Does this information look incorrect or out-of-date? Please contact us at support@socos.io.
Darktrace works by passively learning what 'normal' looks like across OT, IT and industrial IoT, allowing it to detect even the subtlest signals of emerging cyber-threats in real time, in both OT environments, such as SCADA systems, and IT networks.
Darktrace can be set to send alerts to a syslog target, which is what forwarding to SOC.OS requires. The settings are reached through Darktrace's System Config menu.
Under System Config, the Alerting section contains the full set of forwarding options.
To configure the forwarding:
- Set the dropdown for Advanced Options to True
- Set CEF Syslog Alerts to True
- Hit Enter. Changing the dropdown value alone won't make the extra fields appear, but pressing Enter should. If that doesn't work, put the cursor in a text entry field and hit Enter
- Enter the IP address of your syslog server into the CEF Syslog Server field and the port your listener is bound to into CEF Syslog Server Port. Hit Enter after each to make sure the value is taken
- Darktrace only forwards alerts that meet its priority and score thresholds, so to maximise what is forwarded to SOC.OS make sure Minimum Alert Priority and Score are both set to 1. Expect alert volume at the listener to rise accordingly.
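Once the fields above are saved, the quickest check is a listener on the configured port that accepts syslog lines, splits out the CEF header and extension, and prints what arrived. The following is an added example written for this page, not SOC.OS or Darktrace code. It assumes the appliance sends over UDP (switch to a stream socket if yours is set to TCP), and the sample messages, vendor/product strings and extension keys in it are constructed for illustration rather than taken from real Darktrace output.

```python
"""Syslog/CEF receiver for checking that Darktrace alert forwarding reaches
the listener configured in the steps above.

Added example for this page, not SOC.OS or Darktrace code. The sample
messages, vendor/product strings and extension keys below are constructed
and are assumptions about the shape of the output, not a record of what
the appliance actually emits.
"""
import re
import socket
import sys

HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
SYSLOG_PRI = re.compile(r"^<(\d{1,3})>")
# A CEF extension key sits at the start of the extension or after whitespace,
# directly followed by '='. An escaped '\=' inside a value never matches.
EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
EXT_ESCAPE = re.compile(r"\\([=\\rn])")


def split_header(body):
    """Split the seven '|'-delimited CEF header fields from the extension.

    Only the header uses the '\\|' and '\\\\' escapes; the extension (everything
    after the seventh unescaped '|') is returned untouched.
    """
    fields, buf, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            buf.append(body[i + 1])      # '\|' -> '|', '\\' -> '\'
            i += 2
        elif c == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    return fields, body[i:]


def parse_extension(ext):
    """Turn 'key=value key2=value with spaces' into a dict, unescaping values."""
    out = {}
    keys = list(EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = EXT_ESCAPE.sub(
            lambda e: {"r": "\r", "n": "\n"}.get(e.group(1), e.group(1)), raw)
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF event; None if it is not CEF."""
    pri = SYSLOG_PRI.match(line)
    start = line.find("CEF:")
    if start < 0:
        return None
    header, extension = split_header(line[start + len("CEF:"):])
    if len(header) != 7:
        return None
    event = dict(zip(HEADER_FIELDS, header))
    event["syslog_pri"] = int(pri.group(1)) if pri else None
    sev = event["severity"]
    # CEF severity is 0-10, or Low/Medium/High/Very-High; keep text as-is.
    event["severity"] = int(sev) if sev.isdigit() else sev
    event["extension"] = parse_extension(extension.strip())
    return event


def parse_lines(lines):
    """Parse a batch of syslog lines, dropping anything that is not CEF."""
    return [ev for ev in (parse_cef(l) for l in lines) if ev is not None]


def serve(host="0.0.0.0", port=514):
    """Receive UDP syslog and print each parsed CEF alert as it arrives."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    print(f"listening on {host}:{port}/udp", file=sys.stderr)
    while True:
        data, addr = sock.recvfrom(65535)
        for line in data.decode("utf-8", "replace").splitlines():
            ev = parse_cef(line)
            if ev is None:
                print(f"{addr[0]}: non-CEF line: {line!r}")
            else:
                print(f"{addr[0]}: sev={ev['severity']} {ev['name']} {ev['extension']}")


# Constructed sample messages in the general shape of syslog-wrapped CEF.
SAMPLES = [
    "<134>Oct 10 10:15:02 dt-appliance CEF:0|Darktrace|Example|1.0|100|"
    "Anomalous Connection / Data Sent to Rare Domain|4|"
    "src=10.1.2.3 dst=203.0.113.9 msg=score\\=82 outbound to rare host",
    "<131>Oct 10 10:15:03 dt-appliance CEF:0|Darktrace|Example|1.0|200|"
    "Device \\| Suspicious Activity|7|src=10.1.2.4 dpt=4444 proto=tcp",
    "<134>Oct 10 10:15:04 dt-appliance health check: no alert",
]

if __name__ == "__main__":
    for ev in parse_lines(SAMPLES):
        print(ev["severity"], ev["name"], ev["extension"])
    if len(sys.argv) > 1 and sys.argv[1] == "--listen":
        serve(port=int(sys.argv[2]) if len(sys.argv) > 2 else 514)
```

Run it with `--listen <port>` on the host entered as CEF Syslog Server; binding port 514 needs root, so a high port matching the CEF Syslog Server Port value is easier. The parser splits only the first seven unescaped pipes so that a `|` inside an extension value is left alone, and it locates extension keys by the unescaped `=` that follows them, which is what keeps a `\=` inside a message from being mistaken for a new key.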