Вы находитесь на странице: 1из 38

SYSTEM ADMINISTRATION GUIDE

DARKTRACE SYSTEM ADMINISTRATION GUIDE 1

Darktrace System Administration Guide


Contents
1. Using the Darktrace System Administration Guide���������������������������������������������������������������������������� 2
Darktrace Customer Portal����������������������������������������������������������������������������������������������������������������������������������������������������������2
Threat Visualizer����������������������������������������������������������������������������������������������������������������������������������������������������������������������������2
Console�������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������2

2. Basic Darktrace Appliance Configuration������������������������������������������������������������������������������������������ 3


Labelling subnets��������������������������������������������������������������������������������������������������������������������������������������������������������������������������3
Configuring Subnet DHCP ����������������������������������������������������������������������������������������������������������������������������������������������������������4
Label Key devices��������������������������������������������������������������������������������������������������������������������������������������������������������������������������4

3. Device Tracking������������������������������������������������������������������������������������������������������������������������������� 5
Tracking by DHCP�������������������������������������������������������������������������������������������������������������������������������������������������������������������������5
Tracking by Hostname�����������������������������������������������������������������������������������������������������������������������������������������������������������������5
Using Log Input to Provide Tracking Data��������������������������������������������������������������������������������������������������������������������������������8

4. LDAP Authentication and Enrichment of User Details���������������������������������������������������������������������� 10

5. Configuring HTTPS Certification���������������������������������������������������������������������������������������������������� 13

6. Configuring Email Alerts���������������������������������������������������������������������������������������������������������������� 14

7. Registering the Darktrace Mobile App��������������������������������������������������������������������������������������������� 16

8. User Administration����������������������������������������������������������������������������������������������������������������������� 18
Available Permissions��������������������������������������������������������������������������������������������������������������������������������������������������������������� 18
Recommended User Access Settings������������������������������������������������������������������������������������������������������������������������������������ 19
Anonymization Mode����������������������������������������������������������������������������������������������������������������������������������������������������������������� 20

9. Upgrading Darktrace Models���������������������������������������������������������������������������������������������������������� 21


Auto-updating Models��������������������������������������������������������������������������������������������������������������������������������������������������������������� 21
Manual Confirmation����������������������������������������������������������������������������������������������������������������������������������������������������������������� 22

10. Host Variable Configuration��������������������������������������������������������������������������������������������������������� 23


Available Host Variables:����������������������������������������������������������������������������������������������������������������������������������������������������������� 23
Modifying Host Variables���������������������������������������������������������������������������������������������������������������������������������������������������������� 24

11. Creating Backups������������������������������������������������������������������������������������������������������������������������� 25


Create an Immediate Backup��������������������������������������������������������������������������������������������������������������������������������������������������� 25
Create Scheduled Backups������������������������������������������������������������������������������������������������������������������������������������������������������� 25
Email Notifications for Scheduled Backup Status���������������������������������������������������������������������������������������������������������������� 28

12. Restore from a Backup����������������������������������������������������������������������������������������������������������������� 29

13. Upgrading the Darktrace Appliance����������������������������������������������������������������������������������������������� 30


Types of Software Bundle��������������������������������������������������������������������������������������������������������������������������������������������������������� 30
Upgrade procedure�������������������������������������������������������������������������������������������������������������������������������������������������������������������� 32

14. Securely Erasing Captured Data �������������������������������������������������������������������������������������������������� 35


Delete Captured Data���������������������������������������������������������������������������������������������������������������������������������������������������������������� 35
Restore to Factory Settings������������������������������������������������������������������������������������������������������������������������������������������������������ 36

This iteration of the Darktrace System Administration Guide is intended for Darktrace appliances running software version 3.1 and above.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 2

1. Using the Darktrace System Administration Guide


The Darktrace System Administration guide aims to provide assistance for the installation, configuration, and support for Darktrace
appliances and applications such as the Threat Visualizer. The following guide is intended for system administrators and information
technology professionals; a familiarity with networking concepts is assumed.

To perform the full range of configuration steps contained within this guide, the following specified access and credentials are
considered essential. Prerequisites for each configuration section are also stated at the outset.

Darktrace Customer Portal

The Darktrace Customer Portal is a dedicated web application to provide assistance and support for your appliance. It provides a
facility to raise tickets with support, download software such as appliance upgrade bundles, and review the latest documentation
online. Significant system administration tasks such as restoring an appliance to factory settings will require a confirmation code
provided by a Darktrace support representative. Where Call-Home is disabled, software upgrade bundles can be downloaded from the
Customer Portal and transferred to the appliance.

If you experience any issues during any of the following configuration steps, Darktrace support can guide you through the troubleshooting
process.

Threat Visualizer

Access to the Threat Visualizer User Interface

The majority of configuration steps contained within this guide require access to the Darktrace Threat Visualizer User Interface. The
Threat Visualizer can be accessed by navigating to the IP address of your Darktrace appliance in web browser. When logging in for the
first time, a customer license agreement screen will be displayed.

Login credentials for the Threat Visualizer ‘admin’ user.

A number of configuration steps require access to the Threat Visualizer System Config page. Credentials for the ‘admin’ user are
required to access all possible configuration options. These credentials are provided by your Darktrace representative when the
appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace support.

Console

Access to the Appliance Console

Sections 10-14 require access to the appliance console, distinct from the Threat Visualizer User Interface. If you are unfamiliar with
accessing the console, please refer to the guide, Setting Up the Darktrace Appliance.

Login credentials for the appliance ‘console’ user.

Sections 10-14 require access to the appliance console, distinct from the Threat Visualizer User Interface. Accessing the console
requires the console user credentials. These credentials are provided by your Darktrace representative when the appliance is initially
deployed. If you cannot locate these credentials, please contact Darktrace support.

Login credentials for the appliance ‘transfer’ user.

If Call-Home is disabled, upgrade bundles must be copied to the appliance via the console transfer user. Any immediate backups
created (in contrast to scheduled backups) must also be transferred from the appliance by this user. These credentials are provided by
your Darktrace representative when the appliance is initially deployed. If you cannot locate these credentials, please contact Darktrace
support.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 3

2. Basic Darktrace Appliance Configuration


Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.

Labelling subnets and key devices is the first step to customizing your Darktrace deployment to streamline investigation and quickly
identify key assets. The following configuration steps will improve user workflow and remove unnecessary warnings from subnets
without DHCP.

Labelling subnets

Darktrace provides the ability to label Subnet IP address ranges for ease of use. Labelling larger subnets removes the need to memorize
the purpose of each IP address range and allows for simpler Subnet searching and selection in the Threat Visualizer

Manual Labels

Individual subnets can be manually labelled within the Threat Visualizer user interface.

1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page


in the main menu under ‘Admin’.

2. Click the IP address value under the ‘LABEL’ column to edit it.
Enter a short description such as “Public Wifi”, and click the Save
button on the right.

Uploading Labels

To make changes to a large number of Subnets on the Subnet Admin page, it is possible to upload a CSV file containing Subnet details.
Darktrace will not accept any network ranges uploaded which do not correspond to a range already seen by the appliance.

CSV files must be structured in the following format:

Label Network Latitude Longitude DHCP


Office 1 192.168.1.0/24 12.34 56.67 TRUE or FALSE

Office 2 192.168.2.0/24 12.34 56.67 TRUE or FALSE

Optionally, a correctly formatted CSV file containing all current Subnet information (including labels) may be downloaded from the
Subnet Admin page using the Download CSV button.

1. Within the Threat Visualizer, navigate to the ‘Subnet Admin’ page


in the main menu under ‘Admin’.

