Darktrace System Administration Guide v3.1

SYSTEM ADMINISTRATION GUIDE
DARKTRACE SYSTEM ADMINISTRATION GUIDE 1
Darktrace System Administration Guide

Contents
1. Using the Darktrace System Administration Guide�� 2
Darktrace Customer Portal��2
Threat Visualizer��2
Console��2
2. Basic Darktrace Appliance Configuration�� 3

Labelling subnets��3
Configuring Subnet DHCP ��4
Label Key devices��4
3. Device Tracking�� 5
Tracking by DHCP��5
Tracking by Hostname��5
Using Log Input to Provide Tracking Data��8
4. LDAP Authentication and Enrichment of User Details�� 10
5. Configuring HTTPS Certification�� 13
6. Configuring Email Alerts�� 14
7. Registering the Darktrace Mobile App�� 16
8. User Administration�� 18
Available Permissions�� 18
Recommended User Access Settings�� 19
Anonymization Mode�� 20
9. Upgrading Darktrace Models�� 21

Auto-updating Models�� 21
Manual Confirmation�� 22
10. Host Variable Configuration�� 23

Available Host Variables:�� 23
Modifying Host Variables�� 24
11. Creating Backups�� 25

Create an Immediate Backup�� 25
Create Scheduled Backups�� 25
Email Notifications for Scheduled Backup Status�� 28
12. Restore from a Backup�� 29
13. Upgrading the Darktrace Appliance�� 30

Types of Software Bundle�� 30
Upgrade procedure�� 32
14. Securely Erasing Captured Data �� 35

Delete Captured Data�� 35
Restore to Factory Settings�� 36
This iteration of the Darktrace System Administration Guide is intended for Darktrace appliances running software version 3.1 and above.
1. Using the Darktrace System Administration Guide

The Darktrace System Administration guide aims to provide assistance for the installation, configuration, and support for Darktrace
appliances and applications such as the Threat Visualizer. The following guide is intended for system administrators and information
technology professionals; a familiarity with networking concepts is assumed.
To perform the full range of configuration steps contained within this guide, the following specified access and credentials are
considered essential. Prerequisites for each configuration section are also stated at the outset.
Darktrace Customer Portal
The Darktrace Customer Portal is a dedicated web application to provide assistance and support for your appliance. It provides a
facility to raise tickets with support, download software such as appliance upgrade bundles, and review the latest documentation
online. Significant system administration tasks such as restoring an appliance to factory settings will require a confirmation code
provided by a Darktrace support representative. Where Call-Home is disabled, software upgrade bundles can be downloaded from the
Customer Portal and transferred to the appliance.
If you experience any issues during any of the following configuration steps, Darktrace support can guide you through the troubleshooting
process.
Threat Visualizer
Access to the Threat Visualizer User Interface
The majority of configuration steps contained within this guide require access to the Darktrace Threat Visualizer User Interface. The
Threat Visualizer can be accessed by navigating to the IP address of your Darktrace appliance in web browser. When logging in for the
first time, a customer license agreement screen will be displayed.
Login credentials for the Threat Visualizer ‘admin’ user.
A number of configuration steps require access to the Threat Visualizer System Config page. Credentials for the ‘admin’ user are
required to access all possible configuration options. These credentials are provided by your Darktrace representative when the
appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace support.
Console
Access to the Appliance Console
Sections 10-14 require access to the appliance console, distinct from the Threat Visualizer User Interface. If you are unfamiliar with
accessing the console, please refer to the guide, Setting Up the Darktrace Appliance.
Login credentials for the appliance ‘console’ user.
Sections 10-14 require access to the appliance console, distinct from the Threat Visualizer User Interface. Accessing the console
requires the console user credentials. These credentials are provided by your Darktrace representative when the appliance is initially
deployed. If you cannot locate these credentials, please contact Darktrace support.
Login credentials for the appliance ‘transfer’ user.
If Call-Home is disabled, upgrade bundles must be copied to the appliance via the console transfer user. Any immediate backups
created (in contrast to scheduled backups) must also be transferred from the appliance by this user. These credentials are provided by
your Darktrace representative when the appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace
support.
2. Basic Darktrace Appliance Configuration

Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.
Labelling subnets and key devices is the first step to customizing your Darktrace deployment to streamline investigation and quickly
identify key assets. The following configuration steps will improve user workflow and remove unnecessary warnings from subnets
without DHCP.
Labelling subnets
Darktrace provides the ability to label Subnet IP address ranges for ease of use. Labelling larger subnets removes the need to memorize
the purpose of each IP address range and allows for simpler Subnet searching and selection in the Threat Visualizer
Manual Labels
Individual subnets can be manually labelled within the Threat Visualizer user interface.
1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page

in the main menu under ‘Admin’.
2. Click the IP address value under the ‘LABEL’ column to edit it.
Enter a short description such as “Public Wifi”, and click the Save
button on the right.
Uploading Labels
To make changes to a large number of Subnets on the Subnet Admin page, it is possible to upload a CSV file containing Subnet details.
Darktrace will not accept any network ranges uploaded which do not correspond to a range already seen by the appliance.
CSV files must be structured in the following format:
Label Network Latitude Longitude DHCP

Office 1 192.168.1.0/24 12.34 56.67 TRUE or FALSE
Office 2 192.168.2.0/24 12.34 56.67 TRUE or FALSE
Optionally, a correctly formatted CSV file containing all current Subnet information (including labels) may be downloaded from the
Subnet Admin page using the Download CSV button.
1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page

2. Click ‘Edit Subnet Details’, a ‘Choose Files’ option will appear.

Select your CSV file and click ‘Process File’
3. A prompt will appear detailing the changes to be made.

Confirm the changes.
Configuring Subnet DHCP
By default, all Subnets have DHCP enabled. This setting indicates that Darktrace should expect to observe DHCP traffic on the Subnet.
If a subnet does not have any DHCP traffic, such as a server network employing static IP addresses, the Threat Visualizer Status page
will show “No DHCP” in red for the offending Subnet. Disabling DHCP in the Subnet Admin page will remove this warning.
1. Within the Threat Visualizer, navigate to the ‘System Status’ page

2. Scroll down and review the Subnets section. Locate any Subnets
with ‘No DHCP’ in red.
If this is a static subnet, you can remove this warning.
3. Navigate to the ‘Subnet Admin’ page in the main menu under

‘Admin’ and locate the corresponding entry.
Set the DHCP value to ‘No’ for the Subnet and save the changes.
4. Return to the System Status page and confirm that the ‘No DHCP’
warning is now grey.
Label Key devices
For ease of identification and prioritization, it is recommended that the most important 20-30 devices are labelled. For example,
labelling the Domain Controllers as DC1 and DC2 can assist in identifying these key assets.
Labelling a device is particularly helpful for devices that do not have a hostname, where the hostname is ambiguous, or where a device
deviates from the naming convention. Device labels appear in search results and any model breaches associated with the device.
1. Within the Threat Visualizer, navigate to the ‘Device Admin’ page in

the main menu under ‘Admin’.
2. Choose a device and click the label to begin editing it.

