%Wppmu5DDZ{xy&D*R%RB_op_PX#1*5CURH$()Bjm`Drc^LNLpy${kFig$tC0Upw3 z=}x=*a?8Y>c9+YC!g`$Oe(*cXaqqBXQz zimk$DiLritvQcCDS-A8vbs?)BK#97Nzh2Y`I%qk~sj7$^v-78j>*+RWw1nx+uLT?- z{rA3iD?|ZbSM)~mm|G^AXj!;+d2NpGQLp_MtQ~r&S}W4r5X`&gxF2y0>atfDv4#$F zZXqTQen+D)5H`Qw2MJtjIeOE5I73d~x*>Kc0A{2Ia@aWx8Yayr)Q&T|-yy#1Hb<7V zeymtGHRUKu$;`h6ACi18mK%OK4kSK}@pp?ntO(!1j2g|t0MImq=TOOfYdbH`Ev%NiEL^2N0 z5!sBU4G1zyX1{F6#hz0Y5M&18FSrt5hyzjEg`C>^GfF@#(e4#&AhgAys{0Jw9KMsC z>+4>?4FM#bg(4`ga6?no9~B0ZvcATQN%~iTwQ2)`U26l*L%#cV&YNnizj!3PfG3ur zd#l28dN3nRG{aa&%OIxPd<*4A!ltW(>i|Qy7Em3cx*Muo`3mI8#ZODb6}L8R*T1}h zb;&tK(_Z{ak%h5|j)_;#D-j%OCl(SpR+G$*&3SV*_WV5Kmcw%9h6CY81>E}Ui<>&%O_m9!|Iey)c-AZIH@IT z%Ghq~d17D{cmHFcIXgJQ*;nE&*g)H9iB{KJa?^wanz*JG!u)Et`a4U>#)?MP*ek2# z*p{o+${qcaKE3|%)9b{?*%-y-8pC??kL%pk(f}yUg(J!I_Y(&|e76KGzZW}AvwC=6 z3-iKVX~Vv7aMIBr$D&ri_NJh~HY08On4z&+z~Me- zWu&;R^%^)5D45V=skcw^@GXF~jnmi9wmeKs$nVwJ>er^_1l09^;HZf|uD}d;sz=l7 zuhk_2mlx69RduiDN&%vo6xPNwp@bdr$ssGspuNfeZ<$ z`8GR*l>ax+AIKdHa!XU@7iY`8P4{iZ>+Q0<%WWE`(_g(4x&_iU?mCCsU+^CRW*0&X ziNpM{C(Oivc?G&*3%HNQ6~inmPp56st07Hw>x4$y zGS~Wva;?U(8qL~1e1Ex5Lh4sSFql0XVC`6D&z?N&G&v0+Ww-<0Q_j+u_2?q&g%==n)&SWxR$C$qO3Usuknm722PdzvGWUwK{g_J2n7<4 zl0moHDrPK5l?HL&v>pbi{vOB(!f#XL2w#8*apHz2bRL+2(#Ex1a0kigyH;*`~K+H}G@>D-fnJStb^hsJ<>BTj84IS%Xv&j_t5LT)ER!4K>d``>khZ~YdDbGHd zt%&1#9dJZ$(q|><7EG4rGx%s_8xYM8{XdKXq7XcI3!wx#A!(iz1;w>sk$o$Mq!vtkn&xtMCFVi_SOGYc{8o0!v z=@@U+$h1zPwq^;)V~7t|;wpo(wI${}`A7rvuk}R1$vD`Zv}KrCM``wP_okneNCZY( zWIug+?{H6$Wd07Fe;Q)A$R9R&*fujkRbj=WUtfk%SsE?}=U>V9=c(u@C@6!nAU2Z# 
zY4P!Tut#oP%;_ihXw^zjBEKDj0td%69TO9u0gB1vWkJ4z9R1_7cQbxONE)QJU$2y0kay!2R^ z$U-7p6NTMs6v2hi7VQEY0Y@@1vG1&p>W1O@`8}wxBtEMyc7o@4#fH_2D0!_sWb6BE z+>Z1>7kW?`7x5X^|KhTdy10UxyF*Wi_-KVFZ+_j}9xaL0TZd5A``n!>gLWCmE%4aVd~AGA$=txJAII&{WM=+Hfxq{C289)#y2t8BIx6GqC)mBhvC zp=;}QiNa=y4XZhgL&tkQ1f;ra?lecgHCo5i< zES3`)vh_Q@(P;MlqIGEO!ly)C6_#Rc{hRc6IMoRu$s#yQm`rcR&S8Xj*told?``v? zaHP)SO|FWa7EeMC25pD#?=LhN_iQZraB$V{XY)!w!YUS9+VIP>=EwS*t)}M@)?JI2 z54YkZ@?coOd9~$VMPl9k&%vbt%c+h=?%y@_V{_(GeeOkwAHBOBxq8KIYzI5J@I9EW zUoBu;DW%c9ENVtUp|2>Mau0hqKy}wpb?4xhu|nT0hr#B2mfHMA+CFberS;SM8R`CO zZzioL#)f&K9QU6m!LS^HtkJFE111&Dskuls4H>WM373sgpn2&S46FG5*apCXmX}$amH!sSmXfv=jEk|qJVks zOGwB)B_nP$7<<^At;d zhLCz#4ieyc6X|>MhF3(V0888?ggY4_P|Gy5*XvDp@3`b%!H+dfSVyuzUv`-6ZFpgE zZ?u|t7Qx2cd@EC2K}Gfh4vx;mo^R=T#s&pLlTWmqilD_46UJb*V_&NfpQY(c{+KJd~{6(Hp7rdgEAk1pV^3_nOaloTQtEQs2mV$u0++C-ANA zE}iD}z2#cnE5n(vL!W^Z1(ueHN`g)vS&OIdscyS;Dh%4`W~x3)>Ys%K_IIy~f)>n- zr2UG45Vwf!Rv8GMU8tuCb83=zPjykjrl{%zPQF; z# z?^C#KskLZ=jgG&j%|p?fY@Ra9NUeQcWDl+h43cWH1_5M>j~B&!Rk&iG8HO}`y-S{eE6L) zb~qz$$8l&|yR?Rv#bT^(vJAz3hsBy>$!DfKnT-tv{Q# zAin>RynuNCb&6F}H{mQcTEMFx9?hBCu}336-e{Z-qr_|1HL%G6rI2V+m3+ScbYEY4 z2TLB^2Prn9-@p{~Wa`c+MGV0w0ND5ovJK;gDs4thON~d$b?o*%3z?Dzr6jVB40VTZ zr`b>=Xh6*%sFwuQk+`xJs#49bKePoQruN?j$#H`MFVgrL`2x)CrS+dSTya_f5?N0T zWkvh(M|v9Nu=_jK?WR?(%fBZ21?)v_L*Ert(--7g-v?#6p!AzTRqD}pESQr=r)V}^ zijopMF;i8F_{#u|lI=aO=kzRd)gwGT^`$nodH|v-)(Yp0gPNC&QnQTL)bH(I?sUEl z6S;?esf4Cc$`_8+R{5YU&`yRALE-jE{C;r}3ZpdL*b8PKYAW#$RH&@jb>(h&fo1?C zUsB$&k*hHg)jAwWSni)t#&lR!vNN2y!tne`4AC7{64{uGGVd-vAVt!?w3h>=;Q80y znicV;0s-d@`-^TNq4?otKZWjnAr-?M@;DkBE%@bw3V^8Zs8{rU|v^?coF+4s?6r#7X${XH3Y5f5-0G#awPyl=_!?fxrE%I-^C zJ8{E#bEfX;d-*Z5FW$>L266VGM;^}MlJa@8(m*ExH#dkuf5U98%q;|=Wd zOiKmsSGl=O_x$I!bq;23^Ja(NlZ~=F^*QF`*ODV2f%9ZQuskC}COhTKg*@ABsVO?Z z<)J4fyn$P@!*wykA;SL`wM@3E~v z_Xs`)kL@3rS@@>#ts-#I#?38yOP~{wGtj`}HpN-fUi|S&~I>3fC&XjXqUzf9hekNx9Ldp5NWh zw(HmlVB7FvB8d(6f&khE8@YtD-u*DQaqNh()L?YwoP^zKB)RTt}mi})ojczx2T ze75%F?)gnp|vd$@?2>{R=9Y6p8 literal 0 HcmV?d00001 
diff --git a/packages/darktrace/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json
new file mode 100644
index 00000000000..fdabfd6f8c1
--- /dev/null
+++ b/packages/darktrace/kibana/dashboard/darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8.json
@@ -0,0 +1,513 @@ +{ + "attributes": { + "description": "Darktrace System Status Alerts Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.system_status_alert\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1b85280d-b235-4523-b782-fd77e9046901", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3702c81f-57cb-4f31-bb86-97827dab7021", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1b85280d-b235-4523-b782-fd77e9046901": { + "columnOrder": [ + "426426da-2361-40d0-a759-2591bdf082c9" + ], + "columns": { + "426426da-2361-40d0-a759-2591bdf082c9": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "3702c81f-57cb-4f31-bb86-97827dab7021", + "key": "darktrace.system_status_alert.status", + "negate": false, + "params": { + "query": "active" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "darktrace.system_status_alert.status": "active" + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.system_status_alert\"" + }, + "visualization": { + "accessor": "426426da-2361-40d0-a759-2591bdf082c9", + "layerId": "1b85280d-b235-4523-b782-fd77e9046901", + "layerType": "data" + } + }, + 
"title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151", + "w": 24, + "x": 0, + "y": 0 + }, + "panelIndex": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151", + "title": "Number of Active Alerts [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-f27d6430-9a24-4f7b-86b0-43950b6f2393", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "f27d6430-9a24-4f7b-86b0-43950b6f2393": { + "columnOrder": [ + "ecdeb1b2-48c5-4966-bca9-0f228a2916f3", + "11c181af-dff4-4a0a-ad2e-0846bd66affe" + ], + "columns": { + "11c181af-dff4-4a0a-ad2e-0846bd66affe": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "ecdeb1b2-48c5-4966-bca9-0f228a2916f3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Priority Level", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "11c181af-dff4-4a0a-ad2e-0846bd66affe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "darktrace.system_status_alert.priority_level" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.system_status_alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + 
"ecdeb1b2-48c5-4966-bca9-0f228a2916f3" + ], + "layerId": "f27d6430-9a24-4f7b-86b0-43950b6f2393", + "layerType": "data", + "legendDisplay": "default", + "metric": "11c181af-dff4-4a0a-ad2e-0846bd66affe", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "e7b10ecb-271a-4010-9947-9597225acd58", + "w": 24, + "x": 24, + "y": 0 + }, + "panelIndex": "e7b10ecb-271a-4010-9947-9597225acd58", + "title": "Distribution of System Status Alerts by Priority Level [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b1042ac5-75bd-48e1-9c8c-4ab507402159", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "b1042ac5-75bd-48e1-9c8c-4ab507402159": { + "columnOrder": [ + "7deb2674-d025-43e9-b627-7c8e4a3d3ba6", + "72135a2c-712d-421e-8e29-8a5c82f557be" + ], + "columns": { + "72135a2c-712d-421e-8e29-8a5c82f557be": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "7deb2674-d025-43e9-b627-7c8e4a3d3ba6": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Hostname", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "72135a2c-712d-421e-8e29-8a5c82f557be", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + } + }, + 
"incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.system_status_alert\"" + }, + "visualization": { + "columns": [ + { + "columnId": "7deb2674-d025-43e9-b627-7c8e4a3d3ba6", + "isTransposed": false + }, + { + "columnId": "72135a2c-712d-421e-8e29-8a5c82f557be", + "isTransposed": false + } + ], + "layerId": "b1042ac5-75bd-48e1-9c8c-4ab507402159", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "77e3df19-769a-414a-b96b-dbb37169629d", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "77e3df19-769a-414a-b96b-dbb37169629d", + "title": "Top 10 Hostname with Highest System Status Alerts [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-607d2de2-df5d-4503-90e0-4ac42323c46e", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "607d2de2-df5d-4503-90e0-4ac42323c46e": { + "columnOrder": [ + "dafa285e-d83f-4d93-af67-4b6b7a7437f3", + "4ba339dd-9edb-445a-a121-43092d3b33a5" + ], + "columns": { + "4ba339dd-9edb-445a-a121-43092d3b33a5": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "dafa285e-d83f-4d93-af67-4b6b7a7437f3": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "4ba339dd-9edb-445a-a121-43092d3b33a5", + "type": "column" + }, 
+ "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "darktrace.system_status_alert.name" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.system_status_alert\"" + }, + "visualization": { + "columns": [ + { + "columnId": "dafa285e-d83f-4d93-af67-4b6b7a7437f3", + "isTransposed": false + }, + { + "columnId": "4ba339dd-9edb-445a-a121-43092d3b33a5", + "isTransposed": false + } + ], + "layerId": "607d2de2-df5d-4503-90e0-4ac42323c46e", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7d794103-85bd-4669-b9bc-b9223d2eba5c", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "7d794103-85bd-4669-b9bc-b9223d2eba5c", + "title": "Top 10 Alert Name with Highest System Status Alerts [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 23, + "i": "00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd", + "w": 48, + "x": 0, + "y": 30 + }, + "panelIndex": "00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd", + "panelRefName": "panel_00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd", + "type": "search", + "version": "8.2.1" + } + ], + "timeRestore": false, + "title": "[Logs Darktrace] System Status Alerts Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-6bd3c320-13b2-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:indexpattern-datasource-layer-1b85280d-b235-4523-b782-fd77e9046901", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "5f64c3c5-4d59-4abb-a6ab-234a1ee66151:3702c81f-57cb-4f31-bb86-97827dab7021", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e7b10ecb-271a-4010-9947-9597225acd58:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e7b10ecb-271a-4010-9947-9597225acd58:indexpattern-datasource-layer-f27d6430-9a24-4f7b-86b0-43950b6f2393", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77e3df19-769a-414a-b96b-dbb37169629d:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77e3df19-769a-414a-b96b-dbb37169629d:indexpattern-datasource-layer-b1042ac5-75bd-48e1-9c8c-4ab507402159", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7d794103-85bd-4669-b9bc-b9223d2eba5c:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7d794103-85bd-4669-b9bc-b9223d2eba5c:indexpattern-datasource-layer-607d2de2-df5d-4503-90e0-4ac42323c46e", + "type": "index-pattern" + }, + { + "id": "darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8", + "name": "00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd:panel_00e77d89-2b5e-4f2d-bc08-f7d1ce5165dd", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/darktrace/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json new file mode 100644 index 00000000000..bf5cb00e86e --- /dev/null +++ b/packages/darktrace/kibana/dashboard/darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8.json 
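Review bot: The "Number of Active Alerts [Logs Darktrace]" metric is a unique_count of event.id over every document whose darktrace.system_status_alert.status is "active" in the selected time range, so if Darktrace reports a later status change for the same alert as a separate event, alerts that have already cleared keep counting toward the "active" figure (the hunk does not show whether such transition events exist, so confirm against the system_status_alert sample logs). If they do, either rename the panel to reflect what it measures, e.g. `"title": "Alerts Reported Active [Logs Darktrace]"`, or base the count on a per-alert last value of the status field rather than a phrase filter. The two datatable titles `"Top 10 Hostname with Highest System Status Alerts [Logs Darktrace]"` and `"Top 10 Alert Name with Highest System Status Alerts [Logs Darktrace]"` would read better as "Hostnames" and "Alert Names".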
@@ -0,0 +1,1528 @@ +{ + "attributes": { + "description": "Darktrace Model Breach Alerts Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-16c69f2e-ffe0-4393-9d91-dece311e3f0f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "16c69f2e-ffe0-4393-9d91-dece311e3f0f": { + "columnOrder": [ + "099298f5-fc58-4473-860e-84bc44f2e387" + ], + "columns": { + "099298f5-fc58-4473-860e-84bc44f2e387": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "accessor": "099298f5-fc58-4473-860e-84bc44f2e387", + "layerId": "16c69f2e-ffe0-4393-9d91-dece311e3f0f", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1", + "w": 15, + "x": 0, + "y": 0 + }, + "panelIndex": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1", + "title": "Number of Alerts [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": 
"logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8d4cd3ff-fd36-462e-ae82-826554dc847d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "88df79e3-51ce-46c3-b8da-6522f6dc9e40", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8d4cd3ff-fd36-462e-ae82-826554dc847d": { + "columnOrder": [ + "861dc1ff-427e-4512-bb2c-e28d3f7564b2" + ], + "columns": { + "861dc1ff-427e-4512-bb2c-e28d3f7564b2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "rule.uuid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "88df79e3-51ce-46c3-b8da-6522f6dc9e40", + "key": "darktrace.model_breach_alert.model.is_active", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "darktrace.model_breach_alert.model.is_active": true + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "accessor": "861dc1ff-427e-4512-bb2c-e28d3f7564b2", + "layerId": "8d4cd3ff-fd36-462e-ae82-826554dc847d", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "07f13cdd-3a86-40e5-914f-8f50c695b6ee", + "w": 15, + "x": 15, + "y": 0 + }, + "panelIndex": "07f13cdd-3a86-40e5-914f-8f50c695b6ee", + "title": "Number of Active Models [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + 
"name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-a4c3d027-4533-411a-b9f1-26f0a4fedb66", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "a4c3d027-4533-411a-b9f1-26f0a4fedb66": { + "columnOrder": [ + "1ea9479b-4db9-4215-97d9-1d7a275176ab", + "36c1f412-cfb7-4ea0-b9c9-a323c72e800d" + ], + "columns": { + "1ea9479b-4db9-4215-97d9-1d7a275176ab": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "36c1f412-cfb7-4ea0-b9c9-a323c72e800d", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "rule.category" + }, + "36c1f412-cfb7-4ea0-b9c9-a323c72e800d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "1ea9479b-4db9-4215-97d9-1d7a275176ab" + ], + "layerId": "a4c3d027-4533-411a-b9f1-26f0a4fedb66", + "layerType": "data", + "legendDisplay": "default", + "metric": "36c1f412-cfb7-4ea0-b9c9-a323c72e800d", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "1fafffde-be8a-4e46-bc58-a52db1e94931", + "w": 18, + "x": 30, + "y": 0 + }, 
+ "panelIndex": "1fafffde-be8a-4e46-bc58-a52db1e94931", + "title": "Distribution of Model Breach Alerts by Model Category [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-8a0016c8-0623-4e96-a007-240f0bfe88c2", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "8a0016c8-0623-4e96-a007-240f0bfe88c2": { + "columnOrder": [ + "55131f02-db30-408f-8795-9cfee8f6758b", + "b5b19414-8d46-4957-b69a-7a57518551fe" + ], + "columns": { + "55131f02-db30-408f-8795-9cfee8f6758b": { + "customLabel": true, + "dataType": "number", + "isBucketed": true, + "label": "Model Priority", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b5b19414-8d46-4957-b69a-7a57518551fe", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.severity" + }, + "b5b19414-8d46-4957-b69a-7a57518551fe": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + 
"b5b19414-8d46-4957-b69a-7a57518551fe" + ], + "layerId": "8a0016c8-0623-4e96-a007-240f0bfe88c2", + "layerType": "data", + "seriesType": "bar_stacked", + "xAccessor": "55131f02-db30-408f-8795-9cfee8f6758b" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0", + "w": 24, + "x": 0, + "y": 15 + }, + "panelIndex": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0", + "title": "Distribution of Model Breach Alerts by Model Priority [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c": { + "columnOrder": [ + "c2ee5623-973c-416f-80b0-bae47d66f83b", + "8630c019-3e7e-4734-b1c2-1a82f39fb7fc" + ], + "columns": { + "8630c019-3e7e-4734-b1c2-1a82f39fb7fc": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + }, + "c2ee5623-973c-416f-80b0-bae47d66f83b": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Model Behaviour", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8630c019-3e7e-4734-b1c2-1a82f39fb7fc", + "type": "column" + }, + 
"orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "darktrace.model_breach_alert.model.behaviour" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "c2ee5623-973c-416f-80b0-bae47d66f83b" + ], + "layerId": "267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c", + "layerType": "data", + "legendDisplay": "default", + "metric": "8630c019-3e7e-4734-b1c2-1a82f39fb7fc", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "44710442-b7b8-413a-9e52-4d7ba519a296", + "w": 24, + "x": 24, + "y": 15 + }, + "panelIndex": "44710442-b7b8-413a-9e52-4d7ba519a296", + "title": "Distribution of Model Breach Alerts by Model Behaviour [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-26e0acea-9274-411a-91a3-8537b1e00aff", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "26e0acea-9274-411a-91a3-8537b1e00aff": { + "columnOrder": [ + "ac9a1bc1-8890-4297-a82e-6f975d9175aa", + "b451b0a8-806d-4d37-85c6-85c98330a533" + ], + "columns": { + "ac9a1bc1-8890-4297-a82e-6f975d9175aa": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Model Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "b451b0a8-806d-4d37-85c6-85c98330a533", + 
"type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + }, + "b451b0a8-806d-4d37-85c6-85c98330a533": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Model Breach Score", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.risk_score" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "ac9a1bc1-8890-4297-a82e-6f975d9175aa", + "isTransposed": false, + "summaryRow": "none" + }, + { + "columnId": "b451b0a8-806d-4d37-85c6-85c98330a533", + "isTransposed": false + } + ], + "layerId": "26e0acea-9274-411a-91a3-8537b1e00aff", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "747c1919-e215-4b97-9d8b-8ee528c1deaa", + "w": 24, + "x": 0, + "y": 30 + }, + "panelIndex": "747c1919-e215-4b97-9d8b-8ee528c1deaa", + "title": "Top 10 Model Breach Alerts by Highest Model Breach Score [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-adde69bc-fda5-4560-8a54-202ca975652f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "adde69bc-fda5-4560-8a54-202ca975652f": { + "columnOrder": [ + "c78a709f-ef66-4dbc-a1f2-070cb2116e4d", + "ead17241-a253-4c78-917d-8ff1249061df" + ], + "columns": { + 
"c78a709f-ef66-4dbc-a1f2-070cb2116e4d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Model Name", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "ead17241-a253-4c78-917d-8ff1249061df", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "rule.name" + }, + "ead17241-a253-4c78-917d-8ff1249061df": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "c78a709f-ef66-4dbc-a1f2-070cb2116e4d", + "isTransposed": false, + "width": 574 + }, + { + "columnId": "ead17241-a253-4c78-917d-8ff1249061df", + "isTransposed": false + } + ], + "layerId": "adde69bc-fda5-4560-8a54-202ca975652f", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7", + "w": 24, + "x": 24, + "y": 30 + }, + "panelIndex": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7", + "title": "Top 10 Model Name with Highest Model Breach [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0c7a50df-8359-42ff-806d-a22eb35b597a", + "type": 
"index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "0c7a50df-8359-42ff-806d-a22eb35b597a": { + "columnOrder": [ + "729d6a4f-b1ba-47be-817a-2f2bf8b6f39c", + "a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515" + ], + "columns": { + "729d6a4f-b1ba-47be-817a-2f2bf8b6f39c": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Type", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.type" + }, + "a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "columns": [ + { + "columnId": "729d6a4f-b1ba-47be-817a-2f2bf8b6f39c", + "isTransposed": false + }, + { + "columnId": "a0c3e6c0-52a2-4fc6-ac35-ff0ee67d1515", + "isTransposed": false + } + ], + "layerId": "0c7a50df-8359-42ff-806d-a22eb35b597a", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "19b3fa09-6280-430a-9046-a613dfde3696", + "w": 24, + "x": 0, + "y": 45 + }, + "panelIndex": "19b3fa09-6280-430a-9046-a613dfde3696", + "title": "Top 10 Device Type with Highest Model Breach [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-7bd679f9-8a5b-4906-beaa-750102e3a26f", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "7bd679f9-8a5b-4906-beaa-750102e3a26f": { + "columnOrder": [ + "13359fdf-964f-441c-8d49-dcacd44d74a9", + "d0c28963-3b20-44ed-bd81-668ccef65e64" + ], + "columns": { + "13359fdf-964f-441c-8d49-dcacd44d74a9": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Vendor", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "d0c28963-3b20-44ed-bd81-668ccef65e64", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "darktrace.model_breach_alert.device.vendor" + }, + "d0c28963-3b20-44ed-bd81-668ccef65e64": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + "13359fdf-964f-441c-8d49-dcacd44d74a9" + ], + "layerId": "7bd679f9-8a5b-4906-beaa-750102e3a26f", + "layerType": "data", + "legendDisplay": "default", + "metric": "d0c28963-3b20-44ed-bd81-668ccef65e64", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7", + "w": 24, + 
"x": 24, + "y": 45 + }, + "panelIndex": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7", + "title": "Distribution of Model Breach Alerts by Targeted Vendor [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-c8ea502e-ae28-47dd-9b90-484d50083243", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "c8ea502e-ae28-47dd-9b90-484d50083243": { + "columnOrder": [ + "0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1", + "dbd63d7d-3048-4f3e-a068-d891e14f517b" + ], + "columns": { + "0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Device Host ID", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "dbd63d7d-3048-4f3e-a068-d891e14f517b", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.id" + }, + "dbd63d7d-3048-4f3e-a068-d891e14f517b": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "0e81fce6-dd05-4dcb-9cc1-1bfedfd001d1", + "isTransposed": false + }, + { + "columnId": "dbd63d7d-3048-4f3e-a068-d891e14f517b", + "isTransposed": false + } + ], + "layerId": "c8ea502e-ae28-47dd-9b90-484d50083243", + "layerType": "data" 
+ } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0", + "w": 24, + "x": 24, + "y": 60 + }, + "panelIndex": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0", + "title": "Top 10 Device Host ID with Highest Model Breach [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-88c07c59-c625-4652-8156-54991d0869d8", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "88c07c59-c625-4652-8156-54991d0869d8": { + "columnOrder": [ + "3fdb34e6-9e66-42b8-8705-ce15282352a8", + "0f644c53-93f7-450a-ab4a-2d08a26251a7" + ], + "columns": { + "0f644c53-93f7-450a-ab4a-2d08a26251a7": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.model_breach_alert.pbid" + }, + "3fdb34e6-9e66-42b8-8705-ce15282352a8": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Antigena Action", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "0f644c53-93f7-450a-ab4a-2d08a26251a7", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.action" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "layers": [ + { + "accessors": [ + 
"0f644c53-93f7-450a-ab4a-2d08a26251a7" + ], + "layerId": "88c07c59-c625-4652-8156-54991d0869d8", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "3fdb34e6-9e66-42b8-8705-ce15282352a8" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "889bb859-0938-46a4-b078-30f5fedd10a7", + "w": 24, + "x": 0, + "y": 60 + }, + "panelIndex": "889bb859-0938-46a4-b078-30f5fedd10a7", + "title": "Distribution of Model Breach Alerts by Antigena Action [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-68e57e92-bad9-44bd-8022-16b46d218096", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "68e57e92-bad9-44bd-8022-16b46d218096": { + "columnOrder": [ + "e320a021-5c16-4d5f-889a-f88e29cc8fd2", + "e9f48d2b-6578-4b41-afdb-3070764712b2" + ], + "columns": { + "e320a021-5c16-4d5f-889a-f88e29cc8fd2": { + "customLabel": true, + "dataType": "date", + "isBucketed": true, + "label": "Timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "ignoreTimeRange": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "@timestamp" + }, + "e9f48d2b-6578-4b41-afdb-3070764712b2": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Median of Model Throttle", + "operationType": "median", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + 
"sourceField": "darktrace.model_breach_alert.model.throttle" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "e9f48d2b-6578-4b41-afdb-3070764712b2" + ], + "layerId": "68e57e92-bad9-44bd-8022-16b46d218096", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "e320a021-5c16-4d5f-889a-f88e29cc8fd2", + "yConfig": [ + { + "axisMode": "auto", + "forAccessor": "e9f48d2b-6578-4b41-afdb-3070764712b2" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 19, + "i": "c6560c58-be58-4718-abed-0356a2ba3b09", + "w": 48, + "x": 0, + "y": 75 + }, + "panelIndex": "c6560c58-be58-4718-abed-0356a2ba3b09", + "title": "Model Throttle Over Time [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "enhancements": {}, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [ + { + "enabled": true, + "id": "1", + "params": { + "customLabel": "Tag Cloud", + "emptyAsNull": false, + "field": "darktrace.model_breach_alert.pbid" + }, + "schema": "metric", + "type": "cardinality" + }, + { + "enabled": true, + "id": "2", + "params": { + "customLabel": "Mitre Techniques", + "field": "threat.technique.name", + "missingBucket": false, + "missingBucketLabel": "Missing", + "order": "desc", + "orderBy": "1", + "otherBucket": false, + "otherBucketLabel": "Other", + "size": 10 + }, + "schema": "segment", + "type": "terms" + } + ], + "searchSource": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + 
"language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + } + } + }, + "description": "", + "id": "", + "params": { + "maxFontSize": 72, + "minFontSize": 18, + "orientation": "single", + "palette": { + "name": "default", + "type": "palette" + }, + "scale": "linear", + "showLabel": true + }, + "title": "", + "type": "tagcloud", + "uiState": {} + } + }, + "gridData": { + "h": 23, + "i": "12736f17-d97c-4f4c-a66b-5eba7c2fec9c", + "w": 48, + "x": 0, + "y": 94 + }, + "panelIndex": "12736f17-d97c-4f4c-a66b-5eba7c2fec9c", + "title": "Top Mitre Techniques [Logs Darktrace]", + "type": "visualization", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 23, + "i": "e9b4f5f5-d478-403d-a78e-9e39ad3486f0", + "w": 48, + "x": 0, + "y": 117 + }, + "panelIndex": "e9b4f5f5-d478-403d-a78e-9e39ad3486f0", + "panelRefName": "panel_e9b4f5f5-d478-403d-a78e-9e39ad3486f0", + "type": "search", + "version": "8.2.1" + } + ], + "timeRestore": false, + "title": "[Logs Darktrace] Model Breach Alerts Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-da768d80-1399-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "14e3bf5d-011f-48d2-83a9-fc62d707cdd1:indexpattern-datasource-layer-16c69f2e-ffe0-4393-9d91-dece311e3f0f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "07f13cdd-3a86-40e5-914f-8f50c695b6ee:indexpattern-datasource-layer-8d4cd3ff-fd36-462e-ae82-826554dc847d", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"07f13cdd-3a86-40e5-914f-8f50c695b6ee:88df79e3-51ce-46c3-b8da-6522f6dc9e40", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1fafffde-be8a-4e46-bc58-a52db1e94931:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1fafffde-be8a-4e46-bc58-a52db1e94931:indexpattern-datasource-layer-a4c3d027-4533-411a-b9f1-26f0a4fedb66", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ddcd6a80-5ab0-4522-b984-022b7da2d4b0:indexpattern-datasource-layer-8a0016c8-0623-4e96-a007-240f0bfe88c2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44710442-b7b8-413a-9e52-4d7ba519a296:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "44710442-b7b8-413a-9e52-4d7ba519a296:indexpattern-datasource-layer-267ebe2d-c964-48cf-9c9a-1a1fb09f6e3c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "747c1919-e215-4b97-9d8b-8ee528c1deaa:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "747c1919-e215-4b97-9d8b-8ee528c1deaa:indexpattern-datasource-layer-26e0acea-9274-411a-91a3-8537b1e00aff", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "aca1678c-d3d8-478e-a09c-dfdd86a5b3f7:indexpattern-datasource-layer-adde69bc-fda5-4560-8a54-202ca975652f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "19b3fa09-6280-430a-9046-a613dfde3696:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "19b3fa09-6280-430a-9046-a613dfde3696:indexpattern-datasource-layer-0c7a50df-8359-42ff-806d-a22eb35b597a", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "185e6cd3-4cf8-45fd-937e-77abd9e6aad7:indexpattern-datasource-layer-7bd679f9-8a5b-4906-beaa-750102e3a26f", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7c6faaf4-5d0c-49a1-b1d2-605f18e675b0:indexpattern-datasource-layer-c8ea502e-ae28-47dd-9b90-484d50083243", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "889bb859-0938-46a4-b078-30f5fedd10a7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "889bb859-0938-46a4-b078-30f5fedd10a7:indexpattern-datasource-layer-88c07c59-c625-4652-8156-54991d0869d8", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c6560c58-be58-4718-abed-0356a2ba3b09:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "c6560c58-be58-4718-abed-0356a2ba3b09:indexpattern-datasource-layer-68e57e92-bad9-44bd-8022-16b46d218096", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "12736f17-d97c-4f4c-a66b-5eba7c2fec9c:kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + }, + { + "id": "darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8", + "name": "e9b4f5f5-d478-403d-a78e-9e39ad3486f0:panel_e9b4f5f5-d478-403d-a78e-9e39ad3486f0", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/darktrace/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json new file mode 100644 index 00000000000..b0cec601476 --- /dev/null 
+++ b/packages/darktrace/kibana/dashboard/darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8.json 
@@ -0,0 +1,981 @@ +{ + "attributes": { + "description": "Darktrace AI Analyst Alerts Overview.", + "hits": 0, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": false, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6f5adda0-d13e-48e5-aead-37e6448b922a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1f84b818-192c-4dca-b929-1884e060576b": { + "columnOrder": [ + "367e5418-6e25-45f2-b5fc-6ddd3618b869" + ], + "columns": { + "367e5418-6e25-45f2-b5fc-6ddd3618b869": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "6f5adda0-d13e-48e5-aead-37e6448b922a", + "key": "darktrace.ai_analyst_alert.is_user_triggered", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "darktrace.ai_analyst_alert.is_user_triggered": true + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "accessor": "367e5418-6e25-45f2-b5fc-6ddd3618b869", + "layerId": "1f84b818-192c-4dca-b929-1884e060576b", + "layerType": "data" + } + }, + 
"title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "e28c7c69-2ae8-46fd-b361-38be020491a8", + "w": 16, + "x": 0, + "y": 0 + }, + "panelIndex": "e28c7c69-2ae8-46fd-b361-38be020491a8", + "title": "Count of User Triggered AI Analyst Investigation [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "68dafc9f-9ed2-4ef9-8587-14dba4241364", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1f84b818-192c-4dca-b929-1884e060576b": { + "columnOrder": [ + "367e5418-6e25-45f2-b5fc-6ddd3618b869" + ], + "columns": { + "367e5418-6e25-45f2-b5fc-6ddd3618b869": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "68dafc9f-9ed2-4ef9-8587-14dba4241364", + "key": "darktrace.ai_analyst_alert.is_external_triggered", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "darktrace.ai_analyst_alert.is_external_triggered": true + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "accessor": "367e5418-6e25-45f2-b5fc-6ddd3618b869", + "layerId": "1f84b818-192c-4dca-b929-1884e060576b", + "layerType": "data" 
+ } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9", + "w": 16, + "x": 16, + "y": 0 + }, + "panelIndex": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9", + "title": "Count of Externally Triggered AI Analyst Investigation [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fb69f35b-439b-47fc-b942-15dc9d439f8b", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "1f84b818-192c-4dca-b929-1884e060576b": { + "columnOrder": [ + "367e5418-6e25-45f2-b5fc-6ddd3618b869" + ], + "columns": { + "367e5418-6e25-45f2-b5fc-6ddd3618b869": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "fb69f35b-439b-47fc-b942-15dc9d439f8b", + "key": "darktrace.ai_analyst_alert.is_acknowledged", + "negate": false, + "params": { + "query": true + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "darktrace.ai_analyst_alert.is_acknowledged": true + } + } + } + ], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "accessor": "367e5418-6e25-45f2-b5fc-6ddd3618b869", + "layerId": "1f84b818-192c-4dca-b929-1884e060576b", + "layerType": 
"data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 13, + "i": "034d5870-b571-4276-9fad-1495a3665eed", + "w": 16, + "x": 32, + "y": 0 + }, + "panelIndex": "034d5870-b571-4276-9fad-1495a3665eed", + "title": "Count of Acknowledged AI Analyst Alerts [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-66afac91-ca1e-4a4a-ab0d-e18a2903ace7", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "66afac91-ca1e-4a4a-ab0d-e18a2903ace7": { + "columnOrder": [ + "6e2b5d5b-0584-412f-a87f-b60279d2173d", + "8f546d14-cc1d-4d80-8cec-8e326bfd19d1" + ], + "columns": { + "6e2b5d5b-0584-412f-a87f-b60279d2173d": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Behavior Category", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "8f546d14-cc1d-4d80-8cec-8e326bfd19d1", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 5 + }, + "scale": "ordinal", + "sourceField": "darktrace.ai_analyst_alert.category" + }, + "8f546d14-cc1d-4d80-8cec-8e326bfd19d1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "layers": [ + { + "categoryDisplay": "default", + "groups": [ + 
"6e2b5d5b-0584-412f-a87f-b60279d2173d" + ], + "layerId": "66afac91-ca1e-4a4a-ab0d-e18a2903ace7", + "layerType": "data", + "legendDisplay": "default", + "metric": "8f546d14-cc1d-4d80-8cec-8e326bfd19d1", + "nestedLegend": false, + "numberDisplay": "percent" + } + ], + "shape": "pie" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsPie" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "65f35405-87eb-4a98-a0c2-2e3c7426cb28", + "w": 24, + "x": 0, + "y": 13 + }, + "panelIndex": "65f35405-87eb-4a98-a0c2-2e3c7426cb28", + "title": "Distribution of AI Analyst Alerts by Behavior Category [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-effe003f-604a-49a3-a903-d4d2c75df944", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "effe003f-604a-49a3-a903-d4d2c75df944": { + "columnOrder": [ + "937bae71-7159-4e35-87cf-dc372875ad59", + "049804ee-f3a4-474f-8e76-d4c3e0eb77af" + ], + "columns": { + "049804ee-f3a4-474f-8e76-d4c3e0eb77af": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + }, + "937bae71-7159-4e35-87cf-dc372875ad59": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Summariser", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "049804ee-f3a4-474f-8e76-d4c3e0eb77af", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": true, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": 
"darktrace.ai_analyst_alert.summariser" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "049804ee-f3a4-474f-8e76-d4c3e0eb77af" + ], + "layerId": "effe003f-604a-49a3-a903-d4d2c75df944", + "layerType": "data", + "position": "top", + "seriesType": "bar_stacked", + "showGridlines": false, + "xAccessor": "937bae71-7159-4e35-87cf-dc372875ad59" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "bar_stacked", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7", + "w": 24, + "x": 24, + "y": 13 + }, + "panelIndex": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7", + "title": "Distribution of AI Analyst Alerts by Summariser [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-dea45bd8-269e-48c4-98d3-fc47717ae139", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "dea45bd8-269e-48c4-98d3-fc47717ae139": { + "columnOrder": [ + "71a3581e-24ae-48d8-958d-c574488b2f48", + "e6083dcb-9465-4007-a133-569f31fe732d" + ], + "columns": { + "71a3581e-24ae-48d8-958d-c574488b2f48": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Title", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "e6083dcb-9465-4007-a133-569f31fe732d", + "type": "column" + }, + "orderDirection": "desc", + 
"otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.reason" + }, + "e6083dcb-9465-4007-a133-569f31fe732d": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Risk Score", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.risk_score" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "columns": [ + { + "alignment": "left", + "columnId": "71a3581e-24ae-48d8-958d-c574488b2f48", + "isTransposed": false + }, + { + "columnId": "e6083dcb-9465-4007-a133-569f31fe732d", + "isTransposed": false + } + ], + "layerId": "dea45bd8-269e-48c4-98d3-fc47717ae139", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe", + "w": 24, + "x": 0, + "y": 28 + }, + "panelIndex": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe", + "title": "Top 10 AI Analyst Alerts with Highest Score [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-3bb3b1dd-30aa-46d6-8a14-32c14c706f47", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "3bb3b1dd-30aa-46d6-8a14-32c14c706f47": { + "columnOrder": [ + "266f7f3a-5f46-40c5-a716-b2aab1d49d51", + "36e2011c-141b-412b-a5fd-e5e9c62183ad" + ], + "columns": { + "266f7f3a-5f46-40c5-a716-b2aab1d49d51": { + "customLabel": true, + "dataType": "string", + "isBucketed": 
true, + "label": "Hostname", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "36e2011c-141b-412b-a5fd-e5e9c62183ad", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "size": 10 + }, + "scale": "ordinal", + "sourceField": "host.hostname" + }, + "36e2011c-141b-412b-a5fd-e5e9c62183ad": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "event.id" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "columns": [ + { + "columnId": "266f7f3a-5f46-40c5-a716-b2aab1d49d51", + "isTransposed": false + }, + { + "columnId": "36e2011c-141b-412b-a5fd-e5e9c62183ad", + "isTransposed": false + } + ], + "layerId": "3bb3b1dd-30aa-46d6-8a14-32c14c706f47", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 15, + "i": "930d2983-f872-4001-ba45-b44aee791167", + "w": 24, + "x": 24, + "y": 28 + }, + "panelIndex": "930d2983-f872-4001-ba45-b44aee791167", + "title": "Top 10 BreachDevices Hostname with Highest AI Analyst Alerts [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-9eda772e-1fbd-4296-a543-8bbd18b2359a", + "type": "index-pattern" + } + ], + "state": { + "datasourceStates": { + "indexpattern": { + "layers": { + "9eda772e-1fbd-4296-a543-8bbd18b2359a": { + "columnOrder": [ + 
"45d996c5-b696-4fff-8f83-78473cc7798f", + "252b0567-f0b1-4677-b6d8-e9d7a229431a" + ], + "columns": { + "252b0567-f0b1-4677-b6d8-e9d7a229431a": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Group Score", + "operationType": "max", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "darktrace.ai_analyst_alert.group_score" + }, + "45d996c5-b696-4fff-8f83-78473cc7798f": { + "customLabel": true, + "dataType": "string", + "isBucketed": true, + "label": "Alert Title", + "operationType": "terms", + "params": { + "missingBucket": false, + "orderBy": { + "columnId": "252b0567-f0b1-4677-b6d8-e9d7a229431a", + "type": "column" + }, + "orderDirection": "desc", + "otherBucket": false, + "parentFormat": { + "id": "terms" + }, + "secondaryFields": [], + "size": 10 + }, + "scale": "ordinal", + "sourceField": "event.reason" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + }, + "visualization": { + "columns": [ + { + "columnId": "252b0567-f0b1-4677-b6d8-e9d7a229431a", + "isTransposed": false + }, + { + "columnId": "45d996c5-b696-4fff-8f83-78473cc7798f", + "isTransposed": false, + "width": 551 + } + ], + "layerId": "9eda772e-1fbd-4296-a543-8bbd18b2359a", + "layerType": "data" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsDatatable" + }, + "enhancements": {}, + "hidePanelTitles": false + }, + "gridData": { + "h": 18, + "i": "7e4d0098-0cc8-403d-aaca-92758d697950", + "w": 48, + "x": 0, + "y": 43 + }, + "panelIndex": "7e4d0098-0cc8-403d-aaca-92758d697950", + "title": "Top 10 AI Analyst Alerts with Highest Group Score [Logs Darktrace]", + "type": "lens", + "version": "8.2.1" + }, + { + "embeddableConfig": { + "enhancements": {} + }, + "gridData": { + "h": 23, + "i": "4ce4eb50-af35-423a-b20f-61a715aa4388", + "w": 48, + "x": 0, + "y": 61 + }, + "panelIndex": 
"4ce4eb50-af35-423a-b20f-61a715aa4388", + "panelRefName": "panel_4ce4eb50-af35-423a-b20f-61a715aa4388", + "type": "search", + "version": "8.2.1" + } + ], + "timeRestore": false, + "title": "[Logs Darktrace] AI Analyst Alerts Overview", + "version": 1 + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-eb643d20-13a5-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "dashboard": "8.2.0" + }, + "references": [ + { + "id": "logs-*", + "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "e28c7c69-2ae8-46fd-b361-38be020491a8:6f5adda0-d13e-48e5-aead-37e6448b922a", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "be1b9c5a-2ea0-48ac-8ad6-221769ff83f9:68dafc9f-9ed2-4ef9-8587-14dba4241364", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "034d5870-b571-4276-9fad-1495a3665eed:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "034d5870-b571-4276-9fad-1495a3665eed:indexpattern-datasource-layer-1f84b818-192c-4dca-b929-1884e060576b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "034d5870-b571-4276-9fad-1495a3665eed:fb69f35b-439b-47fc-b942-15dc9d439f8b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "65f35405-87eb-4a98-a0c2-2e3c7426cb28:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": 
"65f35405-87eb-4a98-a0c2-2e3c7426cb28:indexpattern-datasource-layer-66afac91-ca1e-4a4a-ab0d-e18a2903ace7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "8882d78e-7df8-4d33-b7b5-e21f5d25dfe7:indexpattern-datasource-layer-effe003f-604a-49a3-a903-d4d2c75df944", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "6b003410-fd00-4dc5-b9c7-8bd1f711ffbe:indexpattern-datasource-layer-dea45bd8-269e-48c4-98d3-fc47717ae139", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "930d2983-f872-4001-ba45-b44aee791167:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "930d2983-f872-4001-ba45-b44aee791167:indexpattern-datasource-layer-3bb3b1dd-30aa-46d6-8a14-32c14c706f47", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7e4d0098-0cc8-403d-aaca-92758d697950:indexpattern-datasource-current-indexpattern", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "7e4d0098-0cc8-403d-aaca-92758d697950:indexpattern-datasource-layer-9eda772e-1fbd-4296-a543-8bbd18b2359a", + "type": "index-pattern" + }, + { + "id": "darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8", + "name": "4ce4eb50-af35-423a-b20f-61a715aa4388:panel_4ce4eb50-af35-423a-b20f-61a715aa4388", + "type": "search" + } + ], + "type": "dashboard" +} \ No newline at end of file diff --git a/packages/darktrace/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json new file mode 100644 index 00000000000..b520d9b6d92 --- /dev/null +++ b/packages/darktrace/kibana/search/darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8.json 
@@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "darktrace.model_breach_alert.pbid", + "rule.category", + "rule.name", + "event.risk_score", + "host.id" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.model_breach_alert\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "Model Breach Alerts Essential Details [Logs Darktrace]" + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-31a3f8a0-13a3-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/darktrace/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json new file mode 100644 index 00000000000..726cefb46b2 --- /dev/null +++ b/packages/darktrace/kibana/search/darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8.json 
@@ -0,0 +1,44 @@ +{ + "attributes": { + "columns": [ + "event.id", + "event.reason", + "darktrace.ai_analyst_alert.related_breaches.pbid", + "darktrace.ai_analyst_alert.attack_phases", + "event.risk_score" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.ai_analyst_alert\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "AI Analyst Alerts Essential Details [Logs Darktrace]" + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-c0e40350-13aa-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/darktrace/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json b/packages/darktrace/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json new file mode 100644 index 00000000000..49cb80e2e20 --- /dev/null +++ b/packages/darktrace/kibana/search/darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8.json 
@@ -0,0 +1,45 @@ +{ + "attributes": { + "columns": [ + "event.id", + "darktrace.system_status_alert.last_updated_status", + "host.ip", + "darktrace.system_status_alert.alert_name", + "event.risk_score", + "darktrace.system_status_alert.status" + ], + "description": "", + "grid": {}, + "hideChart": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"darktrace.system_status_alert\"" + } + } + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "title": "System Status Alerts Essential Details [Logs Darktrace]" + }, + "coreMigrationVersion": "8.2.1", + "id": "darktrace-fbf9cfc0-13b3-11ed-bdc1-9f13147efcf8", + "migrationVersion": { + "search": "8.0.0" + }, + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search" +} \ No newline at end of file diff --git a/packages/darktrace/manifest.yml b/packages/darktrace/manifest.yml new file mode 100644 index 00000000000..c3b0197f6b7 --- /dev/null +++ b/packages/darktrace/manifest.yml 
@@ -0,0 +1,136 @@
+format_version: 1.0.0
+name: darktrace
+title: Darktrace
+version: 0.1.0
+license: basic
+description: Collect logs from Darktrace with Elastic Agent.
+type: integration
+categories:
+ - security
+conditions:
+ kibana.version: ^8.2.1
+screenshots:
+ - src: /img/darktrace-screenshot.png
+ title: Darktrace Model Breach Alert Dashboard Screenshot
+ size: 600x600
+ type: image/png
+icons:
+ - src: /img/darktrace-logo.svg
+ title: Darktrace Logo
+ size: 32x32
+ type: image/svg+xml
+policy_templates:
+ - name: darktrace
+ title: Darktrace logs
+ description: Collect logs from Darktrace.
+ inputs:
+ - type: httpjson
+ title: Collect Darktrace logs via API
+ description: Collecting Darktrace logs via API.
+ vars:
+ - name: url
+ type: text
+ title: URL
+ description: Darktrace console URL.
+ required: true
+ - name: public_token
+ type: password
+ title: Public API Token
+ description: Public API Token.
+ required: true
+ - name: private_token
+ type: password
+ title: Private API Token
+ description: Private API Token.
+ required: true
+ - name: proxy_url
+ type: text
+ title: Proxy URL
+ multi: false
+ required: false
+ show_user: false
+ description: URL to proxy connections in the form of http[s]://:@:. Please ensure your username and password are in URL encoded format.
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - type: tcp
+ title: Collect Darktrace logs via TCP
+ description: Collecting Darktrace logs via TCP.
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for TCP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+ - name: ssl
+ type: yaml
+ title: SSL Configuration
+ description: i.e. certificate_authorities, supported_protocols, verification_mode etc.
+ multi: false
+ required: false
+ show_user: false
+ default: |
+ #certificate_authorities:
+ # - |
+ # -----BEGIN CERTIFICATE-----
+ # MIIDCjCCAfKgAwIBAgITJ706Mu2wJlKckpIvkWxEHvEyijANBgkqhkiG9w0BAQsF
+ # ADAUMRIwEAYDVQQDDAlsb2NhbGhvc3QwIBcNMTkwNzIyMTkyOTA0WhgPMjExOTA2
+ # MjgxOTI5MDRaMBQxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEB
+ # BQADggEPADCCAQoCggEBANce58Y/JykI58iyOXpxGfw0/gMvF0hUQAcUrSMxEO6n
+ # fZRA49b4OV4SwWmA3395uL2eB2NB8y8qdQ9muXUdPBWE4l9rMZ6gmfu90N5B5uEl
+ # 94NcfBfYOKi1fJQ9i7WKhTjlRkMCgBkWPkUokvBZFRt8RtF7zI77BSEorHGQCk9t
+ # /D7BS0GJyfVEhftbWcFEAG3VRcoMhF7kUzYwp+qESoriFRYLeDWv68ZOvG7eoWnP
+ # PsvZStEVEimjvK5NSESEQa9xWyJOmlOKXhkdymtcUd/nXnx6UTCFgnkgzSdTWV41
+ # CI6B6aJ9svCTI2QuoIq2HxX/ix7OvW1huVmcyHVxyUECAwEAAaNTMFEwHQYDVR0O
+ # BBYEFPwN1OceFGm9v6ux8G+DZ3TUDYxqMB8GA1UdIwQYMBaAFPwN1OceFGm9v6ux
+ # 8G+DZ3TUDYxqMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAG5D
+ # 874A4YI7YUwOVsVAdbWtgp1d0zKcPRR+r2OdSbTAV5/gcS3jgBJ3i1BN34JuDVFw
+ # 3DeJSYT3nxy2Y56lLnxDeF8CUTUtVQx3CuGkRg1ouGAHpO/6OqOhwLLorEmxi7tA
+ # H2O8mtT0poX5AnOAhzVy7QW0D/k4WaoLyckM5hUa6RtvgvLxOwA0U+VGurCDoctu
+ # 8F4QOgTAWyh8EZIwaKCliFRSynDpv3JTUwtfZkxo6K6nce1RhCWFAsMvDZL8Dgc0
+ # yvgJ38BRsFOtkRuAGSf6ZUwTO8JJRRIFnpUzXflAnGivK9M13D5GEQMmIl6U9Pvk
+ # sxSmbIUfc2SGJGCJD4I=
+ # -----END CERTIFICATE-----
+ - type: udp
+ title: Collect Darktrace logs via UDP
+ description: Collecting Darktrace logs via UDP.
+ vars:
+ - name: listen_address
+ type: text
+ title: Listen Address
+ description: The bind address to listen for UDP connections. Set to `0.0.0.0` to bind to all available interfaces.
+ multi: false
+ required: true
+ show_user: true
+ default: localhost
+owner:
+ github: elastic/security-external-integrations
From 36a61696f00a77f6a908d2ab4fa15e855ca6a925 Mon Sep 17 00:00:00 2001
From: vinit-elastic
Date: Tue, 16 Aug 2022 13:16:33 +0530
Subject: [PATCH 2/5] Update changelog file
---
 packages/darktrace/changelog.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
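Review bot: `proxy_url` on the httpjson input is declared `type: text` while its description instructs users to embed a username and password in the URL, so proxy credentials would be shown unmasked in the policy editor and rendered agent policy, unlike `public_token` and `private_token`, which are `type: password`. Either say so in the description, e.g. `description: URL to proxy connections in the form of http[s]://<user>:<password>@<host>:<port>. Credentials embedded here are stored in the agent policy unmasked; URL-encode the username and password.`, or move the credentials into a separate `password`-typed variable. As rendered here the description reads `http[s]://:@:`, which looks like the angle-bracket placeholders were lost, presumably on rendering; worth confirming the source file spells them out. Both `ssl` descriptions use `i.e.` to introduce a list of examples; `e.g.` is the intended word.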
diff --git a/packages/darktrace/changelog.yml b/packages/darktrace/changelog.yml
index 0da913124e3..f66c5d70aad 100644
--- a/packages/darktrace/changelog.yml
+++ b/packages/darktrace/changelog.yml
@@ -1,6 +1,6 @@
 # newer versions go on top
-- version: "0.1.0"
+- version: '0.1.0'
 changes:
- - description: Initial draft of the package
+ - description: Initial Release.
 type: enhancement
- link: https://github.com/elastic/integrations/pull/1 # FIXME Replace with the real PR link
+ link: https://github.com/elastic/integrations/pull/4001
From 54e142b80b9c7cf8d2d425ad08f0dbf12cc314bb Mon Sep 17 00:00:00 2001
From: vinit-elastic Date: Tue, 13 Sep 2022 18:34:52 +0530 Subject: [PATCH 3/5] updated the file names for the pipeline test --- ...st_alert.log => test-ai-analyst-alert.log} | 0 ...> test-ai-analyst-alert.log-expected.json} | 0 .../ai_analyst_alert/sample_event.json | 10 +++--- ..._alert.log => test-model-breach-alert.log} | 0 ...test-model-breach-alert.log-expected.json} | 0 .../model_breach_alert/sample_event.json | 10 +++--- ...alert.log => test-system-status-alert.log} | 0 ...est-system-status-alert.log-expected.json} | 0 .../system_status_alert/sample_event.json | 12 +++---- packages/darktrace/docs/README.md | 32 +++++++++---------- 10 files changed, 32 insertions(+), 32 deletions(-) rename packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/{test-ai_analyst_alert.log => test-ai-analyst-alert.log} (100%) rename packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/{test-ai_analyst_alert.log-expected.json => test-ai-analyst-alert.log-expected.json} (100%) rename packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/{test-model_breach_alert.log => test-model-breach-alert.log} (100%) rename packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/{test-model_breach_alert.log-expected.json => test-model-breach-alert.log-expected.json} (100%) rename packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/{test-system_status_alert.log => test-system-status-alert.log} (100%) rename packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/{test-system_status_alert.log-expected.json => test-system-status-alert.log-expected.json} (100%) 
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai-analyst-alert.log
similarity index 100%
rename from packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log
rename to packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai-analyst-alert.log
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log-expected.json b/packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai-analyst-alert.log-expected.json
similarity index 100%
rename from packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai_analyst_alert.log-expected.json
rename to packages/darktrace/data_stream/ai_analyst_alert/_dev/test/pipeline/test-ai-analyst-alert.log-expected.json
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json b/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json
index 874e417fb28..9f911a74c5e 100644
--- a/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json
+++ b/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2021-08-03T14:48:09.240Z",
 "agent": {
- "ephemeral_id": "a61287e5-6cac-4e83-8354-5cf118335548",
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "ephemeral_id": "4ac4165f-8807-44a4-8cbf-19c4ec914665",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.2.1"
@@ -147,7 +147,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "snapshot": false,
 "version": "8.2.1"
 },
@@ -164,7 +164,7 @@ "2021-08-03T14:15:41.220Z" ], "id": "eabc0011-1234-1234-1234-cabcdefg0011", - "ingested": "2022-08-09T07:46:07Z", + "ingested": "2022-09-13T09:53:57Z", "kind": "alert", "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique 
IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}",
 "reason": "Extensive Unusual SSH Connections",
@@ -190,7 +190,7 @@
 },
 "log": {
 "source": {
- "address": "172.18.0.6:49421"
+ "address": "172.18.0.7:40244"
 },
 "syslog": {
 "facility": {
diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log
similarity index 100%
rename from packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log
rename to packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log
diff --git a/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log-expected.json b/packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json
similarity index 100%
rename from packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model_breach_alert.log-expected.json
rename to packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json
diff --git a/packages/darktrace/data_stream/model_breach_alert/sample_event.json b/packages/darktrace/data_stream/model_breach_alert/sample_event.json
index e42d6626882..86288ae1920 100644
--- a/packages/darktrace/data_stream/model_breach_alert/sample_event.json
+++ b/packages/darktrace/data_stream/model_breach_alert/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2022-07-11T13:04:08.000Z",
 "agent": {
- "ephemeral_id": "a87de6d4-91d9-4fe3-8dc6-f55474c36e5a",
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "ephemeral_id": "7c606731-92cd-4bb6-90c1-cdaacf255188",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.2.1"
@@ -502,7 +502,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "snapshot": false,
 "version": "8.2.1"
 },
@@ -513,7 +513,7 @@ ], "created": "2022-07-11T13:04:19.000Z", "dataset": "darktrace.model_breach_alert", - "ingested": "2022-08-09T07:49:42Z", + "ingested": "2022-09-13T09:59:33Z", "kind": "event", "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
 "risk_score": 0.674,
@@ -539,7 +539,7 @@
 },
 "log": {
 "source": {
- "address": "172.18.0.6:42872"
+ "address": "172.18.0.7:57859"
 },
 "syslog": {
 "facility": {
diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system-status-alert.log
similarity index 100%
rename from packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log
rename to packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system-status-alert.log
diff --git a/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log-expected.json b/packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system-status-alert.log-expected.json
similarity index 100%
rename from packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system_status_alert.log-expected.json
rename to packages/darktrace/data_stream/system_status_alert/_dev/test/pipeline/test-system-status-alert.log-expected.json
diff --git a/packages/darktrace/data_stream/system_status_alert/sample_event.json b/packages/darktrace/data_stream/system_status_alert/sample_event.json
index 3ce190226cd..b7aa69a6f81 100644
--- a/packages/darktrace/data_stream/system_status_alert/sample_event.json
+++ b/packages/darktrace/data_stream/system_status_alert/sample_event.json
@@ -1,8 +1,8 @@
 {
 "@timestamp": "2021-04-18T15:44:11.000Z",
 "agent": {
- "ephemeral_id": "83012cf6-fcfe-431e-b964-8c92c95498b1",
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "ephemeral_id": "6043d9a9-f622-4d79-b15f-8f83b1f845af",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.2.1"
@@ -32,7 +32,7 @@
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "snapshot": false,
 "version": "8.2.1"
 },
@@ -40,7 +40,7 @@
 "agent_id_status": "verified",
 "dataset": "darktrace.system_status_alert",
 "id": "abcdabcd-1234-1234-1234-3abababcdcd3",
- "ingested": "2022-08-09T07:52:20Z",
+ "ingested": "2022-09-13T10:02:04Z",
 "kind": "alert",
 "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}",
 "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
@@ -55,11 +55,11 @@
 "ip": "175.16.199.1"
 },
 "input": {
- "type": "tcp"
+ "type": "udp"
 },
 "log": {
 "source": {
- "address": "172.18.0.6:44918"
+ "address": "172.18.0.7:39566"
 },
 "syslog": {
 "facility": {
diff --git a/packages/darktrace/docs/README.md b/packages/darktrace/docs/README.md
index 9b916acc857..bfe91fa79be 100644
--- a/packages/darktrace/docs/README.md
+++ b/packages/darktrace/docs/README.md
@@ -119,8 +119,8 @@ An example event for `ai_analyst_alert` looks as following:
 {
 "@timestamp": "2021-08-03T14:48:09.240Z",
 "agent": {
- "ephemeral_id": "a61287e5-6cac-4e83-8354-5cf118335548",
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "ephemeral_id": "4ac4165f-8807-44a4-8cbf-19c4ec914665",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.2.1"
@@ -265,7 +265,7 @@ An example event for `ai_analyst_alert` looks as following:
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "snapshot": false,
 "version": "8.2.1"
 },
@@ -282,7 +282,7 @@ An example event for `ai_analyst_alert` looks as following: "2021-08-03T14:15:41.220Z" ], "id": "eabc0011-1234-1234-1234-cabcdefg0011", - "ingested": "2022-08-09T07:46:07Z", + "ingested": "2022-09-13T09:53:57Z", "kind": "alert", "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH 
Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}",
 "reason": "Extensive Unusual SSH Connections",
@@ -308,7 +308,7 @@ An example event for `ai_analyst_alert` looks as following:
 },
 "log": {
 "source": {
- "address": "172.18.0.6:49421"
+ "address": "172.18.0.7:40244"
 },
 "syslog": {
 "facility": {
@@ -489,8 +489,8 @@ An example event for `model_breach_alert` looks as following:
 {
 "@timestamp": "2022-07-11T13:04:08.000Z",
 "agent": {
- "ephemeral_id": "a87de6d4-91d9-4fe3-8dc6-f55474c36e5a",
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "ephemeral_id": "7c606731-92cd-4bb6-90c1-cdaacf255188",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.2.1"
@@ -990,7 +990,7 @@ An example event for `model_breach_alert` looks as following:
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "snapshot": false,
 "version": "8.2.1"
 },
@@ -1001,7 +1001,7 @@ An example event for `model_breach_alert` looks as following: ], "created": "2022-07-11T13:04:19.000Z", "dataset": "darktrace.model_breach_alert", - "ingested": "2022-08-09T07:49:42Z", + "ingested": "2022-09-13T09:59:33Z", "kind": "event", "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}",
 "risk_score": 0.674,
@@ -1027,7 +1027,7 @@ An example event for `model_breach_alert` looks as following:
 },
 "log": {
 "source": {
- "address": "172.18.0.6:42872"
+ "address": "172.18.0.7:57859"
 },
 "syslog": {
 "facility": {
@@ -1288,8 +1288,8 @@ An example event for `system_status_alert` looks as following:
 {
 "@timestamp": "2021-04-18T15:44:11.000Z",
 "agent": {
- "ephemeral_id": "83012cf6-fcfe-431e-b964-8c92c95498b1",
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "ephemeral_id": "6043d9a9-f622-4d79-b15f-8f83b1f845af",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.2.1"
@@ -1319,7 +1319,7 @@ An example event for `system_status_alert` looks as following:
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "f2e6fbf4-2afd-4fa7-9d64-0b2e6b2af9f7",
+ "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
 "snapshot": false,
 "version": "8.2.1"
 },
@@ -1327,7 +1327,7 @@ An example event for `system_status_alert` looks as following: "agent_id_status": "verified", "dataset": "darktrace.system_status_alert", "id": "abcdabcd-1234-1234-1234-3abababcdcd3", - "ingested": "2022-08-09T07:52:20Z", + "ingested": "2022-09-13T10:02:04Z", "kind": "alert", "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", @@ -1342,11 +1342,11 @@ An example event for `system_status_alert` looks as following: "ip": "175.16.199.1" }, "input": { - "type": "tcp" + "type": "udp" }, "log": { "source": { - "address": "172.18.0.6:44918" + "address": "172.18.0.7:39566" }, "syslog": { "facility": { From 8a93f8ec6965c27dcd0c174485118e864960ce47 Mon Sep 17 00:00:00 2001 
From: vinit-elastic Date: Fri, 30 Sep 2022 22:46:05 +0530 Subject: [PATCH 4/5] Update request.timeout parameter, tag & user guide --- packages/darktrace/_dev/build/build.yml | 2 +- packages/darktrace/_dev/build/docs/README.md | 8 ---- .../_dev/deploy/docker/docker-compose.yml | 22 ++++----- .../_dev/deploy/docker/files/config.yml | 4 +- .../agent/stream/httpjson.yml.hbs | 4 +- .../ai_analyst_alert/fields/agent.yml | 13 ++--- .../data_stream/ai_analyst_alert/manifest.yml | 24 ++++++---- .../ai_analyst_alert/sample_event.json | 12 ++--- .../agent/stream/httpjson.yml.hbs | 4 +- .../model_breach_alert/fields/agent.yml | 10 ++-- .../model_breach_alert/manifest.yml | 24 ++++++---- .../model_breach_alert/sample_event.json | 12 ++--- .../system_status_alert/fields/agent.yml | 13 ++--- .../system_status_alert/manifest.yml | 8 ++-- .../system_status_alert/sample_event.json | 12 ++--- packages/darktrace/docs/README.md | 48 ++++++++----------- 16 files changed, 108 insertions(+), 112 deletions(-) diff --git a/packages/darktrace/_dev/build/build.yml b/packages/darktrace/_dev/build/build.yml index 2254d90483c..8d9e4bf7ac8 100644 --- a/packages/darktrace/_dev/build/build.yml +++ b/packages/darktrace/_dev/build/build.yml @@ -1,3 +1,3 @@ dependencies: ecs: - reference: git@v8.4.0-rc1 + reference: git@v8.4.0 diff --git a/packages/darktrace/_dev/build/docs/README.md b/packages/darktrace/_dev/build/docs/README.md index eeeb8975149..691837cee99 100644 --- a/packages/darktrace/_dev/build/docs/README.md +++ b/packages/darktrace/_dev/build/docs/README.md 
@@ -97,14 +97,6 @@ For more details, see [Documentation](https://customerportal.darktrace.com/produ **Note** : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts. - An FQDN can be configured from the **System** subsection on the **Settings** tab of the Darktrace **System Config** page. -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations**. -2. In the "Search for integrations" search bar, type **Darktrace**. -3. Click on **Darktrace** integration from the search results. -4. Click on **Add Darktrace** button to add Darktrace integration. -5. Enable the Integration with either via API or TCP or UDP input. - ## Logs reference ### ai_analyst_alert diff --git a/packages/darktrace/_dev/deploy/docker/docker-compose.yml b/packages/darktrace/_dev/deploy/docker/docker-compose.yml index 7d4d2e2a612..1eba57d48f2 100644 --- a/packages/darktrace/_dev/deploy/docker/docker-compose.yml +++ b/packages/darktrace/_dev/deploy/docker/docker-compose.yml 
@@ -1,59 +1,59 @@ version: '2.3' services: darktrace-ai_analyst_alert-tls: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=tls --insecure /sample_logs/ai_analyst_alert.log darktrace-ai_analyst_alert-tcp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9571 -p=tcp /sample_logs/ai_analyst_alert.log darktrace-ai_analyst_alert-udp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9574 -p=udp /sample_logs/ai_analyst_alert.log darktrace-model_breach_alert-tls: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9572 -p=tls --insecure /sample_logs/model_breach_alert.log darktrace-model_breach_alert-tcp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9572 -p=tcp /sample_logs/model_breach_alert.log darktrace-model_breach_alert-udp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9575 -p=udp /sample_logs/model_breach_alert.log darktrace-system_status_alert-tls: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 
volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9573 -p=tls --insecure /sample_logs/system_status_alert.log darktrace-system_status_alert-tcp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9573 -p=tcp /sample_logs/system_status_alert.log darktrace-system_status_alert-udp: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 volumes: - ./sample_logs:/sample_logs:ro command: log --start-signal=SIGHUP --delay=5s --addr elastic-agent:9576 -p=udp /sample_logs/system_status_alert.log darktrace: - image: docker.elastic.co/observability/stream:v0.7.0 + image: docker.elastic.co/observability/stream:v0.8.0 hostname: darktrace ports: - 8080 volumes: - ./files:/files:ro environment: - PORT: "8080" + PORT: '8080' command: - http-server - --addr=:8080 diff --git a/packages/darktrace/_dev/deploy/docker/files/config.yml b/packages/darktrace/_dev/deploy/docker/files/config.yml index d2f4b9e218b..6f06f666c65 100644 --- a/packages/darktrace/_dev/deploy/docker/files/config.yml +++ b/packages/darktrace/_dev/deploy/docker/files/config.yml 
@@ -1,12 +1,12 @@ rules: - path: /modelbreaches - methods: ["GET"] + methods: ['GET'] responses: - status_code: 200 body: | [{"model":{"name":"Device::Attack and Recon Tools","pid":135,"phid":1198,"uuid":"8abcdefg-1234-1234-1234-5abcdefg12","logic":{"data":[{"cid":2311,"weight":1},{"cid":2312,"weight":1},{"cid":2315,"weight":1},{"cid":2316,"weight":1},{"cid":2314,"weight":1},{"cid":2310,"weight":1},{"cid":2313,"weight":1}],"targetScore":1,"type":"weightedComponentList","version":1},"throttle":604800,"sharedEndpoints":false,"actions":{"alert":true,"antigena":{},"breach":true,"model":true,"setPriority":false,"setTag":false,"setType":false},"tags":["AP: Internal Recon","OT Engineer"],"interval":3600,"delay":0,"sequenced":false,"active":true,"modified":"2022-07-11 11:47:51","activeTimes":{"devices":{},"tags":{},"type":"exclusions","version":2},"autoUpdatable":true,"autoUpdate":true,"autoSuppress":true,"description":"A device is using common penetration testing tools.\\n\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future breaches. 
Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.","behaviour":"decreasing","created":{"by":"System"},"edited":{"by":"System"},"version":77,"priority":4,"category":"Suspicious","compliance":false},"device":{"did":7,"ip":"81.2.69.192","ips":[{"ip":"175.16.199.2","timems":1657746000000,"time":"2022-07-13 21:00:00","sid":1}],"sid":1,"hostname":"localhost.local","firstSeen":1657544891000,"lastSeen":1657748638000,"typename":"desktop","typelabel":"Desktop","credentials":["dummy"],"tags":[{"tid":66,"expiry":0,"thid":66,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":183,"description":""},"isReferenced":true},{"tid":29,"expiry":0,"thid":29,"name":"Linux","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true},{"tid":45,"expiry":0,"thid":45,"name":"New Device","restricted":false,"data":{"auto":false,"color":130,"description":"","visibility":"Public"},"isReferenced":true}]},"triggeredComponents":[{"time":1657748807000,"cbid":6,"cid":2311,"chid":2676,"size":1,"threshold":0,"interval":300,"logic":{"data":{"left":{"left":"A","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"B","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"O"}}}},"operator":"OR","right":{"left":{"left":"C","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"E","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"F","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"
G","operator":"AND","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"I","operator":"AND","right":{"left":"J","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"K","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"L","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"M","operator":"AND","right":"N"}}},"operator":"OR","right":{"left":"H","operator":"AND","right":{"left":"J","operator":"AND","right":{"left":"N","operator":"AND","right":"P"}}}}}}}}}}}}},"version":"v0.1"},"metric":{"mlid":16,"name":"connections","label":"Connections"},"triggeredFilters":[{"cfid":26781,"id":"H","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":26783,"id":"J","filterType":"Tagged internal source","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26787,"id":"N","filterType":"Tagged internal destination","arguments":{"value":12},"comparatorType":"does not have tag","trigger":{"value":"12","tag":{"tid":12,"expiry":0,"thid":12,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":26788,"id":"O","filterType":"User agent","arguments":{"value":"examples"},"comparatorType":"does not match regular expression","trigger":{"value":""}},{"cfid":26789,"id":"P","filterType":"URI","arguments":{"value":"examples"},"comparatorType":"matches 
regular expression","trigger":{"value":""}},{"cfid":26790,"id":"d1","filterType":"Proxied connection","arguments":{"value":"true"},"comparatorType":"display","trigger":{"value":"false"}},{"cfid":26791,"id":"d10","filterType":"HTTP response code","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":26792,"id":"d2","filterType":"HTTP referrer","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26793,"id":"d3","filterType":"HTTP method","arguments":{},"comparatorType":"display","trigger":{"value":"GET"}},{"cfid":26794,"id":"d4","filterType":"HTTP X-Forwarded-For","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26795,"id":"d5","filterType":"URI","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26796,"id":"d6","filterType":"User agent","arguments":{},"comparatorType":"display","trigger":{"value":""}},{"cfid":26797,"id":"d7","filterType":"Destination IP","arguments":{},"comparatorType":"display","trigger":{"value":"81.2.69.144"}},{"cfid":26798,"id":"d8","filterType":"Internal destination device name","arguments":{},"comparatorType":"display","trigger":{"value":"localhost.local"}},{"cfid":26799,"id":"d9","filterType":"Connection hostname","arguments":{},"comparatorType":"display","trigger":{"value":""}}]}],"breachUrl":"https://example.com/#modelbreach/6","pbid":6,"score":0.871,"commentCount":0,"creationTime":1657748815000,"time":1657748808000,"mitreTechniques":[{"technique":"Hardware Additions Mitigation","techniqueID":"T1200"}]}] - path: /aianalyst/incidentevents - methods: ["GET"] + methods: ['GET'] responses: - status_code: 200 body: | diff --git a/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs index 7a5327f9c6b..7f34d9e5ec4 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs 
+++ b/packages/darktrace/data_stream/ai_analyst_alert/agent/stream/httpjson.yml.hbs @@ -1,6 +1,5 @@ config_version: 2 interval: {{interval}} -request.timeout: 5m request.method: GET {{#if proxy_url}} request.proxy_url: {{proxy_url}} @@ -9,6 +8,9 @@ request.proxy_url: {{proxy_url}} request.ssl: {{ssl}} {{/if}} request.url: {{url}}/aianalyst/incidentevents?includeacknowledged=true&includeincidenteventurl=true +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} request.transforms: - set: target: header.DTAPI-Token diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml index 6e1bac042bc..10023a11743 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml +++ b/packages/darktrace/data_stream/ai_analyst_alert/fields/agent.yml @@ -163,21 +163,18 @@ description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean - description: > + description: >- If the host is a container. - - name: os.build type: keyword - example: "18D109" - description: > + example: '18D109' + description: >- OS build information. - - name: os.codename type: keyword - example: "stretch" - description: > + example: 'stretch' + description: >- OS codename, if any. - - name: input.type type: keyword description: Input type diff --git a/packages/darktrace/data_stream/ai_analyst_alert/manifest.yml b/packages/darktrace/data_stream/ai_analyst_alert/manifest.yml index 40bf35b3781..6e056b2c96d 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/manifest.yml +++ b/packages/darktrace/data_stream/ai_analyst_alert/manifest.yml 
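Review bot: The `{{#if http_client_timeout}}` guard around the new `request.timeout` line never has a false branch in practice, because the manifest in this same patch declares `http_client_timeout` as `required: true` with `default: 30s`; if the guard is meant to cover an empty value it would be cleaner to drop it and emit `request.timeout: {{http_client_timeout}}` unconditionally, or to make the option optional in the manifest so the fallback is deliberate. When the guard does evaluate false nothing replaces the removed `request.timeout: 5m`, so the input silently relies on httpjson's built-in timeout (30s, if I recall correctly) rather than any value visible in the package. The effective default also drops from 5m to 30s, and the model-breach endpoint with `includeacknowledged=true` presumably returns larger bodies, so it is worth confirming against a real instance that the shorter default does not cause requests to time out and be retried on every interval. The same change appears in `packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs`, and in both templates the `request.transforms` block continues past the hunk.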
@@ -9,7 +9,7 @@ streams: - name: initial_interval type: text title: Initial Interval - description: How far back to pull the AI Analyst Alert logs from Darktrace. + description: How far back to pull the AI Analyst Alert logs from Darktrace. NOTE:- Supported units for this parameter are h/m/s. multi: false required: true show_user: true @@ -17,11 +17,19 @@ streams: - name: interval type: text title: Interval - description: Duration between requests to the Darktrace API. + description: Duration between requests to the Darktrace API. NOTE:- Supported units for this parameter are h/m/s. default: 1m multi: false required: true show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s - name: tags type: text title: Tags @@ -30,7 +38,7 @@ streams: show_user: false default: - forwarded - - darktrace_ai_analyst_alert + - darktrace-ai_analyst_alert - name: preserve_original_event required: true show_user: true @@ -41,7 +49,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool @@ -88,7 +96,7 @@ streams: show_user: false default: - forwarded - - darktrace_ai_analyst_alert + - darktrace-ai_analyst_alert - name: preserve_original_event required: true show_user: true @@ -99,7 +107,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool 
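Review bot: The default tag in the `tags` option changes from `darktrace_ai_analyst_alert` to `darktrace-ai_analyst_alert` in three hunks here, yet the diffstat for this patch does not list `packages/darktrace/changelog.yml`. Policies created before the change presumably keep the stored tag while new ones get the new default, so any saved search, dashboard filter or detection rule keyed on the old tag would silently miss events from newer policies; the rename (and the `show_user: true` → `false` flip on `preserve_duplicate_custom_fields`) deserves a changelog entry that states both tags may coexist. The `NOTE:- Supported units for this parameter are h/m/s.` wording appended to `initial_interval` and `interval` reads awkwardly; I would write `Supported units are h, m and s.` The same edits are made to `packages/darktrace/data_stream/model_breach_alert/manifest.yml` further down in the patch.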
@@ -144,7 +152,7 @@ streams: show_user: false default: - forwarded - - darktrace_ai_analyst_alert + - darktrace-ai_analyst_alert - name: preserve_original_event required: true show_user: true @@ -155,7 +163,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.ai_analyst_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool diff --git a/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json b/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json index 9f911a74c5e..fa6272b4acc 100644 --- a/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json +++ b/packages/darktrace/data_stream/ai_analyst_alert/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2021-08-03T14:48:09.240Z", "agent": { - "ephemeral_id": "4ac4165f-8807-44a4-8cbf-19c4ec914665", - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.1" @@ -147,7 +147,7 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "snapshot": false, "version": "8.2.1" }, 
@@ -164,7 +164,7 @@ "2021-08-03T14:15:41.220Z" ], "id": "eabc0011-1234-1234-1234-cabcdefg0011", - "ingested": "2022-09-13T09:53:57Z", + "ingested": "2022-09-30T11:36:06Z", "kind": "alert", "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique 
IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}", "reason": "Extensive Unusual SSH Connections", @@ -190,7 +190,7 @@ }, "log": { "source": { - "address": "172.18.0.7:40244" + "address": "192.168.128.5:49066" }, "syslog": { "facility": { @@ -224,7 +224,7 @@ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", - "darktrace_ai_analyst_alert" + "darktrace-ai_analyst_alert" ], "threat": { "enrichments": { diff --git a/packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs b/packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs index 478772eb4c0..8201241e037 100644 --- a/packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs +++ b/packages/darktrace/data_stream/model_breach_alert/agent/stream/httpjson.yml.hbs @@ -1,6 +1,5 @@ config_version: 2 interval: {{interval}} -request.timeout: 5m request.method: GET {{#if proxy_url}} request.proxy_url: {{proxy_url}} @@ -9,6 +8,9 @@ request.proxy_url: {{proxy_url}} request.ssl: {{ssl}} {{/if}} request.url: {{url}}/modelbreaches?expandenums=true&historicmodelonly=true&includeacknowledged=true&includebreachurl=true +{{#if http_client_timeout}} +request.timeout: {{http_client_timeout}} +{{/if}} request.transforms: - set: target: header.DTAPI-Token 
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml b/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml index 6e1bac042bc..1f754679d06 100644 --- a/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml +++ b/packages/darktrace/data_stream/model_breach_alert/fields/agent.yml @@ -163,21 +163,19 @@ description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean - description: > + description: >- If the host is a container. - - name: os.build type: keyword - example: "18D109" + example: '18D109' description: > OS build information. - name: os.codename type: keyword - example: "stretch" - description: > + example: 'stretch' + description: >- OS codename, if any. - - name: input.type type: keyword description: Input type diff --git a/packages/darktrace/data_stream/model_breach_alert/manifest.yml b/packages/darktrace/data_stream/model_breach_alert/manifest.yml index ec908d91f93..1f16664378b 100644 --- a/packages/darktrace/data_stream/model_breach_alert/manifest.yml +++ b/packages/darktrace/data_stream/model_breach_alert/manifest.yml @@ -9,7 +9,7 @@ streams: - name: initial_interval type: text title: Initial Interval - description: How far back to pull the Model Breach Alert logs from Darktrace. + description: How far back to pull the Model Breach Alert logs from Darktrace. NOTE:- Supported units for this parameter are h/m/s. multi: false required: true show_user: true 
@@ -17,11 +17,19 @@ streams: - name: interval type: text title: Interval - description: Duration between requests to the Darktrace API. + description: Duration between requests to the Darktrace API. NOTE:- Supported units for this parameter are h/m/s. default: 1m multi: false required: true show_user: true + - name: http_client_timeout + type: text + title: HTTP Client Timeout + description: Duration before declaring that the HTTP client connection has timed out. NOTE:- Valid time units are ns, us, ms, s, m, h. + multi: false + required: true + show_user: false + default: 30s - name: tags type: text title: Tags @@ -30,7 +38,7 @@ streams: show_user: false default: - forwarded - - darktrace_model_breach_alert + - darktrace-model_breach_alert - name: preserve_original_event required: true show_user: true @@ -41,7 +49,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool @@ -88,7 +96,7 @@ streams: show_user: false default: - forwarded - - darktrace_model_breach_alert + - darktrace-model_breach_alert - name: preserve_original_event required: true show_user: true @@ -99,7 +107,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool @@ -144,7 +152,7 @@ streams: show_user: false default: - forwarded - - darktrace_model_breach_alert + - darktrace-model_breach_alert - name: preserve_original_event required: true show_user: true 
@@ -155,7 +163,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.model_breach_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool diff --git a/packages/darktrace/data_stream/model_breach_alert/sample_event.json b/packages/darktrace/data_stream/model_breach_alert/sample_event.json index 86288ae1920..87660729767 100644 --- a/packages/darktrace/data_stream/model_breach_alert/sample_event.json +++ b/packages/darktrace/data_stream/model_breach_alert/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2022-07-11T13:04:08.000Z", "agent": { - "ephemeral_id": "7c606731-92cd-4bb6-90c1-cdaacf255188", - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.1" @@ -502,7 +502,7 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "snapshot": false, "version": "8.2.1" }, 
@@ -513,7 +513,7 @@ ], "created": "2022-07-11T13:04:19.000Z", "dataset": "darktrace.model_breach_alert", - "ingested": "2022-09-13T09:59:33Z", + "ingested": "2022-09-30T11:39:13Z", "kind": "event", "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", "risk_score": 0.674, @@ -539,7 +539,7 @@ }, "log": { "source": { - "address": "172.18.0.7:57859" + "address": "192.168.128.5:60206" }, "syslog": { "facility": { @@ -578,6 +578,6 @@ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", - "darktrace_model_breach_alert" + "darktrace-model_breach_alert" ] } \ No newline at end of file diff --git a/packages/darktrace/data_stream/system_status_alert/fields/agent.yml b/packages/darktrace/data_stream/system_status_alert/fields/agent.yml index 6e1bac042bc..10023a11743 100644 --- a/packages/darktrace/data_stream/system_status_alert/fields/agent.yml +++ b/packages/darktrace/data_stream/system_status_alert/fields/agent.yml 
@@ -163,21 +163,18 @@ description: 'Type of host. For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' - name: containerized type: boolean - description: > + description: >- If the host is a container. - - name: os.build type: keyword - example: "18D109" - description: > + example: '18D109' + description: >- OS build information. - - name: os.codename type: keyword - example: "stretch" - description: > + example: 'stretch' + description: >- OS codename, if any. - - name: input.type type: keyword description: Input type diff --git a/packages/darktrace/data_stream/system_status_alert/manifest.yml b/packages/darktrace/data_stream/system_status_alert/manifest.yml index 58220c7cc80..1f115305dc3 100644 --- a/packages/darktrace/data_stream/system_status_alert/manifest.yml +++ b/packages/darktrace/data_stream/system_status_alert/manifest.yml @@ -34,7 +34,7 @@ streams: show_user: false default: - forwarded - - darktrace_system_status_alert + - darktrace-system_status_alert - name: preserve_original_event required: true show_user: true @@ -45,7 +45,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool @@ -90,7 +90,7 @@ streams: show_user: false default: - forwarded - - darktrace_system_status_alert + - darktrace-system_status_alert - name: preserve_original_event required: true show_user: true @@ -101,7 +101,7 @@ streams: default: false - name: preserve_duplicate_custom_fields required: true - show_user: true + show_user: false title: Preserve duplicate custom fields description: Preserve darktrace.system_status_alert fields that were copied to Elastic Common Schema (ECS) fields. type: bool 
diff --git a/packages/darktrace/data_stream/system_status_alert/sample_event.json b/packages/darktrace/data_stream/system_status_alert/sample_event.json index b7aa69a6f81..31283fa03ac 100644 --- a/packages/darktrace/data_stream/system_status_alert/sample_event.json +++ b/packages/darktrace/data_stream/system_status_alert/sample_event.json @@ -1,8 +1,8 @@ { "@timestamp": "2021-04-18T15:44:11.000Z", "agent": { - "ephemeral_id": "6043d9a9-f622-4d79-b15f-8f83b1f845af", - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.1" @@ -32,7 +32,7 @@ "version": "8.4.0" }, "elastic_agent": { - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "snapshot": false, "version": "8.2.1" }, 
@@ -40,7 +40,7 @@ "agent_id_status": "verified", "dataset": "darktrace.system_status_alert", "id": "abcdabcd-1234-1234-1234-3abababcdcd3", - "ingested": "2022-09-13T10:02:04Z", + "ingested": "2022-09-30T11:41:35Z", "kind": "alert", "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}", "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test", @@ -59,7 +59,7 @@ }, "log": { "source": { - "address": "172.18.0.7:39566" + "address": "192.168.128.5:36197" }, "syslog": { "facility": { @@ -87,6 +87,6 @@ "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", - "darktrace_system_status_alert" + "darktrace-system_status_alert" ] } \ No newline at end of file diff --git a/packages/darktrace/docs/README.md b/packages/darktrace/docs/README.md index bfe91fa79be..58620835f47 100644 --- a/packages/darktrace/docs/README.md +++ b/packages/darktrace/docs/README.md 
@@ -97,14 +97,6 @@ For more details, see [Documentation](https://customerportal.darktrace.com/produ **Note** : A Fully Qualified Domain Name (FQDN) must be configured for the Darktrace instance in order for links to be included in external alerts. - An FQDN can be configured from the **System** subsection on the **Settings** tab of the Darktrace **System Config** page. -### Enabling the integration in Elastic - -1. In Kibana go to **Management > Integrations**. -2. In the "Search for integrations" search bar, type **Darktrace**. -3. Click on **Darktrace** integration from the search results. -4. Click on **Add Darktrace** button to add Darktrace integration. -5. Enable the Integration with either via API or TCP or UDP input. - ## Logs reference ### ai_analyst_alert @@ -119,8 +111,8 @@ An example event for `ai_analyst_alert` looks as following: { "@timestamp": "2021-08-03T14:48:09.240Z", "agent": { - "ephemeral_id": "4ac4165f-8807-44a4-8cbf-19c4ec914665", - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "ephemeral_id": "82482032-e103-4c45-a00e-103ac604f4ae", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.1" @@ -265,7 +257,7 @@ An example event for `ai_analyst_alert` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "snapshot": false, "version": "8.2.1" }, 
@@ -282,7 +274,7 @@ An example event for `ai_analyst_alert` looks as following: "2021-08-03T14:15:41.220Z" ], "id": "eabc0011-1234-1234-1234-cabcdefg0011", - "ingested": "2022-09-13T09:53:57Z", + "ingested": "2022-09-30T11:36:06Z", "kind": "alert", "original": "{\"summariser\":\"AdminConnSummary\",\"acknowledged\":false,\"pinned\":true,\"createdAt\":1628002089240,\"attackPhases\":[5],\"title\":\"Extensive Unusual SSH Connections\",\"id\":\"eabc0011-1234-1234-1234-cabcdefg0011\",\"children\":[\"eabcdef0-1234-1234-1234-cabcdefghij9\"],\"category\":\"critical\",\"currentGroup\":\"eabc1234-1234-1234-1234-cabcdefg0011\",\"groupCategory\":\"critical\",\"groupScore\":\"72.9174234\",\"groupPreviousGroups\":null,\"activityId\":\"abcd1234\",\"groupingIds\":[\"abcdef12\"],\"groupByActivity\":false,\"userTriggered\":false,\"externalTriggered\":false,\"aiaScore\":98,\"summary\":\"The device 175.16.199.1 was observed making unusual internal SSH connections to a wide range of devices.\\n\\nThough this behaviour could be the result of legitimate remote access or administration, it could also be a sign of attempted lateral movement by a compromised machine.\\n\\nConsequently, if this activity was not expected, the security team may wish to investigate further.\",\"periods\":[{\"start\":1627985298683,\"end\":1628000141220}],\"breachDevices\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.144\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}],\"relatedBreaches\":[{\"modelName\":\"Unusual Activity / Unusual Activity from Re-Activated Device\",\"pbid\":1234,\"threatScore\":37,\"timestamp\":1627997157000}],\"details\":[[{\"header\":\"Breaching Device\",\"contents\":[{\"key\":null,\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":\"VPN\",\"did\":10,\"sid\":12}]}]}],[{\"header\":\"SSH 
Activity\",\"contents\":[{\"key\":\"Time\",\"type\":\"timestampRange\",\"values\":[{\"start\":1627985298683,\"end\":1628000141220}]},{\"key\":\"Number of unique IPs\",\"type\":\"integer\",\"values\":[16]},{\"key\":\"Targeted IP ranges include\",\"type\":\"device\",\"values\":[{\"identifier\":null,\"hostname\":null,\"ip\":\"81.2.69.192\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.1\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null},{\"identifier\":null,\"hostname\":null,\"ip\":\"175.16.199.3\",\"mac\":null,\"subnet\":null,\"did\":null,\"sid\":null}]},{\"key\":\"Destination port\",\"type\":\"integer\",\"values\":[22]},{\"key\":\"Connection count\",\"type\":\"integer\",\"values\":[40]},{\"key\":\"Percentage successful\",\"type\":\"percentage\",\"values\":[100]}]}]]}", "reason": "Extensive Unusual SSH Connections", @@ -308,7 +300,7 @@ An example event for `ai_analyst_alert` looks as following: }, "log": { "source": { - "address": "172.18.0.7:40244" + "address": "192.168.128.5:49066" }, "syslog": { "facility": { @@ -342,7 +334,7 @@ An example event for `ai_analyst_alert` looks as following: "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", - "darktrace_ai_analyst_alert" + "darktrace-ai_analyst_alert" ], "threat": { "enrichments": { 
@@ -446,7 +438,7 @@ An example event for `ai_analyst_alert` looks as following: | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword | | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword | | host.ip | Host ip addresses. | ip | -| host.mac | Host mac addresses. | keyword | +| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword | | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword | | host.os.build | OS build information. | keyword | | host.os.codename | OS codename, if any. | keyword | @@ -489,8 +481,8 @@ An example event for `model_breach_alert` looks as following: { "@timestamp": "2022-07-11T13:04:08.000Z", "agent": { - "ephemeral_id": "7c606731-92cd-4bb6-90c1-cdaacf255188", - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "ephemeral_id": "572d7663-c480-491f-b06f-96f0330cf942", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "name": "docker-fleet-agent", "type": "filebeat", "version": "8.2.1" @@ -990,7 +982,7 @@ An example event for `model_breach_alert` looks as following: "version": "8.4.0" }, "elastic_agent": { - "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee", + "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec", "snapshot": false, "version": "8.2.1" }, 
@@ -1001,7 +993,7 @@ An example event for `model_breach_alert` looks as following: ], "created": "2022-07-11T13:04:19.000Z", "dataset": "darktrace.model_breach_alert", - "ingested": "2022-09-13T09:59:33Z", + "ingested": "2022-09-30T11:39:13Z", "kind": "event", "original": "{\"commentCount\":0,\"pbid\":1,\"time\":1657544648000,\"creationTime\":1657544659000,\"aianalystData\":[{\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"related\":[1],\"summariser\":\"BeaconSummary\"}],\"model\":{\"name\":\"Compromise::Beaconing Activity To External Rare\",\"pid\":156,\"phid\":1072,\"uuid\":\"1234abcd-1234-1234-1234-123456abcdef\",\"logic\":{\"data\":[{\"cid\":2026,\"weight\":1},{\"cid\":2024,\"weight\":1},{\"cid\":2025,\"weight\":-100}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":10800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"antigena\":{},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"tags\":[\"AP: C2 Comms\"],\"interval\":10800,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2022-07-11 11:47:37\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device has been repeatedly connecting to a rare external location with a beacon score. A beacon score is added when Darktrace identifies that a device is regularly communicating with an endpoint, for example, if a device connects to a rare external endpoint every 12 minutes this would get a beacon score. 
This model is designed to identify beaconing at a lower threshold and be protocol agnostic.\\\\n\\\\nAction: Review the external domains and IPs being connected to to see if they are legitimate and would be expected for business purposes.\",\"behaviour\":\"incdec1\",\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":23,\"priority\":2,\"category\":\"Informational\",\"compliance\":false},\"triggeredComponents\":[{\"time\":1657544648000,\"cbid\":1,\"cid\":2026,\"chid\":2113,\"size\":11,\"threshold\":10,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AC\",\"operator\":\"AND\",\"right\":{\"left\":\"AD\",\"operator\":\"AND\",\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"AA\",\"operator\":\"AND\",\"right\":{\"left\":\"AB\",\"operator\":\"AND\",\"right\":{\"left\":\"AE\",\"operator\":\"AND\",
\"right\":{\"left\":\"AF\",\"operator\":\"AND\",\"right\":{\"left\":\"AG\",\"operator\":\"AND\",\"right\":{\"left\":\"AH\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":{\"left\":\"I\",\"operator\":\"AND\",\"right\":{\"left\":\"J\",\"operator\":\"AND\",\"right\":{\"left\":\"K\",\"operator\":\"AND\",\"right\":{\"left\":\"L\",\"operator\":\"AND\",\"right\":{\"left\":\"M\",\"operator\":\"AND\",\"right\":{\"left\":\"N\",\"operator\":\"AND\",\"right\":{\"left\":\"O\",\"operator\":\"AND\",\"right\":{\"left\":\"P\",\"operator\":\"AND\",\"right\":{\"left\":\"S\",\"operator\":\"AND\",\"right\":{\"left\":\"U\",\"operator\":\"AND\",\"right\":{\"left\":\"V\",\"operator\":\"AND\",\"right\":{\"left\":\"X\",\"operator\":\"AND\",\"right\":{\"left\":\"Y\",\"operator\":\"AND\",\"right\":\"Z\"}}}}}}}}}}}}}}}}}}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":1,\"name\":\"externalconnections\",\"label\":\"External Connections\"},\"triggeredFilters\":[{\"cfid\":23426,\"id\":\"A\",\"filterType\":\"Beaconing score\",\"arguments\":{\"value\":60},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23427,\"id\":\"AA\",\"filterType\":\"Individual size up\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"4382\"}},{\"cfid\":23428,\"id\":\"AB\",\"filterType\":\"Rare domain\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23430,\"id\":\"AD\",\"filterType\":\"Age of destination\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23431,\"id\":\"AE\",\"filterType\":\"Age of external hostname\",\"arguments\":{\"value\":1209600},\"comparatorType\":\"\u003c\",\"trigger\":{\"value\":\"558\"}},{\"cfid\":23432,\"id\":\"AF\",\"filterType\":\"Connection 
hostname\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"example.com\"}},{\"cfid\":23433,\"id\":\"AG\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"examples\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23434,\"id\":\"AH\",\"filterType\":\"JA3 hash\",\"arguments\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"},\"comparatorType\":\"does not match\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23435,\"id\":\"B\",\"filterType\":\"Rare external IP\",\"arguments\":{\"value\":95},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"100\"}},{\"cfid\":23436,\"id\":\"C\",\"filterType\":\"Application protocol\",\"arguments\":{\"value\":\"1003\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"1004\"}},{\"cfid\":23437,\"id\":\"D\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":53},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23438,\"id\":\"E\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":23439,\"id\":\"H\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":137},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23440,\"id\":\"I\",\"filterType\":\"Destination port\",\"arguments\":{\"value\":161},\"comparatorType\":\"!=\",\"trigger\":{\"value\":\"443\"}},{\"cfid\":23441,\"id\":\"J\",\"filterType\":\"Protocol\",\"arguments\":{\"value\":\"6\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23442,\"id\":\"K\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23443,\"id\":\"L\",\"filterType\":\"ASN\",\"arguments\":{\"value\":\"Company\"},\"comparatorType\":\"does not contain\",\"trigger\":{\"value\":\"AS12345 
LOCAL-02\"}},{\"cfid\":23444,\"id\":\"M\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"13\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23445,\"id\":\"N\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"5\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23446,\"id\":\"O\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"9\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23447,\"id\":\"P\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23448,\"id\":\"S\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"30\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23449,\"id\":\"U\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"4\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23450,\"id\":\"V\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"3\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":23451,\"id\":\"X\",\"filterType\":\"Trusted hostname\",\"arguments\":{\"value\":\"false\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"false\"}},{\"cfid\":23452,\"id\":\"Y\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":26},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"26\",\"tag\":{\"tid\":26,\"expiry\":0,\"thid\":26,\"name\":\"No Device Tracking\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":5,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":23453,\"id\":\"Z\",\"filterType\":\"Individual size down\",\"arguments\":{\"value\":0},\"comparatorType\":\"\u003e\",\"trigger\":{\"value\":\"5862\"}},{\"cfid\":23454,\"id\":\"d1\",\"filterType\":\"JA3 
hash\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"5d41402abc4b2a76b9719d911017c592\"}},{\"cfid\":23455,\"id\":\"d2\",\"filterType\":\"ASN\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"AS12345 LOCAL-02\"}},{\"cfid\":23456,\"id\":\"d3\",\"filterType\":\"Destination IP\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"81.2.69.192\"}},{\"cfid\":23457,\"id\":\"d4\",\"filterType\":\"Connection hostname\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"example.com\"}}]}],\"score\":0.674,\"device\":{\"did\":3,\"ip\":\"81.2.69.142\",\"sid\":1,\"firstSeen\":1657544089000,\"lastSeen\":1657544418000,\"typename\":\"desktop\",\"typelabel\":\"Desktop\"}}", "risk_score": 0.674, @@ -1027,7 +1019,7 @@ An example event for `model_breach_alert` looks as following: }, "log": { "source": { - "address": "172.18.0.7:57859" + "address": "192.168.128.5:60206" }, "syslog": { "facility": { @@ -1066,7 +1058,7 @@ An example event for `model_breach_alert` looks as following: "preserve_original_event", "preserve_duplicate_custom_fields", "forwarded", - "darktrace_model_breach_alert" + "darktrace-model_breach_alert" ] } ``` 
@@ -1238,7 +1230,7 @@ An example event for `model_breach_alert` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |
@@ -1288,8 +1280,8 @@ An example event for `system_status_alert` looks as following:
 {
 "@timestamp": "2021-04-18T15:44:11.000Z",
 "agent": {
- "ephemeral_id": "6043d9a9-f622-4d79-b15f-8f83b1f845af",
- "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
+ "ephemeral_id": "5b042cea-01fa-47a2-ab0f-ac1f7baa6bd2",
+ "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
 "name": "docker-fleet-agent",
 "type": "filebeat",
 "version": "8.2.1"
@@ -1319,7 +1311,7 @@ An example event for `system_status_alert` looks as following:
 "version": "8.4.0"
 },
 "elastic_agent": {
- "id": "1e1cf71d-3b74-43ea-a303-402e8ad7e0ee",
+ "id": "95d2bc73-8bc8-47d9-b36e-a21b58255eec",
 "snapshot": false,
 "version": "8.2.1"
 },
@@ -1327,7 +1319,7 @@ An example event for `system_status_alert` looks as following:
 "agent_id_status": "verified",
 "dataset": "darktrace.system_status_alert",
 "id": "abcdabcd-1234-1234-1234-3abababcdcd3",
- "ingested": "2022-09-13T10:02:04Z",
+ "ingested": "2022-09-30T11:41:35Z",
 "kind": "alert",
 "original": "{\"last_updated\":1618760651,\"uuid\":\"abcdabcd-1234-1234-1234-3abababcdcd3\",\"priority\":43,\"priority_level\":\"medium\",\"hostname\":\"example-vsensor\",\"ip_address\":\"175.16.199.1\",\"message\":\"There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test\",\"name\":\"advanced_search\",\"acknowledge_timeout\":null,\"alert_name\":\"Advanced Search\",\"child_id\":1,\"last_updated_status\":1618760651,\"status\":\"active\"}",
 "reason": "There have been no Advanced Search hits for this instance seen since Sun 18 April 2021 13:20:23 (UTC). If this is not expected behaviour, please open a ticket using the following link or get in touch with your Cyber Technology Specialist. https://example.com/test",
@@ -1346,7 +1338,7 @@ An example event for `system_status_alert` looks as following:
 },
 "log": {
 "source": {
- "address": "172.18.0.7:39566"
+ "address": "192.168.128.5:36197"
 },
 "syslog": {
 "facility": {
@@ -1374,7 +1366,7 @@ An example event for `system_status_alert` looks as following:
 "preserve_original_event",
 "preserve_duplicate_custom_fields",
 "forwarded",
- "darktrace_system_status_alert"
+ "darktrace-system_status_alert"
 ]
 }
 ```
From 0c1f8379d208430e6fd0e36edd00a85b2d0b6c5b Mon Sep 17 00:00:00 2001
From: vinit-elastic
Date: Mon, 3 Oct 2022 17:52:12 +0530
Subject: [PATCH 5/5] resolved build failed
---
 packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml | 2 --
 .../darktrace/data_stream/model_breach_alert/fields/ecs.yml | 2 --
 packages/darktrace/docs/README.md | 2 +-
 3 files changed, 1 insertion(+), 5 deletions(-)
diff --git a/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml b/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml
index 91f5c279f9e..4fcab038289 100644
--- a/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml
+++ b/packages/darktrace/data_stream/ai_analyst_alert/fields/ecs.yml
@@ -30,8 +30,6 @@ name: host.id
 - external: ecs
 name: host.ip
-- external: ecs
- name: host.mac
 - external: ecs
 name: host.name
 - external: ecs
diff --git a/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml b/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml
index d719265327f..2b34237b623 100644
--- a/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml
+++ b/packages/darktrace/data_stream/model_breach_alert/fields/ecs.yml
@@ -28,8 +28,6 @@ name: host.id
 - external: ecs
 name: host.ip
-- external: ecs
- name: host.mac
 - external: ecs
 name: host.type
 - external: ecs
diff --git a/packages/darktrace/docs/README.md b/packages/darktrace/docs/README.md
index 58620835f47..fe1804a8544 100644
--- a/packages/darktrace/docs/README.md
+++ b/packages/darktrace/docs/README.md
@@ -438,7 +438,7 @@ An example event for `ai_analyst_alert` looks as following:
 | host.hostname | Hostname of the host. It normally contains what the `hostname` command returns on the host machine. | keyword |
 | host.id | Unique host id. As hostname is not always unique, use values that are meaningful in your environment. Example: The current usage of `beat.name`. | keyword |
 | host.ip | Host ip addresses. | ip |
-| host.mac | Host MAC addresses. The notation format from RFC 7042 is suggested: Each octet (that is, 8-bit byte) is represented by two [uppercase] hexadecimal digits giving the value of the octet as an unsigned integer. Successive octets are separated by a hyphen. | keyword |
+| host.mac | Host mac addresses. | keyword |
 | host.name | Name of the host. It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use. | keyword |
 | host.os.build | OS build information. | keyword |
 | host.os.codename | OS codename, if any. | keyword |