Darktrace

Version: 2.0.0

Darktrace's Enterprise Immune System uses proprietary machine learning and AI algorithms to build a so-called "pattern of life" for every network, device, and user within an organization. It then employs correlation techniques to classify and cross-reference these models, establishing a highly accurate understanding of 'normal activity' within that particular environment.

Connect Darktrace with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for Darktrace.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • URL: URL to your Darktrace instance. Example: https://xxx-xxx.cloud.darktrace.com.
    • Public API Key/Token: Public API key/token for Darktrace.
    • Private API Key/Token: Private API key/token for Darktrace.
  4. After you've entered all the details, click Connect.

Actions for Darktrace

Acknowledge Event

Acknowledge a model breach.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Breach ID | Select a column that contains a value for Breach ID (pbid). | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • response: SUCCESS

Unacknowledge Event

Unacknowledge a model breach.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Breach ID | Select a column that contains a value for Breach ID (pbid). | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • response: SUCCESS

Search/List Models

Searches models by name, or lists all defined models.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Search String | Search string used to filter the defined models. All models are listed if left empty. Matching is a case-insensitive "contains" match. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • other JSON fields of each model

Search Model Breaches

Returns additional details for model breaches. Many filter options are available. Shows a maximum of 100 results if no filters are used.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Model UUID | Select a column that contains a value for Model UUID (UUID). Applying this filter will only return model breaches for the specified model. | Optional
Model ID | Select a column that contains a value for Model ID (pid). Applying this filter will only return model breaches for the specified model. | Optional
Breach ID | Select a column that contains a value for Breach ID (pbid). | Optional
Device ID | Select a column that contains a value for the identification number of a device (did). | Optional
Start Time | Start time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-01T01:00:00'. | Optional
End Time | End time of data to return in YYYY-MM-DDTHH:MM:SS format. Example: '2019-12-02T01:00:00'. | Optional
Minimum Score | Return only breaches with at least this score. Example: 0.1. | Optional
Result Format: Device At Top | Select True/False (default is True). This will return the device JSON object as a value of the top-level object rather than within each matched component. | Optional
Result Format: Expand Enums | Select True/False (default is False). This will expand numeric enumerated types to their descriptive string representation. | Optional
Result Format: Historic Model Only | Select True/False (default is False). This will return the JSON for the historic version of the model details only, rather than both the historic and current definition. | Optional
Result Format: Include acknowledged breaches | Select True/False (default is False). This will include acknowledged breaches in the data. | Optional
Result Format: Include Breach URL | Select True/False (default is False). This will return a URL for the model breach in the long form of the model breach data; this requires that the FQDN configuration parameter is set. | Optional
Result Format: Minimal | Select True/False (default is False). This will reduce the amount of data returned for the API call. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • other JSON fields of each model breach
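The following is an added example, not part of the LogicHub integration or Darktrace's own code: it validates the Search Model Breaches inputs listed above (time format, time ordering, score range, result-format switches) and emits only the non-default switches, so an unfiltered call stays unfiltered. The query parameter names (uuid, pid, pbid, did, starttime, endtime, minscore and the switch names) are assumptions for illustration; the page only gives the short identifiers in parentheses.

```python
from datetime import datetime

# Parameter names are assumptions for illustration, not the integration's wire format.
TIME_FMT = "%Y-%m-%dT%H:%M:%S"
ID_PARAMS = {"Model UUID": "uuid", "Model ID": "pid",
             "Breach ID": "pbid", "Device ID": "did"}
# Result-format switches with the defaults the page states.
FORMAT_DEFAULTS = {"deviceattop": True, "expandenums": False,
                   "historicmodelonly": False, "includeacknowledged": False,
                   "includebreachurl": False, "minimal": False}


def _check_time(label, value):
    """Reject anything that is not the documented YYYY-MM-DDTHH:MM:SS form."""
    try:
        return datetime.strptime(value, TIME_FMT)
    except ValueError:
        raise ValueError(f"{label} must be YYYY-MM-DDTHH:MM:SS, got {value!r}")


def build_breach_filter(ids=None, start_time=None, end_time=None,
                        min_score=None, **format_flags):
    """Validate Search Model Breaches inputs and return the query mapping.

    Only switches that differ from their default are emitted, so an empty
    filter (which the page says returns at most 100 breaches) stays empty.
    """
    params = {}
    for label, value in (ids or {}).items():
        if label not in ID_PARAMS:
            raise ValueError(f"unknown identifier field {label!r}")
        params[ID_PARAMS[label]] = str(value)
    start = _check_time("Start Time", start_time) if start_time is not None else None
    if start is not None:
        params["starttime"] = start_time
    if end_time is not None:
        end = _check_time("End Time", end_time)
        if start is not None and end < start:  # an inverted window returns nothing useful
            raise ValueError("End Time is earlier than Start Time")
        params["endtime"] = end_time
    if min_score is not None:
        score = float(min_score)
        if not 0.0 <= score <= 1.0:  # breach scores are fractions, e.g. the page's 0.1
            raise ValueError(f"Minimum Score must be within 0..1, got {score}")
        params["minscore"] = score
    for flag, value in format_flags.items():
        if flag not in FORMAT_DEFAULTS:
            raise ValueError(f"unknown result-format switch {flag!r}")
        if bool(value) != FORMAT_DEFAULTS[flag]:
            params[flag] = "true" if value else "false"
    return params
```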

Breach ID Details

List connections and events for a Breach ID.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Breach ID | Select a column that contains a value for Breach ID (pbid). | Required

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • other JSON fields of Breach ID details

Post Intelfeed List

This is the programmatic way to access Watched Domains: a list of domains, IPs and hostnames used by the Darktrace system, Darktrace Inoculation and the STIX/TAXII integration to create model breaches.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name | Description | Required
Source | Jinja-templated text containing the source of the watched domains. | Required
Description | Jinja-templated text containing the description for the entries to be added. The description must be under 256 characters. | Required
Entry | Jinja-templated text containing the value of the external domain, hostname or IP address. For example: 'www.example.com'. | Required
Expiry | Jinja-templated text containing the expiration time for added items, as a Unix timestamp in milliseconds. For example: 1587448800000. | Optional

Output

A JSON object containing multiple rows of result:

  • has_error: True/False
  • error: message/null
  • other JSON fields of each model breach
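The following is an added example, not part of the LogicHub integration or Darktrace's own code: it checks the Post Intelfeed List inputs before they are sent, enforcing the under-256-character description, confirming the entry is a syntactically valid hostname or IP address, and rejecting an expiry that has already passed. The returned mapping uses the page's input names (source, description, entry, expiry) plus a constructed "kind" key; it is not a claim about the wire format.

```python
import ipaddress
import re
import time

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
MAX_DESCRIPTION = 255  # the page requires "under 256 characters"


def classify_entry(entry):
    """Return 'ip' or 'hostname' for a Watched Domains entry, or raise ValueError."""
    value = entry.strip().lower()
    if not value:
        raise ValueError("Entry is empty")
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    if len(value) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError(f"Entry is not a valid hostname or IP address: {entry!r}")
    return "hostname"


def build_intelfeed_item(source, description, entry, expiry=None, now_ms=None):
    """Validate the Post Intelfeed List inputs and return the item mapping.

    `expiry` is epoch milliseconds (page example: 1587448800000). `now_ms`
    exists so the past-expiry check can be exercised with a fixed clock.
    """
    if not source or not source.strip():
        raise ValueError("Source is required")
    if not description or len(description) > MAX_DESCRIPTION:
        raise ValueError(f"Description must be 1..{MAX_DESCRIPTION} characters")
    item = {
        "source": source.strip(),
        "description": description,
        "entry": entry.strip().lower(),
        "kind": classify_entry(entry),  # constructed key, for the caller's own use
    }
    if expiry is not None:
        expiry = int(expiry)
        now_ms = int(time.time() * 1000) if now_ms is None else now_ms
        if expiry <= now_ms:  # an already-expired entry would never match anything
            raise ValueError("Expiry is in the past")
        item["expiry"] = expiry
    return item
```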

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem.
  • v1.1.2 - Added optional Expiry field to the Post Intelfeed List action.
  • v1.1.1 - Query bug fix in the Post Intelfeed List action.
  • v1.1.0 - Added new action: Post Intelfeed List.

© 2017-2021 LogicHub®. All Rights Reserved.