Issues with Darktrace Logs Not Showing in Wazuh Manager
Francisco Javier de la Puente Secades
I am currently facing issues with the integration between Darktrace and Wazuh, specifically regarding logs not being visible in the Wazuh Manager, despite logs from other systems being properly received and displayed. Below are the details of the setup and the challenges encountered:
Setup:
Darktrace is configured to send logs to a logserver, which in turn forwards these logs to the Wazuh Manager using both TCP and UDP protocols.
I have confirmed that the logserver is receiving the logs from Darktrace, but they are not showing up in Wazuh Manager, unlike logs from other sources.
The current Wazuh configuration includes two <remote> blocks for syslog connections, listening on ports 5144 and 5145 for specific IP addresses.
Here's an excerpt of the relevant configuration:
- <remote>
<connection>syslog</connection>
<port>5144</port>
<protocol>tcp</protocol>
<allowed-ips>10.5.2.10</allowed-ips>
<local_ip>10.7.0.92</local_ip>
</remote>
<remote>
<connection>syslog</connection>
<port>5145</port>
<protocol>tcp</protocol>
<allowed-ips>10.5.2.29</allowed-ips>
<local_ip>10.7.0.92</local_ip>
</remote>
Troubleshooting steps so far:
- Verified that Darktrace is sending logs in the correct format and to the right IP and ports.
- Used tcpdump to confirm that logs are reaching the logserver, but Wazuh does not seem to process or display them.
- Checked the Wazuh logs (/var/ossec/logs/ossec.log), but no clear error messages related to Darktrace logs have been found.
- Ensured that there are no firewall rules blocking traffic between the logserver and Wazuh.
- I suspect the issue might be related to the decoder or the format of the logs being sent from Darktrace, but I am unable to identify the specific cause. Maybe another possible cause it the size of the log sent.
Could you please assist with further troubleshooting or let me know if any additional steps are required to ensure Wazuh can correctly process and display Darktrace logs?
Thank you for your time and support.
Best regards,
Francisco de la Puente
Himanshu Sharma
Himanshu Sharma
Following your guidance, I found that Darktrace alerts were reaching the archives but not the alerts section in Wazuh. Therefore, I attempted to create a decoder:
darktrace_decoder:
<?xml version="1.0" encoding="utf-8"?> <wazuh_decoders> <decoder name="darktrace_logs"> <program_name>darktrace</program_name> <type>json</type> <json_path>full_log</json_path> <json_fields> <json_field name="model_name" json_path="model.name"/> <json_field name="model_description" json_path="model.description"/> </json_fields> </decoder> </wazuh_decoders>However, when I attempt to save it, I receive the following error:
Error: Could not upload decoder (1113) - XML syntax error at WzRequest.returnErrorInstance (https://10.7.0.92/49007/bundles/plugin/wazuh/wazuh.plugin.js:1:207836) at WzRequest.apiReq (https://10.7.0.92/49007/bundles/plugin/wazuh/wazuh.plugin.js:1:206978) at async resources_handler_ResourcesHandler.updateFile (https://10.7.0.92/49007/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2377378) at async file_editor_WzFileEditor.save (https://10.7.0.92/49007/bundles/plugin/wazuh/wazuh.chunk.3.js:1:2446875)I also created a rule, darktrace_rule, which I am unsure is correctly configured:
<group name="darktrace,"> <rule id="100001" level="3"> <decoded_as>darktrace_logs</decoded_as> <description>Alert from Darktrace</description> <options>no_full_log</options> <group>darktrace_alerts</group> <field name="model_name">*some_model_name*</field> <field name="model_priority">1</field> </rule> </group>Additionally, here is the log I obtained from Darktrace in archives for your reference:
{ "_index": "wazuh-archives-4.x-2024.10.17", "_id": "LTglmpIBc8sZCcxNvuB_", "_version": 1, "_score": null, "_source": { "predecoder": { "hostname": "10.5.2.29", "timestamp": "Oct 17 13:03:07" }, "agent": { "name": "wazuh-server", "id": "000" }, "manager": { "name": "wazuh-server" }, "rule": { "firedtimes": 3, "mail": false, "level": 2, "description": "Unknown problem somewhere in the system.", "groups": [ "syslog", "errors" ], "id": "1002", "gpg13": [ "4.3" ] }, "decoder": {}, "full_log": "Oct 17 13:03:07 10.5.2.29 darktrace {\"model\":{\"name\":\"Device::Attack and Recon Tools\",\"pid\":121,\"phid\":9141,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17604,\"weight\":1},{\"cid\":17605,\"weight\":1},{\"cid\":17606,\"weight\":1},{\"cid\":17607,\"weight\":1},{\"cid\":17608,\"weight\":1},{\"cid\":17609,\"weight\":1},{\"cid\":17610,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"model\":true,\"breach\":true,\"setTag\":false,\"setType\":false,\"antigena\":{},\"aianalyst\":{\"hypotheses\":[\"HttpAttackSummary\",\"ScanSummary\"]},\"setPriority\":false},\"tags\":[\"AP: Internal Recon\",\"OT Engineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2024-08-14 18:23:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device is using common penetration testing tools.