Darktrace threat visualizer

Author: B | 2025-04-24



The Darktrace app for ServiceNow integrates with the Darktrace Threat Visualizer to receive Model Breaches. Users can investigate and acknowledge breaches within ServiceNow or pivot to the Darktrace Threat Visualizer for further analysis if desired. (by Darktrace Holdings Limited)


ThreatVisualizerUserInterfaceGuide.pdf - Darktrace Threat Visualizer

Darktrace Threat Visualizer USER GUIDE v5.1

CONTENTS

- Visual Threat Investigation: Looking Around the Network; Focusing the View; Investigating Alerts; Investigating SaaS Alerts
- The Model Editor: Using the Model Editor; Understanding a Model; Making a New Model
- Darktrace Antigena: Antigena SaaS; Antigena Network; Universal Antigena Elements; Alternative Approaches
- Advanced Features: Advanced Search; Threat Intelligence
- The Mobile App, The SaaS Console and Administration: Getting Started; Cyber AI Analyst; Devices and Models; The Dashboard; Other Views and Settings
- Appendix: Profiles; Other Features; Model Editor

Introduction

DARKTRACE THREAT VISUALIZER

Next generation threat detection is about more than simply finding what you can conceive of in advance; it is about implicitly understanding what you, as a security professional, need to know about. Darktrace’s threat detection capability uses a self-learning approach. Instead of trying to predefine what ‘bad’ looks like, Darktrace builds an evolving understanding of an organization’s ‘pattern of life’ (or ‘self’), spotting very subtle changes in behavior as they occur, to enable rapid investigation and response to in-progress attacks.

Darktrace’s Threat Visualizer is a powerful tool for intuitive visual storytelling alongside rich data that can be used to identify and investigate potential emerging threats as they develop. This document is intended to help Darktrace users get the best possible results from the Threat Visualizer.

CHAPTER 1 - VISUAL THREAT INVESTIGATION

- Looking Around the Network: Suggested Workflows for Investigating an Alert; Logging into the Threat Visualizer for the First Time; Getting Started with the Threat Visualizer; Main Menu Guide; Viewing the Network; Expanding a Subnet; Viewing a Device
- Focusing the View: Device Options; Omnisearch; External Sites Summary; Working with Time; Adjusting the Time Range
- Investigating Alerts: Understanding the Threat Tray; Cyber AI Analyst; Triggered AI Analyst Investigations; Cyber AI Analyst Incidents; Details of Cyber AI Analyst Incident Event; Viewing a Model Breach; Exploring the Model Breach Event Log; Understanding the Device Event Log
- Investigating SaaS Alerts: External Sites Summary for SaaS and Cloud; Device Summary for SaaS and Cloud; Device Event Log for SaaS and Cloud

Suggested Workflows for Investigating an Alert

WHERE TO START

Exploring behavior can be useful for improving the understanding of what is truly happening in the digital business and how it is all interconnected. Cyber AI Analyst will review and investigate all Model Breaches that occur on the system as a starting point for its analysis process. It will then form incidents (a collection of one or more related events) centered around a device. Incidents involving multiple devices will be classified as ‘cross-network’.

There are five primary ways in which analyst teams can begin seeing and reacting to identified alerts or incidents produced by Darktrace:

1. The Cyber AI Analyst automatically analyzes, investigates and triages all model breaches on your network. The incidents it creates give


Darktrace Threat Visualizer User Guide

Your organization’s SSO system, click the Login Via SSO button, and log into your SSO system as standard. You will then be redirected to the Threat Visualizer after a successful login.

When logging in for the first time, a customer license agreement screen will be displayed. Read the terms carefully and agree to proceed. For cloud-based instances of the Threat Visualizer, or environments where 2FA has been enabled by an administrator, a QR code will be displayed on first access. Scan this QR code with your preferred multi-factor authentication app, such as Google Authenticator or Duo Security. After login, the Threat Visualizer home screen will be displayed.

Please note, the minimum supported browsers for the Darktrace Threat Visualizer application are Chrome 60, Firefox 55 and Safari 11.1.

Getting Started with the Threat Visualizer

THREAT VISUALIZER HOME SCREEN

After logging in, the Threat Visualizer home screen will be displayed. The summary of subnets and devices is a quick way to understand your network and spot any trend changes. Notice that the Threat Visualizer automatically tries to detect the type of devices, such as servers and clients.

“Patterns of Life” represents the number of unique connections between devices. Connections include every separate pattern of interaction with a device, such as individual logins and access to network shares or file systems. Typically, there are approximately two hundred connections for every device on a network.

The graph on the left-hand side of the UI represents the bandwidth per hour for the entire network being captured by Darktrace. The UI elements drawn on the right-hand side of the page when viewing networks and devices provide summaries of the types of behavior occurring, and can be clicked to become filters, e.g. to show only RDP traffic, only external traffic or only unusual behavior.

1. Home button (returns you to this screen)
2. Main menu
3. Search box
4. Special purpose networks: Link Local Traffic, Internal Multicast Traffic, External Multicast Traffic, Broadcast Traffic, Internal Traffic, SaaS providers
5. Subnets identified and grouped by location where known
6. Time selector
7. Status, including the number of Devices, Credentials and Networks being modeled, data and mathematical processing volumes, and Antigena status
8. Threat tray and filters
9. Sensitivity slider

Main Menu Guide

The Darktrace Main Menu offers an instant way to get to the main features within the UI. Clicking on the menu icon in the top left will display all available options. These will change depending on the user and the permissions granted to them.

ADVANCED SEARCH
Opens a new browser tab to Darktrace Advanced Search. Refer to Darktrace Advanced Search for more information.

TAGS
The Threat Visualizer supports a flexible label system called Tags to allow analysts to rapidly label and refer to groups of devices within the platform. One use case for this feature is to enable monitoring of high-risk users or devices, such as departing employees or key assets. Refer to Adding and Reviewing Tags for more information.

EMAIL CONSOLE

Darktrace Threat Visualizer - Sekoia.io Documentation

In your hands to action and remediate those threats, autonomously or with human oversight. Each component offers a combination of autonomous, semi-autonomous, manual and triggered actions.

The Antigena framework works with models: when a model breach occurs, the system can be configured to take a range of automatic actions in response, or to recommend actions for human confirmation or later review. A range of options exist within the platform to configure the operation of Antigena and tailor it to individual requirements. A fully comprehensive user guide for the Antigena Email system is made available separately.

ANTIGENA NETWORK

The Antigena Network component applies the Cyber AI framework to physical and cloud network devices by controlling connectivity. This control ranges from interrupting communications between distinct endpoint/port combinations up to complete quarantine; actions are proportional to the threat and may be escalated if granular blocks are not sufficient. Response can be performed through integration with a number of popular firewalls or by Darktrace virtual sensors such as vSensors and osSensors (both agent and dockerized), ensuring it extends to the farthest reaches of the cloud environment.

ANTIGENA SAAS

Antigena SaaS is an extension of the Cyber AI framework. Where anomalous behavior in a third-party SaaS platform begins to escalate, Darktrace SaaS and Cloud Security Modules can step in and utilize access policies and administrative tools to control the account and sever the malicious actor’s access. The suite of actions differs between each platform; autonomous response is currently available for the Office 365, Okta and Zoom modules and will be continually expanded over future software updates.

ANTIGENA LAMBDA

Where Antigena SaaS offers carefully curated inhibitors selected by Darktrace, Antigena Lambda instead opens the Antigena framework to allow the creation of custom actions through invoked AWS Lambda functions. Through this powerful, flexible tool, Darktrace anomaly detection can be used to drive any action and response desired.

Reviewing Antigena Actions

THE ANTIGENA ACTIONS PAGE

The Antigena Actions window lists all current and expired Antigena Actions. Actions from Antigena Network and Antigena SaaS will appear in this window, with each Antigena component in a new tab. The types of action shown will differ depending on where the Antigena Actions page was accessed from and which Antigena components are installed on the system. Antigena Actions is only available to users with the Antigena permission.

Threat Visualizer OVERVIEW

In the Threat Visualizer interface, Antigena Actions is accessible from the main menu (Antigena Actions) or filtered on a specific device from the Antigena Actions icon in the Omnisearch bar. The page is broken down into sections reflecting the status of the action and optional filters.

Pending Actions: Indicates Antigena Actions that have not yet been approved by a human operator. When there are pending Antigena Network or SaaS actions, a notification will appear above the threat tray in the Threat Visualizer. A notification will also appear in the SaaS Console threat tray for pending SaaS actions only.

Active Actions: Displays current Antigena Actions which are in.

The Darktrace Mobile App is a brand new way to experience the Darktrace Threat Visualizer and benefit from the unparalleled threat detection and visibility that Darktraces

Darktrace Threat Visualizer Essentials - Credly

Historical attack data, a priori assumptions, or lists of CVEs. Instead, it learns ‘on the job’ to evolve alongside IVAR’s dynamic and constantly changing workforce and workloads. Protocol and technology agnostic, Darktrace provides holistic and unified defense across IT, OT, and IoT infrastructure in an entirely autonomous capacity.

Security workflows have also been drastically streamlined with Darktrace’s Cyber AI Analyst, which automatically triages, interprets, and reports on the full scope of security incidents. By auto-generating Incident Reports, the team is able to take action on threats as soon as they emerge. Reducing time to triage by up to 92%, Cyber AI Analyst augments human teams, allowing IVAR to focus its time and expertise where it really matters.

Illumination across the entire cyber-physical ecosystem

Darktrace has been vital in spotting sophisticated threats across IVAR’s digital ecosystem that other tools missed. According to Massimo Moimare, CIO of IVAR, "Darktrace is able to illuminate a beacon of potentially critical events regardless of whether they relate to threats already known or attack attempts never seen before in the wild."

The team gained value from Darktrace immediately. Less than an hour after Darktrace was deployed, IVAR obtained unparalleled visibility through the Threat Visualizer, Darktrace’s award-winning user interface. The Threat Visualizer is comprehensive: the security team can trace specific activity and users across time, replaying historical incidents at any level of detail. Providing both a high-level overview of the digital ecosystem as well as a more granular understanding at the subnet, user, and device level, the Threat Visualizer

See the Unseen: DarkTrace Threat Visualizer with Comport

About every email that comes through, every link that gets clicked on, every website that could be corrupted or their endpoint protection. “With Darktrace, I am now confident that if there’s an unusual flow of data or unusual access of data is in process anywhere on our network, I’ll get that notification and have the opportunity to review it,” said Kozik.

Comprehensive visibility and protection

Darktrace gave Kozik the opportunity to try Darktrace / NETWORK for three months before making a commitment. “Having a chance to work with the system within our own network was a game changer. I was incredibly impressed they were willing to put such an advanced appliance into my network that delivered immediate results. That built a huge sense of trust and respect.”

He was especially impressed with the comprehensive visibility Darktrace gave him across his entire network with just the click of a button. “With the Darktrace Threat Visualizer, I could see all of our endpoint connections, all of the data flowing into and outside of our firewalls and VPNs, and I could immediately identify if there was an issue that needs to be investigated.”

Darktrace monitors all of the data flowing in and out of Heartland’s computer-aided dispatch system. If it detects unusual behavior, Kozik can quickly investigate using the Threat Visualizer and take action before it impacts dispatchers.

Expertise and investment in innovation

Darktrace’s industry expertise and dedication to advancing innovative technology also played a role in Heartland’s decision to choose Darktrace / NETWORK. Founded

Darktrace Threat Visualizer: User Guide V5.2

A concise summary and actionable steps to investigate any detected threats further.
2. A “threat tray” is shown at the bottom of the 3D Threat Visualizer interface in most screens and will be displayed on login. The 3D Threat Visualizer enables deep investigation of behaviors.
3. A Dynamic Threat Dashboard triage screen (accessible from the menu at the top left of the home screen). This screen is intended for extremely rapid triage with a minimum of interaction. Note that it will scroll through incidents if left unattended, which can be useful on SOC TV display screens.
4. A simplified SOC dashboard triage screen is available via the Darktrace mobile app.
5. Automated alerts may be exported into SIEMs or via API to other SOC systems and will include a link back to the incident data in the Threat Visualizer.

Organizations with one or more Darktrace Security Modules can utilize the SaaS Console for triage and analysis. This specialized interface is focused on the investigation of incidents within SaaS and Cloud environments. For more information, please see Getting Started with the SaaS Console.

SUGGESTED WORKFLOW FROM A CYBER AI ANALYST INCIDENT

The Cyber AI Analyst, with its global network awareness and machine-speed investigation time, performs the heavy lifting of the analysis process.

1. Log into the Threat Visualizer and click the Cyber AI Analyst icon in the Threat Tray, or open the AI Analyst tab on the Darktrace mobile app. Review the incidents it has created.
2. Select the most severe incident, or the most interesting to you based on your knowledge of the business and network setup. Review the summary created by Cyber AI Analyst to quickly understand what each incident may involve.
3. Review the summary of each event within the incident and understand how the events relate chronologically using the activity-over-time visualization. On the mobile app, read the incident overview and swipe between the events.
4. Scan the detailed event information to gauge the involved connections and review the related anomalies. Confirm whether AI Analyst is currently processing any further breaches for the device. Optionally check the attack stages that AI Analyst has derived for each event.
5. If the activity of interest relates directly to a model breach, investigate the breach log.
6. Check the Actions section to see if Antigena Network blocked the associated activity. Follow up the suggestions made by AI Analyst to resolve the incident.
7. Optionally create a PDF report describing the events.
8. Acknowledge each event as the investigation is concluded, or acknowledge the entire incident if resolved.

SUGGESTED WORKFLOW FROM A MODEL BREACH

When investigating an alert, a typical workflow will involve starting with summary information. This is shown by default in the Dynamic Threat Dashboard, or can be seen by clicking the eye icon. The analyst is not swamped with too much to deal with all at once, which lets you triage quickly whether the anomaly is worthy of further review. You can then visually play back the behavior and event information, drilling down into increasing levels of detail,

Deploying Darktrace Client Sensors: Threat Visualizer

Refer to Executive Threat Reports for more information.

Provides all configuration settings for the Darktrace Threat Visualizer application, including Antigena settings and authentication for SaaS security modules. Alerting options can be configured here.

USER ADMIN
User permissions can be set on a per-user basis. See the Guide to User Privileges or the Darktrace System Administration guide for a full list of user permissions.

GROUP ADMIN
Users can be sorted into groups to assign network visibility and permissions. For groups created via LDAP or SAML SSO, permissions can be controlled here.

PERMISSIONS
Users who have created other users (and therefore ‘own’ them) can review their permissions here in a read-only format. The “admin” user can also review permissions for users created via LDAP and SAML SSO on this page.

INTEL

TRUSTED DOMAINS
Trusted domains are endpoints which Darktrace will consider as 0% rare; this feature ensures that models relying on domain rarity will not fire for activities involving common domains. A default, editable list is provided. See Trusted Domains for more details.

WATCHED DOMAINS
Watched domains are endpoints which trigger automatic model breaches if observed in connectivity. The list is not populated by default but may be added to by TAXII feeds, Darktrace Inoculation, via the Threat Visualizer API or by manual edits. See Watched Domains for more details.

TAXII CONFIG
Permits the ingestion of internal or third-party TAXII feeds and STIX files. The last 10,000 observables ingested can be reviewed, whether derived from stand-alone files, subscribed TAXII collections or Darktrace Inoculation. See TAXII Config for more details.

DYNAMIC THREAT DASHBOARD
The Discovery View provides an easy left-to-right dashboard to investigate an incident down to the connections that caused the alert to fire. Refer to Dynamic Threat Dashboard for more information.

API HELP
Provides a link to the Threat Visualizer API documentation hosted on the Darktrace Customer Portal.

EXPLORE

EXPLORE SUBNETS

ACCOUNT SETTINGS
Change settings for your own account, including default color-coding in the event log, log details font size, orientation of the threat tray controls, changing password, enabling Accessibility Mode, ability to move the camera, AI Analyst language settings and whether or not the world map display zooms into a subnet.

UTILITIES

- JS Beautifier: Tool for ‘beautifying’ JavaScript to increase readability.
- Epoch Converter: Converts epoch time in seconds since 1st Jan 1970 (as seen in Advanced Search) to normal time.
- Punycode Convertor: Enter text in the top window to convert it to Punycode; enter Punycode in the bottom window to convert it to text. Punycode is used in DNS to encode Unicode international domain names (IDN) into ASCII. It can be identified because it always starts with ‘xn--’.
- RegEx Tester: Enter a RegEx in the top bar and an example string to test it against in the bottom bar. If the string matches the RegEx, the bottom box’s border turns green; otherwise it remains white/yellow.
- Base64 Convertor: Enter text to be decoded or encoded using Base64.


Darktrace Threat Visualizer User Guide - PDFCOFFEE.COM

And Reviewing Tags) as well as a checkbox next to each device. To apply the tag to all devices on the page, check the top checkbox; otherwise, check the checkboxes one by one. To remove tags, click the tag you would like to remove and uncheck the box next to a device that is tagged. Click the link icon to open the Threat Visualizer centered on the specific device.

VIEWING SUBNET ADMIN

Subnet Admin can be accessed from the main menu under Admin. The Subnet Admin page provides a catalog of the current subnets being modeled in your environment. Every field is customizable, which allows for enrichment of investigations and better usage of the tool.

MODIFYING SUBNETS

- The label of a subnet can be used to provide a nickname to a device; this will show up throughout Darktrace’s Threat Visualizer. For more information about labelling subnets, please see Labelling Subnets and Devices or the System Administration guide.
- The network field is where a user can change the subnet size, for example from a /24 to a /25. This may change if DHCP traffic reveals a more accurate subnet mask or if there is a successful TCP connection to the broadcast IP of the subnet.
- The location of the subnet can be changed by providing the latitude and longitude, altering where the subnet is displayed on the home screen of the Threat Visualizer.
- The DHCP field is used to specify whether the Darktrace system should expect to see DHCP.
- Hostname and Credentials control the type of device tracking assigned to that subnet. Please see Hostname Tracking and Credentials Tracking or the System Administration guide for more details.

The System Status Page

The System Status page contains detailed information about the health and scope of your Darktrace Enterprise Immune System deployment. Here, metrics on hardware utilization, throughput, software bundle versions, component health, and modeled devices can be monitored.

It is important to ensure every part of your deployment is running successfully and within specification, particularly when a deployment is new or the scope has been increased significantly. Unhealthy deployments, such as those which are overloaded, observing far too many connections for their specification, or with unreachable probes or components, will not experience the full benefits of network visibility and consistent monitoring.

SYSTEM ALERTS

System alerts keep operators informed of the health of the Darktrace instance and any changes in modeling, data, or the health of connected integrations and modules. When changes or errors occur, a “System Alerts” notification will also appear in the bottom right of the Threat Visualizer workspace, above the Threat Tray. This notification opens the System Alerts tab directly.

In the Threat Visualizer interface, the Status page is accessible from the main menu under Admin > System Status. From the SaaS Console interface, the Status page is available from the sidebar (“System Status”).

Alerts on the Status Page

System alerts are notifications about changes to the scope or

Darktrace Threat Visualizer - Freeit Data Solutions

Permissions level to Antigena. Once this is complete, immunity settings will appear against each account. The organization would like to ensure the IP 35.176.59.98 is not actioned in either tenancy. To do this, it must be added to Immune IP Addresses for both accounts.

To make a user immune, enter their username as it appears in the Darktrace Threat Visualizer or SaaS Console. Do not include the prefix. For example, SaaS::Office365: [email protected] would be entered as just [email protected].

- Immune IP Addresses are IP addresses that will not be blocked by actions that control access to the relevant SaaS platform, such as “Block IP”. This field will only appear if the SaaS Module can take IP-based actions. The field takes a comma-separated list of IPs or valid CIDR IP ranges.

When “Per Inhibitor Antigena” is enabled, immunity can also be set for specific actions. For example, a user could be eligible for lower severity actions like “Force Logout” but immune from more stringent actions like “Disable User”. These settings are in addition to the general Immune Users and Immune IP Addresses settings. Inhibitors will also differ between modules, as capabilities and appropriate actions vary between SaaS platforms.

Antigena Network Models

Darktrace Antigena Network expands Cyber AI response to devices by severing network connections, restricting access and quarantining devices by limiting their outbound connectivity. Actions can be taken when a device exhibits significantly anomalous behavior, when it contravenes a compliance policy, when a device attempts to access a specific watched endpoint, or on any other custom criteria defined in a model.

Unlike anomaly level, which is determined from behavior, risk profiles will vary across an organization’s network according to business requirements. You may wish some devices and users to be exempt from Antigena Actions, to restrict the actions to only match anomalies exhibiting certain behavior, or to apply actions automatically only at certain times of the day.

MODEL CATEGORIES

Antigena Network responses are triggered by model breaches within the Threat Visualizer. Antigena models look for specific behavior or for indicators triggered by other model breaches. Darktrace models are a series of logical statements and conditions which, if met, trigger an alert or action; models are primarily used to identify and alert on anomalous and potentially malicious behavior. The models framework leverages both the underlying ‘pattern of life’ detection and outputs from Darktrace Deep Packet Inspection and Security Modules.

When Antigena Network is enabled within your Darktrace environment, a new collection of models will become available: Antigena > Network. This collection contains specific Antigena Network models which are set to trigger on specific types of connection or activity and perform different actions depending on the incident identified.

REVIEWING THE ANTIGENA NETWORK MODELS

Open the Model Editor. In the Threat Visualizer interface, the Model Editor is accessible from the main menu under Models > Model Editor or from any breach log with the “Click to view model” button. From the left-hand model list, select the Antigena > Network folder. In.
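The immunity settings above are entered by hand, and a malformed CIDR range or a user name pasted with its module prefix is an easy mistake to make. The script below is an added example, not Darktrace code or part of the guide: it checks an Immune IP Addresses list and an Immune Users list the way the page describes them (comma-separated IPs or CIDR ranges; user names without the "SaaS::Office365: " style prefix) and reports whether a given address or user would be exempt from action. The helper names, the sample user names and the extra ranges are constructed for the example; only 35.176.59.98 comes from the page.

```python
"""Validate Antigena SaaS immunity settings before entering them in the UI.

Added example, not Darktrace code. It assumes only what the page states:
the Immune IP Addresses field takes a comma-separated list of IPs or CIDR
ranges, and immune user names are entered without the "SaaS::<Module>: "
prefix. Helper names and sample values below are constructed.
"""
import ipaddress
import re

# Constructed sample field contents. 35.176.59.98 is the page's own example
# IP; the user names and the other ranges are made up for this example.
IMMUNE_IPS_FIELD = "35.176.59.98, 10.0.0.0/8, 2001:db8::/32"
IMMUNE_USERS_FIELD = "SaaS::Office365: alice@example.com, bob@example.com"

# Matches the "SaaS::Office365: " style prefix that must not be entered.
PREFIX_RE = re.compile(r"^\s*SaaS::[A-Za-z0-9]+:\s*")


def parse_immune_ips(field: str) -> list:
    """Parse the Immune IP Addresses field into network objects.

    Single addresses become host networks (/32 or /128). An entry that is
    neither a valid IP nor a valid CIDR range raises ValueError, so a typo
    is caught before the setting is saved rather than silently ignored.
    """
    nets = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue  # tolerate a trailing comma
        # strict=False accepts ranges written with host bits set (10.1.2.3/8)
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def check_field(field: str) -> list:
    """Return the entries of an Immune IP Addresses field that are not valid."""
    bad = []
    for raw in field.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            bad.append(entry)
    return bad


def normalize_immune_users(field: str) -> list:
    """Return user names with any 'SaaS::<Module>: ' prefix removed."""
    users = []
    for raw in field.split(","):
        name = PREFIX_RE.sub("", raw).strip()
        if name:
            users.append(name)
    return users


def is_immune_ip(ip: str, nets) -> bool:
    """True if the address falls inside any configured immune IP or range."""
    addr = ipaddress.ip_address(ip)
    # membership is False across IPv4/IPv6, so mixing families is safe here
    return any(addr in net for net in nets)


def is_immune_user(username: str, users) -> bool:
    """Compare a user (with or without module prefix) against the immune list."""
    return PREFIX_RE.sub("", username).strip() in users


if __name__ == "__main__":
    nets = parse_immune_ips(IMMUNE_IPS_FIELD)
    users = normalize_immune_users(IMMUNE_USERS_FIELD)
    for target in ("35.176.59.98", "35.176.59.99", "10.200.1.1"):
        print(target, "immune" if is_immune_ip(target, nets) else "actionable")
    print("immune users:", users)
    print("invalid entries:", check_field("35.176.59.98, 10.0.0.0/8, not-an-ip"))
```

Run it before pasting a list into either tenancy: an empty result from `check_field` means every entry will be accepted as an IP or CIDR range, and `is_immune_ip` confirms that the address you intended to protect actually falls inside one of them.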

Darktrace Threat Visualizer security vulnerability (CVE- )

Box.

Unsync log from the Threat Visualizer time: You may have arrived at the device event log by investigating a device that previously breached a model, so the device event log and the main Threat Visualizer will show the same (past) time. Unsyncing the log means that you can change the time shown in the Threat Visualizer while still seeing the same data presented in the event log. When you click again to resync the log, it reverts to the time shown in the Threat Visualizer, if you have changed it.

Unsync log from the Threat Visualizer filters: If you are viewing a device in the main Threat Visualizer and have applied filters to show only certain types of activity from the right-hand side list (e.g., show only connections to port 443), the event log will by default apply these filters to the logs shown. Click this to remove or reapply the same filters as shown in the main Threat Visualizer.

Choose which type of events to show in the log (types of events that can be filtered out):

- Connections: indicated by a blue (outgoing) or red (incoming) arrow. A flashing arrow means the connection is ongoing.
- Unusual connections: based on Darktrace mathematical modeling.
- New connections: signaled in the same way as unusual connections, with a comment.
- Unusual activity: mathematically-based contextual information; not a model breach. The activity may be slightly unusual but not enough to generate a model breach, depending on how ‘sensitive’ the model is. Indicated by an orange circle.
- Model Breaches: indicated by a blue triangle.
- Notices: extra interesting contextual information about certain connections. Indicated by an ‘i’ sign.
- History: device history such as IP address or hostname changes, and different usernames.

Choose whether to show internal or external events in the log: Show only internal network events, only external events, or both.

View packet capture file for this device: See Creating Packet Captures.

Toggle incoming/outgoing events: Show only incoming connections, outgoing connections, or both.

ENTRY-SPECIFIC ACTIONS

Click on the caret-down triangle icon for a log entry to see a menu showing these event-related options.

Hide duplicate connections: Shows/hides repeated connections.

Show connections to common hostnames: Common hostnames are determined based on what this network’s devices typically connect to.

Color-code events by their properties: Color-code the event log lines by the specific filter. Doing so will add additional details after the event line. For example, coloring by port will add the port in square brackets (e.g. [443]); coloring by application protocol will add this information instead, e.g. [DHCP]. Default color coding is controlled in each user’s account settings. The SaaS Device Event Log has special filter options; see Device Event Log for SaaS and Cloud.

Highlight connections that transferred more than a certain amount of data: Filter on the amount of data transferred.

Hide/show connection descriptions: Hides/shows the interesting contextual descriptions.

View advanced search for this device: Opens a new browser tab to Darktrace advanced

Comments

User8671

Darktrace Threat Visualizer USER GUIDE v5.1 CONTENTS Visual Threat Investigation 4 The Model Editor LOOKING AROUND THE NETWORK USING THE MODEL EDITOR FOCUSING THE VIEW UNDERSTANDING A MODEL INVESTIGATING ALERTS MAKING A NEW MODEL INVESTIGATING SAAS ALERTS Darktrace Antigena Advanced Features 43 ANTIGENA SAAS ADVANCED SEARCH ANTIGENA NETWORK THREAT INTELLIGENCE The Mobile App The SaaS Console 77 120 UNIVERSAL ANTIGENA ELEMENTS ALTERNATIVE APPROACHES ADMINISTRATION 97 141 GETTING STARTED CYBER AI ANALYST GETTING STARTED DEVICES AND MODELS THE DASHBOARD OTHER VIEWS AND SETTINGS CYBER AI ANALYST Appendix151 PROFILES OTHER FEATURES MODEL EDITOR Introduction DARKTRACE THREAT VISUALIZER Next generation threat detection is about more than simply finding what you can conceive of in advance – it is about implicitly understanding what you, as a security professional, need to know about. Darktrace’s threat detection capability uses a self-learning approach. Instead of trying to predefine what ‘bad’ looks like, Darktrace builds an evolving understanding of an organization’s ‘pattern of life’ (or ‘self’), spotting very subtle changes in behaviors, as they occur to enable rapid investigation and response to in-progress attacks. Darktrace’s Threat Visualizer is a powerful tool for intuitive visual storytelling alongside rich data that can be used to identify and investigate potential emerging threats as they develop. This document is intended to help Darktrace users get the best possible results from the Threat Visualizer. 
CHAPTER 1 - VISUAL THREAT INVESTIGATION

Looking Around the Network: SUGGESTED WORKFLOWS FOR INVESTIGATING AN ALERT; LOGGING INTO THE THREAT VISUALIZER FOR THE FIRST TIME; GETTING STARTED WITH THE THREAT VISUALIZER; MAIN MENU GUIDE; VIEWING THE NETWORK; EXPANDING A SUBNET; VIEWING A DEVICE

Focusing the View: DEVICE OPTIONS; OMNISEARCH; EXTERNAL SITES SUMMARY; WORKING WITH TIME; ADJUSTING THE TIME RANGE

Investigating Alerts: UNDERSTANDING THE THREAT TRAY; CYBER AI ANALYST; TRIGGERED AI ANALYST INVESTIGATIONS; CYBER AI ANALYST INCIDENTS; DETAILS OF CYBER AI ANALYST INCIDENT EVENT; VIEWING A MODEL BREACH; EXPLORING THE MODEL BREACH EVENT LOG; UNDERSTANDING THE DEVICE EVENT LOG

Investigating SaaS Alerts: EXTERNAL SITES SUMMARY FOR SAAS AND CLOUD; DEVICE SUMMARY FOR SAAS AND CLOUD; DEVICE EVENT LOG FOR SAAS AND CLOUD

Suggested Workflows for Investigating an Alert

WHERE TO START
SUGGESTED WORKFLOW FROM A CYBER AI ANALYST INCIDENT

Exploring behavior can be useful for improving the understanding of what is truly happening in the digital business and how it is all interconnected. Cyber AI Analyst will review and investigate all Model Breaches that occur on the system as a starting point for its analysis process. It will then form incidents - a collection of one or more related events - centered around a device. Incidents involving multiple devices will be classified as ‘cross-network’.

There are five primary ways in which analyst teams can begin seeing and reacting to identified alerts or incidents produced by Darktrace:

1. The Cyber AI Analyst automatically analyzes, investigates and triages all model breaches on your network. The incidents it creates give

2025-04-10
User1655

Your organization’s SSO system, click the Login Via SSO button, and log into your SSO system as standard. You will then be redirected to the Threat Visualizer after a successful login. When logging in for the first time, a customer license agreement screen will be displayed. Read the terms carefully and agree to proceed. For cloud based instances of the Threat Visualizer, or environments where 2FA has been enabled by an administrator, a QR code will be displayed on first access. Please scan this QR code with your preferred multi-factor authentication app such as Google Authenticator or Duo Security. After login, the Threat Visualizer home screen will be displayed. Please note, the minimum supported browsers to access the Darktrace Threat Visualizer application are Chrome 60, Firefox 55, Safari 11.1.

Getting Started with the Threat Visualizer

THREAT VISUALIZER HOME SCREEN

After logging in, the Threat Visualizer home screen will be displayed. The summary of subnets and devices is a quick way to understand your network and spot any trend changes. Notice the Threat Visualizer automatically tries to detect the type of devices, such as servers and clients. “Patterns of Life” represents the number of unique connections between devices. Connections include every separate pattern interaction with a device such as individual logins and access to network shares of file systems. Typically, there are approximately two hundred connections for every device on a network. The graph, on the left-hand side of the UI, represents the bandwidth per hour for the entire network being captured by Darktrace. The UI elements drawn on the right-hand side of the page when viewing networks and devices provide summaries of the types of behavior occurring, and can be clicked to become filters e.g. to show only RDP traffic or external traffic or unusual behavior.

1. Home button (returns you to this screen)
2. Main menu
3. Search box
4. Special purpose networks: Link Local Traffic, Internal Multicast Traffic, External Multicast Traffic, Broadcast Traffic, Internal Traffic, SaaS providers
5. Subnets identified and grouped by location where known
6. Time selector
7. Status including number of Devices, Credentials and Networks being modeled. Data and mathematical processing volumes. Antigena status.
8. Threat tray and filters
9. Sensitivity slider

Main Menu Guide

The Darktrace Main Menu offers an instant way to get to the main features within the UI. Clicking on the menu icon in the top left will display all available options. These will change depending on the user and the permissions granted to them.

ADVANCED SEARCH
Opens a new browser tab to Darktrace advanced search. Refer to Darktrace Advanced Search for more information.

TAGS
The Threat Visualizer supports a flexible label system called Tags to allow analysts to be able to rapidly label and refer to groups of devices within the platform. One use case for this feature is to enable monitoring of high-risk users or devices such as departing employees or key assets. Refer to Adding and Reviewing Tags for more information.

EMAIL CONSOLE

2025-04-12
User2723

Historical attack data, a priori assumptions, or lists of CVEs. Instead, it learns 'on the job' to evolve alongside IVAR's dynamic and constantly changing workforce and workloads.

Protocol and technology agnostic, Darktrace provides holistic and unified defense across IT, OT, and IoT infrastructure in an entirely autonomous capacity. Security workflows have also been drastically streamlined with Darktrace's Cyber AI Analyst, which automatically triages, interprets, and reports on the full scope of security incidents. By auto-generating Incident Reports, the team is able to take action on threats as soon as they emerge. Reducing time to triage by up to 92%, Cyber AI Analyst augments human teams – allowing IVAR to focus its time and expertise where it really matters.

Illumination across the entire cyber-physical ecosystem

Darktrace has been vital in spotting sophisticated threats across IVAR's digital ecosystem that other tools missed. According to Massimo Moimare, CIO of IVAR, "Darktrace is able to illuminate a beacon of potentially critical events regardless of whether they relate to threats already known or attack attempts never seen before in the wild."

The team gained value from Darktrace immediately. Less than an hour after Darktrace was deployed, IVAR obtained unparalleled visibility through the Threat Visualizer, Darktrace's award-winning user interface. The Threat Visualizer is comprehensive: the security team can trace specific activity and users across time, replaying historical incidents at any level of detail.

Providing both a high-level overview of the digital ecosystem as well as a more granular understanding at the subnet, user, and device level, the Threat Visualizer

2025-04-01
User9187

About every email that comes through, every link that gets clicked on, every website that could be corrupted or their endpoint protection. “With Darktrace, I am now confident that if there’s an unusual flow of data or unusual access of data is in process anywhere on our network, I’ll get that notification and have the opportunity to review it,” said Kozik.

Comprehensive visibility and protection

Darktrace gave Kozik the opportunity to try Darktrace / NETWORK for three months before making a commitment. “Having a chance to work with the system within our own network was a game changer. I was incredibly impressed they were willing to put such an advanced appliance into my network that delivered immediate results. That built a huge sense of trust and respect.” He was especially impressed with the comprehensive visibility Darktrace gave him across his entire network with just the click of a button. “With the Darktrace Threat Visualizer, I could see all of our endpoint connections, all of the data flowing into and outside of our firewalls and VPNs, and I could immediately identify if there was an issue that needs to be investigated.” Darktrace monitors all of the data flowing in and out of Heartland’s computer-aided dispatch system. If it detects unusual behavior, Kozik can quickly investigate using the Threat Visualizer and take action before it impacts dispatchers.

Expertise and investment in innovation

Darktrace’s industry expertise and dedication to advancing innovative technology also played a role in Heartland’s decision to choose Darktrace / NETWORK. Founded

2025-04-23