2. Click ‘Edit Subnet Details’, a ‘Choose Files’ option will appear.


Select your CSV file and click ‘Process File’

3. A prompt will appear detailing the changes to be made.


Confirm the changes.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 4

Configuring Subnet DHCP

By default, all Subnets have DHCP enabled. This setting indicates that Darktrace should expect to observe DHCP traffic on the Subnet.

If a subnet does not have any DHCP traffic, such as a server network employing static IP addresses, the Threat Visualizer Status page
will show “No DHCP” in red for the offending Subnet. Disabling DHCP in the Subnet Admin page will remove this warning.

1. Within the Threat Visualizer, navigate to the ‘System Status’ page


in the main menu under ‘Admin’.

2. Scroll down and review the Subnets section. Locate any Subnets
with ‘No DHCP’ in red.
If this is a static subnet, you can remove this warning.

3. Navigate to the ‘Subnet Admin’ page in the main menu under


‘Admin’ and locate the corresponding entry.
Set the DHCP value to ‘No’ for the Subnet and save the changes.

4. Return to the System Status page and confirm that the ‘No DHCP’
warning is now grey.

Label Key devices

For ease of identification and prioritization, it is recommended that the most important 20-30 devices are labelled. For example,
labelling the Domain Controllers as DC1 and DC2 can assist in identifying these key assets.

Labelling a device is particularly helpful for devices that do not have a hostname, where the hostname is ambiguous, or where a device
deviates from the naming convention. Device labels appear in search results and any model breaches associated with the device.

1. Within the Threat Visualizer, navigate to the ‘Device Admin’ page in


the main menu under ‘Admin’.

2. Choose a device and click the label to begin editing it.


Enter a label such as “Mail Server” or “Finance Desktop”, and click
away from the label to save your changes.

3. The main Threat Visualizer user interface must be refreshed to


display any changes.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 5

3. Device Tracking
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.

Darktrace models every internal device that it observes on a network. This is achieved by analyzing every single packet to determine
its source and destination.

The most consistent method of tracking IP addresses is by assigning a static IP - in these cases, no configuration is required to instruct
Darktrace how to model static devices such as servers. However, In an increasing world of IoT, there may be thousands of IP addresses
in use day in and day out that are dynamically re-assigned via DHCP to a large number of constantly changing devices.

In the Threat Visualizer interface, there are multiple methods to track dynamic IP addresses. The most suitable method depends on
the network traffic available and deployment scenario.

Tracking by DHCP

Tracking via DHCP is the most reliable and preferred method to track IP address changes, and is enabled by default.

To access a network, a device must begin by sending a DHCP ACK request. The DHCP ACK packet contains two necessary ingredients
for Darktrace tracking: the device’s assigned IP address and the device’s MAC address. Darktrace will dissect this packet and extract
the MAC address. As the MAC address will not change, it can be used as a unique identifier and is therefore the most trusted source
for dynamic IP address tracking.

This method can mean a device such as a laptop can be displayed twice in Darktrace: one device for the connection via a physical
Ethernet cable, and another for the Wi-Fi network card. Differentiating the two connections can assist Darktrace learn a pattern of life
for a device. For example, typically a user’s behavior can be very different on their Wi-Fi when compared to a wired connection - they
may check their social media on pubic Wi-Fi, but never on the corporate LAN.

Tracking by Hostname

Darktrace passively reads hostnames for devices by observing devices making network requests, such as DNS requests for IP
addresses, Kerberos logins, and DHCP handshakes. This provides the Threat Visualizer with hostnames as enrichment data, allowing
for easy identification of devices beyond an IP or MAC address.

If DHCP is unavailable, Darktrace will default to tracking a device by its IP address. Where the device has a dynamic IP address, this
tracking may be inconsistent or lost. By configuring tracking by hostname, hostnames can be appended to a device for greater
consistency.

Hostname tracking can be achieved in three ways:

oo Passively look for hostnames in Kerberos traffic.

oo Actively poll DNS servers for hostnames

oo Passively look for hostnames in DNS traffic


DARKTRACE SYSTEM ADMINISTRATION GUIDE 6

Hostnames in Kerberos Traffic

1. Within the Threat Visualizer, navigate to the ‘System Config’ page


in the main menu under ‘Admin’.

2. Under ‘Settings’, locate ‘Reassign Device IPs from Kerberos’.


When DHCP is not available, setting this to true will enable Darktrace
to append hostnames when performing Kerberos authentication.
If suitable Kerberos packets are available to Darktrace, it will look for
hostnames and reassign IP addresses to them. This is particularly
useful if you are unable to poll DNS servers as described below.
It is recommended to always set this to true.

Hostnames in DNS traffic

It is also possible reassign IPs for client devices based on hostnames observed in DNS traffic and assign them to a network device.
When active polling is configured (see Polling DNS Servers to Append Hostnames below), Darktrace will use this method to reassign
IPs. Otherwise, passive observation will be used.

1. Within the Threat Visualizer, navigate to the ‘System Config’ page


in the main menu under ‘Admin’.

2. Under ‘Settings’, locate ‘Reassign Device IPs from DNS’.


Typically, enabling this setting is not recommended, unless the other
options have been exhausted.
Set this field to ‘true’.

Polling DNS Servers to Append Hostnames

When set to poll, Darktrace uses network administration command-line tools to poll DNS servers (DIG commands) for an IP address’s
hostname when the IP address becomes active on the network. The hostname resolution will be cached for a time set by the operator.
As IP addresses change frequently, these are both critical components.

1. Within the Threat Visualizer, navigate to the ‘System Config’ page


in the main menu under ‘Admin’.

2. Under ‘Settings’, locate ‘Poll Network For Hostnames’.


Set the value greater than zero to send commands.
A typical value of 7200 sets the number of seconds to cache
the results, enabling network commands to attempt to resolve
hostnames. Save your settings.

3. New polling options will appear.


Poll Network For Hostnames: 7200
The following steps will explain each setting so you may select an
Poll Network For Hostname Throttle: 10
appropriate value for your environment.
Alternatively, follow the worked example on the left to complete the
Poll Network For Hostnames All Subnets: true|false configuration.

Poll Network For Hostnames DNS Server: <DNS Servers>


DARKTRACE SYSTEM ADMINISTRATION GUIDE 7

4. Configure the Poll Network For Hostname Throttle setting.


When performing active DNS, this value will throttle the maximum
frequency of requests made to the specified limit.

5. Configure the Poll Network For Hostnames setting.


Set to a value greater than 0 to run ‘dig’ on the network to resolve
hostnames for IP addresses.
Typically used where no DHCP is available but correct dynamic
hostnames are available from DNS. Results are cached for this many
seconds. A typical setting is 7200 (two hours).
6. Configure the Poll Network For Hostnames All Subnets setting.
When ‘true’, runs ‘dig’ to resolve hostnames for IP addresses for
all subnets. If false, hostname lookups will not be performed for
subnets marked as having tracking by DHCP or unique usernames.

7. Configure the Poll Network For Hostnames DNS Server setting.


Input DNS Server details. Enter a maximum of 5, separated by
commas. If this field is left empty, polling will be completed using
the DNS servers configured via the console.

Tracking by Credentials

Darktrace automatically detects logins via Kerberos and other credentials. By extracting the source IP address and the credential,
the system can identify which device is in use at the time. If Darktrace is unable to obtain DHCP or DIG, credentials can be utilized to
track devices instead. This is most commonly used when Darktrace has no other means of identifying the device than identifying the
individuals/users logging into them (e.g. VPN users).

