Latest Posts

DarkTrace Usage Tips and Tricks

Here are some experiences while using DarkTrace. I am putting them together as a note for myself.



Time Zone Change

By default, your incident log, breach log will using UTC time zone to display logs. Click Top Right date and time and search your time zone , then select the one you are in, click Set Time to button to apply.



Change Device Priority






Change Subnets Tracking Methods

For VPN Subnets, it is recommended to use user tracking , rather than using dhcp tracking.

For subnets where there is no DHCP, vendor does recommend disabling DHCP tracking. New subnets are automatically added to subnet admin with DHCP as the default.



TAXII Source Configuration

Two popular free Taxii sources:
1. hailataxii.com - using username and password
2. otx.allenvault.com - using api key









Advanced Search Skills

Some Examples::

  • @fields.conn_state 

Score

Trend

Terms

Stats






  • SSL to Ebay
@type:ssl AND @fields.subject:*eBay*

  • SSH and RDP from a device
 @fields.dest_port:"3389" OR  @fields.dest_port:"22" 
@type:ssh OR @type:rdp

  • SHA1 hashes of all executable files observed over last 48hrs


  • failed kerberos type events
@type:kerberos AND @fields.success:"false"


  • find all events for a connection
@fields:uid:"<connection_uid>"


  • Find user agent and method of the last http request send by an ip


  • Locate all DNS Servers


  • Find connections to external IP Addresses using FTP 



Find User Assigned to Specific IP

  1. Go to Advanced Search 
  2. Search for '@type:kerberos AND @fields.source_ip:"10.10.12.3"' over the time period you are interested in. 
  3. On the left hand side of the page, if you click the '>' next to @field.client you can view the 'Score' and see which users are shown in the Kerberos tickets. 
  4. From that page, if you are interested in a specific user you can click the magnifying glass in the 'Action' column and to filter results to just that user.




Search RDP User

@type:"rdp" AND @fields.desk_ip:192.168.2.200






No comments