How to configure DarkTrace to send logs to CYBERQUEST server

Darktrace is a network traffic analyzing tool that delivers notification events to downstream systems. The collector can be configured to capture these notification events and generate investigations around them.

Before you begin

You must configure Darktrace to send syslog to the CYBERQUEST Server. You must be a Darktrace administrator with access to the user interface.

To configure syslog forwarding for Darktrace, please follow the steps bellow:

1) Log in to Darktrace interface

2) Expand top left menu and select Admin, a second menu appears

3) Select System Config page

4) In Alerting section, click on Verify Alert Settings

5) In JSON Syslog Alerts, set field to True

6) Set syslog server to CYBERQUEST Server’s IP address

7) Set a port 5140 UDP to use with the CYBERQUEST event source

8) Set JSON Syslog TCP Alerts to True

How to Configure This Event Source

1) From your dashboard, select Data Collection on the left-hand menu

2) When Data Collection page appears, click on Setup Event Source drop-down and pick Add Event Source

3) From Third Party Alerts section, click the Darktrace icon

4) Add Event Source panel appears

5) Choose your collector and event source (you can also name your event source)

6) Optionally send unfiltered logs

7) Enter the port you chose in the Darktrace interface

8) Select TCP as your protocol

9) Click Save

Verify the configuration

After you configure the event source, you can send a test alert from Darktrace to verify everything is working properly.

To send a test alert, please follow the steps bellow:

1) Return to Darktrace interface

2) Expand top left menu and select Admin, a second menu appears

3) Select System Config page

4) In the Alerting section, click on Verify Alert Settings

5) 1 Alert Sent. IMAP settings valid message appears