\\\\\\n\\\\\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future alerts. Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":104,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"device\":{\"did\":3294,\"ip\":\"10.6.2.15\",\"ips\":[{\"ip\":\"10.6.2.10\",\"timems\":1729148400000,\"time\":\"2024-10-17 07:00:00\",\"sid\":4,\"subnet\":\"10.6.2.0/24\",\"subnetlabel\":\"V_Técnicos\",\"vlan\":0},{\"ip\":\"10.6.2.15\",\"timems\":1729159200000,\"time\":\"2024-10-17 10:00:00\",\"sid\":4,\"subnet\":\"10.6.2.0/24\",\"subnetlabel\":\"V_Técnicos\",\"vlan\":0}],\"sid\":4,\"hostname\":\"scayle-p109.dl.scayle.es\",\"firstSeen\":1729083270000,\"lastSeen\":1729162323000,\"os\":\"Windows\",\"ossource\":\"NTLM\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\",\"credentials\":[\"fpuente\",\"sinner\"],\"tags\":[{\"tid\":64,\"thid\":225,\"name\":\"Domain Authenticated\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true,\"expiry\":1730365637},{\"tid\":24,\"thid\":24,\"name\":\"Microsoft Windows\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":168,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true,\"expiry\":1730293012},{\"tid\":41,\"thid\":41,\"name\":\"New Device\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":130,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true,\"expiry\":1729688143}]},\"triggeredComponents\":[{\"time\":1729162982000,\"cbid\":14498,\"cid\":17605,\"chid\":26568,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNS Requests\"},\"triggeredFilters\":[{\"cfid\":220161,\"id\":\"A\",\"filterType\":\"DNS host lookup\",\"arguments\":{\"value\":\"(archive\\\\-.+\\\\.|http\\\\.)?kali(\\\\..+)?\"},\"comparatorType\":\"matches regular expression\",\"trigger\":{\"value\":\"kali.org\"}},{\"cfid\":220162,\"id\":\"B\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":220163,\"id\":\"C\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":17},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"17\",\"tag\":{\"tid\":17,\"thid\":17,\"name\":\"DNS Server\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"Devices receiving and making DNS queries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":220164,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":220165,\"id\":\"E\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":5},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"5\",\"tag\":{\"tid\":5,\"thid\":5,\"name\":\"Security Device\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":220168,\"id\":\"H\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":30},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"30\",\"tag\":{\"tid\":30,\"thid\":30,\"name\":\"Mail Server\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true}}},{\"cfid\":220170,\"id\":\"J\",\"filterType\":\"DNS host lookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"kali.org\"}},{\"cfid\":220171,\"id\":\"d1\",\"filterType\":\"DNS host lookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.org\"}}]}],\"breachUrl\":\"https://srv-darktrace.scayle.es/#modelbreach/10521\",\"pbid\":10521,\"score\":0.871,\"commentCount\":0,\"creationTime\":1729162986000,\"time\":1729162983000,\"mitreTechniques\":[{\"tactics\":[\"initial-access\"],\"technique\":\"Hardware Additions\",\"techniqueID\":\"T1200\"}]}", "input": { "type": "log" }, "@timestamp": "2024-10-17T11:03:34.817Z", "location": "10.5.2.10", "id": "1729163014.412665", "timestamp": "2024-10-17T11:03:34.817+0000" }, "fields": { "@timestamp": [ "2024-10-17T11:03:34.817Z" ], "timestamp": [ "2024-10-17T11:03:34.817Z" ] }, "highlight": { "predecoder.hostname": [ "@opensearch-dashboar...@10.5.2.29@/opensearch-dashboards-highlighted-field@" ], "full_log": [ "Oct 17 13:03:07 @opensearch-dashboar...@10.5.2.29@/opensearch-dashboards-highlighted-field@ darktrace {\"model\":{\"name\":\"Device::Attack and Recon Tools\",\"pid\":121,\"phid\":9141,\"uuid\":\"80010119-6d7f-0000-0305-5e0000000197\",\"logic\":{\"data\":[{\"cid\":17604,\"weight\":1},{\"cid\":17605,\"weight\":1},{\"cid\":17606,\"weight\":1},{\"cid\":17607,\"weight\":1},{\"cid\":17608,\"weight\":1},{\"cid\":17609,\"weight\":1},{\"cid\":17610,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"throttle\":604800,\"sharedEndpoints\":false,\"actions\":{\"alert\":true,\"model\":true,\"breach\":true,\"setTag\":false,\"setType\":false,\"antigena\":{},\"aianalyst\":{\"hypotheses\":[\"HttpAttackSummary\",\"ScanSummary\"]},\"setPriority\":false},\"tags\":[\"AP: Internal Recon\",\"OT Engineer\"],\"interval\":3600,\"delay\":0,\"sequenced\":false,\"active\":true,\"modified\":\"2024-08-14 18:23:27\",\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoUpdatable\":true,\"autoUpdate\":true,\"autoSuppress\":true,\"description\":\"A device is using common penetration testing tools.