Enter a label such as “Mail Server” or “Finance Desktop”, and click
away from the label to save your changes.
3. The main Threat Visualizer user interface must be refreshed to

display any changes.
3. Device Tracking
Darktrace models every internal device that it observes on a network. This is achieved by analyzing every single packet to determine
its source and destination.
The most consistent method of tracking IP addresses is by assigning a static IP - in these cases, no configuration is required to instruct
Darktrace how to model static devices such as servers. However, In an increasing world of IoT, there may be thousands of IP addresses
in use day in and day out that are dynamically re-assigned via DHCP to a large number of constantly changing devices.
In the Threat Visualizer interface, there are multiple methods to track dynamic IP addresses. The most suitable method depends on
the network traffic available and deployment scenario.
Tracking by DHCP
Tracking via DHCP is the most reliable and preferred method to track IP address changes, and is enabled by default.
To access a network, a device must begin by sending a DHCP ACK request. The DHCP ACK packet contains two necessary ingredients
for Darktrace tracking: the device’s assigned IP address and the device’s MAC address. Darktrace will dissect this packet and extract
the MAC address. As the MAC address will not change, it can be used as a unique identifier and is therefore the most trusted source
for dynamic IP address tracking.
This method can mean a device such as a laptop can be displayed twice in Darktrace: one device for the connection via a physical
Ethernet cable, and another for the Wi-Fi network card. Differentiating the two connections can assist Darktrace learn a pattern of life
for a device. For example, typically a user’s behavior can be very different on their Wi-Fi when compared to a wired connection - they
may check their social media on pubic Wi-Fi, but never on the corporate LAN.
Tracking by Hostname
Darktrace passively reads hostnames for devices by observing devices making network requests, such as DNS requests for IP
addresses, Kerberos logins, and DHCP handshakes. This provides the Threat Visualizer with hostnames as enrichment data, allowing
for easy identification of devices beyond an IP or MAC address.
If DHCP is unavailable, Darktrace will default to tracking a device by its IP address. Where the device has a dynamic IP address, this
tracking may be inconsistent or lost. By configuring tracking by hostname, hostnames can be appended to a device for greater
consistency.
Hostname tracking can be achieved in three ways:
oo Passively look for hostnames in Kerberos traffic.
oo Actively poll DNS servers for hostnames
oo Passively look for hostnames in DNS traffic

Hostnames in Kerberos Traffic
1. Within the Threat Visualizer, navigate to the ‘System Config’ page

2. Under ‘Settings’, locate ‘Reassign Device IPs from Kerberos’.

When DHCP is not available, setting this to true will enable Darktrace
to append hostnames when performing Kerberos authentication.
If suitable Kerberos packets are available to Darktrace, it will look for
hostnames and reassign IP addresses to them. This is particularly
useful if you are unable to poll DNS servers as described below.
It is recommended to always set this to true.
Hostnames in DNS traffic
It is also possible reassign IPs for client devices based on hostnames observed in DNS traffic and assign them to a network device.
When active polling is configured (see Polling DNS Servers to Append Hostnames below), Darktrace will use this method to reassign
IPs. Otherwise, passive observation will be used.

2. Under ‘Settings’, locate ‘Reassign Device IPs from DNS’.

Typically, enabling this setting is not recommended, unless the other
options have been exhausted.
Set this field to ‘true’.
Polling DNS Servers to Append Hostnames
When set to poll, Darktrace uses network administration command-line tools to poll DNS servers (DIG commands) for an IP address’s
hostname when the IP address becomes active on the network. The hostname resolution will be cached for a time set by the operator.
As IP addresses change frequently, these are both critical components.

2. Under ‘Settings’, locate ‘Poll Network For Hostnames’.

Set the value greater than zero to send commands.
A typical value of 7200 sets the number of seconds to cache
the results, enabling network commands to attempt to resolve
hostnames. Save your settings.
3. New polling options will appear.

Poll Network For Hostnames: 7200
The following steps will explain each setting so you may select an
Poll Network For Hostname Throttle: 10
appropriate value for your environment.
Alternatively, follow the worked example on the left to complete the
Poll Network For Hostnames All Subnets: true|false configuration.
Poll Network For Hostnames DNS Server: <DNS Servers>

4. Configure the Poll Network For Hostname Throttle setting.

When performing active DNS, this value will throttle the maximum
frequency of requests made to the specified limit.
5. Configure the Poll Network For Hostnames setting.

Set to a value greater than 0 to run ‘dig’ on the network to resolve
hostnames for IP addresses.
Typically used where no DHCP is available but correct dynamic
hostnames are available from DNS. Results are cached for this many
seconds. A typical setting is 7200 (two hours).
6. Configure the Poll Network For Hostnames All Subnets setting.
When ‘true’, runs ‘dig’ to resolve hostnames for IP addresses for
all subnets. If false, hostname lookups will not be performed for
subnets marked as having tracking by DHCP or unique usernames.
7. Configure the Poll Network For Hostnames DNS Server setting.

Input DNS Server details. Enter a maximum of 5, separated by
commas. If this field is left empty, polling will be completed using
the DNS servers configured via the console.
Tracking by Credentials
Darktrace automatically detects logins via Kerberos and other credentials. By extracting the source IP address and the credential,
the system can identify which device is in use at the time. If Darktrace is unable to obtain DHCP or DIG, credentials can be utilized to
track devices instead. This is most commonly used when Darktrace has no other means of identifying the device than identifying the
individuals/users logging into them (e.g. VPN users).
Tracking by credentials is configured on a per-Subnet basis in the Threat Visualizer.
1. In the main Threat Visualizer, click on the cube representing the

Subnet where you wish to enable tracking of credentials.
2. The Threat Visualizer should pivot to the selected Subnet and the
Subnet IP range should appear in the Omnisearch bar.
Click the pencil icon () beside the subnet range.
3. Review the options available in the ‘Edit Subnet Info’ popup box:
oo DHCP
oo Track Hostnames
oo Track Credentials
4. Review the DCHP setting.

The DHCP subnet setting controls if Darktrace should track devices
by DHCP. Note that the DHCP setting can also be changed via the
Subnet Admin page.
When disabled, Darktrace will track all devices in a subnet by their
IP addresses. When enabled, devices are tracked through their MAC
addresses.
If Tracking Credentials is to be enabled, DHCP must be disabled.
5. Review the Track Hostnames setting.

Setting Track hostnames to ‘Yes’ will force Darktrace to only track
devices by hostnames, not MAC addresses. If Tracking Credentials is
to be enabled, Track Hostnames must be disabled.
Example Scenario: tracking laptops connecting to a network through
a docking station. The IP address seen by Darktrace will remain the
same, but multiple laptops could use the docking station during the
lifetime of the IP address.
Tracking devices by hostname will assist Darktrace in distinguishing
between the various laptops.
6. Before Track Credentials is enabled, confirm that DHCP is disabled

