Darktrace

Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within an organization. It then employs correlation techniques to classify and cross-reference these models, establishing a highly accurate understanding of 'normal activity' within that particular environment.

Integration with LogicHub

Connecting with Darktrace

To connect to Darktrace, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • URL: URL to your Darktrace instance. Example: https://xxx-xxx.cloud.darktrace.com.
  • Public API Key/Token: Public API key/token for Darktrace.
  • Private API Key/Token: Private API key/token for Darktrace.

Actions with Darktrace

Acknowledge Event

Acknowledge a model breach.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Breach ID: Select a column that contains a value for Breach ID (pbid).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • response: SUCCESS

Unacknowledge Event

Unacknowledge a model breach.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Breach ID: Select a column that contains a value for Breach ID (pbid).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • response: SUCCESS

Search/List Models

Searches for models by name, or lists all defined models.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Search String (Optional): String used to filter the defined models by name, using a case-insensitive substring match. All models are listed if left empty.

Output of Action
Multiple rows of JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other JSON fields of each model

Search Model Breaches

Returns additional details for model breaches. Several filters are available; if no filters are used, a maximum of 100 results is returned.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Model UUID (Optional): Select a column that contains a value for Model UUID (uuid). Applying this filter returns only model breaches for the specified model.
  • Model ID (Optional): Select a column that contains a value for Model ID (pid). Applying this filter returns only model breaches for the specified model.
  • Breach ID (Optional): Select a column that contains a value for Breach ID (pbid).
  • Device ID (Optional): Select a column that contains a value for the identification number of a device (did).
  • Start Time (Optional): Start time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-01T01:00:00'
  • End Time (Optional): End time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-02T01:00:00'
  • Minimum Score (Optional): Return only breaches with a minimum score. Example: 0.1
  • Result Format: Device At Top (Optional): Select True/False (default is True). This will return the device JSON object as a value of the top-level object rather than within each matched component.
  • Result Format: Expand Enums (Optional): Select True/False (default is False). This will expand numeric enumerated types to their descriptive string representation.
  • Result Format: Historic Model Only (Optional): Select True/False (default is False). This will return the JSON for the historic version of the model details only, rather than both the historic and current definition.
  • Result Format: Include acknowledged breaches (Optional): Select True/False (default is False). This will include acknowledged breaches in the data.
  • Result Format: Include Breach URL (Optional): Select True/False (default is False). This will return a URL for the model breach in the long form of the model breach data; it requires that the FQDN configuration parameter is set.
  • Result Format: Minimal (Optional): Select True/False (default is False). This will reduce the amount of data returned for the API call.
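As an added example (not LogicHub's or Darktrace's own code), the Python below shows what the connection details under "Connecting with Darktrace" and the filters of Search Model Breaches become on the wire: a query string assembled from the filters, with the Start/End Time format validated and only non-default flags emitted, and a request signed with the public/private key pair. The DTAPI-* header names, the HMAC-SHA1 signing scheme and the query-parameter names other than pbid, pid, uuid and did are assumptions drawn from the Darktrace Threat Visualizer API rather than from this page; the base URL, tokens and filter values are constructed sample data.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import urlencode

# Constructed sample connection values (not real credentials).
SAMPLE_URL = "https://xxx-xxx.cloud.darktrace.com"
SAMPLE_PUBLIC_TOKEN = "public-token-example"
SAMPLE_PRIVATE_TOKEN = "private-token-example"

_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S"   # the format the Start/End Time inputs document

# Result-format flags: LogicHub input name -> query parameter name.
# Parameter names are assumptions from the Darktrace Threat Visualizer API;
# the page itself only names pbid, pid, uuid and did.
_BOOL_FLAGS = {
    "device_at_top": "deviceattop",
    "expand_enums": "expandenums",
    "historic_model_only": "historicmodelonly",
    "include_acknowledged": "includeacknowledged",
    "include_breach_url": "includebreachurl",
    "minimal": "minimal",
}
# Defaults as the action documents them: Device At Top is True, the rest False.
_FLAG_DEFAULTS = {name: name == "device_at_top" for name in _BOOL_FLAGS}


def _check_time(value: str) -> str:
    """Reject anything that is not YYYY-MM-DDTHH:MM:SS (raises ValueError)."""
    datetime.strptime(value, _TIME_FORMAT)
    return value


def build_modelbreaches_query(uuid=None, pid=None, pbid=None, did=None,
                              start_time=None, end_time=None, min_score=None,
                              **flags) -> str:
    """Return the request path (with query string) for Search Model Breaches.

    Only filters that differ from the action's defaults are emitted, so a call
    with no arguments yields the bare endpoint (capped at 100 results by the server).
    """
    unknown = set(flags) - set(_BOOL_FLAGS)
    if unknown:
        raise TypeError(f"unknown filters: {sorted(unknown)}")
    params = {}
    for key, value in (("uuid", uuid), ("pid", pid), ("pbid", pbid), ("did", did)):
        if value is not None:
            params[key] = value
    if start_time is not None:
        params["starttime"] = _check_time(start_time)
    if end_time is not None:
        params["endtime"] = _check_time(end_time)
    if min_score is not None:
        params["minscore"] = float(min_score)   # ValueError if not numeric
    for name, api_name in _BOOL_FLAGS.items():
        value = bool(flags.get(name, _FLAG_DEFAULTS[name]))
        if value != _FLAG_DEFAULTS[name]:
            params[api_name] = "true" if value else "false"
    query = urlencode(params)
    return "/modelbreaches" + (f"?{query}" if query else "")


def sign_request(path_with_query: str, public_token: str, private_token: str,
                 date=None) -> dict:
    """Build the DTAPI-* headers for one request.

    Assumed scheme (Darktrace Threat Visualizer API, not from this page):
    signature = HMAC-SHA1(private_token, "<path+query>\\n<public_token>\\n<date>"),
    with date as YYYYMMDDTHHMMSS in UTC. The private token is only the HMAC key;
    it is never placed in a header.
    """
    if date is None:
        date = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S")
    message = f"{path_with_query}\n{public_token}\n{date}"
    signature = hmac.new(private_token.encode(), message.encode(), hashlib.sha1).hexdigest()
    return {"DTAPI-Token": public_token, "DTAPI-Date": date, "DTAPI-Signature": signature}


def verify_signature(headers: dict, path_with_query: str, private_token: str) -> bool:
    """Recompute the signature the way the receiving side would; constant-time compare."""
    expected = sign_request(path_with_query, headers["DTAPI-Token"], private_token,
                            date=headers["DTAPI-Date"])["DTAPI-Signature"]
    return hmac.compare_digest(expected, headers.get("DTAPI-Signature", ""))


def prepare_search_model_breaches(base_url, public_token, private_token, **filters):
    """Return (url, headers) ready to hand to an HTTP client."""
    path = build_modelbreaches_query(**filters)
    return base_url.rstrip("/") + path, sign_request(path, public_token, private_token)


if __name__ == "__main__":
    url, headers = prepare_search_model_breaches(
        SAMPLE_URL, SAMPLE_PUBLIC_TOKEN, SAMPLE_PRIVATE_TOKEN,
        did=42, start_time="2019-12-01T01:00:00", end_time="2019-12-02T01:00:00",
        min_score=0.1, include_acknowledged=True)
    print(url)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Two points worth keeping in mind when a playbook step hands these values to an HTTP client: the signature covers the exact path and query string, so the query must be built first and sent byte-for-byte, and the date is part of the signed message, so a LogicHub host whose clock drifts from the Darktrace instance will see its requests rejected. The private key never appears in a header; it is a secret held only in the connection configuration, and a column or log that captures the request headers exposes nothing more than the public token and a one-off signature.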

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other JSON fields of each model breach

Breach ID Details

List connections and events for a Breach ID.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Breach ID: Select a column that contains a value for Breach ID (pbid).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other JSON fields of Breach ID details