Tracking by credentials is configured on a per-Subnet basis in the Threat Visualizer.

1. In the main Threat Visualizer, click on the cube representing the


Subnet where you wish to enable tracking of credentials.

2. The Threat Visualizer should pivot to the selected Subnet and the
Subnet IP range should appear in the Omnisearch bar.
Click the pencil icon () beside the subnet range.

3. Review the options available in the ‘Edit Subnet Info’ popup box:

oo DHCP

oo Track Hostnames

oo Track Credentials

4. Review the DCHP setting.


The DHCP subnet setting controls if Darktrace should track devices
by DHCP. Note that the DHCP setting can also be changed via the
Subnet Admin page.
When disabled, Darktrace will track all devices in a subnet by their
IP addresses. When enabled, devices are tracked through their MAC
addresses.
If Tracking Credentials is to be enabled, DHCP must be disabled.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 8

5. Review the Track Hostnames setting.


Setting Track hostnames to ‘Yes’ will force Darktrace to only track
devices by hostnames, not MAC addresses. If Tracking Credentials is
to be enabled, Track Hostnames must be disabled.
Example Scenario: tracking laptops connecting to a network through
a docking station. The IP address seen by Darktrace will remain the
same, but multiple laptops could use the docking station during the
lifetime of the IP address.
Tracking devices by hostname will assist Darktrace in distinguishing
between the various laptops.

6. Before Track Credentials is enabled, confirm that DHCP is disabled


(step 4). Track hostnames must also be disabled (step 5).
Example Scenario: shift workers sharing the same desktop device
during the day. The device keeps the same DHCP information, but
the credentials change.
Enabling this setting will automatically create a separate device in
Darktrace for each user. The hostname will be a combination of the
Subnet and user credentials.

Using Log Input to Provide Tracking Data

When DHCP or Kerberos data cannot be retrieved’ DHCP or VPN logs can be sent to Darktrace to be parsed. Log Input allows custom
log data to be read into Darktrace and mapped to existing devices using the IP or MAC address. Assuming there is little delay retrieving
uploaded information, it can be a very accurate method of tracking devices. This feature is most commonly used to provide device
tracking information, but it can also enrich Darktrace modelling data.

VPN Users

Users who log into your network remotely via a VPN should be tracked via credentials as their IP address will constantly change -
Darktrace may never see the hostname for the associated device. Entering credentials will always be the first thing that a VPN user
needs to do before getting onto your network. For this, Darktrace can ingest VPN Logs that can be parsed for the user’s internal IP
address in use and the user associated with the traffic.

Other Log Types

DHCP and username data is used to assign hostnames, IP addresses, or credentials to devices. Event data is used to add custom
events into Darktrace. Note that this data will not be added to Advanced Search.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 9

Log Input

The Log Input feature is available on the System Config page under the Log Input section. The logs should be sent in syslog format to
the IP address of the Darktrace appliance, over UDP/1514.

Multiple Types and Patterns can be appended to parse the log data.
Once log data is being sent to the appliance successfully, the Load
Input option can be used to review a sample of the logs received.
Alternatively, check your own log servers to locate a sample and paste
into the ‘Log Input Test’ field. From the sample, a pattern can be
entered to automatically match and parse, setting variables to specific
attributes found in the log inputs.

Grok* patterns are used to extract values into a number of named


fields using the syntax %{PATTERN:field}. PATTERN must be one
of the built-in shortcut strings or a regular expression surrounded by
parentheses. Existing patterns may be reviewed by hovering over the
 beside Built in Patterns and copying any relevant options. Multiple
patterns can be configured, each one mapping to a named type.
Patterns can use perl compatible regular expressions or one of a number of built-in shortcuts.

Each input log line is matched against each applicable configured pattern in the order listed below until a match is found. Once a match
is found and data is extracted by the associated pattern, no further pattern matching will be attempted.

The following example will take any log that contains date=, and will look for a field called xauthuser. It will then look for the value
and assign that to username and a field called tunnelip, and assign that to the ip_address.

Type: USERTRACK

Match: date=

Pattern: xauthuser=”%{DATA:username}”.*tunnelip=%{IP:ip_address}

Click Load Input to fill the field, and Test Input to test your pattern against the sample log.

A full list of available fields is available on the configuration page on the Help information tool tip.

Additional Device Tracking Notes

Darktrace provides support for multiple feeds into the appliance.

In a Unified View deployment, logs must be fed to the relevant slave master appliance, as each slave master appliance is a separate
entity. For example, if Slave Master A is modelling Device X, then any logs pertaining to Device X must be sent to Slave Master A.
Please note, a physical appliance may be both a slave master and running the Unified View server.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 10

4. LDAP Authentication and Enrichment of User Details


Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.

The Threat Visualizer supports connections to LDAP servers such as Active Directory. This integration can be configured to provide
the following additional functionality:

oo Enable authentication to the Threat Visualizer interface using credentials from an LDAP server.

oo Enrich user details in the Threat Visualizer by providing additional LDAP attributes for users.

1. Within the Threat Visualizer, navigate to ‘System Config’ in the


main menu under ‘Admin’.

2. Scroll down and locate the LDAP section. By default, only LDAP
Server is displayed.
Enter an LDAP server IP address or hostname and press the enter
key. For additional configuration (such as a port number or SSL),
review the tooltip by hovering over  .
3. Confirm that additional configuration fields are now available.
These will now be addressed in logical order, rather than alphabetical.
For additional information about each field, hover the mouse pointer
over the blue information icons ()

4. To enable authentication and gain additional metadata, the LDAP


Account Attribute can be configured. This field provides an LDAP
attribute to match user credentials with - the name of the field in
LDAP containing a user’s username.

5. Setting the LDAP Authentication to True, will enable users to login


to Darktrace using LDAP credentials.
Note, this option cannot be used with unencrypted LDAP connections.

6. For the LDAP Username, specify a username with credentials to


access the LDAP server.
For example:
darktrace@examplecompany.com
cn=darktrace,dc=examplecompany,dc=com

7. An LDAP Password must be set to connect to an LDAP Server.


DARKTRACE SYSTEM ADMINISTRATION GUIDE 11

8. The LDAP Authentication Group Value can restrict usage of LDAP


authentication to specific groups. Therefore, only users belonging to
the group specified as the field value can gain access to Darktrace.
This is an optional attribute, which can be left blank if it is not required.
Wildcard asterisks can also be employed to restrict access to groups

9. There are two types of methods to encrypt connections to LDAP.


Only one option may be enabled at any one time:
• LDAPS (LDAP over SSL)
• LDAP (using STARTTLS)
An LDAP Certificate is optional for both forms of encryption. Omitting
a value disables certificate validation.

10. Optionally set the LDAP Digest Authentication to true to enable


SASL authentication if desired.

11. For LDAP Group Attribute Name field, set the attribute name used
for Group Membership.

12. The path to the LDAP Server location can be set at ldap:// or
via SSL with ldaps://
When using SSL, the LDAP Start TLS must be set to false.
Only one encryption method can be used at one time.
13. When not connecting over LDAPS, set the LDAP Start TLS to true.
For testing purposes, if encryption is not available, set the LDAP
server location to ldap:// and the LDAP Start TLS to false.

14. If LDAP Server Referrals are in use, set this field to true

15. For the moment, leave the LDAP Test User and LDAP User
Attributes with their default values.
Set the LDAP User Base path to identify the users in the LDAP tree.
For example: ou=users,dc=company,dc=com

16. Before confirming all changes, it may help to test the connection.
Set the LDAP Test User to a valid user identified by the Threat
Visualizer.
Changes must be saved before testing. Scroll down to the ‘Save all
Settings’ button or press enter when editing a field value to save.