(step 4). Track hostnames must also be disabled (step 5).
Example Scenario: shift workers sharing the same desktop device
during the day. The device keeps the same DHCP information, but
the credentials change.
Enabling this setting will automatically create a separate device in
Darktrace for each user. The hostname will be a combination of the
Subnet and user credentials.
Using Log Input to Provide Tracking Data
When DHCP or Kerberos data cannot be retrieved’ DHCP or VPN logs can be sent to Darktrace to be parsed. Log Input allows custom
log data to be read into Darktrace and mapped to existing devices using the IP or MAC address. Assuming there is little delay retrieving
uploaded information, it can be a very accurate method of tracking devices. This feature is most commonly used to provide device
tracking information, but it can also enrich Darktrace modelling data.
VPN Users
Users who log into your network remotely via a VPN should be tracked via credentials as their IP address will constantly change -
Darktrace may never see the hostname for the associated device. Entering credentials will always be the first thing that a VPN user
needs to do before getting onto your network. For this, Darktrace can ingest VPN Logs that can be parsed for the user’s internal IP
address in use and the user associated with the traffic.
Other Log Types
DHCP and username data is used to assign hostnames, IP addresses, or credentials to devices. Event data is used to add custom
events into Darktrace. Note that this data will not be added to Advanced Search.
Log Input
The Log Input feature is available on the System Config page under the Log Input section. The logs should be sent in syslog format to
the IP address of the Darktrace appliance, over UDP/1514.
Multiple Types and Patterns can be appended to parse the log data.
Once log data is being sent to the appliance successfully, the Load
Input option can be used to review a sample of the logs received.
Alternatively, check your own log servers to locate a sample and paste
into the ‘Log Input Test’ field. From the sample, a pattern can be
entered to automatically match and parse, setting variables to specific
attributes found in the log inputs.
Grok* patterns are used to extract values into a number of named

fields using the syntax %{PATTERN:field}. PATTERN must be one
of the built-in shortcut strings or a regular expression surrounded by
parentheses. Existing patterns may be reviewed by hovering over the
 beside Built in Patterns and copying any relevant options. Multiple
patterns can be configured, each one mapping to a named type.
Patterns can use perl compatible regular expressions or one of a number of built-in shortcuts.
Each input log line is matched against each applicable configured pattern in the order listed below until a match is found. Once a match
is found and data is extracted by the associated pattern, no further pattern matching will be attempted.
The following example will take any log that contains date=, and will look for a field called xauthuser. It will then look for the value
and assign that to username and a field called tunnelip, and assign that to the ip_address.
Type: USERTRACK
Match: date=
Pattern: xauthuser=”%{DATA:username}”.*tunnelip=%{IP:ip_address}
Click Load Input to fill the field, and Test Input to test your pattern against the sample log.
A full list of available fields is available on the configuration page on the Help information tool tip.
Additional Device Tracking Notes
Darktrace provides support for multiple feeds into the appliance.
In a Unified View deployment, logs must be fed to the relevant slave master appliance, as each slave master appliance is a separate
entity. For example, if Slave Master A is modelling Device X, then any logs pertaining to Device X must be sent to Slave Master A.
Please note, a physical appliance may be both a slave master and running the Unified View server.
4. LDAP Authentication and Enrichment of User Details

The Threat Visualizer supports connections to LDAP servers such as Active Directory. This integration can be configured to provide
the following additional functionality:
oo Enable authentication to the Threat Visualizer interface using credentials from an LDAP server.
oo Enrich user details in the Threat Visualizer by providing additional LDAP attributes for users.
1. Within the Threat Visualizer, navigate to ‘System Config’ in the

main menu under ‘Admin’.
2. Scroll down and locate the LDAP section. By default, only LDAP
Server is displayed.
Enter an LDAP server IP address or hostname and press the enter
key. For additional configuration (such as a port number or SSL),
review the tooltip by hovering over  .
3. Confirm that additional configuration fields are now available.
These will now be addressed in logical order, rather than alphabetical.
For additional information about each field, hover the mouse pointer
over the blue information icons ()
4. To enable authentication and gain additional metadata, the LDAP

Account Attribute can be configured. This field provides an LDAP
attribute to match user credentials with - the name of the field in
LDAP containing a user’s username.
5. Setting the LDAP Authentication to True, will enable users to login

to Darktrace using LDAP credentials.
Note, this option cannot be used with unencrypted LDAP connections.
6. For the LDAP Username, specify a username with credentials to

access the LDAP server.
For example:
darktrace@examplecompany.com
cn=darktrace,dc=examplecompany,dc=com
7. An LDAP Password must be set to connect to an LDAP Server.

8. The LDAP Authentication Group Value can restrict usage of LDAP

authentication to specific groups. Therefore, only users belonging to
the group specified as the field value can gain access to Darktrace.
This is an optional attribute, which can be left blank if it is not required.
Wildcard asterisks can also be employed to restrict access to groups
9. There are two types of methods to encrypt connections to LDAP.

Only one option may be enabled at any one time:
• LDAPS (LDAP over SSL)
• LDAP (using STARTTLS)
An LDAP Certificate is optional for both forms of encryption. Omitting
a value disables certificate validation.
10. Optionally set the LDAP Digest Authentication to true to enable

SASL authentication if desired.
11. For LDAP Group Attribute Name field, set the attribute name used
for Group Membership.
12. The path to the LDAP Server location can be set at ldap:// or
via SSL with ldaps://
When using SSL, the LDAP Start TLS must be set to false.
Only one encryption method can be used at one time.
13. When not connecting over LDAPS, set the LDAP Start TLS to true.
For testing purposes, if encryption is not available, set the LDAP
server location to ldap:// and the LDAP Start TLS to false.
14. If LDAP Server Referrals are in use, set this field to true
15. For the moment, leave the LDAP Test User and LDAP User
Attributes with their default values.
Set the LDAP User Base path to identify the users in the LDAP tree.
For example: ou=users,dc=company,dc=com
16. Before confirming all changes, it may help to test the connection.
Set the LDAP Test User to a valid user identified by the Threat
Visualizer.
Changes must be saved before testing. Scroll down to the ‘Save all
Settings’ button or press enter when editing a field value to save.
17. Scroll down to the Test LDAP button.

An LDAP success message is displayed if a connection is established.
A warning will appear if the communication is not encrypted.
Mapped attributes 18. Hover the mouse over the LDAP success information icon () to
Name James Bourne view more details. This returns a list of attributes for the test user
Email james.bourne@company.com account: .
An example list of attributes is shown across.
Unmapped attributes
The attributes list displays all attributes that can be appended to the
accountExpires 92237827382370833
Threat Visualizer interface. This attribute list has both mapped and
cn James Bourne unmapped attributes:
countryCode UK
Mapped attributes are attributes already shown in the user interface.
distinguishedName CN=james bourne, OU=people, DC=
company, DC=local Unmapped attributes list all the LDAP attributes which are available,
lastLogoff 0 but not currently shown in the interface.
lastLogon 13387832738738378
logonCount 2287
memberOf CN=packages, OU=groups, DC=
company, DC=local
name James Bourne
mail james.borne@company.com
objectClass User
phone 123456789
...
19. To append values as mapped attributes, review the LDAP User

Attributes field.
Attributes are set as key-value pairs - e.g. Email=mail.
The first part (here, Email) can be any term shown in the interface.
The second term (here, mail) must be specifically returned by LDAP
or no value will be found.
20. After making changes, the Threat Visualizer will not update until
the user next logs in and their credentials will be captured. Once
refreshed, the new user attributes from LDAP can be viewed in the
Device View.
Select a device and hover over it to view additional details set in the
LDAP User Attributes field. This could include the user name, email,
group, and telephone number.
21. When logging in for the first time after LDAP is enabled, navigate
to Group Admin under menu.
Any groups for a user in LDAP matching the LDAP Authentication
Group Value will be automatically created
In this example, an LDAP Authentication Group Value of *darktrace*
had created a DarktraceAnalyst Group belonging to a user.
When a new Group is created, ensure that user permissions for the
group are updated in Group Admin to match the desired authorization.
Note, additional groups can be appended by setting the LDAP
Populate Groups field.
5. Configuring HTTPS Certification

Uploading a valid HTTPS certificate will prevent the web browser warning that the connection to the Threat Visualizer uses an invalid
certificate. For example, in the Chrome browser, this is indicated by a red line through the ‘https’ part of the URL and may also present
the user with a warning that must first be dismissed before accessing the Threat Visualizer interface.
Darktrace Appliances are shipped with a self-signed certificate for the hostname “dt-XXXX-YY” - the internal appliance hostname as
designated by Darktrace. Self-signed certificates are often not trusted by web browsers and therefore a warning may be displayed
when accessing the appliance. Additionally, it is common practice for companies to have their own appliance naming conventions,
and it is likely the Darktrace designated name will not fit into such a scheme.
The following instructions detail how to configure a TLS/SSL certificate for a Darktrace appliance.

