DarkTrace Usage Tips and Tricks

Here are some notes from my experience using DarkTrace, collected mainly as a reference for myself.



Time Zone Change

By default, the incident log and breach log display timestamps in the UTC time zone. Click the date and time at the top right, search for your time zone, select the one you are in, and click the Set Time to button to apply it.



Change Device Priority



Change Subnets Tracking Methods

For VPN subnets, it is recommended to use user tracking rather than DHCP tracking.

For subnets with no DHCP, the vendor recommends disabling DHCP tracking. Note that new subnets are added to Subnet Admin automatically with DHCP tracking as the default.



TAXII Source Configuration

Two popular free TAXII sources:
1. hailataxii.com, which authenticates with a username and password
2. otx.alienvault.com, which authenticates with an API key


Advanced Search Queries

[Screenshot placeholder: Advanced Search field panel for @fields.conn_state, with the Score, Trend, Terms and Stats views]

a. SSL to eBay
@type:ssl AND @fields.subject:*eBay*

b. SSH and RDP from a device
@fields.dest_port:"3389" OR @fields.dest_port:"22"
@type:ssh OR @type:rdp

c. SHA1 hashes of all executable files observed over the last 48 hours


d. Failed Kerberos events
@type:kerberos AND @fields.success:"false"

e. Find all events for a connection
@fields.uid:"<connection_uid>"


f. Find the user agent and method of the last HTTP request sent by an IP address

g. Locate all DNS servers

h. Find connections to external IP addresses using FTP
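To check what queries in this `@type:` / `@fields.<name>:` syntax actually match before running them against production data, here is a small Python evaluator, written as an added example (it is not DarkTrace's own code or API). The event records are constructed samples, and the evaluator assumes that AND binds tighter than OR, that unquoted terms may use * wildcards while quoted terms match exactly, and that matching is case-sensitive; the real Advanced Search analyzes fields according to its index mapping, so its results can differ.

```python
import fnmatch
import re

# Constructed sample records (not real DarkTrace data). The shape mirrors the
# @type / @fields.<name> naming used by the Advanced Search queries above.
EVENTS = [
    {"@type": "ssl", "@fields": {"subject": "CN=www.ebay.com,O=eBay Inc.", "dest_port": "443", "uid": "C1"}},
    {"@type": "ssh", "@fields": {"dest_port": "22", "uid": "C2"}},
    {"@type": "rdp", "@fields": {"dest_port": "3389", "uid": "C3"}},
    {"@type": "kerberos", "@fields": {"success": "false", "uid": "C4"}},
    {"@type": "kerberos", "@fields": {"success": "true", "uid": "C5"}},
    {"@type": "dns", "@fields": {"dest_port": "53", "uid": "C6"}},
]

# One term: field path, then either a "quoted" exact value or an unquoted value.
TERM = re.compile(r'^([@\w.]+):("([^"]*)"|(\S+))$')

def lookup(event, path):
    # "@fields.subject" -> event["@fields"]["subject"]; a missing key yields None.
    value = event
    for part in path.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    return value

def term_matches(event, term):
    m = TERM.match(term)
    if not m:
        raise ValueError(f"unsupported term: {term!r}")
    value = lookup(event, m.group(1))
    if value is None:
        return False
    if m.group(3) is not None:
        return str(value) == m.group(3)          # quoted: exact match
    return fnmatch.fnmatchcase(str(value), m.group(4))  # unquoted: * wildcards

def query_matches(event, query):
    # Toy precedence assumption: AND binds tighter than OR; no NOT, no parentheses.
    return any(all(term_matches(event, t) for t in re.split(r"\s+AND\s+", clause))
               for clause in re.split(r"\s+OR\s+", query.strip()))

def search(query, events=EVENTS):
    # Return the connection uids of matching events, in input order.
    return [e["@fields"]["uid"] for e in events if query_matches(e, query)]
```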