3. Device Tracking 5
Tracking by DHCP 5
Tracking by Hostname 5
Using Log Input to Provide Tracking Data 8
8. User Administration 18
Available Permissions 18
Recommended User Access Settings 19
Anonymization Mode 20
This iteration of the Darktrace System Administration Guide is intended for Darktrace appliances running software version 3.1 and above.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 2
To perform the full range of configuration steps contained within this guide, the following access and credentials are essential.
Prerequisites for each configuration section are also stated at the outset.
The Darktrace Customer Portal is a dedicated web application to provide assistance and support for your appliance. It provides a
facility to raise tickets with support, download software such as appliance upgrade bundles, and review the latest documentation
online. Significant system administration tasks such as restoring an appliance to factory settings will require a confirmation code
provided by a Darktrace support representative. Where Call-Home is disabled, software upgrade bundles can be downloaded from the
Customer Portal and transferred to the appliance.
If you experience any issues during any of the following configuration steps, Darktrace support can guide you through the troubleshooting
process.
Threat Visualizer
The majority of configuration steps contained within this guide require access to the Darktrace Threat Visualizer User Interface. The
Threat Visualizer can be accessed by navigating to the IP address of your Darktrace appliance in a web browser. When logging in for the
first time, a customer license agreement screen will be displayed.
A number of configuration steps require access to the Threat Visualizer System Config page. Credentials for the ‘admin’ user are
required to access all possible configuration options. These credentials are provided by your Darktrace representative when the
appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace support.
Console
Sections 10-14 require access to the appliance console, distinct from the Threat Visualizer User Interface. If you are unfamiliar with
accessing the console, please refer to the guide, Setting Up the Darktrace Appliance. Accessing the console requires the console user
credentials. These credentials are provided by your Darktrace representative when the appliance is initially deployed. If you cannot
locate these credentials, please contact Darktrace support.
If Call-Home is disabled, upgrade bundles must be copied to the appliance via the console transfer user. Any immediate backups
created (in contrast to scheduled backups) must also be transferred from the appliance by this user. These credentials are provided by
your Darktrace representative when the appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace
support.
Labelling subnets and key devices is the first step to customizing your Darktrace deployment to streamline investigation and quickly
identify key assets. The following configuration steps will improve user workflow and remove unnecessary warnings from subnets
without DHCP.
Labelling subnets
Darktrace provides the ability to label Subnet IP address ranges for ease of use. Labelling larger subnets removes the need to memorize
the purpose of each IP address range and allows for simpler Subnet searching and selection in the Threat Visualizer.
Manual Labels
Individual subnets can be manually labelled within the Threat Visualizer user interface.
2. Click the IP address value under the ‘LABEL’ column to edit it. Enter a short description such as “Public Wifi”, and click the Save
button on the right.
Uploading Labels
To make changes to a large number of Subnets on the Subnet Admin page, it is possible to upload a CSV file containing Subnet details.
Darktrace will not accept any network ranges uploaded which do not correspond to a range already seen by the appliance.
Optionally, a correctly formatted CSV file containing all current Subnet information (including labels) may be downloaded from the
Subnet Admin page using the Download CSV button.
By default, all Subnets have DHCP enabled. This setting indicates that Darktrace should expect to observe DHCP traffic on the Subnet.
If a subnet does not have any DHCP traffic, such as a server network employing static IP addresses, the Threat Visualizer Status page
will show “No DHCP” in red for the offending Subnet. Disabling DHCP in the Subnet Admin page will remove this warning.
2. Scroll down and review the Subnets section. Locate any Subnets with ‘No DHCP’ in red. If this is a static subnet, you can remove
this warning.
4. Return to the System Status page and confirm that the ‘No DHCP’ warning is now grey.
For ease of identification and prioritization, it is recommended that the most important 20-30 devices are labelled. For example,
labelling the Domain Controllers as DC1 and DC2 can assist in identifying these key assets.
Labelling a device is particularly helpful for devices that do not have a hostname, where the hostname is ambiguous, or where a device
deviates from the naming convention. Device labels appear in search results and any model breaches associated with the device.
3. Device Tracking
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.
Darktrace models every internal device that it observes on a network. This is achieved by analyzing every single packet to determine
its source and destination.
The most consistent method of tracking IP addresses is by assigning a static IP; in these cases, no configuration is required to instruct
Darktrace how to model static devices such as servers. However, with the growth of IoT, there may be thousands of IP addresses
in use day in and day out that are dynamically re-assigned via DHCP to a large number of constantly changing devices.
In the Threat Visualizer interface, there are multiple methods to track dynamic IP addresses. The most suitable method depends on
the network traffic available and deployment scenario.
Tracking by DHCP
Tracking via DHCP is the most reliable and preferred method to track IP address changes, and is enabled by default.
To obtain an address, a device completes a DHCP exchange, and the server's final DHCPACK commits the lease. The DHCPACK packet
contains the two ingredients Darktrace needs for tracking: the device's assigned IP address (yiaddr) and the device's MAC address
(chaddr). Darktrace dissects this packet and extracts the MAC address. Because the MAC address of a network interface does not
change, it can be used as a unique identifier and is therefore the most trusted source for dynamic IP address tracking. Note that
client operating systems which randomize their Wi-Fi MAC address per network will appear as a new device each time that address changes.
This method can mean a device such as a laptop is displayed twice in Darktrace: one device for the connection via a physical
Ethernet cable, and another for the Wi-Fi network card. Differentiating the two connections can help Darktrace learn a pattern of life
for a device. For example, a user's behavior can be very different on Wi-Fi when compared to a wired connection: they
may check their social media on public Wi-Fi, but never on the corporate LAN.
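The following Python is an added example, not Darktrace's dissector, showing what "extract the IP and MAC from the DHCPACK" means on the wire and how a tracker keeps the MAC-to-IP binding current as a lease moves from one device to another. It also records the hostname a client announces in option 12 of its DHCPREQUEST (the "DHCP handshake" source of hostnames) and decodes it with a configurable encoding, which is why the DHCP hostname encoding host variable described later in this guide matters for non-ASCII Windows hostnames. The message builder, the MAC addresses, the leases and the hostname are constructed for the example.

```python
import socket
import struct

# RFC 2132 option 53 message types used below (DHCPOFFER, DHCPREQUEST, DHCPACK).
DHCP_OFFER, DHCP_REQUEST, DHCP_ACK = 2, 3, 5
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTP_HEADER = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed header, then cookie and options


def build_dhcp_message(msg_type, yiaddr, mac, hostname=None, hostname_encoding="utf-8"):
    """Constructed test message (not a capture): htype=1 (Ethernet), hlen=6, fixed xid."""
    op = 2 if msg_type in (DHCP_OFFER, DHCP_ACK) else 1  # BOOTREPLY from a server, BOOTREQUEST from a client
    header = struct.pack(
        BOOTP_HEADER, op, 1, 6, 0, 0x3903F326, 0, 0,
        b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
        bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = bytes([53, 1, msg_type])
    if hostname is not None:
        encoded = hostname.encode(hostname_encoding)
        options += bytes([12, len(encoded)]) + encoded  # option 12: client host name
    return header + MAGIC_COOKIE + options + b"\xff"


def parse_dhcp(packet, hostname_encoding="utf-8"):
    """Dissect the BOOTP header and option list; return the fields device tracking relies on."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", packet[:12])
    if htype != 1 or hlen != 6:
        raise ValueError("only Ethernet hardware addresses are handled here")
    yiaddr = socket.inet_ntoa(packet[16:20])  # 'your' IP address: the lease offered or committed
    mac = packet[28:28 + hlen].hex(":")       # chaddr: the client's hardware address
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:            # pad octet
            i += 1
            continue
        if code == 255:          # end option
            break
        length = packet[i + 1]
        options[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    hostname = None
    if 12 in options:
        # Windows clients send option 12 in the system code page, hence the configurable decoder.
        hostname = options[12].decode(hostname_encoding, errors="replace")
    return {"op": op, "xid": xid, "msg_type": options.get(53, b"\0")[0],
            "yiaddr": yiaddr, "mac": mac, "hostname": hostname}


class DhcpTracker:
    """Keep MAC <-> IP bindings current. Only a DHCPACK commits a lease; offers are ignored."""

    def __init__(self, hostname_encoding="utf-8"):
        self.hostname_encoding = hostname_encoding
        self.ip_of = {}        # mac -> current ip
        self.mac_of = {}       # ip -> mac currently holding it
        self.hostname_of = {}  # mac -> hostname the client announced

    def observe(self, packet):
        msg = parse_dhcp(packet, self.hostname_encoding)
        if msg["hostname"]:
            self.hostname_of[msg["mac"]] = msg["hostname"]  # option 12 travels in the client's REQUEST
        if msg["msg_type"] != DHCP_ACK:
            return None
        mac, ip = msg["mac"], msg["yiaddr"]
        old_ip = self.ip_of.get(mac)
        if old_ip is not None and old_ip != ip:
            self.mac_of.pop(old_ip, None)  # the device moved to a new lease; drop the stale binding
        old_mac = self.mac_of.get(ip)
        if old_mac is not None and old_mac != mac:
            self.ip_of.pop(old_mac, None)  # the address was handed to a different device
        self.ip_of[mac] = ip
        self.mac_of[ip] = mac
        return (mac, ip, self.hostname_of.get(mac))


if __name__ == "__main__":
    laptop, phone = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"  # constructed addresses
    tracker = DhcpTracker(hostname_encoding="cp1252")
    tracker.observe(build_dhcp_message(DHCP_REQUEST, "0.0.0.0", laptop, "Büro-PC", "cp1252"))
    print(tracker.observe(build_dhcp_message(DHCP_ACK, "10.0.0.5", laptop)))
    print(tracker.observe(build_dhcp_message(DHCP_ACK, "10.0.0.5", phone)))   # lease reassigned
    print(tracker.observe(build_dhcp_message(DHCP_ACK, "10.0.0.9", laptop)))  # laptop back on a new lease
    print(tracker.ip_of, tracker.mac_of)
```

The tracker deliberately ignores DHCPOFFER: an offer is not a committed lease, and treating it as one would bind an address the client may never use. Decoding the same option 12 bytes as UTF-8 on a tracker configured for a cp1252 client yields replacement characters instead of the real name, which is the symptom the hostname encoding setting exists to fix.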
Tracking by Hostname
Darktrace passively reads hostnames for devices by observing devices making network requests, such as DNS requests for IP
addresses, Kerberos logins, and DHCP handshakes. This provides the Threat Visualizer with hostnames as enrichment data, allowing
for easy identification of devices beyond an IP or MAC address.
If DHCP is unavailable, Darktrace will default to tracking a device by its IP address. Where the device has a dynamic IP address, this
tracking may be inconsistent or lost. By configuring tracking by hostname, hostnames can be appended to a device for greater
consistency.
It is also possible to reassign IPs for client devices based on hostnames observed in DNS traffic and assign them to a network device.
When active polling is configured (see Polling DNS Servers to Append Hostnames below), Darktrace will use this method to reassign
IPs. Otherwise, passive observation will be used.
When set to poll, Darktrace uses network administration command-line tools (dig) to query DNS servers for an IP address’s
hostname when the IP address becomes active on the network. The hostname resolution will be cached for a time set by the operator.
As IP addresses change frequently, both the polling trigger and the cache lifetime are critical components.
Tracking by Credentials
Darktrace automatically detects logins via Kerberos and other credentials. By extracting the source IP address and the credential,
the system can identify which device is in use at the time. If Darktrace is unable to obtain DHCP or DIG, credentials can be utilized to
track devices instead. This is most commonly used when Darktrace has no other means of identifying the device than identifying the
individuals/users logging into them (e.g. VPN users).
2. The Threat Visualizer should pivot to the selected Subnet and the Subnet IP range should appear in the Omnisearch bar. Click the
pencil icon beside the subnet range.
3. Review the options available in the ‘Edit Subnet Info’ popup box:
- DHCP
- Track Hostnames
- Track Credentials
When DHCP or Kerberos data cannot be retrieved, DHCP or VPN logs can be sent to Darktrace to be parsed. Log Input allows custom
log data to be read into Darktrace and mapped to existing devices using the IP or MAC address. Assuming there is little delay in retrieving
uploaded information, it can be a very accurate method of tracking devices. This feature is most commonly used to provide device
tracking information, but it can also enrich Darktrace modelling data.
VPN Users
Users who log into your network remotely via a VPN should be tracked via credentials as their IP address will constantly change -
Darktrace may never see the hostname for the associated device. Entering credentials will always be the first thing that a VPN user
needs to do before getting onto your network. For this, Darktrace can ingest VPN Logs that can be parsed for the user’s internal IP
address in use and the user associated with the traffic.
DHCP and username data is used to assign hostnames, IP addresses, or credentials to devices. Event data is used to add custom
events into Darktrace. Note that this data will not be added to Advanced Search.
Log Input
The Log Input feature is available on the System Config page under the Log Input section. The logs should be sent in syslog format to
the IP address of the Darktrace appliance, over UDP/1514.
Multiple Types and Patterns can be appended to parse the log data.
Once log data is being sent to the appliance successfully, the Load Input option can be used to review a sample of the logs received.
Alternatively, check your own log servers to locate a sample and paste it into the ‘Log Input Test’ field. From the sample, a pattern can
be entered to automatically match and parse, setting variables to specific attributes found in the log inputs.
Each input log line is matched against each applicable configured pattern in the order listed below until a match is found. Once a match
is found and data is extracted by the associated pattern, no further pattern matching will be attempted.
The following example will take any log line that contains date=, look for a field called xauthuser and assign its value to username,
and look for a field called tunnelip and assign its value to ip_address.
Type: USERTRACK
Match: date=
Pattern: xauthuser="%{DATA:username}".*tunnelip=%{IP:ip_address}
Click Load Input to fill the field, and Test Input to test your pattern against the sample log.
A full list of available fields is available on the configuration page on the Help information tool tip.
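The matching rules above (a Type, a Match substring used as a pre-filter, a Pattern whose %{TYPE:name} tokens become named captures, entries tried in order with the first that extracts data winning) are implemented below as an added example in Python. It is not the appliance's own parser: the regular expressions behind DATA, IP, MAC and WORD, the second DHCP entry with its field names mac_address and hostname, and the syslog payloads are assumptions constructed for the example.

```python
import re

# %{TYPE:name} tokens as used in the guide's example pattern. The regexes behind each TYPE are an
# assumption for this example; the appliance lists its own fields in the configuration page tooltip.
GROK_TYPES = {
    "DATA": r".*?",
    "IP": r"(?:\d{1,3}\.){3}\d{1,3}",
    "MAC": r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}",
    "WORD": r"\S+",
}
TOKEN_RE = re.compile(r"%\{(\w+):(\w+)\}")


def compile_pattern(pattern):
    """Rewrite each %{TYPE:name} token as a named group; everything else stays ordinary regex."""
    def to_group(m):
        kind, name = m.group(1), m.group(2)
        return "(?P<%s>%s)" % (name, GROK_TYPES[kind])
    return re.compile(TOKEN_RE.sub(to_group, pattern))


class LogInput:
    """Ordered list of (Type, Match, Pattern) entries; the first entry that extracts data wins."""

    def __init__(self, entries):
        self.entries = [(log_type, match, compile_pattern(p)) for log_type, match, p in entries]

    def parse_line(self, line):
        for log_type, match, regex in self.entries:
            if match not in line:          # Match is a plain substring pre-filter
                continue
            m = regex.search(line)
            if m is None:                  # pre-filter hit but nothing extracted: try the next entry
                continue
            event = {"type": log_type}
            event.update(m.groupdict())
            return event                   # no further pattern matching once data is extracted
        return None

    def parse(self, lines):
        return [e for e in (self.parse_line(line) for line in lines) if e is not None]


ENTRIES = [
    ("USERTRACK", "date=", r'xauthuser="%{DATA:username}".*tunnelip=%{IP:ip_address}'),
    # Assumed second entry and field names, to show ordering and MAC extraction for a DHCP server log.
    ("DHCP", "DHCPACK", r"DHCPACK on %{IP:ip_address} to %{MAC:mac_address} \(%{DATA:hostname}\)"),
]

SAMPLE_LOGS = [  # constructed syslog payloads, not captures
    'Jan 10 12:00:01 fw01 date=2019-01-10 time=12:00:01 action=tunnel-up xauthuser="jbourne" tunnelip=10.8.0.23 remip=203.0.113.7',
    'Jan 10 12:00:05 fw01 date=2019-01-10 time=12:00:05 action=tunnel-stats xauthuser="jbourne" sentbyte=100',
    'Jan 10 12:01:00 dhcp01 dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (LAPTOP-01) via eth0',
    'Jan 10 12:02:00 web01 nginx: GET /index.html 200',
]


def parse_samples():
    """Run the configured entries over the constructed sample; the second line has no tunnelip and yields nothing."""
    return LogInput(ENTRIES).parse(SAMPLE_LOGS)


if __name__ == "__main__":
    for event in parse_samples():
        print(event)
```

Because entries are tried in order and the first extraction wins, a broad entry placed above a specific one shadows it; the test below checks that a catch-all %{WORD} entry at the top captures the first word of a VPN line that the USERTRACK entry would otherwise have parsed.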
In a Unified View deployment, logs must be fed to the relevant slave master appliance, as each slave master appliance is a separate
entity. For example, if Slave Master A is modelling Device X, then any logs pertaining to Device X must be sent to Slave Master A.
Please note, a physical appliance may be both a slave master and running the Unified View server.
The Threat Visualizer supports connections to LDAP servers such as Active Directory. This integration can be configured to provide
the following additional functionality:
- Enable authentication to the Threat Visualizer interface using credentials from an LDAP server.
- Enrich user details in the Threat Visualizer by providing additional LDAP attributes for users.
2. Scroll down and locate the LDAP section. By default, only LDAP Server is displayed. Enter an LDAP server IP address or hostname
and press the enter key. For additional configuration (such as a port number or SSL), review the tooltip by hovering over the
information icon.
3. Confirm that additional configuration fields are now available. These will now be addressed in logical order, rather than
alphabetical. For additional information about each field, hover the mouse pointer over the blue information icons.
11. For the LDAP Group Attribute Name field, set the attribute name used for Group Membership.
12. The LDAP Server location can be set as ldap:// or, via SSL, as ldaps://. When using SSL, LDAP Start TLS must be set to false.
Only one encryption method can be used at one time.
13. When not connecting over LDAPS, set LDAP Start TLS to true. For testing purposes, if encryption is not available, set the LDAP
server location to ldap:// and LDAP Start TLS to false.
14. If LDAP Server Referrals are in use, set this field to true.
15. For the moment, leave the LDAP Test User and LDAP User Attributes with their default values. Set the LDAP User Base path to
identify the users in the LDAP tree. For example: ou=users,dc=company,dc=com
16. Before confirming all changes, it may help to test the connection. Set the LDAP Test User to a valid user identified by the Threat
Visualizer. Changes must be saved before testing. Scroll down to the ‘Save all Settings’ button or press enter when editing a field
value to save.
18. Hover the mouse over the LDAP success information icon to view more details. This returns a list of attributes for the test user
account. An example list of attributes is shown below.
The attributes list displays all attributes that can be appended to the Threat Visualizer interface. This attribute list has both mapped
and unmapped attributes. Mapped attributes are attributes already shown in the user interface. Unmapped attributes list all the LDAP
attributes which are available, but not currently shown in the interface.
Mapped attributes
Name: James Bourne
Email: james.bourne@company.com
Unmapped attributes
accountExpires: 92237827382370833
cn: James Bourne
countryCode: UK
distinguishedName: CN=james bourne, OU=people, DC=company, DC=local
lastLogoff: 0
lastLogon: 13387832738738378
logonCount: 2287
memberOf: CN=packages, OU=groups, DC=company, DC=local
name: James Bourne
mail: james.borne@company.com
objectClass: User
phone: 123456789
...
20. After making changes, the Threat Visualizer will not update until the user next logs in and their credentials are captured. Once
refreshed, the new user attributes from LDAP can be viewed in the Device View. Select a device and hover over it to view additional
details set in the LDAP User Attributes field. This could include the user name, email, group, and telephone number.
21. When logging in for the first time after LDAP is enabled, navigate to Group Admin from the main menu. Any groups for a user in
LDAP matching the LDAP Authentication Group Value will be automatically created. In this example, an LDAP Authentication Group
Value of *darktrace* has created a DarktraceAnalyst Group belonging to a user. When a new Group is created, ensure that user
permissions for the group are updated in Group Admin to match the desired authorization. Note, additional groups can be appended
by setting the LDAP Populate Groups field.
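Two of the rules in this section are easy to get wrong when settings are entered by hand: ldaps:// and LDAP Start TLS are mutually exclusive, and the LDAP Authentication Group Value is a wildcard applied to the user's group memberships. The Python below is an added example (not Darktrace's implementation) that checks a server location against the Start TLS flag and derives group names from memberOf distinguished names with the *darktrace* pattern from step 21. Case-insensitive glob matching, the memberOf values, and the handling of an escaped comma inside a CN are assumptions made for the example.

```python
import fnmatch
from urllib.parse import urlsplit


def check_ldap_transport(server_url, start_tls):
    """Apply the rule that ldaps:// (implicit TLS) and LDAP Start TLS cannot be combined."""
    scheme = urlsplit(server_url).scheme.lower()
    if scheme == "ldaps":
        if start_tls:
            return ("error", "LDAP Start TLS must be false when the server location uses ldaps://")
        return ("ok", "implicit TLS on the ldaps:// port")
    if scheme == "ldap":
        if start_tls:
            return ("ok", "plaintext connect upgraded with StartTLS")
        return ("warning", "no encryption: the bind credentials cross the network in clear; testing only")
    return ("error", "server location must begin with ldap:// or ldaps://")


def split_dn(dn):
    """Split a DN into RDNs, honouring RFC 4514 backslash escapes such as CN=Bourne\\, James."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def groups_for_user(member_of, group_value):
    """Return the CNs of memberOf entries matching the LDAP Authentication Group Value glob."""
    matched = []
    for dn in member_of:
        attr, _, value = split_dn(dn)[0].partition("=")
        if attr.strip().upper() != "CN":
            continue
        cn = value.replace("\\,", ",").strip()
        if fnmatch.fnmatchcase(cn.lower(), group_value.lower()):  # case-insensitive: an assumption
            matched.append(cn)
    return matched


MEMBER_OF = [  # constructed memberOf values for the test user
    "CN=DarktraceAnalyst,OU=groups,DC=company,DC=local",
    "CN=packages,OU=groups,DC=company,DC=local",
    "CN=Darktrace\\, Restricted,OU=groups,DC=company,DC=local",
]

if __name__ == "__main__":
    for url, tls in (("ldaps://dc1.company.local", True), ("ldaps://dc1.company.local", False),
                     ("ldap://dc1.company.local", True), ("ldap://dc1.company.local", False)):
        print(url, "StartTLS=%s" % tls, check_ldap_transport(url, tls))
    print(groups_for_user(MEMBER_OF, "*darktrace*"))
```

Splitting a DN on every comma is the usual shortcut and it silently misfiles any group whose name contains a comma; the escape-aware splitter keeps such a group in the match set.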
Uploading a valid HTTPS certificate will prevent the web browser warning that the connection to the Threat Visualizer uses an invalid
certificate. For example, in the Chrome browser, this is indicated by a red line through the ‘https’ part of the URL and may also present
the user with a warning that must first be dismissed before accessing the Threat Visualizer interface.
Darktrace Appliances are shipped with a self-signed certificate for the hostname “dt-XXXX-YY” - the internal appliance hostname as
designated by Darktrace. Self-signed certificates are often not trusted by web browsers and therefore a warning may be displayed
when accessing the appliance. Additionally, it is common practice for companies to have their own appliance naming conventions,
and it is likely the Darktrace designated name will not fit into such a scheme.
The following instructions detail how to configure a TLS/SSL certificate for a Darktrace appliance.
Darktrace offers a number of alerting types and export options - the simplest form is Email alerts. Multiple email addresses may be
entered as recipients for these alerts.
Email Alerting is especially important for teams that do not have enough time to regularly check the Threat Visualizer and would rather
log in for specific alerts only. Some organizations may prefer to send all model breaches to a central SOC team, while others prefer to
configure the Email Alert so they are only alerted to the most serious model breaches.
Note, emails are only sent when a model is set to alert. To view this setting, edit a model and confirm that the Action setting has ‘Alert’
highlighted.
2. Save the change. Scroll down to the ‘Save all Settings’ button or press enter when editing a field value to save. The page will
refresh, revealing email specific configuration fields.
3. Complete the configuration using the example below, substituting in the appropriate details. If extended configuration fields such
as a JSON format alert or Email Date Field value are required, enter a valid recipient and save the changes. These fields should now
become available. Note, both the Email Sender Name and Email Sender Email Address are required fields.
Email Alerts: true
Email Date Field: false
Email HTML Format: true
Email JSON Format: false
Email Password: <empty>
Email Recipients: user@company.com
Email Sender Email Address: darktrace@company.com
Email Sender Name: Darktrace Appliance
Email Server: mail.company.com
Email Server Port: 25
Email Server SSL: false
Email Server TLS: true
Email Username: <empty>
- Model Expression
These settings control when an email alert should be generated for a particular model breach. If more than one alert condition is
configured then a model breach must meet all criteria to generate an alert.
5. Optionally set a value for Minimum Alert Priority. Every Model has a priority from 0-5 indicating the breach severity. Setting a
minimum alert priority of 1 to 5 restricts emails to breaches of models whose priority is equal to or greater than that number.
8. Once all fields are completed and the alert priority is set, save the changes to reveal a Verify Alert Settings button. Click this
button to send a test email and check all settings are correct.
Available for iOS and Android, the Darktrace mobile app allows users to easily access Enterprise Immune System Alerts when they are
on the move. In order to associate the Darktrace Mobile app with your Darktrace deployment, the Threat Visualizer must be authorized
to send alerts via IMAP.
The user permission ‘Register mobile app’ is necessary to perform these configuration steps. Please see Section 8 below for further
details on user administration and account permissions.
2. Saving the changes should expose additional configuration options. Complete your details using the example below.
Mobile App Alerts: True
Mobile App Antigena: True
Mobile App IMAP Address: user@example.com
Mobile App IMAP Internal Hostname: <blank>
Mobile App IMAP Password: <password>
Mobile App IMAP Port: 993
Mobile App IMAP Server: imap.example.com
Mobile App IMAP Server SSL: true
Mobile App IMAP Server TLS: false
Mobile App IMAP Username: user@example.com
Mobile App Restricted View: False
- Model Expression
These settings are covered in detail in Section 6, steps 4-7.
4. After completing the alerting configuration, return to the main Threat Visualizer and navigate to Account Settings on the main
menu. The ‘Register Mobile App’ option should now be available. Click ‘Register Mobile App’ to reveal a QR code.
8. User Administration
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.
User Admin provides options to control access and restrict privileges for user accounts within the Threat Visualizer application. It can
be accessed by navigating to Admin, User Admin. User privileges can be configured by enabling values in blue, and then clicking the
Save button. By default, the ‘admin’ user will possess all available privileges.
User access can also be controlled by creating user groups in the Group Admin page and assigning specific permissions to each group.
Available Permissions
Edit Models: Make changes to Models. Using tags can be a good way of tuning models without requiring access to edit a model.
Device Admin: Lists all devices observed by Darktrace. This is particularly useful for searching, bulk tagging, or changing device
types. Typically for administrators only.
Subnet Admin: Lists all subnets, labels, and whether DHCP is enabled. Typically for administrators only.
Audit Log: Lists captured user behavior such as logging into Darktrace. Typically for administrators only.
User Admin: Controls access to user privileges. Typically for administrators only.
Group Admin: Controls access to group privileges. Typically for administrators only.
Advanced Search: Advanced Search provides a deep insight into network traffic, making every connection searchable. An excellent
tool for investigating suspicious activity, but may be restricted to more privileged positions due to the insight granted.
Status: For administrators and developers to check the system health of the Darktrace appliance, probes, and network traffic.
Acknowledge Breaches: Enables users to acknowledge model breaches. Any user investigating breaches should likely have access to
this role. Recommended for all but the most restricted user.
Discuss Breaches: Makes comments on model breaches. Very useful for controlling and highlighting which users are working on a
model. Recommended for all but the most restricted user.
Edit Domains: Make changes to domain information. Typically for administrators only.
Configuration: Make changes to the System Configuration page. Typically for administrators only.
API Help: Provides information on the Threat Visualizer API. Recommended for all administrators and developers.
View Models: To help understand how a model breach occurred, it is recommended that all users have access to View Models. Note
there is a separate privilege for editing models, which is much more restricted.
One Click Analysis: Provides a quick view of the model breach to assist in identifying and investigating model breaches. Recommended
for all users performing threat analysis.
Create PCAPs: Enables users to create Packet Captures in the Threat Visualizer application. Recommended for users familiar with
Wireshark or Darkshark.
Download PCAPs: Allows users to download created Packet Captures. Recommended for users familiar with Wireshark or Darkshark.
Antigena: Enables Antigena functionality. The Darktrace appliance must be configured to enable Antigena.
View Messages: View comments on model breaches. Very useful to control and highlight which users are working on a model.
Recommended for all but the most restricted user.
Unrestricted Devices: When enabled, users can view all user credentials that have accessed a device. Disabling this option, which
restricts users to an obfuscated view, is recommended for restricted users.
Ask the Expert: Ask Analysts questions about particular Model breaches. This will open a window to drag and drop breach log details
and post questions.
Dynamic Threat Dashboard: Provides access to the Dynamic Threat Dashboard.
Register Mobile App: Register the Darktrace Threat Visualizer Mobile App. The Mobile App IMAP settings in the Alerting section of the
System Config must be set before this feature can be employed. Enabling this functionality provides users with a link on the Account
Settings window.
Three user access configurations are covered below. These profiles encompass common roles utilized by organizational security
teams when using Darktrace.
Users with this access are unable to identify users of a particular device, but can make comments and acknowledge breaches. They
do not have access to Advanced Search, nor do they have the privileges to change and administer settings.
The following options provide full threat analysis with Advanced Search and capability to identify users. Packet Capture and Antigena
are also available.
Full Administration access to change system configuration and perform detailed threat analysis. Typically, this level is granted to
System Administrators only.
Anonymization Mode
Darktrace’s technology has been designed with protection and controls in place that allow customers to comply with a range of privacy
and confidentiality policies. Anonymization Mode can be configured for enhanced anonymization on a per-user basis. Importantly, this
mode only impacts Client machines in Darktrace. It does not impact any Server device Types. If set, this mode anonymizes various
aspects of the data seen by Darktrace, in order to protect the privacy of employees and to comply with European privacy laws.
- The last octet of IPv4 addresses is anonymized. For example, 192.168.0.22 is anonymized to 192.168.0.#36178
The figure accompanying this section shows a Subnet view with Anonymization Mode enabled: the hostname and IP address have been
automatically anonymized.
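The page states the effect (a consistent token replaces the last octet for client devices only) but not how the token is produced. The Python below is an added example, not Darktrace's implementation, of one sound way to do it and of the mistake to avoid: the token is a keyed HMAC of the address, the key stays with the appliance, and servers pass through untouched. The second half shows why an unkeyed hash would not protect anyone, since there are only 256 candidate octets to try. The key, the device records, the five-digit token width and the hostname replacement are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress

TOKEN_DIGITS = 5  # the guide shows a five-digit token: 192.168.0.22 -> 192.168.0.#36178


def pseudonymise_client_ip(ip, key):
    """Replace the last octet of a client IPv4 address with a keyed, consistent token."""
    if ipaddress.ip_address(ip).version != 4:
        raise ValueError("IPv4 only in this example")
    prefix, _last = ip.rsplit(".", 1)
    tag = hmac.new(key, ip.encode(), hashlib.sha256).digest()  # keyed: not reproducible without the secret
    token = int.from_bytes(tag[:4], "big") % 10 ** TOKEN_DIGITS
    return f"{prefix}.#{token:0{TOKEN_DIGITS}d}"


def display_device(device, key, anonymise):
    """Anonymisation applies to client device types only; servers are shown unchanged."""
    if not anonymise or device["type"] != "client":
        return dict(device)
    shown = dict(device)
    shown["ip"] = pseudonymise_client_ip(device["ip"], key)
    shown["hostname"] = "host-" + shown["ip"].rsplit("#", 1)[1]  # assumed hostname replacement
    return shown


def unkeyed_token(ip):
    """The weak alternative: a plain hash of the address with no secret."""
    return int.from_bytes(hashlib.sha256(ip.encode()).digest()[:4], "big") % 10 ** TOKEN_DIGITS


def recover_from_unkeyed(prefix, token):
    """Anyone who knows the scheme needs at most 256 guesses to undo an unkeyed token."""
    return [f"{prefix}.{octet}" for octet in range(256) if unkeyed_token(f"{prefix}.{octet}") == token]


if __name__ == "__main__":
    KEY = b"held-by-the-appliance-not-the-analyst"  # constructed
    devices = [  # constructed device records
        {"ip": "192.168.0.22", "type": "client", "hostname": "LAPTOP-01"},
        {"ip": "192.168.0.10", "type": "server", "hostname": "dc1"},
    ]
    for d in devices:
        print(display_device(d, KEY, anonymise=True))
    weak = unkeyed_token("192.168.0.22")
    print("unkeyed token", weak, "recovers", recover_from_unkeyed("192.168.0", weak))
```

The keyed token is still a pseudonym rather than true anonymity: the same device produces the same token every day, so an analyst without the key can correlate activity over time even though they cannot name the host. That is the intended trade-off for investigation, and it is why the key must never be exposed to the users the mode is meant to restrict.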
When a software upgrade bundle is applied, any changes to Darktrace models (such as new or updated models) will also be performed.
Where software upgrades are set to pre-cache, model updates will be pushed to the User Interface for automatic update or approval
even if the full software bundle is not yet applied.
Separate to this software upgrade process, updates to Darktrace models are delivered on a regular basis to the Threat Visualizer when
Call-Home is enabled.
Model updates can be deployed via two methods, auto-update and manual confirmation. Manual confirmation can be applied on a
model-by-model basis or across all models. In this mode, an operator must confirm all model updates before application. Antigena
Models will never be updated automatically.
Auto-updating Models
1. Within the Threat Visualizer, navigate to the ‘System Config’ page under ‘Admin’ on the main menu.
4. Edit any Model in the Threat Visualizer and confirm that the Auto Update setting is ‘Yes’. When set to Yes, this model will
automatically upgrade to the latest version when it is released.
Manual Confirmation
1. If models are not updated automatically due to any of the conditions listed above, a message will appear on the home page of the
Threat Visualizer stating ‘x’ number of model updates are available and require review. Clicking this blue notification will redirect
the user to the Model Updates page. The Model Updates page can be accessed at any time from the main menu under ‘Models’. Any new
models created or duplicated will not be impacted by automatic updates.
2. The Model Updates page lists all Models which have been customized but have new updates available. Click on a Model row to reveal
more options.
3. For each model, each revision will appear as a separate line with a short description of the changes and options to Accept, Decline
or View them.
5. Click ‘View Upgrade’ to see the newest version of the model. You may Ignore or Accept the changes. Accepting the changes will
permanently update the Model. Be careful not to overwrite any changes.
If you wish to preserve your changes to a model but are concerned about delaying any important updates, one method is to duplicate
the model and then upgrade the original. The duplicated model will retain the original logic with your changes and can be revised to
match the upgraded version at your convenience.
Darktrace provides several custom configuration options which may be appropriate for your environment. These configuration options
are accessed via the console and will help to access, use and administer the appliance and ensure any internal policies are adhered to.
The available host variables may change from version to version, dependent on requirements. Each option is described in detail when
selected from the console menu.
Configures the SSH server to use a highly compatible set of ciphers. Disabling this option increases the security of the SSH server.
Enabling this option restricts the cipher suite in use by the HTTPS server and disables TLS protocols other than TLS v1.2.
Sets the number of minutes after which UI sessions are logged out due to inactivity.
Enabling this option requires that all users of the Threat Visualizer provide a second credential to access the user interface. Two-factor
authentication can also be individually enabled for specific users in the User Administration page on the Threat Visualizer User Interface.
This option sets the maximum transmission unit (MTU) size that can be communicated over the network.
Enabling this option applies the kernel patch to mitigate the Meltdown vulnerability (Kernel page table isolation). A reboot is required
for changes to take effect.
For more details, please refer to “Darktrace Threat Note Meltdown and Spectre.pdf” available to download from the Darktrace Customer
Portal.
Sets the Terminal Services Agent (TSA) to post data to the appliance on port 1443.
Changes the encoding for DHCP hostnames. The Windows DHCP client transfers computer hostnames using the system encoding.
Organizations with Windows machines configured to use non-ASCII character sets by default may wish to change this setting.
Automatically generate an Executive Threat Report every Sunday at midnight UTC. Please note, this feature will not run on probes or
individual masters underneath a Unified View instance.
To modify the following host variables, access to the appliance console is required.
The Darktrace Threat Visualizer application includes configuration options to back up your Darktrace appliances. A backup includes
all Darktrace machine learning, models, breaches, as well as subnet and device information, and configuration settings on the Threat
Visualizer GUI. It does not include transactional data such as connections in the Event Log, Advanced Search entries and PCAP files,
nor configuration settings on the console menu.
A backup will take approximately 2GB of storage space, although actual size may vary, and can be created either manually or
automatically on a daily schedule.
In networks with Probe and Master appliances, only the Master appliance needs to be backed up. In Unified View deployments, or if
more than one Master is being used, make sure to back up all Masters.
A backup file can be manually created through the appliance console and accessed via SFTP by the transfer user.
Backups can be automatically created on a daily basis and passed to a specified remote server via SCP or SMB.
3. When accessing this feature for the first time, a prompt may appear
stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed.
The next screen will ask if you wish to change the configuration at
this time. Select ‘Yes’ to proceed.
8. Enter a path on the server where the backup will be sent and
confirm.
9. Enter the hour, minute and second in UTC for the daily backup and
confirm.
3. When accessing this feature for the first time, a prompt may appear
stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed.
The next screen will ask if you wish to change the configuration at
this time. Select ‘Yes’ to proceed.
7. Enter the name of the share on the SMB server and confirm.
10. Set a password for the user for authentication and confirm.
11. Set the path on the server where the backup will be sent and
confirm.
12. Enter the hour, minute and second in UTC for the daily backup
and confirm.
Darktrace provides the option to receive email notifications about the success or failure of daily scheduled backups. Scheduled backups
must be configured for email notifications to be set.
The option to restore from a backup is available in the console menu. Transactional data such as connections in the Event Log,
Advanced Search entries, and PCAP files are not restored.
• Upload the backup file to /files/upload in the transfer user directory via SFTP.
• Confirm the appliance is running the same software version as the backup file, otherwise the restore cannot be performed.
This section describes the process for manually upgrading the software version running on a Darktrace appliance. When Call-Home is
enabled, Darktrace appliances will automatically be upgraded by Darktrace to the latest release unless the ‘Upgrade requires approval’
option has been selected. In such case, or when “Call Home” is not enabled, a manual upgrade is required.
Upgrading to the latest version of the Threat Visualizer involves the following stages:
• Log in to the Threat Visualizer application and confirm the latest version is installed.
As a Darktrace installation may involve multiple appliances, it is important to ensure that all appliances are upgraded to the same
version. Upgrading an appliance will not change any previous settings or overwrite any stored model breaches.
There are two types of software bundle available, full and differential. Full packages contain the entirety of the Darktrace software
needed to upgrade an appliance to the newest version and consequently are larger files. Differential packages are much smaller
upgrade bundles and only contain the necessary content to upgrade from the version specified in the file name. Understanding the
difference will ensure you download the correct package for your needs.
Full package
A full package can be applied to upgrade an appliance running any older version of the Darktrace software. These software bundles
follow the naming syntax:
Example: darktrace-bundle-31007_20181217T1457Z-983d8-x.dat
Differential package
Differential packages are much smaller files than full packages. Unlike full packages, differential packages can only upgrade appliances
running the specific software versions named in the package file name. Differential packages come in two types, delta and xdelta.
Delta Packages
Delta packages can be applied to any software version newer than the version specified in the filename. These software bundles
follow the naming syntax:
Example: darktrace-bundle-31007-delta30911_20181217T1457Z-983d8-x.dat
In this example, any appliance running the oldest version (30911) or newer can be upgraded with this bundle.
Xdelta Packages
Xdelta packages can only be applied to the specific software version included in the filename. These software bundles follow the
naming syntax:
Example: darktrace-bundle-30811-xdelta30801_20180726T1426Z-5c186-x.dat
In this example, only an appliance running the specific version (30801) can be upgraded with this bundle.
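The three naming rules above (full: any older version; delta: the named version or newer; xdelta: exactly the named version) are easy to get wrong when several appliances sit at different versions. The following added example (not a Darktrace tool) parses a bundle file name into its fields and answers whether an appliance at a given version may apply it. It assumes the build numbers in the name compare as plain integers and treats the trailing "-x" field as an opaque suffix, since the guide does not explain it.

```python
"""Classify a Darktrace upgrade bundle by file name and decide applicability.
Added example, not Darktrace code. Assumptions: version numbers in the name
compare as plain integers; the trailing '-x' field is an opaque suffix."""
import re
from dataclasses import dataclass
from typing import Optional

BUNDLE_RE = re.compile(
    r"^darktrace-bundle-(?P<target>\d+)"          # version the bundle installs
    r"(?:-(?P<kind>delta|xdelta)(?P<base>\d+))?"  # optional differential marker
    r"_(?P<stamp>\d{8}T\d{4}Z)"                   # build timestamp
    r"-(?P<build>[0-9a-f]+)"                      # short build identifier
    r"-(?P<suffix>[^.]+)\.dat$"                   # opaque suffix (assumed)
)


@dataclass(frozen=True)
class Bundle:
    kind: str            # 'full', 'delta' or 'xdelta'
    target: int          # version installed by the bundle
    base: Optional[int]  # version it applies to (None for a full package)
    stamp: str           # build timestamp from the file name


def parse_bundle(filename: str) -> Bundle:
    m = BUNDLE_RE.match(filename)
    if not m:
        raise ValueError(f"not a Darktrace bundle file name: {filename}")
    kind = m.group("kind") or "full"
    base = int(m.group("base")) if m.group("base") else None
    return Bundle(kind, int(m.group("target")), base, m.group("stamp"))


def can_apply(filename: str, running: int) -> bool:
    """True if an appliance at software version `running` may apply the bundle."""
    b = parse_bundle(filename)
    if running >= b.target:
        return False               # already at or beyond the bundle's version
    if b.kind == "full":
        return True                # any older version
    if b.kind == "delta":
        return running >= b.base   # the named version or anything newer
    return running == b.base       # xdelta: only the exact named version


def explain(filename: str, running: int) -> str:
    b = parse_bundle(filename)
    verdict = "can" if can_apply(filename, running) else "cannot"
    return f"{b.kind} bundle to {b.target}: appliance at {running} {verdict} apply it"


if __name__ == "__main__":
    # The three file names given in the guide, checked against a few versions.
    examples = [
        "darktrace-bundle-31007_20181217T1457Z-983d8-x.dat",
        "darktrace-bundle-31007-delta30911_20181217T1457Z-983d8-x.dat",
        "darktrace-bundle-30811-xdelta30801_20180726T1426Z-5c186-x.dat",
    ]
    for name in examples:
        for version in (30801, 30810, 30911, 31000):
            print(explain(name, version))
```

Run it over a fleet inventory before an upgrade round and the output tells you which appliances need a full package and which can take the smaller differential bundle.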
Software upgrade bundle files can be obtained via automatic download, manual download or from the Darktrace Customer portal.
Automatic download
A differential package file is automatically downloaded every weekend (if available) when automatic downloads are configured. To
check the current settings, access the console and navigate to 2. Software Updates > Guided mode > 3. Configure downloads. To
disable all automatic downloads, select None (disable guided updates) under the appropriate submenu.
• Automatic download via Call-Home: Update bundle files are downloaded via Call-Home. (Call-Home must be established to select
this). This is enabled by default.
• Automatic download over the internet: Alongside the Call-Home SSH connection, Darktrace provides another channel for
appliances to automatically download bundle files over the internet via HTTPS.
The appliance requires access to packages.darktrace.com (or the cloudfront.net content delivery network, if you prefer) over port
443. A proxy can be configured if required. This method requires a bundle key which can be requested from Darktrace Support.
Manual Download
All current software bundles can be found on the Darktrace Customer Portal. A manual update check can also be performed from the
appliance console.
• Manual download via Call-Home: The latest differential package can be downloaded via the console menu. Navigate to 2. Software
Updates > Guided mode > 1. Check for updates now
• Manual Download via Customer Portal: The latest bundle file is available in the Customer Portal. Download the file from the
website and copy it to the appliance intended for upgrade via SFTP using the transfer user.
Upgrade procedure
You can manually upgrade your appliance using the following procedure. Please ensure that your upgrade bundle file is placed on the
appliance before the upgrade process. If you downloaded a bundle from the Customer Portal, log in to your appliance as the transfer
user via SFTP, and upload your upgrade bundle file to the /files/upload directory.
Guided Mode
4. Select Check for Updates Now. The appliance will locate any
available updates and proceed through the upgrade process.
Confirm each step in turn and the upgrade will run successfully.
Manual Mode
12. Log in to the console menu again to confirm that the software
version has updated.
13. Log in to the Threat Visualizer web application and navigate to
Admin, System Status under the main menu.
14. On the Status page, confirm that the software version has been
updated to the latest version.
If so, the upgrade process has been successful.
Data erasure is useful when relocating a Darktrace appliance and/or changing its monitoring scope, to start initial deployment
‘baselining’ afresh, or if data needs to be wiped before returning an appliance to Darktrace.
There are two options for data erasure: captured data deletion or a factory reset. Both data erasure processes can be performed
onsite, provided access to a Darktrace appliance is available. Neither process will affect the appliance Operating System or any
Darktrace proprietary software.
The ‘delete captured data’ option will include, but may not be limited to, the following data sets: topology settings (connected probes
and their IP addresses), hostnames and popularity (rare hostnames etc.), environmental details (proxies, domains etc.), all modelled
devices, breaches and partial breaches, device connectivity states, and backups. A factory reset will write zeros to all disks and reinstall
the operating system and Darktrace software components, rendering the appliance in an as-new state.
Darktrace will also fully erase any information on all storage drives for new or returned appliances.
Captured data is erased through the console application. This process will also require an unlock code to be provided by a Darktrace
representative, and exchanged via a secure channel such as text message or the Darktrace Customer Portal.
6. The appliance will now request a reset unlock code. Enter the
unlock code provided by Darktrace and confirm.
A factory reset is performed through the Appliance console and is the most stringent data erasure method available. A factory reset
will write zeros to all disks, reinstall the operating system and all Darktrace software components to return the Appliance to an as-new
state. Consequently, this process will take considerably longer than the standard Delete function and requires a reset code provided by
a Darktrace representative and exchanged via a secure channel (such as text message or the Darktrace Customer Portal).
Before proceeding with a factory reset, unplug all analysis port cables (management and RMM cables can remain plugged in).
6. During the first part of the process, the following message will
appear on the screen:
“Initiating factory reset. The appliance will reset upon success. This
can take a long time, please wait. After reboot, consult the monitor
screen to view the progress of the factory reset.”
Do not interrupt the process or the appliance may be left in an
irrecoverable state.
8. Once the wipe is complete, the terminal will show the following
message on the screen:
“Completed Wipe. Starting Setup.”
After completing the setup the appliance will reboot one further
time, at which point the process will be complete.
US: +1 415 229 9100 UK: +44 (0) 1223 394 100 LATAM: +55 11 97242 2011 APAC: +65 6804 5010 info@darktrace.com darktrace.com