Scroll down and locate the HTTPS Certificate section.
Click ‘New’.
2. A series of fields will appear requesting additional information.

Complete as much information as possible.
At a minimum, populate the Country and Fully Qualified Domain
Name.
3. Once the minimum number of fields are complete, the Generate

CSR button will become available.
By clicking ‘Generate CSR’, the supplied information is used to
generate a Certificate Signing Request in PEM format
4. The CSR should be copied to a file and provided to a Certificate

Authority such as Digicert or GoDaddy who will provide a certificate
in return for a nominal fee.
Alternatively, a local certificate authority may be used, provided the
facility is available and users of the appliance are likely to have the
root certificates present on their connecting clients.
5. Upon receiving the certificate back from the Certificate Authority,

return to the HTTPS Certificate section and paste the PEM encoded
contents of the certificate into the Certificate field.
Click Save to apply the change.
Reload the Threat Visualizer and confirm that the invalid certificate
warning has gone.
6. Configuring Email Alerts

Darktrace offers a number of alerting types and export options - the simplest form is Email alerts. Multiple email addresses may be
entered as recipients for these alerts.
Email Alerting is especially important for teams that do not have enough time to regularly check the Threat Visualizer and would rather
log in for specific alerts only. Some organizations may prefer to send all model breaches to a central SOC team, while others prefer to
configure the Email Alert so they are only alerted to the most serious model breaches.
Note, emails are only sent when a model is set to alert. To view this setting, edit a model and confirm that the Action setting has ‘Alert’
highlighted.

In the Alerting section, set ‘Email Alerts’ to true.
2. Save the change. Scroll down to the ‘Save all Settings’ button or
press enter when editing a field value to save.
The page will refresh, revealing email specific configuration fields.
Email Alerts: true 3. Complete the configuration using the example across, substituting
Email Date Field: false in the appropriate details.
Email HTML Format: true If extended configuration fields such as a JSON format alert or Email
Email JSON Format: false Date Field value are required, enter a valid recipient and save the
Email Password: <empty> changes. These fields should now become available.
Email Recipients: user@company.com
Note, both the Email Sender name and Email Sender Email Address
Email Sender Email Address: darktrace@company.com are required fields.
Email Sender Name: Darktrace Appliance
Email Server: mail.company.com
Email Server Port: 25
Email Server SSL: false
Email Server TLS: true
Email Username: <empty>
4. Review the following three options at the bottom of the Alerting

section:
oo Minimum Alert Priority
oo Minimum Alert Score
oo Model Expression
These settings control when an email alert should be generated for a
particular model breach. If more than one alert condition is configured
then a model breach must meet all criteria to generate an alert.
5. Optionally set a value for Minimum Alert Priority.
Every Model has a priority from 0-5 indicating the breach severity.
Providing a minimum alert priority of 1 to 5 will restrict emails to
models that fire with a threshold of the priority number or greater
6. Optionally set a value for Minimum Alert Score.

The Alert score is displayed when hovering over the coloured line to
the left of a model breach. The score is a percentage representing
the overall priority of a breach and can be filtered with a slider in the
main Threat Visualizer.
For example, setting the Alert score to 60 will only send emails that
have a 60% or higher threat score.
7. Optionally set a Model Expression to control alerts.

Regular expressions can be entered in the Model Expression field
to restrict email alerts to model names that match a certain Regex
value.
8. Once all fields are completed and alert priority set, save the
changes to reveal a Verify Alert Settings button.
Click this button to send a test email and check all settings are
correct.
7. Registering the Darktrace Mobile App

Available for iOS and Android, the Darktrace mobile app allows users to easily access Enterprise Immune System Alerts when they are
on the move. In order to associate the Darktrace Mobile app with your Darktrace deployment, the Threat Visualizer must be authorized
to send alerts via IMAP.
The user permission ‘Register mobile app’ is necessary to perform these configuration steps. Please see Section 8 below for further
details on user administration and account permissions.

In the Alerting section, set ‘Mobile App Alerts’ to true.
Scroll down to the ‘Save all Settings’ button or press enter when
editing a field value to save.
Mobile App Alerts: True 2. Saving the changes should expose additional configuration
Mobile App Antigena: True options.
Mobile App IMAP Address: user@example.com Complete your details using the example on the left.
Mobile App IMAP Internal Hostname: <blank>
Mobile App IMAP Password: <password>
Mobile App IMAP Port: 993
Mobile App IMAP Server: imap.example.com
Mobile App IMAP Server SSL: true
Mobile App IMAP Server TLS: false
Mobile App IMAP Username: user@example.com
Mobile App Restricted View: False
3. Optionally review the following alert options at the bottom of the

alerting section:
oo Minimum Alert Priority
oo Minimum Alert Score
oo Model Expression
These settings are covered in detail in Section 6, steps 4-7.
4. After completing the alerting configuration, return to the main
Threat Visualizer and navigate to Account Settings on the main
menu.
The ‘Register Mobile App’ option should now be available. Click
‘Register Mobile App’ to reveal a QR code.
5. On your smartphone, open the appropriate App store and search

for Darktrace.
The Darktrace iOS app is available on the App Store, and the Android
app is available on Google Play.
Download the Darktrace app.
6. Open the Darktrace app.

You will be prompted to authenticate with the Darktrace appliance.
Press ‘Next’ to proceed.
7. The app will request permission to use your smartphone camera.