17. Scroll down to the Test LDAP button.


An LDAP success message is displayed if a connection is established.
A warning will appear if the communication is not encrypted.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 12

Mapped attributes 18. Hover the mouse over the LDAP success information icon () to
Name James Bourne view more details. This returns a list of attributes for the test user
Email james.bourne@company.com account: .
An example list of attributes is shown across.
Unmapped attributes
The attributes list displays all attributes that can be appended to the
accountExpires 92237827382370833
Threat Visualizer interface. This attribute list has both mapped and
cn James Bourne unmapped attributes:
countryCode UK
Mapped attributes are attributes already shown in the user interface.
distinguishedName CN=james bourne, OU=people, DC=
company, DC=local Unmapped attributes list all the LDAP attributes which are available,
lastLogoff 0 but not currently shown in the interface.
lastLogon 13387832738738378
logonCount 2287
memberOf CN=packages, OU=groups, DC=
company, DC=local
name James Bourne
mail james.borne@company.com
objectClass User
phone 123456789
...

19. To append values as mapped attributes, review the LDAP User


Attributes field.
Attributes are set as key-value pairs - e.g. Email=mail.
The first part (here, Email) can be any term shown in the interface.
The second term (here, mail) must be specifically returned by LDAP
or no value will be found.

20. After making changes, the Threat Visualizer will not update until
the user next logs in and their credentials will be captured. Once
refreshed, the new user attributes from LDAP can be viewed in the
Device View.
Select a device and hover over it to view additional details set in the
LDAP User Attributes field. This could include the user name, email,
group, and telephone number.

21. When logging in for the first time after LDAP is enabled, navigate
to Group Admin under menu.
Any groups for a user in LDAP matching the LDAP Authentication
Group Value will be automatically created
In this example, an LDAP Authentication Group Value of *darktrace*
had created a DarktraceAnalyst Group belonging to a user.
When a new Group is created, ensure that user permissions for the
group are updated in Group Admin to match the desired authorization.
Note, additional groups can be appended by setting the LDAP
Populate Groups field.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 13

5. Configuring HTTPS Certification


Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.

Uploading a valid HTTPS certificate will prevent the web browser warning that the connection to the Threat Visualizer uses an invalid
certificate. For example, in the Chrome browser, this is indicated by a red line through the ‘https’ part of the URL and may also present
the user with a warning that must first be dismissed before accessing the Threat Visualizer interface.

Darktrace Appliances are shipped with a self-signed certificate for the hostname “dt-XXXX-YY” - the internal appliance hostname as
designated by Darktrace. Self-signed certificates are often not trusted by web browsers and therefore a warning may be displayed
when accessing the appliance. Additionally, it is common practice for companies to have their own appliance naming conventions,
and it is likely the Darktrace designated name will not fit into such a scheme.

The following instructions detail how to configure a TLS/SSL certificate for a Darktrace appliance.

1. Within the Threat Visualizer, navigate to the ‘System Config’ page


in the main menu under ‘Admin’.
Scroll down and locate the HTTPS Certificate section.
Click ‘New’.

2. A series of fields will appear requesting additional information.


Complete as much information as possible.
At a minimum, populate the Country and Fully Qualified Domain
Name.

3. Once the minimum number of fields are complete, the Generate


CSR button will become available.
By clicking ‘Generate CSR’, the supplied information is used to
generate a Certificate Signing Request in PEM format

4. The CSR should be copied to a file and provided to a Certificate


Authority such as Digicert or GoDaddy who will provide a certificate
in return for a nominal fee.
Alternatively, a local certificate authority may be used, provided the
facility is available and users of the appliance are likely to have the
root certificates present on their connecting clients.

5. Upon receiving the certificate back from the Certificate Authority,


return to the HTTPS Certificate section and paste the PEM encoded
contents of the certificate into the Certificate field.
Click Save to apply the change.
Reload the Threat Visualizer and confirm that the invalid certificate
warning has gone.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 14

6. Configuring Email Alerts


Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.

Darktrace offers a number of alerting types and export options - the simplest form is Email alerts. Multiple email addresses may be
entered as recipients for these alerts.

Email Alerting is especially important for teams that do not have enough time to regularly check the Threat Visualizer and would rather
log in for specific alerts only. Some organizations may prefer to send all model breaches to a central SOC team, while others prefer to
configure the Email Alert so they are only alerted to the most serious model breaches.

Note, emails are only sent when a model is set to alert. To view this setting, edit a model and confirm that the Action setting has ‘Alert’
highlighted.

1. Within the Threat Visualizer, navigate to the ‘System Config’ page


in the main menu under ‘Admin’.
In the Alerting section, set ‘Email Alerts’ to true.

2. Save the change. Scroll down to the ‘Save all Settings’ button or
press enter when editing a field value to save.
The page will refresh, revealing email specific configuration fields.

Email Alerts: true 3. Complete the configuration using the example across, substituting
Email Date Field: false in the appropriate details.
Email HTML Format: true If extended configuration fields such as a JSON format alert or Email
Email JSON Format: false Date Field value are required, enter a valid recipient and save the
Email Password: <empty> changes. These fields should now become available.
Email Recipients: user@company.com
Note, both the Email Sender name and Email Sender Email Address
Email Sender Email Address: darktrace@company.com are required fields.
Email Sender Name: Darktrace Appliance
Email Server: mail.company.com
Email Server Port: 25
Email Server SSL: false
Email Server TLS: true
Email Username: <empty>

4. Review the following three options at the bottom of the Alerting


section:
oo Minimum Alert Priority

oo Minimum Alert Score

oo Model Expression
These settings control when an email alert should be generated for a
particular model breach. If more than one alert condition is configured
then a model breach must meet all criteria to generate an alert.
5. Optionally set a value for Minimum Alert Priority.
Every Model has a priority from 0-5 indicating the breach severity.
Providing a minimum alert priority of 1 to 5 will restrict emails to
models that fire with a threshold of the priority number or greater
DARKTRACE SYSTEM ADMINISTRATION GUIDE 15

6. Optionally set a value for Minimum Alert Score.


The Alert score is displayed when hovering over the coloured line to
the left of a model breach. The score is a percentage representing
the overall priority of a breach and can be filtered with a slider in the
main Threat Visualizer.
For example, setting the Alert score to 60 will only send emails that
have a 60% or higher threat score.

7. Optionally set a Model Expression to control alerts.


Regular expressions can be entered in the Model Expression field
to restrict email alerts to model names that match a certain Regex
value.

8. Once all fields are completed and alert priority set, save the
changes to reveal a Verify Alert Settings button.
Click this button to send a test email and check all settings are
correct.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 16

7. Registering the Darktrace Mobile App


Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.

Available for iOS and Android, the Darktrace mobile app allows users to easily access Enterprise Immune System Alerts when they are
on the move. In order to associate the Darktrace Mobile app with your Darktrace deployment, the Threat Visualizer must be authorized
to send alerts via IMAP.

The user permission ‘Register mobile app’ is necessary to perform these configuration steps. Please see Section 8 below for further
details on user administration and account permissions.

1. Within the Threat Visualizer, navigate to the ‘System Config’ page


in the main menu under ‘Admin’.
In the Alerting section, set ‘Mobile App Alerts’ to true.
Scroll down to the ‘Save all Settings’ button or press enter when
editing a field value to save.

