Here are some experiences while using DarkTrace. I am putting them together as a note for myself.
Time Zone Change
By default, the incident log and breach log display timestamps in UTC. Click the date and time at the top right, search for your time zone, select the one you are in, and click the Set Time button to apply it.
Change Device Priority
Change Subnet Tracking Methods
For VPN subnets, it is recommended to use user tracking rather than DHCP tracking.
For subnets with no DHCP, the vendor recommends disabling DHCP tracking. New subnets are automatically added to Subnet Admin with DHCP tracking as the default.
TAXII Source Configuration
Two popular free TAXII sources:
Advanced Search Skills
Some Examples:
- @fields.conn_state (the analysis views offered for a field: Score, Trend, Terms, Stats)
- SSL to Ebay
@type:ssl AND @fields.subject:*eBay*
- SSH and RDP from a device
@fields.dest_port:"3389" OR @fields.dest_port:"22"
@type:ssh OR @type:rdp
- SHA1 hashes of all executable files observed over the last 48 hours
- Failed Kerberos events
@type:kerberos AND @fields.success:"false"
- Find all events for a connection
- Find the user agent and method of the last HTTP request sent by an IP
- Locate all DNS servers
- Find connections to external IP addresses using FTP
Find User Assigned to Specific IP
- Go to Advanced Search
- Search for '@type:kerberos AND @fields.source_ip:"10.10.12.3"' over the time period you are interested in.
- On the left-hand side of the page, click the '>' next to @fields.client to view the 'Score' and see which users appear in the Kerberos tickets.
- From that page, if you are interested in a specific user, click the magnifying glass in the 'Action' column to filter the results to just that user.
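To make the query syntax in the examples above concrete, here is a small evaluator written for this note; it is not Darktrace code and does not talk to an appliance. It parses the field:value / AND / OR / NOT / parentheses form used in the examples, runs it over a handful of constructed events laid out in the @type/@fields shape the queries refer to, and then tallies a field over the hits, which is what the 'Score' view does when you click '>' next to @fields.client. Matching is a simplification (whole-value, case-insensitive, with '*' as a wildcard), not the analyzer semantics of the real search backend.

```python
import re
from collections import Counter

# Constructed sample events modelled on the @type/@fields layout used by the
# queries above. These are made up for the example, not real appliance output.
EVENTS = [
    {"@type": "kerberos", "@fields": {"source_ip": "10.10.12.3", "client": "alice", "success": "true"}},
    {"@type": "kerberos", "@fields": {"source_ip": "10.10.12.3", "client": "alice", "success": "false"}},
    {"@type": "kerberos", "@fields": {"source_ip": "10.10.12.3", "client": "bob", "success": "true"}},
    {"@type": "kerberos", "@fields": {"source_ip": "10.10.12.9", "client": "carol", "success": "false"}},
    {"@type": "ssl", "@fields": {"source_ip": "10.10.12.3", "subject": "CN=www.ebay.com"}},
    {"@type": "conn", "@fields": {"source_ip": "10.10.12.3", "dest_port": "3389"}},
    {"@type": "conn", "@fields": {"source_ip": "10.10.12.9", "dest_port": "22"}},
]

# Tokens: parentheses, the boolean keywords, and field:value terms where the
# value is either double-quoted or a bare run of non-space characters.
TOKEN_RE = re.compile(r'\(|\)|\bAND\b|\bOR\b|\bNOT\b|[@\w.]+:(?:"[^"]*"|[^\s()]+)')


def lookup(event, path):
    """Resolve a dotted path such as '@fields.dest_port' against one event."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def term_matches(event, field, pattern):
    """Whole-value, case-insensitive match; '*' in the pattern is a wildcard."""
    value = lookup(event, field)
    if value is None:
        return False
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, str(value), re.IGNORECASE) is not None


def parse(tokens):
    """Recursive descent over the token list; returns a predicate on an event.
    Grammar: or_expr := and_expr (OR and_expr)*
             and_expr := unary (AND unary)*
             unary := NOT unary | '(' or_expr ')' | field:value
    AND binds tighter than OR, as in Lucene-style query syntax."""
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def or_expr():
        left = and_expr()
        while peek() == "OR":
            take()
            left = (lambda l, r: lambda e: l(e) or r(e))(left, and_expr())
        return left

    def and_expr():
        left = unary()
        while peek() == "AND":
            take()
            left = (lambda l, r: lambda e: l(e) and r(e))(left, unary())
        return left

    def unary():
        tok = take()
        if tok == "NOT":
            inner = unary()
            return lambda e: not inner(e)
        if tok == "(":
            inner = or_expr()
            if take() != ")":
                raise ValueError("expected ')'")
            return inner
        field, _, value = tok.partition(":")
        value = value.strip('"')
        return lambda e: term_matches(e, field, value)

    pred = or_expr()
    if pos != len(tokens):
        raise ValueError("unexpected token %r" % tokens[pos])
    return pred


def search(query, events=EVENTS):
    """Return the events matching a query string."""
    pred = parse(TOKEN_RE.findall(query))
    return [e for e in events if pred(e)]


def score(events, field):
    """Tally the distinct values of a field across events (the 'Score' view)."""
    return Counter(v for v in (lookup(e, field) for e in events) if v is not None)


if __name__ == "__main__":
    for q in ['@type:kerberos AND @fields.success:"false"',
              '@type:ssl AND @fields.subject:*eBay*',
              '@fields.dest_port:"3389" OR @fields.dest_port:"22"']:
        print(q, "->", len(search(q)), "events")
    # The "Find User Assigned to Specific IP" walk-through: filter Kerberos
    # events by source IP, then score @fields.client to see who used that host.
    print(score(search('@type:kerberos AND @fields.source_ip:"10.10.12.3"'), "@fields.client"))
```

Running it prints the hit count for each of the three queries and a tally of Kerberos client names for 10.10.12.3 (two tickets for alice, one for bob in the sample data); with more than one name in the tally, the IP was shared or re-assigned during the window, which is why the note suggests narrowing the time period before trusting the mapping.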