\\\\\\n\\\\\\nAction: Review the device to see if it a security device, these can be tagged as such to exclude them from future alerts. Activity from non security devices merit further investigation into what else the device is doing and could be a significant risk within the network.\",\"behaviour\":\"decreasing\",\"defeats\":[],\"created\":{\"by\":\"System\"},\"edited\":{\"by\":\"System\"},\"version\":104,\"mitre\":{\"tactics\":[\"initial-access\"],\"techniques\":[\"T1200\"]},\"priority\":4,\"category\":\"Suspicious\",\"compliance\":false},\"device\":{\"did\":3294,\"ip\":\"10.6.2.15\",\"ips\":[{\"ip\":\"10.6.2.10\",\"timems\":1729148400000,\"time\":\"2024-10-17 07:00:00\",\"sid\":4,\"subnet\":\"10.6.2.0/24\",\"subnetlabel\":\"V_Técnicos\",\"vlan\":0},{\"ip\":\"10.6.2.15\",\"timems\":1729159200000,\"time\":\"2024-10-17 10:00:00\",\"sid\":4,\"subnet\":\"10.6.2.0/24\",\"subnetlabel\":\"V_Técnicos\",\"vlan\":0}],\"sid\":4,\"hostname\":\"scayle-p109.dl.scayle.es\",\"firstSeen\":1729083270000,\"lastSeen\":1729162323000,\"os\":\"Windows\",\"ossource\":\"NTLM\",\"typename\":\"desktop\",\"typelabel\":\"Desktop\",\"credentials\":[\"fpuente\",\"sinner\"],\"tags\":[{\"tid\":64,\"thid\":225,\"name\":\"Domain Authenticated\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true,\"expiry\":1730365637},{\"tid\":24,\"thid\":24,\"name\":\"Microsoft Windows\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":168,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true,\"expiry\":1730293012},{\"tid\":41,\"thid\":41,\"name\":\"New Device\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":130,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true,\"expiry\":1729688143}]},\"triggeredComponents\":[{\"time\":1729162982000,\"cbid\":14498,\"cid\":17605,\"chid\":26568,\"size\":1,\"threshold\":0,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"J\"}}}}}},\"operator\":\"OR\",\"right\":{\"left\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"F\",\"operator\":\"AND\",\"right\":\"H\"}}}}},\"operator\":\"OR\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":{\"left\":\"C\",\"operator\":\"AND\",\"right\":{\"left\":\"D\",\"operator\":\"AND\",\"right\":{\"left\":\"E\",\"operator\":\"AND\",\"right\":{\"left\":\"G\",\"operator\":\"AND\",\"right\":{\"left\":\"H\",\"operator\":\"AND\",\"right\":\"I\"}}}}}}}},\"version\":\"v0.1\"},\"metric\":{\"mlid\":11,\"name\":\"dnsrequests\",\"label\":\"DNS Requests\"},\"triggeredFilters\":[{\"cfid\":220161,\"id\":\"A\",\"filterType\":\"DNS host lookup\",\"arguments\":{\"value\":\"(archive\\\\-.+\\\\.|http\\\\.)?kali(\\\\..+)?\"},\"comparatorType\":\"matches regular expression\",\"trigger\":{\"value\":\"kali.org\"}},{\"cfid\":220162,\"id\":\"B\",\"filterType\":\"Internal source device type\",\"arguments\":{\"value\":\"12\"},\"comparatorType\":\"is not\",\"trigger\":{\"value\":\"6\"}},{\"cfid\":220163,\"id\":\"C\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":17},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"17\",\"tag\":{\"tid\":17,\"thid\":17,\"name\":\"DNS Server\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":112,\"description\":\"Devices receiving and making DNS queries\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":220164,\"id\":\"D\",\"filterType\":\"Direction\",\"arguments\":{\"value\":\"out\"},\"comparatorType\":\"is\",\"trigger\":{\"value\":\"out\"}},{\"cfid\":220165,\"id\":\"E\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":5},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"5\",\"tag\":{\"tid\":5,\"thid\":5,\"name\":\"Security Device\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":55,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true}}},{\"cfid\":220168,\"id\":\"H\",\"filterType\":\"Tagged internal source\",\"arguments\":{\"value\":30},\"comparatorType\":\"does not have tag\",\"trigger\":{\"value\":\"30\",\"tag\":{\"tid\":30,\"thid\":30,\"name\":\"Mail Server\",\"restricted\":false,\"data\":{\"auto\":false,\"color\":200,\"description\":\"\"},\"isReferenced\":true}}},{\"cfid\":220170,\"id\":\"J\",\"filterType\":\"DNS host lookup\",\"arguments\":{\"value\":\"^kali\\\\.(by|hu|hr|cheng-tsui\\\\.com|tradair\\\\.com)$\"},\"comparatorType\":\"does not match regular expression\",\"trigger\":{\"value\":\"kali.org\"}},{\"cfid\":220171,\"id\":\"d1\",\"filterType\":\"DNS host lookup\",\"arguments\":{},\"comparatorType\":\"display\",\"trigger\":{\"value\":\"kali.org\"}}]}],\"breachUrl\":\"https://srv-darktrace.scayle.es/#modelbreach/10521\",\"pbid\":10521,\"score\":0.871,\"commentCount\":0,\"creationTime\":1729162986000,\"time\":1729162983000,\"mitreTechniques\":[{\"tactics\":[\"initial-access\"],\"technique\":\"Hardware Additions\",\"techniqueID\":\"T1200\"}]}" ] }, "sort": [ 1729163014817 ] }
If you need any other captures or logs in a different format, I will provide them as soon as possible.