Mobile App Alerts: True 2. Saving the changes should expose additional configuration
Mobile App Antigena: True options.
Mobile App IMAP Address: user@example.com Complete your details using the example on the left.
Mobile App IMAP Internal Hostname: <blank>
Mobile App IMAP Password: <password>
Mobile App IMAP Port: 993
Mobile App IMAP Server: imap.example.com
Mobile App IMAP Server SSL: true
Mobile App IMAP Server TLS: false
Mobile App IMAP Username: user@example.com
Mobile App Restricted View: False

3. Optionally review the following alert options at the bottom of the


alerting section:

oo Minimum Alert Priority

oo Minimum Alert Score

oo Model Expression
These settings are covered in detail in Section 6, steps 4-7.
4. After completing the alerting configuration, return to the main
Threat Visualizer and navigate to Account Settings on the main
menu.
The ‘Register Mobile App’ option should now be available. Click
‘Register Mobile App’ to reveal a QR code.

5. On your smartphone, open the appropriate App store and search


for Darktrace.
The Darktrace iOS app is available on the App Store, and the Android
app is available on Google Play.
Download the Darktrace app.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 17

6. Open the Darktrace app.


You will be prompted to authenticate with the Darktrace appliance.
Press ‘Next’ to proceed.

7. The app will request permission to use your smartphone camera.


Use the camera to scan the QR code in the Threat Visualizer
generated in step 4.
The app should now authenticate.
Further information about using the app can be found in the Threat
Visualizer User Guide.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 18

8. User Administration
Requirements: access to the Darktrace Threat Visualizer, credentials for the admin user.

User Admin provides options to control access and restrict privileges for user accounts within the Threat Visualizer application. It can
be accessed by navigating to Admin, User Admin. User privileges can be configured by enabling values in blue, and then clicking the
Save button. By default, the ‘admin’ user will possess all available privileges.

User access can also be controlled by creating user groups in the Group Admin page and assigning specific permissions to each group.

Available Permissions

The following permissions are available:

Permission Description

Visualizer Access to the Threat Visualizer interface.

Edit Models Make changes to Models. Using tags can be a good way of tuning models without requiring access to edit a
model.

Device Admin Lists all devices observed by Darktrace. This is particularly useful for searching, bulk tagging, or changing
device types. Typically for administrators only.

Subnet Admin Lists all subnets, labels, and whether DHCP is enabled. Typically for administrators only

Audit Log Lists captured user behavior such as logging into Darktrace. Typically for administrators only.

User Admin Controls access to user privileges. Typically for administrators only.

Group Admin Controls access to group privileges. Typically for administrators only.

Advanced Advanced Search provides a deep insight into network traffic making every connection searchable. An excellent
Search tool for investigating suspicious activity, but may be restricted to more privileged positions due to the insight
granted.

Status For administrators and developers to check the system health of the Darktrace appliance, probes, and network
traffic.
Acknowledge Enables users to acknowledge model breaches. Any user investigating breaches should likely have access to
Breaches this role. Recommended for all but the most restricted user.

Discuss Breaches Makes comments on model breaches. Very useful for controlling and highlighting which users are working on
a model. Recommended for all but the most restricted user.

Edit Domains Make changes to domain information. Typically for administrators only.

Configuration Make changes to the System Configuration page. Typically for administrators only.

API Help Provides information on the Threat Visualizer API. Recommended for all administrators and developers.

View Models To help understand how a model breach occurred, it is recommended that all users have access to View Models.
Note there is a separate privilege for editing roles, which is much more restricted.
One Click Provides a quick view of the model breach to assist in identifying and investigating model breaches. Recommend
Analysis for all users performing threat analysis.

Create PCAPs Enables users to create Packet Captures in the Threat Visualizer application. Recommended for users familiar
with Wireshark or Darkshark.
Download Allows user to download created Packet Captures. Recommended for users familiar with Wireshark or
PCAPs Darkshark.

Antigena Enables Antigena functionality. The Darktrace appliance must be configured to enable Antigena.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 19

View Messages View comments on model breaches. Very useful to control and highlight which users are working on a model.
Recommended for all but the most restricted user.
Unrestricted When enabled, users can view all user credentials that have accessed a device. Disabling this option restricts
Devices users to an obfuscated view. Recommended for restricted users.

Download TIRs Enables users to download Threat Intelligence Reports.

Ask the Expert Ask Analysts questions about articular Model breaches. This will open a window to drag and drop breach log
details and post questions.
Dynamic Threat
Dashboard Provides access to the Dynamic Threat Dashboard

Register Mobile Register the Darktrace Threat Visualizer Mobile App. The Mobile App IMAP settings in the Alerting section of
App the System Config must be set before this feature can be employed. Enabling this functionality provides users
with this access to a link on the Account Settings window

Recommended User Access Settings

Three user access configurations are covered below. These profiles encompass common roles utilized by organizational security
teams when using Darktrace.

(a). Basic threat analysis with obfuscation privileges

Users with this access are unable to identify users of a particular device, but can make comments and acknowledge breaches. They
do not have access to Advanced Search, nor do they have the privileges to change and administer settings.

Visualizer Edit Models Device Admin Subnet Admin Audit Log


User Admin Group Admin Advanced Search Status Acknowledge Breaches
Discuss Breaches Edit Domains Configuration API Help View Models
One Click Analysis Create PCAPs Download PCAPs Antigena View Messages
Unrestricted Devices Download TIRs Ask the Expert Dynamic Threat Dashboard Register Mobile App

(b). Full threat analysis privileges

The following options provide full threat analysis with Advanced Search and capability to identify users. Packet Capture and Antigena
are also available.

Visualizer Edit Models Device Admin Subnet Admin Audit Log


User Admin Group Admin Advanced Search Status Acknowledge Breaches
Discuss Breaches Edit Domains Configuration API Help View Models
One Click Analysis Create PCAPs Download PCAPs Antigena View Messages
Unrestricted Devices Download TIRs Ask the Expert Dynamic Threat Dashboard Register Mobile App

(c). Full administration privileges

Full Administration access to change system configuration and perform detailed threat analysis. Typically, this level is granted to
System Administrators only.

Visualizer Edit Models Device Admin Subnet Admin Audit Log


User Admin Group Admin Advanced Search Status Acknowledge Breaches
Discuss Breaches Edit Domains Configuration API Help View Models
One Click Analysis Create PCAPs Download PCAPs Antigena View Messages
Unrestricted Devices Download TIRs Ask the Expert Dynamic Threat Dashboard Register Mobile App
DARKTRACE SYSTEM ADMINISTRATION GUIDE 20

Anonymization Mode

Darktrace’s technology has been designed with protection and controls in place that allow customers to comply with a range of privacy
and confidentiality policies. Anonymization Mode can be configured for enhanced anonymization on a per-user basis. Importantly, this
mode only impacts Client machines in Darktrace. It does not impact any Server device Types. If set, this mode anonymizes various
aspects of the data seen by Darktrace, in order to protect the privacy of employees and to comply with European privacy laws.

Anonymization Mode includes the following features:

oo The last octet of IPv4 addresses is anonymized. For example, 192.168.0.22 is anonymized to 192.168.0.#36178

oo Hostnames are anonymized. For example, some.companydomain.internal is anonymized to #63680206

oo Credentials are not displayed

oo No PCAPs can be generated

oo Access to Advanced Search is restricted

To the left is a Subnet view with Anonymization Mode enabled. The hostname
and IP address have been automatically anonymized.

If an incident is identified in Anonymization Mode, an analyst can seek


internal approval to conduct an in-depth investigation with more visibility.
Once approval is given, the analyst then switches to a higher-privileged user
that does not run in anonymization mode, allowing the analyst to conduct
a thorough investigation of the incident. This mode grants enough visibility
for analysts to conduct initial triage, and to identify incidents, without risking
exposing the identity or privacy of employees or other users on a network.

