darktrace: handle nested defeat conditions in Darktrace models (#15552)
Darktrace model defeats are not only one level deep (a list), as currently
implemented. The latest API provides functionality for nested conditions.
If not nested, the defeatID is an integer and the defeats list is a
list of conditions. However, if nested, the defeats list is a list of lists
of conditions, and defeatIDs can be either integers (e.g. 1) or strings
(e.g. 1-1, 1-2, etc.).
Definition of the field from the Darktrace documentation:
defeats.defeatID: numeric/string
An id for the defeat within the context of the model. If defeats are
conditional, their id will indicate the relationship - e.g., a
condition for defeat with id 1 will have ID 1-1. In this case, the
id will be a string.
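The two shapes described in the commit message (a flat list of conditions with integer `defeatID`s, or a list of lists where conditions attached to defeat `1` carry string ids such as `"1-1"`) are easy to get wrong in a pipeline that assumed the first one. The following is an added example, not the integration's ingest pipeline or any Darktrace code: it accepts either shape, coerces every id to a validated string (matching the `long` to `keyword` mapping change in this commit) and always returns the nested shape, so downstream code sees one structure. The `parent_id` field, the rule that a conditional id must have its parent in the same group, and the choice to turn each flat defeat into its own group are this example's own assumptions, taken from the fixture in this commit; the flat sample is constructed.

```python
"""Normalise Darktrace model ``defeats`` into one shape (added example)."""
from __future__ import annotations

import json
import re
from typing import Any

# Ids are an integer, or digits joined by "-" for conditional defeats
# ("1" is a defeat, "1-1" and "1-2" are conditions of defeat "1").
_ID_RE = re.compile(r"^\d+(?:-\d+)*$")

# Constructed sample: the nested shape from this commit's test fixture,
# with the IP values redacted exactly as they are in the fixture.
NESTED_SAMPLE = json.loads('''[[
  {"arguments": {"value": "REDACTED_IP"},   "comparator": "matches", "defeatID": 1,     "filtertype": "Destination IP"},
  {"arguments": {"value": "REDACTED_CIDR"}, "comparator": "matches", "defeatID": "1-1", "filtertype": "Source IP"},
  {"arguments": {"value": "1150"},          "comparator": "=",       "defeatID": "1-2", "filtertype": "Destination port"}
]]''')

# Constructed sample: the older flat shape (one level, integer ids only).
FLAT_SAMPLE = json.loads('''[
  {"arguments": {"value": "10.0.0.0/8"}, "comparator": "matches", "defeatID": 1, "filtertype": "Source IP"},
  {"arguments": {"value": "443"},        "comparator": "=",       "defeatID": 2, "filtertype": "Destination port"}
]''')


def is_nested(defeats: list[Any]) -> bool:
    """True when the API returned a list of lists (groups of conditions)."""
    return bool(defeats) and all(isinstance(group, list) for group in defeats)


def normalise_defeat(raw: dict[str, Any]) -> dict[str, Any]:
    """Rename defeatID -> id and coerce it to a validated string (keyword)."""
    raw_id = raw["defeatID"]
    # bool is a subclass of int in Python; reject it explicitly.
    if isinstance(raw_id, bool) or not isinstance(raw_id, (int, str)):
        raise ValueError(f"defeatID must be int or str, got {type(raw_id).__name__}")
    defeat_id = str(raw_id)
    if not _ID_RE.match(defeat_id):
        raise ValueError(f"malformed defeatID {defeat_id!r}")
    return {
        "id": defeat_id,
        # Assumed helper field: "1-2" is a condition of defeat "1";
        # a top-level defeat has no parent.
        "parent_id": defeat_id.rsplit("-", 1)[0] if "-" in defeat_id else None,
        "comparator": raw.get("comparator"),
        "arguments": raw.get("arguments", {}),
        "filtertype": raw.get("filtertype"),
    }


def normalise_defeats(defeats: list[Any]) -> list[list[dict[str, Any]]]:
    """Return a list of groups regardless of which shape the API sent.

    A flat list becomes one single-condition group per defeat (assumption:
    each flat defeat stands alone, like each inner list does when nested).
    Within a group, a conditional id must have its parent defeat present,
    which is how the fixture is laid out (1, 1-1, 1-2 in one group).
    """
    groups = defeats if is_nested(defeats) else [[d] for d in defeats]
    out: list[list[dict[str, Any]]] = []
    for group in groups:
        conds = [normalise_defeat(d) for d in group]
        ids = {c["id"] for c in conds}
        for c in conds:
            if c["parent_id"] is not None and c["parent_id"] not in ids:
                raise ValueError(f"condition {c['id']} has no parent in its group")
        out.append(conds)
    return out


if __name__ == "__main__":
    for sample in (NESTED_SAMPLE, FLAT_SAMPLE):
        print(json.dumps(normalise_defeats(sample), indent=2))
```

Rejecting malformed ids rather than passing them through matters because the id string is the only place the parent/child relationship is recorded once the document is indexed; a silently accepted `"1-x"` would look like a valid condition but match nothing.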
packages/darktrace/data_stream/model_breach_alert/_dev/test/pipeline/test-model-breach-alert.log-expected.json
"name": "Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block",
2283
+
"description": "A device has been blocked transferring large volumes of data internally.\n\nAction: Review the device's other alerts to see the activities the device has been conducting. Clear any active blocks if the alert was considered to be legitimate.",
2284
+
"category": "Informational",
2285
+
"uuid": "00000000-0000-0000-0000-000000000000",
2286
+
"version": "17"
2287
+
},
2288
+
"event": {
2289
+
"severity": 2,
2290
+
"original": "{\"acknowledged\":{\"time\":1733838122000,\"username\":\"[email protected]\"},\"breachUrl\":\"https://redacted.local/#modelbreach/36725\",\"commentCount\":0,\"creationTime\":1733813400000,\"device\":{\"devicelabel\":\"test_device\",\"did\":18390,\"firstSeen\":1731062390000,\"generatedlabel\":true,\"lastSeen\":1736249138000,\"os\":\"Windows NT kernel\",\"sid\":-6,\"typelabel\":\"Desktop\",\"typename\":\"desktop\"},\"devicepercentscore\":44,\"devicescore\":0.439,\"did\":18390,\"model\":{\"actions\":{\"aianalyst\":{\"hypotheses\":[]},\"alert\":true,\"antigena\":{\"action\":\"automatic\",\"confirm\":false,\"duration\":3600,\"threshold\":\"20\"},\"breach\":true,\"model\":true,\"setPriority\":false,\"setTag\":false,\"setType\":false},\"active\":true,\"activeTimes\":{\"devices\":{},\"tags\":{},\"type\":\"exclusions\",\"version\":2},\"autoSuppress\":false,\"autoUpdatable\":true,\"autoUpdate\":true,\"behaviour\":\"decreasing\",\"category\":\"Informational\",\"compliance\":false,\"created\":{\"by\":\"System\"},\"defeats\":[[{\"arguments\":{\"value\":\"REDACTED_IP\"},\"comparator\":\"matches\",\"defeatID\":1,\"filtertype\":\"Destination IP\"},{\"arguments\":{\"value\":\"REDACTED_CIDR\"},\"comparator\":\"matches\",\"defeatID\":\"1-1\",\"filtertype\":\"Source IP\"},{\"arguments\":{\"value\":\"1150\"},\"comparator\":\"=\",\"defeatID\":\"1-2\",\"filtertype\":\"Destination port\"}]],\"delay\":0,\"description\":\"A device has been blocked transferring large volumes of data internally.\\n\\nAction: Review the device's other alerts to see the activities the device has been conducting. 
Clear any active blocks if the alert was considered to be legitimate.\",\"edited\":{\"by\":\"[email protected]\",\"userID\":17},\"interval\":3600,\"logic\":{\"data\":[{\"cid\":67318,\"weight\":1}],\"targetScore\":1,\"type\":\"weightedComponentList\",\"version\":1},\"mitre\":{\"tactics\":[\"defense-evasion\",\"exfiltration\"],\"techniques\":[\"T1030\",\"T1070.004\"]},\"modified\":\"2024-11-19 13:45:36\",\"name\":\"Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block\",\"phid\":10256,\"pid\":90,\"priority\":2,\"sequenced\":false,\"sharedEndpoints\":false,\"tags\":[],\"throttle\":3600,\"uuid\":\"00000000-0000-0000-0000-000000000000\",\"version\":17},\"pbid\":36725,\"pbscore\":0.586,\"percentscore\":44,\"score\":0.439,\"time\":1733813389000,\"triggeredComponents\":[{\"cbid\":45710,\"chid\":77645,\"cid\":67318,\"interval\":3600,\"logic\":{\"data\":{\"left\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"C\"}},\"operator\":\"OR\",\"right\":{\"left\":\"A\",\"operator\":\"AND\",\"right\":{\"left\":\"B\",\"operator\":\"AND\",\"right\":\"D\"}}},\"version\":\"v0.1\"},\"metric\":{\"label\":\"Model\",\"mlid\":234,\"name\":\"dtmodelbreach\"},\"size\":1,\"threshold\":0,\"time\":1733813388000,\"triggeredFilters\":[{\"arguments\":{\"value\":\"Unusual Activity / Internal Data Transfer\"},\"cfid\":340800,\"comparatorType\":\"matches\",\"filterType\":\"Message\",\"id\":\"A\",\"trigger\":{\"value\":\"Unusual Activity / Internal Data Transfer\"}},{\"arguments\":{\"value\":50},\"cfid\":340801,\"comparatorType\":\">\",\"filterType\":\"Strength of model breach\",\"id\":\"B\",\"trigger\":{\"value\":\"71\"}},{\"arguments\":{\"value\":16},\"cfid\":340802,\"comparatorType\":\"has tag\",\"filterType\":\"Tagged internal source\",\"id\":\"C\",\"trigger\":{\"tag\":{\"data\":{\"auto\":false,\"color\":92,\"description\":\"\",\"visibility\":\"Public\"},\"isReferenced\":true,\"name\":\"Antigena 
All\",\"restricted\":false,\"thid\":289,\"tid\":16},\"value\":\"16\"}},{\"arguments\":{},\"cfid\":340804,\"comparatorType\":\"display\",\"filterType\":\"Message\",\"id\":\"d1\",\"trigger\":{\"value\":\"Unusual Activity / Internal Data Transfer\"}}]}]}",
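Review bot: the only sample in this fixture's `event.original` exercises the nested shape with a single group (`"defeats":[[{...,"defeatID":1,...},{...,"defeatID":"1-1",...},{...,"defeatID":"1-2",...}]]`); the commit message says the flat shape (integer ids, no inner list) is still possible, so add or confirm a sample log line with that shape and one with more than one inner group, otherwise a regression on the old shape would not be caught by this test.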
"description": "A device has been blocked transferring large volumes of data internally.\n\nAction: Review the device's other alerts to see the activities the device has been conducting. Clear any active blocks if the alert was considered to be legitimate.",
2345
+
"defeats": [
2346
+
[
2347
+
{
2348
+
"id": "1",
2349
+
"comparator": "matches",
2350
+
"arguments": {
2351
+
"value": "REDACTED_IP"
2352
+
},
2353
+
"filtertype": "Destination IP"
2354
+
},
2355
+
{
2356
+
"id": "1-1",
2357
+
"comparator": "matches",
2358
+
"arguments": {
2359
+
"value": "REDACTED_CIDR"
2360
+
},
2361
+
"filtertype": "Source IP"
2362
+
},
2363
+
{
2364
+
"id": "1-2",
2365
+
"comparator": "=",
2366
+
"arguments": {
2367
+
"value": "1150"
2368
+
},
2369
+
"filtertype": "Destination port"
2370
+
}
2371
+
]
2372
+
],
2373
+
"is_auto_suppress": false,
2374
+
"is_sequenced": false,
2375
+
"in_compliance_behavior_category": false,
2376
+
"is_auto_updatable": true,
2377
+
"modified": "2024-11-19T13:45:36.000Z",
2378
+
"name": "Antigena::Network::Insider Threat::Antigena Internal Data Transfer Block",
2379
+
"behaviour": "decreasing",
2380
+
"category": "Informational",
2381
+
"created": {
2382
+
"by": "System"
2383
+
},
2384
+
"interval": 3600,
2385
+
"logic": {
2386
+
"data_weighted_component_list": [
2387
+
{
2388
+
"weight": 1,
2389
+
"cid": 67318
2390
+
}
2391
+
],
2392
+
"target_score": 1,
2393
+
"type": "weightedComponentList",
2394
+
"version": 1
2395
+
},
2396
+
"actions": {
2397
+
"is_alerting": true,
2398
+
"is_tag_set": false,
2399
+
"is_type_set": false,
2400
+
"antigena": {
2401
+
"action": "automatic",
2402
+
"duration": 3600,
2403
+
"threshold": 20,
2404
+
"is_confirm_by_human_operator": false
2405
+
},
2406
+
"model": true,
2407
+
"is_priority_set": false,
2408
+
"is_breach": true
2409
+
}
2410
+
},
2411
+
"device_score": 0.439,
2412
+
"device": {
2413
+
"first_seen": "2024-11-08T10:39:50.000Z",
2414
+
"type_label": "Desktop",
2415
+
"type_name": "desktop",
2416
+
"last_seen": "2025-01-07T11:25:38.000Z",
2417
+
"sid": -6,
2418
+
"did": 18390
2419
+
},
2420
+
"triggered_components": [
2421
+
{
2422
+
"triggered_filters": [
2423
+
{
2424
+
"cfid": 340800,
2425
+
"comparator_type": "matches",
2426
+
"filter_type": "Message",
2427
+
"arguments": {
2428
+
"value": "Unusual Activity / Internal Data Transfer"
2429
+
},
2430
+
"id": "A",
2431
+
"trigger": {
2432
+
"value": "Unusual Activity / Internal Data Transfer"
2433
+
}
2434
+
},
2435
+
{
2436
+
"cfid": 340801,
2437
+
"comparator_type": ">",
2438
+
"filter_type": "Strength of model breach",
2439
+
"arguments": {
2440
+
"value": 50
2441
+
},
2442
+
"id": "B",
2443
+
"trigger": {
2444
+
"value": "71"
2445
+
}
2446
+
},
2447
+
{
2448
+
"cfid": 340802,
2449
+
"comparator_type": "has tag",
2450
+
"filter_type": "Tagged internal source",
2451
+
"arguments": {
2452
+
"value": 16
2453
+
},
2454
+
"id": "C",
2455
+
"trigger": {
2456
+
"value": "16",
2457
+
"tag": {
2458
+
"data": {
2459
+
"auto": false,
2460
+
"color": 92,
2461
+
"visibility": "Public"
2462
+
},
2463
+
"restricted": false,
2464
+
"name": "Antigena All",
2465
+
"thid": 289,
2466
+
"is_referenced": true,
2467
+
"tid": 16
2468
+
}
2469
+
}
2470
+
},
2471
+
{
2472
+
"cfid": 340804,
2473
+
"id": "d1",
2474
+
"trigger": {
2475
+
"value": "Unusual Activity / Internal Data Transfer"
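Review bot: the expected output keeps `defeats` as an array of arrays (`"defeats": [ [ {"id": "1", ...}, {"id": "1-1", ...}, {"id": "1-2", ...} ] ]`), but the inner grouping is only meaningful in the document source; once indexed, the fact that `1-1` and `1-2` belong with `1` survives only in the id string unless the field is mapped as `nested`, and the mapping is not part of this diff. Confirm that is the intended semantics, or collapse to a flat list and rely on the id prefix. The integer `defeatID: 1` being emitted as the string `"1"` is consistent with the `keyword` type in the README change.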
packages/darktrace/docs/README.md
@@ -1086,7 +1086,7 @@ An example event for `model_breach_alert` looks as following:
1086
1086
| darktrace.model_breach_alert.model.defeats.arguments.value | The value(s) that must match for the defeat to take effect. | keyword |
1087
1087
| darktrace.model_breach_alert.model.defeats.comparator | The comparator that the value is compared against the create the defeat. | keyword |
1088
1088
| darktrace.model_breach_alert.model.defeats.filtertype | The filter the defeat is made from. | keyword |
1089
-
| darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. |long|
1089
+
| darktrace.model_breach_alert.model.defeats.id | A unique ID for the defeat. |keyword|
1090
1090
| darktrace.model_breach_alert.model.delay | Minimum delay in seconds after a positive-scoring component has fired before the overall model score is calculated. Only applicable in target score models. | long |
1091
1091
| darktrace.model_breach_alert.model.description | The optional description of the model. | keyword |
1092
1092
| darktrace.model_breach_alert.model.edited.by | Username that last edited the model. | keyword |
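Review bot: the description of `darktrace.model_breach_alert.model.defeats.id` is left as "A unique ID for the defeat." while the type changes from `long` to `keyword`; it should say why it is now a string, e.g. "An ID for the defeat within the model; conditional defeats carry a string id indicating the parent, e.g. `1-1` for a condition of defeat `1`", which is the Darktrace definition quoted in the commit message. Changing a mapped field from `long` to `keyword` also breaks numeric queries and visualizations on existing indices, so it should be called out as a breaking change in the changelog. Drive-by: the context line above reads "compared against the create the defeat"; "compared against to create the defeat" is what is meant.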