Overview
This document describes the steps to integrate Darktrace with ADR SIEM, giving you comprehensive visibility and proactive threat detection in your environment. Logs are transferred from your firewall to the APE (Analytics and Policy Engine) via the CCE (Collection and Control Engine). The sections below walk you through configuring log forwarding and verifying that logs arrive.
Steps of configuration
- Log in to the Darktrace interface.
- Expand the top-left menu and select Admin; a second menu appears.
- Select the System Config page.

- In the Alerting section, click on Verify Alert Settings.
- Set JSON Syslog Alerts to True.

- Set Syslog server to the CCE server's IP address.
- Set the port to 514 UDP, the port used by the CQ event source.
- Set JSON Syslog TCP Alerts to True.
Reference link: Darktrace | InsightIDR Documentation
Verification
Verification can be done either from the CCE server or from the ADR UI.
Using the UI
- Log in to the UI with administrative rights and navigate to System >> Log/Flow Collection Status.

- Under Source Device IP, the device's IP address is listed along with the number of logs it has sent to the ADR servers.

Using CCE server
Run the following command on the CCE server to check whether syslog traffic on port 514 is arriving from the Darktrace appliance (replace <IP address> with the appliance's IP; the capture filter must name the port with "port", not "host", and the -A flag prints each packet's payload as ASCII so the JSON body is readable):
sudo tcpdump -i any -A port 514 and host <IP address>
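As an added example (not part of this article or of Darktrace or ADR), the following Python listener performs the same check without tcpdump: it binds UDP port 514 on the CCE host, counts datagrams from the configured Darktrace IP, and reports how many carry a well-formed syslog priority prefix and a parseable JSON body. The JSON layout in the comment is a constructed stand-in, not Darktrace's actual alert schema; run the listener only when no other collector is bound to the port.

```python
import json
import re
import socket
import sys
import time

# Syslog datagrams start with "<PRI>" (facility * 8 + severity) followed by
# a header and, for JSON Syslog Alerts, a JSON object as the message body.
_PRI_RE = re.compile(rb"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.DOTALL)


def parse_json_syslog(datagram: bytes) -> dict:
    """Return facility, severity and the decoded JSON body of one datagram.

    Raises ValueError when the <PRI> prefix or the JSON object is missing.
    """
    m = _PRI_RE.match(datagram)
    if not m:
        raise ValueError("missing syslog <PRI> prefix")
    pri = int(m.group("pri"))
    rest = m.group("rest")
    start = rest.find(b"{")  # skip the RFC 3164/5424 header up to the JSON body
    if start < 0:
        raise ValueError("no JSON object in message")
    body = json.loads(rest[start:].decode("utf-8"))
    return {"facility": pri // 8, "severity": pri % 8, "alert": body}


def receive_alerts(source_ip: str, port: int = 514, seconds: int = 30,
                   bind_ip: str = "0.0.0.0") -> dict:
    """Listen on UDP `port` (root needed for 514) and count alerts from `source_ip`."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    sock.settimeout(1.0)
    stats = {"received": 0, "parsed": 0, "other_sources": 0}
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            data, (addr, _) = sock.recvfrom(65535)
        except socket.timeout:
            continue
        if addr != source_ip:
            stats["other_sources"] += 1  # traffic from hosts other than Darktrace
            continue
        stats["received"] += 1
        try:
            parse_json_syslog(data)
            stats["parsed"] += 1
        except ValueError:
            pass  # received, but not a well-formed JSON syslog alert
    sock.close()
    return stats


if __name__ == "__main__":
    # Usage: sudo python3 check_darktrace_syslog.py <Darktrace IP>
    print(receive_alerts(sys.argv[1]))
```

A result with received > 0 but parsed == 0 means packets reach the CCE but JSON Syslog Alerts is not enabled or the payload is not JSON, which the tcpdump command alone would not distinguish.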