Enabling Anonymization Mode

1. Within the Threat Visualizer, navigate to the ‘User Admin’ page in


the main menu under ‘Admin’.

2. Deselect the ‘Unrestricted Devices’ option and save the changes.


Repeat for all users intended for anonymization.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 21

9. Upgrading Darktrace Models


Requirements: Access to the Darktrace Threat Visualizer, credentials for the admin user.

When a software upgrade bundle is applied, any changes to Darktrace models (such as new or updated models) will also be performed.
Where software upgrades are set to pre-cache, model updates will be pushed to the User Interface for automatic update or approval
even if the full software bundle is not yet applied.

Separate to this software upgrade process, updates to Darktrace models are delivered on a regular basis to the Threat Visualizer when
Call-Home is enabled

Whether a model is updated automatically or not is decided by the following process:

Darktrace Model edited by Auto-update is Auto-update is


Model is an FALSE FALSE TRUE TRUE Model updated
updates a a non-Darktrace ‘True’ in the set to ‘Yes’
Antigena Model? automatically
model user? System Config? on the model?

TRUE TRUE FALSE FALSE


Manual
confirmation
required

Model updates can be deployed via two methods, auto-update and manual confirmation. Manual confirmation can be applied on a
model-by-model basis or across all models. In this mode, an operator must confirm all model updates before application. Antigena
Models will never be updated automatically.

Auto-updating Models
1. Within the Threat Visualizer, navigate to the ‘System Config’ page
under ‘Admin’ on the main menu.

2. Under Settings, confirm that Auto Update Models is ‘true’.

3. Additionally, confirm the setting for ‘Auto Update Models Maintain


Tags’. True will preserve any tags added to the model when auto-
updating, a useful setting if models have been mapped to specific
use-cases or an existing playbook.
False will overwrite any tags on a model during an auto-update.

4. Edit any Model in the Threat Visualizer and confirm that the Auto
Update setting is ‘Yes’.
When set to Yes, this model will automatically upgrade to the latest
version when its released.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 22

Manual Confirmation
1. If models are not updated automatically due to any of the
conditions listed above, a message will appear on the home page
of the Threat Visualizer stating ‘x’ number of model updates are
available and require review.
Clicking this blue notification will redirect the user to the Model
Updates page. The Model Updates page can be accessed at any time
from the main menu under ‘Models’.
Any new models created or duplicated will not be impacted by
automatic updates
2. The Models Updates page lists all Models which have been
customized but have new updates available.
Click on a Model row to reveal more options.

3. For each model, each revision will appear as a separate line with
a short description of the changes and options to Accept, Decline or
View them.

4. The ‘Active’ model is the current version active on your deployment.


Clicking the View button will display the current Model settings with
the option to view the new upgrade.

5. Click ‘View Upgrade’ to see the newest version of the model. You
may Ignore or Accept the changes.
Accepting the changes will permanently update the Model. Be careful
not to overwrite any changes.
If you wish to preserve your changes to a model but are concerned
about delaying any important updates, one method is to duplicate
the model and then upgrade the original. The duplicated model will
retain the original logic with your changes and can be revised to
match the upgraded version at your convenience.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 23

10. Host Variable Configuration


Requirements: access to the Master appliance console, credentials for the console user.

Darktrace provides several custom configuration options which may be appropriate for your environment. These configuration options
are accessed via the console and will help to access, use and administer the appliance and ensure any internal policies are adhered to.

The available host variables may change from version to version, dependent on requirements. Each option is described in detail when
selected from the console menu.

Available Host Variables:

1. Use highly compatible ssh ciphers

Configures the SSH server to use a highly compatible set of ciphers. Disabling this option increases the security of the SSH server.

2. HTTPS: Disable SHA1 ciphers and TLS protocols < 1.2

Enabling this option restricts the cipher suite in use by the HTTPS server and disables TLS protocols other than TLS v1.2.

3. UI session expiry length

Sets the number of minutes after which UI sessions are logged out due to inactivity.

4. Enforce two factor authentication

Enabling this option requires that all users of the Threat Visualizer provide a second credential to access the user interface. Two-factor
authentication be individually enabled for specific users in the User Administration page on the Threat Visualizer User Interface.

5. Set MTU Configuration

This option sets the maximum transaction unit (MTU) size that can be communicated over the network.

6. CVE-2017-5754 Intel “Meltdown” patch

Enabling this option applies the kernel patch to mitigate the Meltdown vulnerability (Kernel page table isolation). A reboot is required
for changes to take effect.

For more details, please refer to “Darktrace Threat Note Meltdown and Spectre.pdf” available to download from the Darktrace Customer
Portal.

7. Set alternative TSA port

Sets the Terminal Services Agent (TSA) to post data to the appliance on port 1443.

8. Block Darktrace user from generating PCAPs

Restricts the ability to generate PCAPs for the Darktrace user.

9. Set DHCP hostname encoding

Changes the encoding for DHCP hostnames. The Windows DHCP client transfers computer hostnames using the system encoding.
Organizations with Windows machines configured using to use non-ascii charactersets by default may wish to change this setting.

10. Generate weekly Executive Threat Report

Automatically generate an Executive Threat Report every Sunday at midnight UTC. Please note, this feature will not run on probes or
individual masters underneath a Unified View instance.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 24

Modifying Host Variables

To modify the following host variables, access to the appliance console is required.

1. Login to the console menu and select 3. Appliance Admin.

2. Select option 5. Configure host variables.

3. The Host variables menu shows all the currently available


configuration options.
Select a desired variable.

4. After selecting an option, an explanation of the setting will be


displayed.
For the majority, pressing the space bar will toggle the setting on or
off. On is indicated by an asterisk [*].
Variables which require a value will allow for text entry.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 25

11. Creating Backups


Requirements: access to the Master appliance(s) console, credentials for the console user, credentials for the transfer user.

The Darktrace Threat Visualizer application includes configuration options to backup your Darktrace appliances. A backup includes
all Darktrace machine learning, models, breaches, as well as subnet and device information, and configuration settings on the Threat
Visualizer GUI. It does not include transactional data such as connections in the Event Log, Advanced Search entries and PCAP files,
nor configuration settings on the console menu.

A backup will take approximately 2GB of storage space, although actual size may vary, and can be created either manually or
automatically on a daily schedule.

In networks with Probe and Master appliances, only the Master appliance needs to be backed up. In Unified View deployments, or if
more than Master is being used, make sure to back up all Masters.

Create an Immediate Backup

A backup file can be manually created through the appliance console and accessed via SFTP by the transfer user.

1. On a Master appliance, login to the console menu and select 4.


Backup and Restore.

2. A range of backup options are available.


Select 1. Backup locally now.

3. A warning will appear stating that Darktrace appliances can only


be restored from a backup of the same software version.
Select ‘Yes’ to proceed.

4. The Backup file is created in the /files directory.


This directory can be accessed by the transfer user via SFTP.

Create Scheduled Backups

Backups can be automatically created on a daily basis and passed to a specified remote server via SCP or SMB.

Creating Scheduled Backups over SCP

1. On a Master appliance, login to the console menu and select 4.


Backup and Restore.

2. A range of backup options are available. Select 2. Scheduled


backup configuration
DARKTRACE SYSTEM ADMINISTRATION GUIDE 26

3. When accessing this feature for the first time, a prompt may appear
stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed.
The next screen will ask if you wish to change the configuration at
this time. Select ‘Yes’ to proceed.