Use the camera to scan the QR code in the Threat Visualizer
generated in step 4.
The app should now authenticate.
Further information about using the app can be found in the Threat
Visualizer User Guide.
8. User Administration
User Admin provides options to control access and restrict privileges for user accounts within the Threat Visualizer application. It can
be accessed by navigating to Admin, User Admin. User privileges can be configured by enabling values in blue, and then clicking the
Save button. By default, the ‘admin’ user will possess all available privileges.
User access can also be controlled by creating user groups in the Group Admin page and assigning specific permissions to each group.
Available Permissions
The following permissions are available:
Permission Description
Visualizer Access to the Threat Visualizer interface.
Edit Models Make changes to Models. Using tags can be a good way of tuning models without requiring access to edit a
model.
Device Admin Lists all devices observed by Darktrace. This is particularly useful for searching, bulk tagging, or changing
device types. Typically for administrators only.
Subnet Admin Lists all subnets, labels, and whether DHCP is enabled. Typically for administrators only
Audit Log Lists captured user behavior such as logging into Darktrace. Typically for administrators only.
User Admin Controls access to user privileges. Typically for administrators only.
Group Admin Controls access to group privileges. Typically for administrators only.
Advanced Advanced Search provides a deep insight into network traffic making every connection searchable. An excellent
Search tool for investigating suspicious activity, but may be restricted to more privileged positions due to the insight
granted.
Status For administrators and developers to check the system health of the Darktrace appliance, probes, and network
traffic.
Acknowledge Enables users to acknowledge model breaches. Any user investigating breaches should likely have access to
Breaches this role. Recommended for all but the most restricted user.
Discuss Breaches Makes comments on model breaches. Very useful for controlling and highlighting which users are working on
a model. Recommended for all but the most restricted user.
Edit Domains Make changes to domain information. Typically for administrators only.
Configuration Make changes to the System Configuration page. Typically for administrators only.
API Help Provides information on the Threat Visualizer API. Recommended for all administrators and developers.
View Models To help understand how a model breach occurred, it is recommended that all users have access to View Models.
Note there is a separate privilege for editing roles, which is much more restricted.
One Click Provides a quick view of the model breach to assist in identifying and investigating model breaches. Recommend
Analysis for all users performing threat analysis.
Create PCAPs Enables users to create Packet Captures in the Threat Visualizer application. Recommended for users familiar
with Wireshark or Darkshark.
Download Allows user to download created Packet Captures. Recommended for users familiar with Wireshark or
PCAPs Darkshark.
Antigena Enables Antigena functionality. The Darktrace appliance must be configured to enable Antigena.
View Messages View comments on model breaches. Very useful to control and highlight which users are working on a model.
Recommended for all but the most restricted user.
Unrestricted When enabled, users can view all user credentials that have accessed a device. Disabling this option restricts
Devices users to an obfuscated view. Recommended for restricted users.
Download TIRs Enables users to download Threat Intelligence Reports.
Ask the Expert Ask Analysts questions about articular Model breaches. This will open a window to drag and drop breach log
details and post questions.
Dynamic Threat
Dashboard Provides access to the Dynamic Threat Dashboard
Register Mobile Register the Darktrace Threat Visualizer Mobile App. The Mobile App IMAP settings in the Alerting section of
App the System Config must be set before this feature can be employed. Enabling this functionality provides users
with this access to a link on the Account Settings window
Recommended User Access Settings
Three user access configurations are covered below. These profiles encompass common roles utilized by organizational security
teams when using Darktrace.
(a). Basic threat analysis with obfuscation privileges
Users with this access are unable to identify users of a particular device, but can make comments and acknowledge breaches. They
do not have access to Advanced Search, nor do they have the privileges to change and administer settings.
Visualizer Edit Models Device Admin Subnet Admin Audit Log

User Admin Group Admin Advanced Search Status Acknowledge Breaches
Discuss Breaches Edit Domains Configuration API Help View Models
One Click Analysis Create PCAPs Download PCAPs Antigena View Messages
Unrestricted Devices Download TIRs Ask the Expert Dynamic Threat Dashboard Register Mobile App
(b). Full threat analysis privileges
The following options provide full threat analysis with Advanced Search and capability to identify users. Packet Capture and Antigena
are also available.

(c). Full administration privileges
Full Administration access to change system configuration and perform detailed threat analysis. Typically, this level is granted to
System Administrators only.

Anonymization Mode
Darktrace’s technology has been designed with protection and controls in place that allow customers to comply with a range of privacy
and confidentiality policies. Anonymization Mode can be configured for enhanced anonymization on a per-user basis. Importantly, this
mode only impacts Client machines in Darktrace. It does not impact any Server device Types. If set, this mode anonymizes various
aspects of the data seen by Darktrace, in order to protect the privacy of employees and to comply with European privacy laws.
Anonymization Mode includes the following features:
oo The last octet of IPv4 addresses is anonymized. For example, 192.168.0.22 is anonymized to 192.168.0.#36178
oo Hostnames are anonymized. For example, some.companydomain.internal is anonymized to #63680206
oo Credentials are not displayed
oo No PCAPs can be generated
oo Access to Advanced Search is restricted
To the left is a Subnet view with Anonymization Mode enabled. The hostname
and IP address have been automatically anonymized.
If an incident is identified in Anonymization Mode, an analyst can seek

internal approval to conduct an in-depth investigation with more visibility.
Once approval is given, the analyst then switches to a higher-privileged user
that does not run in anonymization mode, allowing the analyst to conduct
a thorough investigation of the incident. This mode grants enough visibility
for analysts to conduct initial triage, and to identify incidents, without risking
exposing the identity or privacy of employees or other users on a network.
Enabling Anonymization Mode
1. Within the Threat Visualizer, navigate to the ‘User Admin’ page in

the main menu under ‘Admin’.
2. Deselect the ‘Unrestricted Devices’ option and save the changes.

Repeat for all users intended for anonymization.
9. Upgrading Darktrace Models

Requirements: Access to the Darktrace Threat Visualizer, credentials for the admin user.
When a software upgrade bundle is applied, any changes to Darktrace models (such as new or updated models) will also be performed.
Where software upgrades are set to pre-cache, model updates will be pushed to the User Interface for automatic update or approval
even if the full software bundle is not yet applied.
Separate to this software upgrade process, updates to Darktrace models are delivered on a regular basis to the Threat Visualizer when
Call-Home is enabled
Whether a model is updated automatically or not is decided by the following process:
Darktrace Model edited by Auto-update is Auto-update is

Model is an FALSE FALSE TRUE TRUE Model updated
updates a a non-Darktrace ‘True’ in the set to ‘Yes’
Antigena Model? automatically
model user? System Config? on the model?
TRUE TRUE FALSE FALSE

Manual
confirmation
required
Model updates can be deployed via two methods, auto-update and manual confirmation. Manual confirmation can be applied on a
model-by-model basis or across all models. In this mode, an operator must confirm all model updates before application. Antigena
Models will never be updated automatically.
Auto-updating Models
under ‘Admin’ on the main menu.
2. Under Settings, confirm that Auto Update Models is ‘true’.
3. Additionally, confirm the setting for ‘Auto Update Models Maintain

Tags’. True will preserve any tags added to the model when auto-
updating, a useful setting if models have been mapped to specific
use-cases or an existing playbook.
False will overwrite any tags on a model during an auto-update.
4. Edit any Model in the Threat Visualizer and confirm that the Auto
Update setting is ‘Yes’.
When set to Yes, this model will automatically upgrade to the latest
version when its released.
Manual Confirmation
1. If models are not updated automatically due to any of the
conditions listed above, a message will appear on the home page
of the Threat Visualizer stating ‘x’ number of model updates are
available and require review.
Clicking this blue notification will redirect the user to the Model
Updates page. The Model Updates page can be accessed at any time
from the main menu under ‘Models’.
Any new models created or duplicated will not be impacted by
automatic updates
2. The Models Updates page lists all Models which have been
customized but have new updates available.
Click on a Model row to reveal more options.
3. For each model, each revision will appear as a separate line with
a short description of the changes and options to Accept, Decline or
View them.
4. The ‘Active’ model is the current version active on your deployment.