Thank you for your assistance. I look forward to your response.
Best regards,
Francisco
Himanshu Sharma
I have created a sample custom decoder and rule for you. you can follow the below steps to add them to your environment. You can take the reference and change the decoder and rules according to your requirements.
Add the below configuration to /var/ossec/etc/decoders/local_decoder.xml or create the new file here.
<decoder name="custom_darktrace">
<prematch>darktrace_audit </prematch>
</decoder>
<decoder name="custom_darktrace-child">
<parent>custom_darktrace</parent>
<prematch type="pcre2">darktrace_audit </prematch>
<plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>Add the below configuration to /var/ossec/etc/rules/local_rules.xml or create the new file here. The description you can change accordingly.
<group name="custom_darktrace,">
<rule id="160501" level="3">
<decoded_as>custom_darktrace</decoded_as>
<field name="username">\.+</field>
<description>Darktrace event.</description>
</rule>
</group>Now restart your wazuh manager to apply changes.
Sample output:
Reference:
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html
https://documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/decoders.html
https://wazuh.com/blog/creating-decoders-and-rules-from-scratch/
Hope this information helps you. Please feel free to reach out to us for any information/issues.
Regards,
Hi Team,
Thank you for your message.
In the drive, you will find the requested log from the /var/ossec/logs/archives/archives.json file. Additionally, I've included a couple of screenshots showing the decoders and rules configurations. Please note that, at this point, we are using the default configurations, and no custom decoders or rules have been created yet.
Let me know if you need anything else.
Best regards,
Francisco
https://drive.google.com/file/d/1Ukyf34aQPVRJld1QtAeaB8Za8CHAQyPm/view?usp=sharing
Francisco Javier de la Puente Secades
Hi Team,
Thank you for your response; it has been very helpful. I’ve read through the tutorials, but I'm encountering difficulties when trying to edit or create a decoder. I keep receiving an XML error, and I'm unsure of the cause.
For example, here is a working example you provided:
However, this is my edited version, which does not work due to an XML error:
Could you please guide me on how to debug XML errors within this platform? Additionally, where can I find the rules and guidelines for these decoders?
Thank you for your assistance.
Best regards,
Francisco
Francisco Javier de la Puente Secades
I have managed to extract information and get it processed by the rule, but despite my attempts, I keep encountering syntax errors with the rules. My goal is to display some fields, such as device.hostname and model.name, for example.
Here is my decoder.xml configuration:
<decoder name="custom_darktrace">
<prematch>darktrace </prematch>
</decoder>
<decoder name="custom_darktrace-child">
<parent>custom_darktrace</parent>
<plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>
<parent>custom_darktrace</parent>
<prematch type="pcre2">darktrace_audit_mail </prematch>
<plugin_decoder offset="after_prematch">JSON_Decoder</plugin_decoder>
</decoder>
This is my rule.xml:
<group name="custom_darktrace">
<rule id="160501" level="9">
<decoded_as>custom_darktrace</decoded_as>
<description>Darktrace event.</description>
</rule>
</group>
Oct 29 13:26:39 srv-darktrace.scayle.es darktrace {"model":{"name":"Device::External Network Scan","pid":254,"phid":9347,"uuid":"1981466a-f741-4a61-bc6a-f81d7acd5739","category":"Informational","compliance":false},"device":{"did":3147,"ip":"10.6.2.102","ips":[{"ip":"10.6.2.102","timems":1730203200000,"time":"2024-10-29 12:00:00","sid":4,"subnet":"10.6.2.0/24","subnetlabel":"V_Técnicos","vlan":0},{"ip":"10.6.2.137","timems":1730116800000,"time":"2024-10-28 12:00:00","sid":4,"subnet":"10.6.2.0/24","subnetlabel":"V_Técnicos","vlan":0}],"sid":4,"hostname":"scayle-p111.dl.scayle.es","firstSeen":1723545694000,"lastSeen":1730204268000,"typename":"desktop","typelabel":"Desktop","credentials":["jgonzalez","dl\\jgonzalez"],"tags":[{"tid":64,"thid":225,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true,"expiry":1730701461},{"tid":78,"thid":178,"name":"High Risk","restricted":false,"data":{"auto":false,"color":7,"description":"","visibility":"Public"},"isReferenced":true,"expiry":1730377597},{"tid":24,"thid":24,"name":"Microsoft Windows","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true,"expiry":1730701461}]},"triggeredComponents":[{"time":1730204792000,"cbid":14659,"cid":18030,"chid":27226,"size":21,"threshold":20,"interval":60,"metric":{"mlid":1,"name":"externalconnections","label":"External Connections"},"triggeredFilters":[{"cfid":226434,"id":"C","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":226435,"id":"D","filterType":"Tagged