...
Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within an organization. It then employs correlation techniques to classify and cross-reference these models, establishing a highly accurate understanding of 'normal activity' within that particular environment.
Connect Darktrace with Devo SOAR
Navigate to Automations > Integrations.
Search for Darktrace.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
URL: URL to your Darktrace instance. Example: https://xxx-xxx.cloud.darktrace.com.
Public API Key/Token: Public API key/token for Darktrace.
Private API Key/Token: Private API key/token for Darktrace.
After you've entered all the details, click Connect.
Actions for Darktrace
Acknowledge Event
Acknowledge a model breach.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Breach ID | Select a column that contains a value for Breach ID (pbid). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
response: SUCCESS
...
Unacknowledge Event
Unacknowledge a model breach.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Breach ID | Select column that contains a value for Breach ID (pbid). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
response: SUCCESS
...
Search/List Models
Searches by Name or Lists all models defined.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Search String | Search String to filter defined models. All models will be listed if left empty. Case-insensitive contains match is done. | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other JSON fields of each model
...
Search Model Breaches
Returns additional details for model breaches. Has a lot of filter options. Shows a maximum of 100 results if no filters are used.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Model UUID | Select column that contains value for Model UUID (UUID). Applying this filter will only return model breaches for the specified model. | Optional |
Model ID | Select column that contains a value for Model ID (pid). Applying this filter will only return model breaches for the specified model. | Optional |
Breach ID | Select column that contains a value for Breach ID (pbid). | Optional |
Device ID | Select column that contains a value for the Identification number of a device (did). | Optional |
Start Time | Start time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-01T01:00:00'. | Optional |
End Time | End time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-02T01:00:00'. | Optional |
Minimum Score | Return only breaches with a minimum score. Example: 0.1. | Optional |
Result Format: Device At Top | Select True/False (default is True). This will return the device JSON object as a value of the top-level object rather than within each matched component. | Optional |
Result Format: Expand Enums | Select True/False (default is False). This will expand numeric enumerated types to their descriptive string representation. | Optional |
Result Format: Historic Model Only | Select True/False (default is False). This will return the JSON for the historic version of the model details only, rather than both the historic and current definition. | Optional |
Result Format: Include acknowledged breaches | Select True/False (default is False). This will include acknowledged breaches in the data. | Optional |
Result Format: Include Breach URL | Select True/False (default is False). This will return a URL for the model breach in the long form of the model breach data, this requires that the FQDN configuration parameter is set. | Optional |
Result Format: Minimal | Select True/False (default is False). This will reduce the amount of data returned for the API call. | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other JSON fields of each model breach
...
Breach ID Details
List connections and events for a Breach ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Breach ID | Select column that contains a value for Breach ID (pbid). | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other JSON fields of Breach ID details
...
Post Intelfeed List
It is the programmatic way to access Watched Domains, a list of domains, IPs and hostnames utilized by the Darktrace system, Darktrace Inoculation and STIXX/TAXII integration to create model breaches.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Source | Jinja-templated text containing the source of the watched domains. | Required |
Description | Jinja-templated text containing the description for the entries to be added. The description must be under 256 characters | Required |
Entry | Jinja-templated text containing the value of the external domain, hostname or IP address. For example: 'www.example.com'. | Required |
Expiry | Jinja-templated text containing the expiration time for added items. For example: 1587448800000. | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other JSON fields of each model breach
...
Release Notes
v2.0.0
- Updated architecture to support IO via filesystemv1.1.2
- Added expiry optional field inPost Intelfeed List
action.v1.1.1
- Query big fix inPost Intelfeed List
action.v1.1.0
- Added new action -Post Intelfeed List
...