Clicking the View button will display the current Model settings with
the option to view the new upgrade.
5. Click ‘View Upgrade’ to see the newest version of the model. You
may Ignore or Accept the changes.
Accepting the changes will permanently update the Model. Be careful
not to overwrite any changes.
If you wish to preserve your changes to a model but are concerned
about delaying any important updates, one method is to duplicate
the model and then upgrade the original. The duplicated model will
retain the original logic with your changes and can be revised to
match the upgraded version at your convenience.
10. Host Variable Configuration

Requirements: access to the Master appliance console, credentials for the console user.
Darktrace provides several custom configuration options which may be appropriate for your environment. These configuration options
are accessed via the console and will help to access, use and administer the appliance and ensure any internal policies are adhered to.
The available host variables may change from version to version, dependent on requirements. Each option is described in detail when
selected from the console menu.
Available Host Variables:
1. Use highly compatible ssh ciphers
Configures the SSH server to use a highly compatible set of ciphers. Disabling this option increases the security of the SSH server.
2. HTTPS: Disable SHA1 ciphers and TLS protocols < 1.2
Enabling this option restricts the cipher suite in use by the HTTPS server and disables TLS protocols other than TLS v1.2.
3. UI session expiry length
Sets the number of minutes after which UI sessions are logged out due to inactivity.
4. Enforce two factor authentication
Enabling this option requires that all users of the Threat Visualizer provide a second credential to access the user interface. Two-factor
authentication be individually enabled for specific users in the User Administration page on the Threat Visualizer User Interface.
5. Set MTU Configuration
This option sets the maximum transaction unit (MTU) size that can be communicated over the network.
6. CVE-2017-5754 Intel “Meltdown” patch
Enabling this option applies the kernel patch to mitigate the Meltdown vulnerability (Kernel page table isolation). A reboot is required
for changes to take effect.
For more details, please refer to “Darktrace Threat Note Meltdown and Spectre.pdf” available to download from the Darktrace Customer
Portal.
7. Set alternative TSA port
Sets the Terminal Services Agent (TSA) to post data to the appliance on port 1443.
8. Block Darktrace user from generating PCAPs
Restricts the ability to generate PCAPs for the Darktrace user.
9. Set DHCP hostname encoding
Changes the encoding for DHCP hostnames. The Windows DHCP client transfers computer hostnames using the system encoding.
Organizations with Windows machines configured using to use non-ascii charactersets by default may wish to change this setting.
10. Generate weekly Executive Threat Report
Automatically generate an Executive Threat Report every Sunday at midnight UTC. Please note, this feature will not run on probes or
individual masters underneath a Unified View instance.
Modifying Host Variables
To modify the following host variables, access to the appliance console is required.
1. Login to the console menu and select 3. Appliance Admin.
2. Select option 5. Configure host variables.
3. The Host variables menu shows all the currently available

configuration options.
Select a desired variable.
4. After selecting an option, an explanation of the setting will be

displayed.
For the majority, pressing the space bar will toggle the setting on or
off. On is indicated by an asterisk [*].
Variables which require a value will allow for text entry.
11. Creating Backups

Requirements: access to the Master appliance(s) console, credentials for the console user, credentials for the transfer user.
The Darktrace Threat Visualizer application includes configuration options to backup your Darktrace appliances. A backup includes
all Darktrace machine learning, models, breaches, as well as subnet and device information, and configuration settings on the Threat
Visualizer GUI. It does not include transactional data such as connections in the Event Log, Advanced Search entries and PCAP files,
nor configuration settings on the console menu.
A backup will take approximately 2GB of storage space, although actual size may vary, and can be created either manually or
automatically on a daily schedule.
In networks with Probe and Master appliances, only the Master appliance needs to be backed up. In Unified View deployments, or if
more than Master is being used, make sure to back up all Masters.
Create an Immediate Backup
A backup file can be manually created through the appliance console and accessed via SFTP by the transfer user.
1. On a Master appliance, login to the console menu and select 4.

Backup and Restore.
2. A range of backup options are available.

Select 1. Backup locally now.
3. A warning will appear stating that Darktrace appliances can only

be restored from a backup of the same software version.
Select ‘Yes’ to proceed.
4. The Backup file is created in the /files directory.

This directory can be accessed by the transfer user via SFTP.
Create Scheduled Backups
Backups can be automatically created on a daily basis and passed to a specified remote server via SCP or SMB.
Creating Scheduled Backups over SCP

Backup and Restore.
2. A range of backup options are available. Select 2. Scheduled

backup configuration
3. When accessing this feature for the first time, a prompt may appear
stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed.
The next screen will ask if you wish to change the configuration at
this time. Select ‘Yes’ to proceed.
4. Choose a protocol over which to transfer backups.

Select scp.
Selecting none disables scheduled backups.
5. Enter the IP address or hostname of the remote server intended to

receive the backup files and proceed.
6. Enter a port on the backup server and confirm.
7. Enter a user to authenticate against for the server and confirm.
8. Enter a path on the server where the backup will be sent and
confirm.
9. Enter the hour, minute and second in UTC for the daily backup and
confirm.
10. Confirm your configuration options and select ‘Yes’ to proceed.

Please note, the public key is generated in the /files directory,
which can be accessed by the transfer user via SFTP.
This key must be added to the .ssh/authorized_keys file for the
configured user on the remote backup server.
The key can also be regenerated from 4. Generate/regenerate scp
transfer key under the Backup and Restore submenu.
11. Optionally test the configuration.

Configuration can be tested at any time from 3. Test backup transfer
under the Backup and Restore submenu.
Creating Scheduled Backups over SMB

Backup and Restore.
2. A range of backup options are available. Select 2. Scheduled

backup configuration.
3. When accessing this feature for the first time, a prompt may appear
stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed.
The next screen will ask if you wish to change the configuration at
this time. Select ‘Yes’ to proceed.
4. Choose a protocol over which to transfer backups.

Select SMB.
Selecting none disables scheduled backups.
5. Enter the IP address or hostname of the remote server intended to

receive the backup files and proceed.
7. Enter the name of the share on the SMB server and confirm.
8. Enter a user to authenticate against for the server and confirm.
9. Set the domain or workgroup that this user is a member of and

confirm.
10. Set a password for the user for authentication and confirm.
11. Set the path on the server where the backup will be sent. and
confirm.
12. Enter the hour, minute and second in UTC for the daily backup
and confirm.
13. Confirm your configuration options and select ‘Yes’ to proceed.
14. Optionally test the configuration.

Configuration can be tested at any time using 3. Test backup transfer
under the Backup and Restore submenu.
Email Notifications for Scheduled Backup Status
Darktrace provides the option to receive email notifications about the success or failure of daily scheduled backups. Scheduled backups
must be configured for email notifications to be set.

Backup and Restore.
Under the Backup and Restore submenu, select 6. Configure email
alerts.
2. A prompt will describe scheduled backup notifications.

Select ‘OK’ to proceed.
3. A further prompt will ask whether you wish to enable notifications.

Choose ‘Yes’ to configure email alerts.
4. By default, email notifications are sent when a backup fails.

Optionally, notifications can be sent when a backup is successful.
Select your preferred configuration option and proceed.
5. Enter an email address to receive notifications.
6. Enter an email address to send notifications from (optional).
7. Enter the hostname or IP address of an SMTP server to send

emails via.
8. Select a port for SMTP.
9. Choose whether STARTTLS is to be used.
10. Enter a user name to configure SMTP authentication.
11. Enter the Password of this user.
12. Confirm the configuration and select Yes to proceed.
13. Optionally send a test email to confirm the configuration process

was successful.
12. Restore from a Backup

Requirements: Access to the Master appliance console, credentials for the console user, credentials for the transfer user.
The option to restore from a backup is available in the console menu. Transactional data such as connections in the Event Log,
Advanced Search entries, and PCAP files are not restored.
Before restoring from a backup, check the following:
oo Upload the backup file to /files/upload in the transfer user directory via SFTP.
oo Confirm the appliance is running the same software version as the backup file, otherwise the restore cannot be performed.
1. On the Master appliance intended for restore, login to the console

menu, and select 4. Backup and Restore.
2. Select 5. Restore from backup.
3. A prompt will appear to warn that a backup must be present

before a restoration can occur.
Select OK to continue.
4. Select a backup to restore from the list.
5. A prompt will request confirmation for the chosen backup.

