Copy file name to clipboardExpand all lines: packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json
"name": "Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block",
2283
+
"description": "A device has been blocked transferring large volumes of data internally.\n\nAction: Review the device's other alerts to see the activities the device has been conducting. Clear any active blocks if the alert was considered to be legitimate.",
2284
+
"category": "Informational",
2285
+
"uuid": "00000000-0000-0000-0000-000000000000",
2286
+
"version": "17"
2287
+
},
2288
+
"event": {
2289
+
"severity": 2,
2290
+
"original": "{\"acknowledged\":{\"time\":1733838122000,\"username\":\"[email protected]\"},\"breachUrl\":\"https://redacted.local/#modelbreach/36725\",\"commentCount\":0,\"creationTime\":1733813400000,\"device\":{\"devicelabel\":\"test_device\",\"did\":18390,\"firstSeen\":1731062390000,\"generatedlabel\":true,\"lastSeen\":1736249138000,\"os\":\"Windows NT kernel\",\"sid\":-6,\"typelabel\":\"Desktop\",\"typename\":\"desktop\"},\"devicepercentscore\":44,\"devicescore\":0.439,\"did\":18390,\"model\":{\"actions\":{\"aianalyst\":{\"hypotheses\":[]},\"alert\":true,\"antigena\":{\"action\":\"automatic\",\"confirm\":false,\"duration\":3600,\"threshold\":\"20\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"active\":true,\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoSuppress\":false,\"autoUpdatable\":true,\"autoUpdate\":true,\"behaviour\":\"decreasing\",\"category\":\"Informational\",\"compliance\":false,\"created\":{\"by\":\"System\"},\"defeats\":[[{\"arguments\":{\"value\":\"REDACTED_IP\"},\"comparator\":\"matches\",\"defeatID\":1,\"filtertype\":\"Destination IP\"},{\"arguments\":{\"value\":\"REDACTED_CIDR\"},\"comparator\":\"matches\",\"defeatID\":\"1-1\",\"filtertype\":\"Source IP\"},{\"arguments\":{\"value\":\"1150\"},\"comparator\":\"=\",\"defeatID\":\"1-2\",\"filtertype\":\"Destination port\"}]],\"delay\":0,\"description\":\"A device has been blocked transferring large volumes of data internally.\\n\\nAction: Review the device's other alerts to see the activities the device has been conducting. 
Clear any active blocks if the alert was considered to be legitimate.\",\"edited\":{\"by\":\"[email protected]\",\"userID\":17},\"interval\":3600,\"logic\":{\"data\":[{\"cid\":67318,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"mitre\":{\"tactics\":[\"defense-evasion\",\"exfiltration\"],\"techniques\":[\"T1030\",\"T1070.004\"]},\"modified\":\"2024-11-19 13:45:36\",\"name\":\"Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block\",\"phid\":10256,\"pid\":90,\"priority\":2,\"sequenced\":false,\"sharedEndpoints\":false,\"tags\":[],\"throttle\":3600,\"uuid\":\"00000000-0000-0000-0000-000000000000\",\"version\":17},\"pbid\":36725,\"pbscore\":0.586,\"percentscore\":44,\"score\":0.439,\"time\":1733813389000,\"triggeredComponents\":[{\"cbid\":45710,\"chid\":77645,\"cid\":67318,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"D\"}}},\"version\":\"v0.1\"},\"metric\":{\"label\":\"Model\",\"mlid\":234,\"name\":\"dtmodelbreach\"},\"size\":1,\"threshold\":0,\"time\":1733813388000,\"triggeredFilters\":[{\"arguments\":{\"value\":\"Unusual Activity / Internal Data Transfer\"},\"cfid\":340800,\"comparatorType\":\"matches\",\"filterType\":\"Message\",\"id\":\"A\",\"trigger\":{\"value\":\"Unusual Activity / Internal Data Transfer\"}},{\"arguments\":{\"value\":50},\"cfid\":340801,\"comparatorType\":\">\",\"filterType\":\"Strength of model breach\",\"id\":\"B\",\"trigger\":{\"value\":\"71\"}},{\"arguments\":{\"value\":16},\"cfid\":340802,\"comparatorType\":\"has tag\",\"filterType\":\"Tagged internal source\",\"id\":\"C\",\"trigger\":{\"tag\":{\"data\":{\"auto\":false,\"color\":92,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true,\"name\":\"Antigena 
All\",\"restricted\":false,\"thid\":289,\"tid\":16},\"value\":\"16\"}},{\"arguments\":{},\"cfid\":340804,\"comparatorType\":\"display\",\"filterType\":\"Message\",\"id\":\"d1\",\"trigger\":{\"value\":\"Unusual Activity / Internal Data Transfer\"}}]}]}",
"description": "A device has been blocked transferring large volumes of data internally.\n\nAction: Review the device's other alerts to see the activities the device has been conducting. Clear any active blocks if the alert was considered to be legitimate.",
2345
+
"defeats": [
2346
+
[
2347
+
{
2348
+
"id": "1",
2349
+
"comparator": "matches",
2350
+
"arguments": {
2351
+
"value": "REDACTED_IP"
2352
+
},
2353
+
"filtertype": "Destination IP"
2354
+
},
2355
+
{
2356
+
"id": "1-1",
2357
+
"comparator": "matches",
2358
+
"arguments": {
2359
+
"value": "REDACTED_CIDR"
2360
+
},
2361
+
"filtertype": "Source IP"
2362
+
},
2363
+
{
2364
+
"id": "1-2",
2365
+
"comparator": "=",
2366
+
"arguments": {
2367
+
"value": "1150"
2368
+
},
2369
+
"filtertype": "Destination port"
2370
+
}
2371
+
]
2372
+
],
2373
+
"is_auto_suppress": false,
2374
+
"is_sequenced": false,
2375
+
"in_compliance_behavior_category": false,
2376
+
"is_auto_updatable": true,
2377
+
"modified": "2024-11-19T13:45:36.000Z",
2378
+
"name": "Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block",
2379
+
"behaviour": "decreasing",
2380
+
"category": "Informational",
2381
+
"created": {
2382
+
"by": "System"
2383
+
},
2384
+
"interval": 3600,
2385
+
"logic": {
2386
+
"data_weighted_component_list": [
2387
+
{
2388
+
"weight": 1,
2389
+
"cid": 67318
2390
+
}
2391
+
],
2392
+
"target_score": 1,
2393
+
"type": "weightedComponentList",
2394
+
"version": 1
2395
+
},
2396
+
"actions": {
2397
+
"is_alerting": true,
2398
+
"is_tag_set": false,
2399
+
"is_type_set": false,
2400
+
"antigena": {
2401
+
"action": "automatic",
2402
+
"duration": 3600,
2403
+
"threshold": 20,
2404
+
"is_confirm_by_human_operator": false
2405
+
},
2406
+
"model": true,
2407
+
"is_priority_set": false,
2408
+
"is_breach": true
2409
+
}
2410
+
},
2411
+
"device_score": 0.439,
2412
+
"device": {
2413
+
"first_seen": "2024-11-08T10:39:50.000Z",
2414
+
"type_label": "Desktop",
2415
+
"type_name": "desktop",
2416
+
"last_seen": "2025-01-07T11:25:38.000Z",
2417
+
"sid": -6,
2418
+
"did": 18390
2419
+
},
2420
+
"triggered_components": [
2421
+
{
2422
+
"triggered_filters": [
2423
+
{
2424
+
"cfid": 340800,
2425
+
"comparator_type": "matches",
2426
+
"filter_type": "Message",
2427
+
"arguments": {
2428
+
"value": "Unusual Activity / Internal Data Transfer"
2429
+
},
2430
+
"id": "A",
2431
+
"trigger": {
2432
+
"value": "Unusual Activity / Internal Data Transfer"
2433
+
}
2434
+
},
2435
+
{
2436
+
"cfid": 340801,
2437
+
"comparator_type": ">",
2438
+
"filter_type": "Strength of model breach",
2439
+
"arguments": {
2440
+
"value": 50
2441
+
},
2442
+
"id": "B",
2443
+
"trigger": {
2444
+
"value": "71"
2445
+
}
2446
+
},
2447
+
{
2448
+
"cfid": 340802,
2449
+
"comparator_type": "has tag",
2450
+
"filter_type": "Tagged internal source",
2451
+
"arguments": {
2452
+
"value": 16
2453
+
},
2454
+
"id": "C",
2455
+
"trigger": {
2456
+
"value": "16",
2457
+
"tag": {
2458
+
"data": {
2459
+
"auto": false,
2460
+
"color": 92,
2461
+
"visibility": "Public"
2462
+
},
2463
+
"restricted": false,
2464
+
"name": "Antigena All",
2465
+
"thid": 289,
2466
+
"is_referenced": true,
2467
+
"tid": 16
2468
+
}
2469
+
}
2470
+
},
2471
+
{
2472
+
"cfid": 340804,
2473
+
"id": "d1",
2474
+
"trigger": {
2475
+
"value": "Unusual Activity / Internal Data Transfer"
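--- a/packages/darktrace/docs/README.md
+++ b/packages/darktrace/docs/README.md
@@ -1086,7 +1086,7 @@ An example event for `model_breach_alert` looks as following:
 | darktrace.model_breach_alert.model.defeats.arguments.value | The value(s) that must match for the defeat to take effect. | keyword |
 | darktrace.model_breach_alert.model.defeats.comparator | The comparator that the value is compared against the create the defeat. | keyword |
 | darktrace.model_breach_alert.model.defeats.filtertype | The filter the defeat is made from. | keyword |
-| darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. |long|
+| darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. |keyword|
 | darktrace.model_breach_alert.model.delay | Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. | long |
 | darktrace.model_breach_alert.model.description | The optional description of the model. | keyword |
 | darktrace.model_breach_alert.model.edited.by | Username that last edited the model. | keyword |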