4. Choose a protocol over which to transfer backups.


Select scp.
Selecting none disables scheduled backups.

5. Enter the IP address or hostname of the remote server intended to


receive the backup files and proceed.

6. Enter a port on the backup server and confirm.

7. Enter a user to authenticate against for the server and confirm.

8. Enter a path on the server where the backup will be sent and
confirm.

9. Enter the hour, minute and second in UTC for the daily backup and
confirm.

10. Confirm your configuration options and select ‘Yes’ to proceed.


Please note, the public key is generated in the /files directory,
which can be accessed by the transfer user via SFTP.
This key must be added to the .ssh/authorized_keys file for the
configured user on the remote backup server.
The key can also be regenerated from 4. Generate/regenerate scp
transfer key under the Backup and Restore submenu.

11. Optionally test the configuration.


Configuration can be tested at any time from 3. Test backup transfer
under the Backup and Restore submenu.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 27

Creating Scheduled Backups over SMB

1. On a Master appliance, login to the console menu and select 4.


Backup and Restore.

2. A range of backup options are available. Select 2. Scheduled


backup configuration.

3. When accessing this feature for the first time, a prompt may appear
stating ‘Backup configuration not set’. Confirm ‘OK’ to proceed.
The next screen will ask if you wish to change the configuration at
this time. Select ‘Yes’ to proceed.

4. Choose a protocol over which to transfer backups.


Select SMB.
Selecting none disables scheduled backups.

5. Enter the IP address or hostname of the remote server intended to


receive the backup files and proceed.

7. Enter the name of the share on the SMB server and confirm.

8. Enter a user to authenticate against for the server and confirm.

9. Set the domain or workgroup that this user is a member of and


confirm.

10. Set a password for the user for authentication and confirm.

11. Set the path on the server where the backup will be sent. and
confirm.

12. Enter the hour, minute and second in UTC for the daily backup
and confirm.

13. Confirm your configuration options and select ‘Yes’ to proceed.

14. Optionally test the configuration.


Configuration can be tested at any time using 3. Test backup transfer
under the Backup and Restore submenu.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 28

Email Notifications for Scheduled Backup Status

Darktrace provides the option to receive email notifications about the success or failure of daily scheduled backups. Scheduled backups
must be configured for email notifications to be set.

1. On a Master appliance, login to the console menu and select 4.


Backup and Restore.
Under the Backup and Restore submenu, select 6. Configure email
alerts.

2. A prompt will describe scheduled backup notifications.


Select ‘OK’ to proceed.

3. A further prompt will ask whether you wish to enable notifications.


Choose ‘Yes’ to configure email alerts.

4. By default, email notifications are sent when a backup fails.


Optionally, notifications can be sent when a backup is successful.
Select your preferred configuration option and proceed.

5. Enter an email address to receive notifications.

6. Enter an email address to send notifications from (optional).

7. Enter the hostname or IP address of an SMTP server to send


emails via.

8. Select a port for SMTP.

9. Choose whether STARTTLS is to be used.

10. Enter a user name to configure SMTP authentication.

11. Enter the Password of this user.

12. Confirm the configuration and select Yes to proceed.

13. Optionally send a test email to confirm the configuration process


was successful.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 29

12. Restore from a Backup


Requirements: Access to the Master appliance console, credentials for the console user, credentials for the transfer user.

The option to restore from a backup is available in the console menu. Transactional data such as connections in the Event Log,
Advanced Search entries, and PCAP files are not restored.

Before restoring from a backup, check the following:

oo Upload the backup file to /files/upload in the transfer user directory via SFTP.

oo Confirm the appliance is running the same software version as the backup file, otherwise the restore cannot be performed.

1. On the Master appliance intended for restore, login to the console


menu, and select 4. Backup and Restore.

2. Select 5. Restore from backup.

3. A prompt will appear to warn that a backup must be present


before a restoration can occur.
Select OK to continue.

4. Select a backup to restore from the list.

5. A prompt will request confirmation for the chosen backup.


If this is the correct backup, proceed with the restoration.

6. Please wait for the restoration to complete.


Larger backup files will take longer to restore from.

7. A ‘restore completed successfully’ message will confirm


restoration was successful.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 30

13. Upgrading the Darktrace Appliance


Requirements: access to the appliance(s) console, access to the Darktrace Customer Portal, access to the Darktrace Threat Visualizer,
credentials for the console user, credentials for the transfer user, credentials for the admin user.

This section describes the process for manually upgrading the software version running on a Darktrace appliance. When Call-Home is
enabled, Darktrace appliances will automatically be upgraded by Darktrace to the latest release unless the ‘Upgrade requires approval’
option has been selected. In such case, or when “Call Home” is not enabled, a manual upgrade is required.

Upgrading to the latest version of the Threat Visualizer involves the following stages:

oo Download the latest bundle (if not downloaded automatically).

oo Copy the bundle to all Darktrace Appliances.

oo In the Darktrace console, unpack the bundle.

oo Install the latest Threat Visualizer version.

oo Log in to the Threat Visualizer application and confirm the latest version is installed.

As a Darktrace installation may involve multiple appliances, it is important to ensure that all appliances are upgraded to the same
version. Upgrading an appliance will not change any previous settings or overwrite any stored model breaches.

Types of Software Bundle

There are two types of software bundle available, full and differential. Full packages contain the entirety of the Darktrace software
needed to upgrade an appliance to the newest version and consequently are larger files. Differential packages are much smaller
upgrade bundles and only contain the necessary content to upgrade from the version specified in the file name. Understanding the
difference will ensure you download the correct package for your needs.

Full package

A full package can be applied to upgrade an appliance running any older version of the Darktrace software These software bundles
follow the naming syntax:

darktrace-bundle-<upgrade version>_<release date>-<alphanumeric>-x.dat

Example: darktrace-bundle-31007_20181217T1457Z-983d8-x.dat

Differential package

Differential packages are much smaller files than full packages. Unlike full packages, differential packages can only upgrade appliances
running the specific software versions named in the package file name. Differential packages come in two types, delta and xdelta.

Delta Packages

Delta packages can be applied to any software version newer than the version specified in the filename. These software bundles
follow the naming syntax:

darktrace-bundle-<upgrade version>-delta<oldest version>_<release date>-<alphanumeric>-x.dat

Example: darktrace-bundle-31007-delta30911_20181217T1457Z-983d8-x.dat

In this example, any appliance running the oldest version (30911) or newer can be upgraded with this bundle.

Xdelta Packages

Xdelta packages can only be applied to the specific software version included in the filename. These software bundles follow the
naming syntax:
DARKTRACE SYSTEM ADMINISTRATION GUIDE 31

darktrace-bundle-<upgrade version>-xdelta<specific old version>_<release date>-<alphanumeric>-x.dat

Example: darktrace-bundle-30811-xdelta30801_20180726T1426Z-5c186-x.dat

In this example, only an appliance running the specific version (30801) can be upgraded with this bundle.

Downloading Bundle files

Software upgrade bundle files can be obtained via automatic download, manual download or from the Darktrace Customer portal.

Automatic download

A differential package file is automatically downloaded every weekend (if available) when automatic downloads are configured. To
check the current settings, access the console and navigate to 2. Software Updates > Guided mode > 3. Configure downloads. To
disable all automatic downloads, select None (disable guided updates) under the appropriate submenu.

oo Automatic download via Call-Home: Update bundle files are downloaded via Call-Home. (Call-Home must be established to select
this). This is enabled by default.

oo Automatic download over the internet: Alongside the Call-Home SSH connection, Darktrace provides another channel for
appliances to automatically download bundle files over the internet via HTTPS.