If this is the correct backup, proceed with the restoration.
6. Please wait for the restoration to complete.

Larger backup files will take longer to restore from.
7. A ‘restore completed successfully’ message will confirm

restoration was successful.
13. Upgrading the Darktrace Appliance

Requirements: access to the appliance(s) console, access to the Darktrace Customer Portal, access to the Darktrace Threat Visualizer,
credentials for the console user, credentials for the transfer user, credentials for the admin user.
This section describes the process for manually upgrading the software version running on a Darktrace appliance. When Call-Home is
enabled, Darktrace appliances will automatically be upgraded by Darktrace to the latest release unless the ‘Upgrade requires approval’
option has been selected. In such case, or when “Call Home” is not enabled, a manual upgrade is required.
Upgrading to the latest version of the Threat Visualizer involves the following stages:
oo Download the latest bundle (if not downloaded automatically).
oo Copy the bundle to all Darktrace Appliances.
oo In the Darktrace console, unpack the bundle.
oo Install the latest Threat Visualizer version.
oo Log in to the Threat Visualizer application and confirm the latest version is installed.
As a Darktrace installation may involve multiple appliances, it is important to ensure that all appliances are upgraded to the same
version. Upgrading an appliance will not change any previous settings or overwrite any stored model breaches.
Types of Software Bundle
There are two types of software bundle available, full and differential. Full packages contain the entirety of the Darktrace software
needed to upgrade an appliance to the newest version and consequently are larger files. Differential packages are much smaller
upgrade bundles and only contain the necessary content to upgrade from the version specified in the file name. Understanding the
difference will ensure you download the correct package for your needs.
Full package
A full package can be applied to upgrade an appliance running any older version of the Darktrace software These software bundles
follow the naming syntax:
darktrace-bundle-<upgrade version>_<release date>-<alphanumeric>-x.dat
Example: darktrace-bundle-31007_20181217T1457Z-983d8-x.dat
Differential package
Differential packages are much smaller files than full packages. Unlike full packages, differential packages can only upgrade appliances
running the specific software versions named in the package file name. Differential packages come in two types, delta and xdelta.
Delta Packages
Delta packages can be applied to any software version newer than the version specified in the filename. These software bundles
follow the naming syntax:
darktrace-bundle-<upgrade version>-delta<oldest version>_<release date>-<alphanumeric>-x.dat
Example: darktrace-bundle-31007-delta30911_20181217T1457Z-983d8-x.dat
In this example, any appliance running the oldest version (30911) or newer can be upgraded with this bundle.
Xdelta Packages
Xdelta packages can only be applied to the specific software version included in the filename. These software bundles follow the
naming syntax:
darktrace-bundle-<upgrade version>-xdelta<specific old version>_<release date>-<alphanumeric>-x.dat
Example: darktrace-bundle-30811-xdelta30801_20180726T1426Z-5c186-x.dat
In this example, only an appliance running the specific version (30801) can be upgraded with this bundle.
Downloading Bundle files
Software upgrade bundle files can be obtained via automatic download, manual download or from the Darktrace Customer portal.
Automatic download
A differential package file is automatically downloaded every weekend (if available) when automatic downloads are configured. To
check the current settings, access the console and navigate to 2. Software Updates > Guided mode > 3. Configure downloads. To
disable all automatic downloads, select None (disable guided updates) under the appropriate submenu.
oo Automatic download via Call-Home: Update bundle files are downloaded via Call-Home. (Call-Home must be established to select
this). This is enabled by default.
oo Automatic download over the internet: Alongside the Call-Home SSH connection, Darktrace provides another channel for
appliances to automatically download bundle files over the internet via HTTPS.
The appliance requires access to packages.darktrace.com (or the cloudfront.net content delivery network, if you prefer) over port
443. A proxy can be configured if required. This method requires a bundle key which can be requested from Darktrace Support.
Manual Download
All current software bundles can be found on the Darktrace Customer Portal. A manual update check can also be performed from the
appliance console.
oo Manual download via Call-Home: The latest differential package can be downloaded via the console menu. Navigate to 2. Software
Updates > Guided mode > 1. Check for updates now
oo Manual Download via Customer Portal: The latest bundle file is available in the Customer Portal. Download the file from the
website and copy it to the appliance intended for upgrade via SFTP using the transfer user.
Upgrade procedure
You can manually upgrade your appliance using the following procedure. Please ensure that your upgrade bundle file is placed on the
appliance before the upgrade process. If you downloaded a bundle from the Customer Portal, login to your appliance as the transfer
user via SFTP, and upload your upgrade bundle file to the /files/upload directory.
Guided Mode
1. On the appliance intended for upgrade, login to the console menu

and select 2. Software Updates.
2. Two options are available, Guided mode and Manual mode.

Select Guided Mode.
3. Review the options available on the Guided mode menu:

[1] Check for updates now: Checks if there are any new available
updates. If an update is available it will download and proceed to
unpack and install it, prompting before each step begins.
[2] Unpack and Install updates: runs through the update process,
asking for confirmation before each step.
[3] Configure download: provides configuration settings for fetching
the latest upgrade bundles. Please see ‘Downloading Bundle Files’
above for further information.
4. Select Check for Updates Now. The appliance will locate any
available updates and proceed through the upgrade process.
Confirm each step in turn and the upgrade will run successfully.
Manual Mode
1. On the appliance intended for upgrade, login to the console menu

and select 2. Software Updates.
2. Two options are available, Guided mode and Manual mode.

Select Manual mode.
3. Manual mode requires further configuration steps to unpack the

downloaded bundle and before installation.
In the Manual Mode submenu, select 2. Unpack uploaded update
bundle.
4. A list of available bundles stored on the appliance will appear.

Select the newest bundle to install. The latest bundle is always at
the bottom of the list.
Press OK to continue.
5. A prompt will ask if you wish to unpack the specified bundle.

Confirm and proceed.
It may take some time for the unpacking operation to complete.
6. Once unpacked, the console will return to the Manual mode

submenu.
Select 3. Apply update/configuration changes.
7. A confirmation warning will appear. Proceed with the update.

If an error occurs, please try applying the latest changes a second
time. If the error persists, please contact Darktrace Support.
8. A further warning will appear. Upgrading a Darktrace appliance

without confirmation from Darktrace support may affect your
Service Level Agreement.
Confirm your understanding and proceed.
9. A final warning will explain that all capture services will be

restarted on upgrade.
Confirm and proceed.
10. The update process will begin.

When finished, press OK to complete the upgrade.
11. Optionally check the status of the services.

