Darktrace
Version: 2.0.0
Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within an organization. It then employs correlation techniques to classify and cross-reference these models, establishing a highly accurate understanding of 'normal activity' within that particular environment.
Connect Darktrace with LogicHub
- Navigate to Automations > Integrations.
- Search for Darktrace.
- Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- URL: URL to your Darktrace instance. Example: https://xxx-xxx.cloud.darktrace.com.
- Public API Key/Token: Public API key/token for Darktrace.
- Private API Key/Token: Private API key/token for Darktrace.
- After you've entered all the details, click Connect.
Actions for Darktrace
Acknowledge Event
Acknowledge a model breach.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Breach ID | Select a column that contains a value for Breach ID (pbid). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- response: SUCCESS
Unacknowledge Event
Unacknowledge a model breach.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Breach ID | Select column that contains a value for Breach ID (pbid). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- response: SUCCESS
Search/List Models
Searches by Name or Lists all models defined.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Search String | Search String to filter defined models. All models will be listed if left empty. Case-insensitive contains match is done. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- other JSON fields of each model
Search Model Breaches
Returns additional details for model breaches. Has a lot of filter options. Shows a maximum of 100 results if no filters are used.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Model UUID | Select column that contains value for Model UUID (UUID). Applying this filter will only return model breaches for the specified model. | Optional |
| Model ID | Select column that contains a value for Model ID (pid). Applying this filter will only return model breaches for the specified model. | Optional |
| Breach ID | Select column that contains a value for Breach ID (pbid). | Optional |
| Device ID | Select column that contains a value for the Identification number of a device (did). | Optional |
| Start Time | Start time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-01T01:00:00'. | Optional |
| End Time | End time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-02T01:00:00'. | Optional |
| Minimum Score | Return only breaches with a minimum score. Example: 0.1. | Optional |
| Result Format: Device At Top | Select True/False (default is True). This will return the device JSON object as a value of the top-level object rather than within each matched component. | Optional |
| Result Format: Expand Enums | Select True/False (default is False). This will expand numeric enumerated types to their descriptive string representation. | Optional |
| Result Format: Historic Model Only | Select True/False (default is False). This will return the JSON for the historic version of the model details only, rather than both the historic and current definition. | Optional |
| Result Format: Include acknowledged breaches | Select True/False (default is False). This will include acknowledged breaches in the data. | Optional |
| Result Format: Include Breach URL | Select True/False (default is False). This will return a URL for the model breach in the long form of the model breach data, this requires that the FQDN configuration parameter is set. | Optional |
| Result Format: Minimal | Select True/False (default is False). This will reduce the amount of data returned for the API call. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- other JSON fields of each model breach
Breach ID Details
List connections and events for a Breach ID.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Breach ID | Select column that contains a value for Breach ID (pbid). | Required |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- other JSON fields of Breach ID details
Post Intelfeed List
It is the programmatic way to access Watched Domains, a list of domains, IPs and hostnames utilized by the Darktrace system, Darktrace Inoculation and STIXX/TAXII integration to create model breaches.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
| Input Name | Description | Required |
|---|---|---|
| Source | Jinja-templated text containing the source of the watched domains. | Required |
| Description | Jinja-templated text containing the description for the entries to be added. The description must be under 256 characters | Required |
| Entry | Jinja-templated text containing the value of the external domain, hostname or IP address. For example: 'www.example.com'. | Required |
| Expiry | Jinja-templated text containing the expiration time for added items. For example: 1587448800000. | Optional |
Output
A JSON object containing multiple rows of result:
- has_error: True/False
- error: message/null
- other JSON fields of each model breach
Release Notes
v2.0.0- Updated architecture to support IO via filesystemv1.1.2- Added expiry optional field inPost Intelfeed Listaction.v1.1.1- Query big fix inPost Intelfeed Listaction.v1.1.0- Added new action -Post Intelfeed List
Updated about 1 year ago