internal source","arguments":{"value":5},"comparatorType":"does not have tag","trigger":{"value":"5","tag":{"tid":5,"thid":5,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":226436,"id":"E","filterType":"Tagged internal source","arguments":{"value":8},"comparatorType":"does not have tag","trigger":{"value":"8","tag":{"tid":8,"thid":8,"name":"Admin","restricted":false,"data":{"auto":false,"color":200,"description":"","visibility":""},"isReferenced":true}}},{"cfid":226437,"id":"F","filterType":"Tagged internal destination","arguments":{"value":5},"comparatorType":"does not have tag","trigger":{"value":"5","tag":{"tid":5,"thid":5,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":226438,"id":"H","filterType":"Source port","arguments":{"value":10000},"comparatorType":">","trigger":{"value":"48835"}},{"cfid":226439,"id":"I","filterType":"Destination port","arguments":{"value":10000},"comparatorType":"<","trigger":{"value":"135"}},{"cfid":226440,"id":"J","filterType":"Destination port","arguments":{"value":7680},"comparatorType":"!=","trigger":{"value":"135"}},{"cfid":226441,"id":"K","filterType":"Protocol","arguments":{"value":"6"},"comparatorType":"is","trigger":{"value":"6"}},{"cfid":226442,"id":"M","filterType":"Internal source device type","arguments":{"value":"9"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":226443,"id":"N","filterType":"Internal source device type","arguments":{"value":"13"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":226444,"id":"O","filterType":"Tagged internal destination","arguments":{"value":40},"comparatorType":"does not have tag","trigger":{"value":"40","tag":{"tid":40,"thid":40,"name":"Printer","restricted":false,"data":{"auto":false,"color":282,"description":"Printer device or Print server","visibility":"Public"},"isReferenced":true}}},{"cfid":226445,"id":"P","filterType":"Tagged internal destination","arguments":{"value":2},"comparatorType":"does not have tag","trigger":{"value":"2","tag":{"tid":2,"thid":151,"name":"Unusual Connectivity Excluded","restricted":true,"data":{"auto":true,"color":200,"description":""},"isReferenced":true}}},{"cfid":226446,"id":"Q","filterType":"Tagged internal source","arguments":{"value":54},"comparatorType":"does not have tag","trigger":{"value":"54","tag":{"tid":54,"thid":54,"name":"Microsoft ATP Scanning","restricted":false,"data":{"auto":false,"color":270,"description":"This device has initiated RDP connections indicative of Microsoft ATP Scanning within the past two hours.","visibility":"Public"},"isReferenced":true}}},{"cfid":226447,"id":"R","filterType":"Message","arguments":{"value":"A new failed"},"comparatorType":"contains","trigger":{"value":"A new failed connection externally on port 135"}},{"cfid":226448,"id":"S","filterType":"Individual size down","arguments":{"value":0},"comparatorType":"=","trigger":{"value":"0"}},{"cfid":226449,"id":"T","filterType":"Individual size up","arguments":{"value":0},"comparatorType":"=","trigger":{"value":"0"}},{"cfid":226450,"id":"U","filterType":"Destination port","arguments":{"value":8530},"comparatorType":"!=","trigger":{"value":"135"}},{"cfid":226451,"id":"V","filterType":"Tagged internal source","arguments":{"value":109},"comparatorType":"does not have tag","trigger":{"value":"109","tag":{"tid":109,"thid":109,"name":"Avast Scanning","restricted":false,"data":{"auto":false,"color":271,"description":"This device has initiated external connections indicative of Avast Scanning activity within the past two hours","visibility":"Public"},"isReferenced":true}}},{"cfid":226452,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"A new failed connection externally on port 135"}},{"cfid":226453,"id":"d2","filterType":"Individual size up","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":226454,"id":"d3","filterType":"Individual size down","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":226455,"id":"d4","filterType":"Destination port","arguments":{},"comparatorType":"display","trigger":{"value":"135"}},{"cfid":226456,"id":"d5","filterType":"Internal source device type","arguments":{},"comparatorType":"display","trigger":{"value":"6"}},{"cfid":226457,"id":"d6","filterType":"Internal source credential","arguments":{},"comparatorType":"display","trigger":{"value":"jgonzalez"}},{"cfid":226457,"id":"d6","filterType":"Internal source credential","arguments":{},"comparatorType":"display","trigger":{"value":"dl\\jgonzalez"}}]}],"breachUrl":"https://srv-darktrace.scayle.es/#modelbreach/10648","pbid":10648,"score":0.443,"commentCount":0,"creationTime":1730204798000,"time":1730204793000,"mitreTechniques":[{"tactics":["reconnaissance"],"technique":"Scanning IP Blocks","techniqueID":"T1595.001"}]}
Here is the test result:
**Messages:
INFO: (7202): Session initialized with token '593e2d9f'