The appliance requires access to packages.darktrace.com (or the cloudfront.net content delivery network, if you prefer) over port
443. A proxy can be configured if required. This method requires a bundle key which can be requested from Darktrace Support.

Manual Download

All current software bundles can be found on the Darktrace Customer Portal. A manual update check can also be performed from the
appliance console.

oo Manual download via Call-Home: The latest differential package can be downloaded via the console menu. Navigate to 2. Software
Updates > Guided mode > 1. Check for updates now

oo Manual Download via Customer Portal: The latest bundle file is available in the Customer Portal. Download the file from the
website and copy it to the appliance intended for upgrade via SFTP using the transfer user.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 32

Upgrade procedure

You can manually upgrade your appliance using the following procedure. Please ensure that your upgrade bundle file is placed on the
appliance before the upgrade process. If you downloaded a bundle from the Customer Portal, login to your appliance as the transfer
user via SFTP, and upload your upgrade bundle file to the /files/upload directory.

Guided Mode

1. On the appliance intended for upgrade, login to the console menu


and select 2. Software Updates.

2. Two options are available, Guided mode and Manual mode.


Select Guided Mode.

3. Review the options available on the Guided mode menu:


[1] Check for updates now: Checks if there are any new available
updates. If an update is available it will download and proceed to
unpack and install it, prompting before each step begins.
[2] Unpack and Install updates: runs through the update process,
asking for confirmation before each step.
[3] Configure download: provides configuration settings for fetching
the latest upgrade bundles. Please see ‘Downloading Bundle Files’
above for further information.

4. Select Check for Updates Now. The appliance will locate any
available updates and proceed through the upgrade process.
Confirm each step in turn and the upgrade will run successfully.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 33

Manual Mode

1. On the appliance intended for upgrade, login to the console menu


and select 2. Software Updates.

2. Two options are available, Guided mode and Manual mode.


Select Manual mode.

3. Manual mode requires further configuration steps to unpack the


downloaded bundle and before installation.
In the Manual Mode submenu, select 2. Unpack uploaded update
bundle.

4. A list of available bundles stored on the appliance will appear.


Select the newest bundle to install. The latest bundle is always at
the bottom of the list.
Press OK to continue.

5. A prompt will ask if you wish to unpack the specified bundle.


Confirm and proceed.
It may take some time for the unpacking operation to complete.

6. Once unpacked, the console will return to the Manual mode


submenu.
Select 3. Apply update/configuration changes.

7. A confirmation warning will appear. Proceed with the update.


If an error occurs, please try applying the latest changes a second
time. If the error persists, please contact Darktrace Support.

8. A further warning will appear. Upgrading a Darktrace appliance


without confirmation from Darktrace support may affect your
Service Level Agreement.
Confirm your understanding and proceed.

9. A final warning will explain that all capture services will be


restarted on upgrade.
Confirm and proceed.

10. The update process will begin.


When finished, press OK to complete the upgrade.

11. Optionally check the status of the services.


Select ‘Yes’ if you wish to do so. After the status check you will be
logged out of the console.
‘No’ will log you out of the console immediately.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 34

12. Login to the console menu again to confirm that the software
version has updated.

13. Login into the Threat Visualizer web application and navigate to
Admin, System Status under the main menu.

14. On the Status page, confirm that the software version has been
updated to the latest version.
If so, the upgrade process has been successful.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 35

14. Securely Erasing Captured Data


Requirements: access to the appliance console, access to the Darktrace Customer Portal, credentials for the console user.

Data erasure is useful when relocating a Darktrace appliance and/or changing its monitoring scope, to start initial deployment
‘baselining’ afresh, or if data needs to be wiped before returning an appliance to Darktrace.

There are two options for data erasure, captured data deletion or a factory reset. Both data erasure processes above can be performed
onsite, provided access to a Darktrace appliance is available. Neither processes will affect the appliance Operating System or any
Darktrace proprietary software.

The ‘delete captured data’ option will include, but may not be limited to, the following data sets: topology settings (connected probes
and their IP addresses), hostnames and popularity (rare hostnames etc.), environmental details (proxies, domains etc.), all modelled
devices, breaches and partial breaches, device connectivity states, and backups. A factory reset will write zeros to all disks and reinstall
the operating system and Darktrace software components, rendering the appliance in an as-new state.

Darktrace will also fully erase any information on all storage drives for new or returned appliances.

Delete Captured Data

Captured data is erased through the console application. This process will also require an unlock code to be provided by a Darktrace
representative, and exchanged via a secure channel such as text message or the Darktrace Customer Portal.

1. Access the appliance console. From the main menu, select 3.


Appliance Admin, then 10. Reset appliance.

2. Select 1. Delete capture data and choose OK.

3. A prompt will appear with a warning message.


Confirm Yes if you wish to proceed.
No will cancel the process and no changes will be made.

4. Another warning prompt will require that you reconfirm your


decision to reset captured data.
Select ‘Yes’ again to confirm your choice.

5. A further screen will ask if you wish to disable capture interfaces


before proceeding.
‘Yes’ will disable capture interfaces, meaning that no further data can
be ingested even after the appliance completes its reset regardless
of if cables have been removed. Capture Interfaces should not be
disabled if you wish to continue to use the appliance after reset;
only Darktrace Support can re-enable them.
Selecting ‘No’ means the appliance will begin ingesting data again
through any connected capture interfaces on completion of the
reset.

6. The appliance will now request a reset unlock code. Enter the
unlock code provided by Darktrace and confirm.

7. The ‘Device successfully reset’ message confirms the erasure


process was successful
Press OK.
DARKTRACE SYSTEM ADMINISTRATION GUIDE 36

Restore to Factory Settings

A factory reset is performed through the Appliance console and is the most stringent data erasure method available. A factory reset
will write zeros to all disks, reinstall the operating system and all Darktrace software components to return the Appliance to an as-new
state. Consequently, this process will take considerably longer than the standard Delete function and requires a reset code provided by
a Darktrace representative and exchanged via a secure channel (such as text message or the Darktrace Customer Portal).

Before proceeding with a factory reset, unplug all analysis port cables (management and RMM cables can remain plugged in).

1. Access the appliance console.


From the main menu, select 3. Appliance Admin, then 10. Reset
appliance.

2. Select 2. Factory reset and select ‘OK’.

3. A prompt will appear with a warning message.


Confirm ‘Yes’; if you wish to proceed.
‘No’ will cancel the process and no changes will be made.

4. Another warning prompt will require that you reconfirm your


decision to restore the appliance to factory settings.
Select ‘Yes’ again to confirm your choice.

5. The appliance will now request a reset unlock code.


Enter the factory reset unlock code provided by Darktrace and
confirm OK.

6. During the first part of the process, the following message will
appear on the screen:
“Initiating factory reset. The appliance will reset upon success. This
can take a long time, please wait. After reboot, consult the monitor
screen to view the progress of the factory reset.”
Do not interrupt the process or the appliance may be left in an
irrecoverable state.

7. After rebooting the appliance, the terminal will display the


progress of the wipe.
This progress will periodically update.

8. Once the wipe is complete, the terminal will show the following
message on the screen:
“Completed Wipe. Starting Setup.”
After completing the setup the appliance will reboot one further
time, at which point the process will be complete.
US: +1 415 229 9100 UK: +44 (0) 1223 394 100 LATAM: +55 11 97242 2011 APAC: +65 6804 5010 info@darktrace.com darktrace.com