Fortinet white logo
Fortinet white logo

External Systems Configuration Guide

Darktrace CyberIntelligence Platform

Darktrace CyberIntelligence Platform

What is Discovered and Monitored

Protocol Information Discovered Metrics/LOGs collected Used for
Syslog (CEF formatted) Over 40 security logs Security and Compliance monitoring

Event Types

Go to ADMIN > Device Support > Event Types and search for "Darktrace-DCIP" to see the event types associated with this device.

Rules

None

Reports

None

Configuration

Configure Darktrace to send CEF formatted logs to FortiSIEM. FortiSIEM will automatically parse the logs. No configuration is required in FortiSIEM.

Sample Events

CEF:0|Darktrace|DCIP|3.0.8|537|Antigena/Network/Compliance/Antigena RDP Block|Low| eventId=2 externalId=1462565 art=1536856095244 deviceSeverity=1 rt=1536856054000 shost=personalpcd698.abccompany.local src=10.10.1.85 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 smac=1:1:1:1:1:1 dst=1.1.1.1 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/APNIC/1.0.0.0-1.1.1.255 (APNIC) dpt=9999 ahost=personalpc123.abccompany.local agt=10.10.28.38 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 av=2.2.2.2.0 atz=CountryA aid=3mAvC02UBABCAa72iNm4jZA\=\= at=syslog dvc=10.10.10.10 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=CountryA _cefVer=0.1 ad.darktraceUrl=https://10.10.10.10/#modelbreach/1462565

Darktrace CyberIntelligence Platform

Darktrace CyberIntelligence Platform

What is Discovered and Monitored

Protocol Information Discovered Metrics/LOGs collected Used for
Syslog (CEF formatted) Over 40 security logs Security and Compliance monitoring

Event Types

Go to ADMIN > Device Support > Event Types and search for "Darktrace-DCIP" to see the event types associated with this device.

Rules

None

Reports

None

Configuration

Configure Darktrace to send CEF formatted logs to FortiSIEM. FortiSIEM will automatically parse the logs. No configuration is required in FortiSIEM.

Sample Events

CEF:0|Darktrace|DCIP|3.0.8|537|Antigena/Network/Compliance/Antigena RDP Block|Low| eventId=2 externalId=1462565 art=1536856095244 deviceSeverity=1 rt=1536856054000 shost=personalpcd698.abccompany.local src=10.10.1.85 sourceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 smac=1:1:1:1:1:1 dst=1.1.1.1 destinationZoneURI=/All Zones/ArcSight System/Public Address Space Zones/APNIC/1.0.0.0-1.1.1.255 (APNIC) dpt=9999 ahost=personalpc123.abccompany.local agt=10.10.28.38 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 av=2.2.2.2.0 atz=CountryA aid=3mAvC02UBABCAa72iNm4jZA\=\= at=syslog dvc=10.10.10.10 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=CountryA _cefVer=0.1 ad.darktraceUrl=https://10.10.10.10/#modelbreach/1462565