**Phase 1: Completed pre-decoding.
full event: 'Oct 29 13:26:39 srv-darktrace.scayle.es darktrace {"model":{"name":"Device::External Network Scan","pid":254,"phid":9347,"uuid":"1981466a-f741-4a61-bc6a-f81d7acd5739","category":"Informational","compliance":false},"device":{"did":3147,"ip":"10.6.2.102","ips":[{"ip":"10.6.2.102","timems":1730203200000,"time":"2024-10-29 12:00:00","sid":4,"subnet":"10.6.2.0/24","subnetlabel":"V_Técnicos","vlan":0},{"ip":"10.6.2.137","timems":1730116800000,"time":"2024-10-28 12:00:00","sid":4,"subnet":"10.6.2.0/24","subnetlabel":"V_Técnicos","vlan":0}],"sid":4,"hostname":"scayle-p111.dl.scayle.es","firstSeen":1723545694000,"lastSeen":1730204268000,"typename":"desktop","typelabel":"Desktop","credentials":["jgonzalez","dl\\jgonzalez"],"tags":[{"tid":64,"thid":225,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true,"expiry":1730701461},{"tid":78,"thid":178,"name":"High Risk","restricted":false,"data":{"auto":false,"color":7,"description":"","visibility":"Public"},"isReferenced":true,"expiry":1730377597},{"tid":24,"thid":24,"name":"Microsoft Windows","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true,"expiry":1730701461}]},"triggeredComponents":[{"time":1730204792000,"cbid":14659,"cid":18030,"chid":27226,"size":21,"threshold":20,"interval":60,"metric":{"mlid":1,"name":"externalconnections","label":"External Connections"},"triggeredFilters":[{"cfid":226434,"id":"C","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":226435,"id":"D","filterType":"Tagged internal source","arguments":{"value":5},"comparatorType":"does not have tag","trigger":{"value":"5","tag":{"tid":5,"thid":5,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":226436,"id":"E","filterType":"Tagged internal source","arguments":{"value":8},"comparatorType":"does not have tag","trigger":{"value":"8","tag":{"tid":8,"thid":8,"name":"Admin","restricted":false,"data":{"auto":false,"color":200,"description":"","visibility":""},"isReferenced":true}}},{"cfid":226437,"id":"F","filterType":"Tagged internal destination","arguments":{"value":5},"comparatorType":"does not have tag","trigger":{"value":"5","tag":{"tid":5,"thid":5,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":226438,"id":"H","filterType":"Source port","arguments":{"value":10000},"comparatorType":">","trigger":{"value":"48835"}},{"cfid":226439,"id":"I","filterType":"Destination port","arguments":{"value":10000},"comparatorType":"<","trigger":{"value":"135"}},{"cfid":226440,"id":"J","filterType":"Destination port","arguments":{"value":7680},"comparatorType":"!=","trigger":{"value":"135"}},{"cfid":226441,"id":"K","filterType":"Protocol","arguments":{"value":"6"},"comparatorType":"is","trigger":{"value":"6"}},{"cfid":226442,"id":"M","filterType":"Internal source device type","arguments":{"value":"9"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":226443,"id":"N","filterType":"Internal source device type","arguments":{"value":"13"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":226444,"id":"O","filterType":"Tagged internal destination","arguments":{"value":40},"comparatorType":"does not have tag","trigger":{"value":"40","tag":{"tid":40,"thid":40,"name":"Printer","restricted":false,"data":{"auto":false,"color":282,"description":"Printer device or Print server","visibility":"Public"},"isReferenced":true}}},{"cfid":226445,"id":"P","filterType":"Tagged internal destination","arguments":{"value":2},"comparatorType":"does not have tag","trigger":{"value":"2","tag":{"tid":2,"thid":151,"name":"Unusual Connectivity Excluded","restricted":true,"data":{"auto":true,"color":200,"description":""},"isReferenced":true}}},{"cfid":226446,"id":"Q","filterType":"Tagged internal source","arguments":{"value":54},"comparatorType":"does not have tag","trigger":{"value":"54","tag":{"tid":54,"thid":54,"name":"Microsoft ATP Scanning","restricted":false,"data":{"auto":false,"color":270,"description":"This device has initiated RDP connections indicative of Microsoft ATP Scanning within the past two hours.","visibility":"Public"},"isReferenced":true}}},{"cfid":226447,"id":"R","filterType":"Message","arguments":{"value":"A new failed"},"comparatorType":"contains","trigger":{"value":"A new failed connection externally on port 135"}},{"cfid":226448,"id":"S","filterType":"Individual size down","arguments":{"value":0},"comparatorType":"=","trigger":{"value":"0"}},{"cfid":226449,"id":"T","filterType":"Individual size up","arguments":{"value":0},"comparatorType":"=","trigger":{"value":"0"}},{"cfid":226450,"id":"U","filterType":"Destination port","arguments":{"value":8530},"comparatorType":"!