Select ‘Yes’ if you wish to do so. After the status check you will be
logged out of the console.
‘No’ will log you out of the console immediately.
12. Login to the console menu again to confirm that the software
version has updated.
13. Login into the Threat Visualizer web application and navigate to
Admin, System Status under the main menu.
14. On the Status page, confirm that the software version has been
updated to the latest version.
If so, the upgrade process has been successful.
14. Securely Erasing Captured Data

Requirements: access to the appliance console, access to the Darktrace Customer Portal, credentials for the console user.
Data erasure is useful when relocating a Darktrace appliance and/or changing its monitoring scope, to start initial deployment
‘baselining’ afresh, or if data needs to be wiped before returning an appliance to Darktrace.
There are two options for data erasure, captured data deletion or a factory reset. Both data erasure processes above can be performed
onsite, provided access to a Darktrace appliance is available. Neither processes will affect the appliance Operating System or any
Darktrace proprietary software.
The ‘delete captured data’ option will include, but may not be limited to, the following data sets: topology settings (connected probes
and their IP addresses), hostnames and popularity (rare hostnames etc.), environmental details (proxies, domains etc.), all modelled
devices, breaches and partial breaches, device connectivity states, and backups. A factory reset will write zeros to all disks and reinstall
the operating system and Darktrace software components, rendering the appliance in an as-new state.
Darktrace will also fully erase any information on all storage drives for new or returned appliances.
Delete Captured Data
Captured data is erased through the console application. This process will also require an unlock code to be provided by a Darktrace
representative, and exchanged via a secure channel such as text message or the Darktrace Customer Portal.
1. Access the appliance console. From the main menu, select 3.

Appliance Admin, then 10. Reset appliance.
2. Select 1. Delete capture data and choose OK.
3. A prompt will appear with a warning message.

Confirm Yes if you wish to proceed.
No will cancel the process and no changes will be made.
4. Another warning prompt will require that you reconfirm your

decision to reset captured data.
Select ‘Yes’ again to confirm your choice.
5. A further screen will ask if you wish to disable capture interfaces

before proceeding.
‘Yes’ will disable capture interfaces, meaning that no further data can
be ingested even after the appliance completes its reset regardless
of if cables have been removed. Capture Interfaces should not be
disabled if you wish to continue to use the appliance after reset;
only Darktrace Support can re-enable them.
Selecting ‘No’ means the appliance will begin ingesting data again
through any connected capture interfaces on completion of the
reset.
6. The appliance will now request a reset unlock code. Enter the
unlock code provided by Darktrace and confirm.
7. The ‘Device successfully reset’ message confirms the erasure

process was successful
Press OK.
Restore to Factory Settings
A factory reset is performed through the Appliance console and is the most stringent data erasure method available. A factory reset
will write zeros to all disks, reinstall the operating system and all Darktrace software components to return the Appliance to an as-new
state. Consequently, this process will take considerably longer than the standard Delete function and requires a reset code provided by
a Darktrace representative and exchanged via a secure channel (such as text message or the Darktrace Customer Portal).
Before proceeding with a factory reset, unplug all analysis port cables (management and RMM cables can remain plugged in).
1. Access the appliance console.

From the main menu, select 3. Appliance Admin, then 10. Reset
appliance.
2. Select 2. Factory reset and select ‘OK’.
3. A prompt will appear with a warning message.

Confirm ‘Yes’; if you wish to proceed.
‘No’ will cancel the process and no changes will be made.
4. Another warning prompt will require that you reconfirm your

decision to restore the appliance to factory settings.
Select ‘Yes’ again to confirm your choice.
5. The appliance will now request a reset unlock code.

Enter the factory reset unlock code provided by Darktrace and
confirm OK.
6. During the first part of the process, the following message will
appear on the screen:
“Initiating factory reset. The appliance will reset upon success. This
can take a long time, please wait. After reboot, consult the monitor
screen to view the progress of the factory reset.”
Do not interrupt the process or the appliance may be left in an
irrecoverable state.
7. After rebooting the appliance, the terminal will display the

progress of the wipe.
This progress will periodically update.
8. Once the wipe is complete, the terminal will show the following
message on the screen:
“Completed Wipe. Starting Setup.”
After completing the setup the appliance will reboot one further
time, at which point the process will be complete.
US: +1 415 229 9100 UK: +44 (0) 1223 394 100 LATAM: +55 11 97242 2011 APAC: +65 6804 5010 info@darktrace.com darktrace.com

Язык

Darktrace System Administration Guide v3.1

Загружено:

Сведения о документе

Авторское право

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Darktrace System Administration Guide v3.1

Загружено:

Авторское право:

SYSTEM ADMINISTRATION GUIDE

DARKTRACE SYSTEM ADMINISTRATION GUIDE 1

Darktrace System Administration Guide

4. LDAP Authentication and Enrichment of User Details���������������������������������������������������������������������� 10

1. Using the Darktrace System Administration Guide

Darktrace Customer Portal

Access to the Threat Visualizer User Interface

Login credentials for the Threat Visualizer ‘admin’ user.

Access to the Appliance Console

Login credentials for the appliance ‘console’ user.

Login credentials for the appliance ‘transfer’ user.

2. Basic Darktrace Appliance Configuration

1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page

CSV files must be structured in the following format:

Label Network Latitude Longitude DHCP

Office 2 192.168.2.0/24 12.34 56.67 TRUE or FALSE

1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page

2. Click ‘Edit Subnet Details’, a ‘Choose Files’ option will appear.

3. A prompt will appear detailing the changes to be made.

Configuring Subnet DHCP

1. Within the Threat Visualizer, navigate to the ‘System Status’ page

3. Navigate to the ‘Subnet Admin’ page in the main menu under

Label Key devices

1. Within the Threat Visualizer, navigate to the ‘Device Admin’ page in

2. Choose a device and click the label to begin editing it.

3. The main Threat Visualizer user interface must be refreshed to

Hostname tracking can be achieved in three ways:

oo Passively look for hostnames in Kerberos traffic.

oo Actively poll DNS servers for hostnames

oo Passively look for hostnames in DNS traffic

Hostnames in Kerberos Traffic

1. Within the Threat Visualizer, navigate to the ‘System Config’ page

2. Under ‘Settings’, locate ‘Reassign Device IPs from Kerberos’.

Hostnames in DNS traffic

1. Within the Threat Visualizer, navigate to the ‘System Config’ page

2. Under ‘Settings’, locate ‘Reassign Device IPs from DNS’.

Polling DNS Servers to Append Hostnames

1. Within the Threat Visualizer, navigate to the ‘System Config’ page

2. Under ‘Settings’, locate ‘Poll Network For Hostnames’.

3. New polling options will appear.

Poll Network For Hostnames DNS Server: <DNS Servers>

4. Configure the Poll Network For Hostname Throttle setting.

5. Configure the Poll Network For Hostnames setting.

7. Configure the Poll Network For Hostnames DNS Server setting.

Tracking by credentials is configured on a per-Subnet basis in the Threat Visualizer.

1. In the main Threat Visualizer, click on the cube representing the

4. Review the DCHP setting.

5. Review the Track Hostnames setting.

6. Before Track Credentials is enabled, confirm that DHCP is disabled

Using Log Input to Provide Tracking Data

Other Log Types

Grok* patterns are used to extract values into a number of named

Additional Device Tracking Notes

Darktrace provides support for multiple feeds into the appliance.

4. LDAP Authentication and Enrichment of User Details

1. Within the Threat Visualizer, navigate to ‘System Config’ in the

4. To enable authentication and gain additional metadata, the LDAP

5. Setting the LDAP Authentication to True, will enable users to login

6. For the LDAP Username, specify a username with credentials to

7. An LDAP Password must be set to connect to an LDAP Server.

8. The LDAP Authentication Group Value can restrict usage of LDAP

9. There are two types of methods to encrypt connections to LDAP.

10. Optionally set the LDAP Digest Authentication to true to enable

17. Scroll down to the Test LDAP button.

19. To append values as mapped attributes, review the LDAP User

5. Configuring HTTPS Certification

4. LDAP Authentication and Enrichment of User Details�� 10