Document toolboxDocument toolbox

Darktrace

Owned by Jonas Gonzalez
Last updated: Nov 29, 2024
5 min read
[ 1 Connect Darktrace with Devo SOAR ] [ 2 Actions for Darktrace ] [ 2.1 Acknowledge Event ] [ 2.1.1 Input Field ] [ 2.1.2 Output ] [ 2.2 Unacknowledge Event ] [ 2.2.1 Input Field ] [ 2.2.2 Output ] [ 2.3 Search/List Models ] [ 2.3.1 Input Field ] [ 2.3.2 Output ] [ 2.4 Search Model Breaches ] [ 2.4.1 Input Field ] [ 2.4.2 Output ] [ 2.5 Breach ID Details ] [ 2.5.1 Input Field ] [ 2.5.2 Output ] [ 2.6 Post Intelfeed List ] [ 2.6.1 Input Field ] [ 2.6.2 Output ] [ 3 Release Notes ]

Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within an organization. It then employs correlation techniques to classify and cross-reference these models, establishing a highly accurate understanding of 'normal activity' within that particular environment.

Connect Darktrace with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for Darktrace.

  3. Click Details, then the + icon. Enter the required information in the following fields.

  4. Label: Enter a connection name.

  5. Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

  6. Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).

  7. Remote Agent: Run this integration using the Devo SOAR Remote Agent.

  8. URL: URL to your Darktrace instance. Example: https://xxx-xxx.cloud.darktrace.com.

  9. Public API Key/Token: Public API key/token for Darktrace.

  10. Private API Key/Token: Private API key/token for Darktrace.

  11. After you've entered all the details, click Connect.

Actions for Darktrace

Acknowledge Event

Acknowledge a model breach.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Breach ID

Select a column that contains a value for Breach ID (pbid).

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • response: SUCCESS

Unacknowledge Event

Unacknowledge a model breach.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Breach ID

Select column that contains a value for Breach ID (pbid).

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • response: SUCCESS

Search/List Models

Searches by Name or Lists all models defined.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Search String

Search String to filter defined models. All models will be listed if left empty. Case-insensitive contains match is done.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other JSON fields of each model

Search Model Breaches

Returns additional details for model breaches. Has a lot of filter options. Shows a maximum of 100 results if no filters are used.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Model UUID

Select column that contains value for Model UUID (UUID). Applying this filter will only return model breaches for the specified model.

Optional

Model ID

Select column that contains a value for Model ID (pid). Applying this filter will only return model breaches for the specified model.

Optional

Breach ID

Select column that contains a value for Breach ID (pbid).

Optional

Device ID

Select column that contains a value for the Identification number of a device (did).

Optional

Start Time

Start time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-01T01:00:00'.

Optional

End Time

End time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-02T01:00:00'.

Optional

Minimum Score

Return only breaches with a minimum score. Example: 0.1.

Optional

Result Format: Device At Top

Select True/False (default is True). This will return the device JSON object as a value of the top-level object rather than within each matched component.

Optional

Result Format: Expand Enums

Select True/False (default is False). This will expand numeric enumerated types to their descriptive string representation.

Optional

Result Format: Historic Model Only

Select True/False (default is False). This will return the JSON for the historic version of the model details only, rather than both the historic and current definition.

Optional

Result Format: Include acknowledged breaches

Select True/False (default is False). This will include acknowledged breaches in the data.

Optional

Result Format: Include Breach URL

Select True/False (default is False). This will return a URL for the model breach in the long form of the model breach data, this requires that the FQDN configuration parameter is set.

Optional

Result Format: Minimal

Select True/False (default is False). This will reduce the amount of data returned for the API call.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other JSON fields of each model breach

Breach ID Details

List connections and events for a Breach ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Breach ID

Select column that contains a value for Breach ID (pbid).

Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other JSON fields of Breach ID details

Post Intelfeed List

It is the programmatic way to access Watched Domains, a list of domains, IPs and hostnames utilized by the Darktrace system, Darktrace Inoculation and STIXX/TAXII integration to create model breaches.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name

Description

Required

Input Name

Description

Required

Source

Jinja-templated text containing the source of the watched domains.

Required

Description

Jinja-templated text containing the description for the entries to be added. The description must be under 256 characters

Required

Entry

Jinja-templated text containing the value of the external domain, hostname or IP address. For example: 'www.example.com'.

Required

Expiry

Jinja-templated text containing the expiration time for added items. For example: 1587448800000.

Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other JSON fields of each model breach

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

  • v1.1.2 - Added expiry optional field in Post Intelfeed List action.

  • v1.1.1 - Query big fix in Post Intelfeed List action.

  • v1.1.0 - Added new action - Post Intelfeed List