=","trigger":{"value":"135"}},{"cfid":226451,"id":"V","filterType":"Tagged internal source","arguments":{"value":109},"comparatorType":"does not have tag","trigger":{"value":"109","tag":{"tid":109,"thid":109,"name":"Avast Scanning","restricted":false,"data":{"auto":false,"color":271,"description":"This device has initiated external connections indicative of Avast Scanning activity within the past two hours","visibility":"Public"},"isReferenced":true}}},{"cfid":226452,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"A new failed connection externally on port 135"}},{"cfid":226453,"id":"d2","filterType":"Individual size up","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":226454,"id":"d3","filterType":"Individual size down","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":226455,"id":"d4","filterType":"Destination port","arguments":{},"comparatorType":"display","trigger":{"value":"135"}},{"cfid":226456,"id":"d5","filterType":"Internal source device type","arguments":{},"comparatorType":"display","trigger":{"value":"6"}},{"cfid":226457,"id":"d6","filterType":"Internal source credential","arguments":{},"comparatorType":"display","trigger":{"value":"jgonzalez"}},{"cfid":226457,"id":"d6","filterType":"Internal source credential","arguments":{},"comparatorType":"display","trigger":{"value":"dl\\jgonzalez"}}]}],"breachUrl":"https://srv-darktrace.scayle.es/#modelbreach/10648","pbid":10648,"score":0.443,"commentCount":0,"creationTime":1730204798000,"time":1730204793000,"mitreTechniques":[{"tactics":["reconnaissance"],"technique":"Scanning IP Blocks","techniqueID":"T1595.001"}]}'
timestamp: 'Oct 29 13:26:39'
hostname: 'srv-darktrace.scayle.es'
**Phase 2: Completed decoding.
name: 'custom_darktrace'
parent: 'custom_darktrace'
breachUrl: 'https://srv-darktrace.scayle.es/#modelbreach/10648'
commentCount: '0'
creationTime: '1730204798000.000000'
device.credentials: '["jgonzalez","dl\\jgonzalez"]'
device.did: '3147'
device.firstSeen: '1723545694000.000000'
device.hostname: 'scayle-p111.dl.scayle.es'
device.ip: '10.6.2.102'
device.ips: '[{"ip":"10.6.2.102","timems":1730203200000,"time":"2024-10-29 12:00:00","sid":4,"subnet":"10.6.2.0/24","subnetlabel":"V_Técnicos","vlan":0},{"ip":"10.6.2.137","timems":1730116800000,"time":"2024-10-28 12:00:00","sid":4,"subnet":"10.6.2.0/24","subnetlabel":"V_Técnicos","vlan":0}]'
device.lastSeen: '1730204268000.000000'
device.sid: '4'
device.tags: '[{"tid":64,"thid":225,"name":"Domain Authenticated","restricted":false,"data":{"auto":false,"color":200,"description":""},"isReferenced":true,"expiry":1730701461},{"tid":78,"thid":178,"name":"High Risk","restricted":false,"data":{"auto":false,"color":7,"description":"","visibility":"Public"},"isReferenced":true,"expiry":1730377597},{"tid":24,"thid":24,"name":"Microsoft Windows","restricted":false,"data":{"auto":false,"color":168,"description":"","visibility":"Public"},"isReferenced":true,"expiry":1730701461}]'
device.typelabel: 'Desktop'
device.typename: 'desktop'
mitreTechniques: '[{"tactics":["reconnaissance"],"technique":"Scanning IP Blocks","techniqueID":"T1595.001"}]'
model.category: 'Informational'
model.compliance: 'false'
model.name: 'Device::External Network Scan'
model.phid: '9347'
model.pid: '254'
model.uuid: '1981466a-f741-4a61-bc6a-f81d7acd5739'
pbid: '10648'
score: '0.443000'
time: '1730204793000.000000'
triggeredComponents: '[{"time":1730204792000,"cbid":14659,"cid":18030,"chid":27226,"size":21,"threshold":20,"interval":60,"metric":{"mlid":1,"name":"externalconnections","label":"External Connections"},"triggeredFilters":[{"cfid":226434,"id":"C","filterType":"Direction","arguments":{"value":"out"},"comparatorType":"is","trigger":{"value":"out"}},{"cfid":226435,"id":"D","filterType":"Tagged internal source","arguments":{"value":5},"comparatorType":"does not have tag","trigger":{"value":"5","tag":{"tid":5,"thid":5,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":226436,"id":"E","filterType":"Tagged internal source","arguments":{"value":8},"comparatorType":"does not have tag","trigger":{"value":"8","tag":{"tid":8,"thid":8,"name":"Admin","restricted":false,"data":{"auto":false,"color":200,"description":"","visibility":""},"isReferenced":true}}},{"cfid":226437,"id":"F","filterType":"Tagged internal destination","arguments":{"value":5},"comparatorType":"does not have tag","trigger":{"value":"5","tag":{"tid":5,"thid":5,"name":"Security Device","restricted":false,"data":{"auto":false,"color":55,"description":"","visibility":"Public"},"isReferenced":true}}},{"cfid":226438,"id":"H","filterType":"Source port","arguments":{"value":10000},"comparatorType":">","trigger":{"value":"48835"}},{"cfid":226439,"id":"I","filterType":"Destination port","arguments":{"value":10000},"comparatorType":"<","trigger":{"value":"135"}},{"cfid":226440,"id":"J","filterType":"Destination port","arguments":{"value":7680},"comparatorType":"!=","trigger":{"value":"135"}},{"cfid":226441,"id":"K","filterType":"Protocol","arguments":{"value":"6"},"comparatorType":"is","trigger":{"value":"6"}},{"cfid":226442,"id":"M","filterType":"Internal source device type","arguments":{"value":"9"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":226443,"id":"N","filterType":"Internal source device type","arguments":{"value":"13"},"comparatorType":"is not","trigger":{"value":"6"}},{"cfid":226444,"id":"O","filterType":"Tagged internal destination","arguments":{"value":40},"comparatorType":"does not have tag","trigger":{"value":"40","tag":{"tid":40,"thid":40,"name":"Printer","restricted":false,"data":{"auto":false,"color":282,"description":"Printer device or Print server","visibility":"Public"},"isReferenced":true}}},{"cfid":226445,"id":"P","filterType":"Tagged internal destination","arguments":{"value":2},"comparatorType":"does not have tag","trigger":{"value":"2","tag":{"tid":2,"thid":151,"name":"Unusual Connectivity Excluded","restricted":true,"data":{"auto":true,"color":200,"description":""},"isReferenced":true}}},{"cfid":226446,"id":"Q","filterType":"Tagged internal source","arguments":{"value":54},"comparatorType":"does not have tag","trigger":{"value":"54","tag":{"tid":54,"thid":54,"name":"Microsoft ATP Scanning","restricted":false,"data":{"auto":false,"color":270,"description":"This device has initiated RDP connections indicative of Microsoft ATP Scanning within the past two hours.","visibility":"Public"},"isReferenced":true}}},{"cfid":226447,"id":"R","filterType":"Message","arguments":{"value":"A new failed"},"comparatorType":"contains","trigger":{"value":"A new failed connection externally on port 135"}},{"cfid":226448,"id":"S","filterType":"Individual size down","arguments":{"value":0},"comparatorType":"=","trigger":{"value":"0"}},{"cfid":226449,"id":"T","filterType":"Individual size up","arguments":{"value":0},"comparatorType":"=","trigger":{"value":"0"}},{"cfid":226450,"id":"U","filterType":"Destination port","arguments":{"value":8530},"comparatorType":"!=","trigger":{"value":"135"}},{"cfid":226451,"id":"V","filterType":"Tagged internal source","arguments":{"value":109},"comparatorType":"does not have tag","trigger":{"value":"109","tag":{"tid":109,"thid":109,"name":"Avast Scanning","restricted":false,"data":{"auto":false,"color":271,"description":"This device has initiated external connections indicative of Avast Scanning activity within the past two hours","visibility":"Public"},"isReferenced":true}}},{"cfid":226452,"id":"d1","filterType":"Message","arguments":{},"comparatorType":"display","trigger":{"value":"A new failed connection externally on port 135"}},{"cfid":226453,"id":"d2","filterType":"Individual size up","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":226454,"id":"d3","filterType":"Individual size down","arguments":{},"comparatorType":"display","trigger":{"value":"0"}},{"cfid":226455,"id":"d4","filterType":"Destination port","arguments":{},"comparatorType":"display","trigger":{"value":"135"}},{"cfid":226456,"id":"d5","filterType":"Internal source device type","arguments":{},"comparatorType":"display","trigger":{"value":"6"}},{"cfid":226457,"id":"d6","filterType":"Internal source credential","arguments":{},"comparatorType":"display","trigger":{"value":"jgonzalez"}},{"cfid":226457,"id":"d6","filterType":"Internal source credential","arguments":{},"comparatorType":"display","trigger":{"value":"dl\\jgonzalez"}}]}]'
**Phase 3: Completed filtering (rules).
id: '160501'
level: '9'
description: 'Darktrace event.'
groups: '["custom_darktrace"]'
firedtimes: '1'
mail: 'false'
**Alert to be generated.
What changes can I make to display a field in the Wazuh discover?
I imagine that the changes should be made in the rule, but I'm not sure if it's here or in the decoder.
I don’t need someone to do it for me, but I would appreciate any guidance, as I haven't found much clarity in the available documentation and tutorials.
Thank you,
Francisco
Francisco Javier de la Puente Secades
Hi team,
With your permission, I’d like to follow up on this message, as it may have been overlooked when I responded to myself earlier.
I look forward to your response.
Kind regards,
Francisco