Cyware Orchestrate

Darktrace

App Vendor: Darktrace

App Category: Network Security

Connector Version: 1.1.0

API Version: 1.0.0

About App

The Darktrace app provides a way to retrieve additional information about an alert or a device from the Darktrace system.

The Darktrace app is configured with the Orchestrate application to perform the following actions:

Action Name: Description

  • Fetch Model Breaches: retrieves a time-sorted list of model breaches.

  • Fetch AI Analyst Incidents: retrieves a list of AI Analyst incidents.

  • Add Domain to Intel Feed: adds a domain to the intel feed.

  • Add IPs to Intel Feed: adds IP addresses to the intel feed.

  • Get Event Log: retrieves a list of model breaches.

  • List Devices: retrieves a list of devices.

  • Create PCAP: creates a packet capture (PCAP).

  • Get List of PCAPs: retrieves a list of packet captures (PCAPs).

Configuration Parameters

The following configuration parameters are required for the Darktrace app to communicate with the Darktrace enterprise application. Configure them by creating an instance of the Darktrace app.

Parameters (description, example, field type, required/optional, comments):

Appliance IP
  Description: Enter the appliance IP for the Darktrace application.
  Example: "192.168.0.1"
  Field Type: Text
  Required/Optional: Required

Private Token
  Description: Enter the private token used to authenticate to the Darktrace application.
  Example: "ffeeddccxxx99887766554433221100ffeeddcc"
  Field Type: Password
  Required/Optional: Required

Public Token
  Description: Enter the public token obtained while creating the API token pair.
  Example: "00112233445566778899xxxxccddeeff00112233"
  Field Type: Text
  Required/Optional: Required

TLS Verification
  Description: Choose whether to verify the appliance's TLS certificate or skip the check.
  Example: true
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Allowed values:
  • true
  • false
  Skipping verification lets anyone on the network path impersonate the appliance and read the API tokens in transit, so set this to false only for a lab appliance with a self-signed certificate.

Action: Fetch Model Breaches

This action retrieves a time-sorted list of model breaches.

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

Device ID
  Description: Enter the identification number of a device that is modelled in the Darktrace application.
  Example: 478
  Field Type: Integer
  Required/Optional: Optional

End Time
  Description: Enter the end time in Unix epoch format.
  Example: 1582213002000
  Field Type: Integer
  Required/Optional: Optional

From Date
  Description: Enter the start time in milliseconds format to return results.
  Example: "2020-02-03T00:00:00"
  Field Type: Text
  Required/Optional: Optional

Minimum Score
  Description: Enter a minimum score to return model breaches.
  Example: "0.6"
  Field Type: Text
  Required/Optional: Optional
  Comments: A minimum score of 0.6 retrieves model breaches with a breach score above 60%.

Policy Breach ID
  Description: Enter a policy breach ID to retrieve breaches.
  Example: 287232
  Field Type: Integer
  Required/Optional: Optional

Policy ID
  Description: Enter the policy ID to retrieve breaches.
  Example: 143
  Field Type: Integer
  Required/Optional: Optional

Start Time
  Description: Enter the start time in Unix epoch format.
  Example: 1582212986000
  Field Type: Integer
  Required/Optional: Optional

Extra Params
  Description: Enter the extra parameters.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed keys:
  • deviceattop
  • expandenums
  • historicmodelonly
  • includeacknowledged
  • includebreachurl
  • responsedata
  • uuid
  • minimal

Example Request

[
    {
        "did": 478,
        "end_time": 1582213002000,
        "from_": "2020-02-03T00:00:00",
        "minscore": "0.6",
        "pbid": 287232,
        "pid": 143,
        "start_time": 1582212986000
    }
]
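The following Python helper is an added example, not code from Cyware or Darktrace: it assembles the Fetch Model Breaches input using the key names from the example request above and rejects values the action would not accept (epoch times given in seconds instead of milliseconds, a start after the end, a score outside 0 to 1, an unknown extra key). The function name and the validation rules are this example's own assumptions.

```python
from datetime import datetime

# Allowed keys for the Extra Params field, as listed for this action.
ALLOWED_EXTRA_KEYS = {
    "deviceattop", "expandenums", "historicmodelonly", "includeacknowledged",
    "includebreachurl", "responsedata", "uuid", "minimal",
}


def build_fetch_model_breaches(start_time=None, end_time=None, did=None,
                               pbid=None, pid=None, minscore=None,
                               from_=None, extra_params=None):
    """Return the one-element request list for Fetch Model Breaches.

    Checks before anything is sent: IDs are non-negative integers, epoch
    times are in milliseconds (the documented examples are 13 digits) and
    start <= end, minscore is a decimal string within [0, 1], from_ is
    YYYY-MM-DDTHH:MM:SS, and every extra key is one the action accepts.
    """
    body = {}
    for key, value in (("did", did), ("pbid", pbid), ("pid", pid)):
        if value is not None:
            if not isinstance(value, int) or value < 0:
                raise ValueError(f"{key} must be a non-negative integer")
            body[key] = value
    for key, value in (("start_time", start_time), ("end_time", end_time)):
        if value is not None:
            if not isinstance(value, int) or value < 10**12:
                raise ValueError(f"{key} must be a Unix epoch in milliseconds")
            body[key] = value
    if start_time is not None and end_time is not None and start_time > end_time:
        raise ValueError("start_time must not be after end_time")
    if minscore is not None:
        if not 0.0 <= float(minscore) <= 1.0:
            raise ValueError("minscore must be between 0 and 1")
        body["minscore"] = str(minscore)  # the action takes this as Text
    if from_ is not None:
        datetime.strptime(from_, "%Y-%m-%dT%H:%M:%S")  # raises on bad format
        body["from_"] = from_
    if extra_params:
        unknown = set(extra_params) - ALLOWED_EXTRA_KEYS
        if unknown:
            raise ValueError(f"unsupported extra params: {sorted(unknown)}")
        body.update(extra_params)
    return [body]
```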
Action: Fetch AI Analyst Incidents

This action retrieves a list of AI Analyst incidents. An AI Analyst incident is a group of anomalies or network activity investigated by Cyber AI Analyst that can pose a cyber threat.

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

Start Time
  Description: Enter the start time of the incident in Unix epoch format.
  Example: 1582212986000
  Field Type: Integer
  Required/Optional: Required

Include Acknowledged
  Description: Choose whether to include acknowledged incidents in the results.
  Example: true
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Allowed values:
  • true
  • false

End Time
  Description: Enter the end time of the incident in Unix epoch format.
  Example: 1582213002000
  Field Type: Integer
  Required/Optional: Optional

Locale
  Description: Enter a language for the returned strings.
  Example: "en_gb"
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values:
  • de_de (German)
  • en_gb (English UK)
  • en_us (English US)
  • es_es (Spanish es)
  • es_419 (Spanish latam)
  • fr_fr (French)
  • ja_jp (Japanese)
  • ko_kr (Korean)
  • pt_br (Portuguese br)

UUID
  Description: Enter the unique identifier of an AI Analyst event.
  Example: "c0ec5c71"
  Field Type: Text
  Required/Optional: Optional
  Comments: You can enter multiple comma-separated values.

Merge Events
  Description: Choose whether to aggregate multiple child events into a single event.
  Example: true
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Allowed values:
  • true
  • false

Example Request

[
    {
        "start_time": 1582212986000,
        "include_acknowledged": true,
        "end_time": 1582213002000,
        "locale": "en_gb",
        "uuid": "c0ec5c71",
        "merge_events": true
    }
]
Action: Add Domain to Intel Feed

This action adds domains to the intel feed.

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

Domain to Add
  Description: Enter the external domain to add to the intel feed.
  Example: "google.com"
  Field Type: Text
  Required/Optional: Required

Description
  Description: Enter a description for the added domain.
  Example: "An external domain for testing"
  Field Type: Text
  Required/Optional: Required

Set as Hostname
  Description: Set to true to treat the added item as a hostname rather than a domain.
  Example: true
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Allowed values:
  • true
  • false

Source
  Description: Enter a source for the added entry, or restrict a retrieved list of entries to a particular source.
  Example: "ThreatIntel"
  Field Type: Text
  Required/Optional: Optional
  Comments: Default value: ThreatIntel

Expiry
  Description: Enter an expiration time for the added domain.
  Example: "2022-12-31T12:00:00"
  Field Type: Text
  Required/Optional: Optional

Example Request

[
    {
        "domain_to_add": "google.com",
        "description": "An external domain for testing",
        "set_as_hostname": true,
        "source": "ThreatIntel",
        "expiry": "2022-12-31T12:00:00"
    }
]
Action: Add IPs to Intel Feed

This action adds IP addresses to the intel feed.

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

IP to Add
  Description: Enter the external IP addresses to add to the intel feed.
  Example: "192.158.1.38"
  Field Type: Text
  Required/Optional: Required

Description
  Description: Enter a description for the added IP address.
  Example: "An external IP address for testing"
  Field Type: Text
  Required/Optional: Required

Source
  Description: Enter a source for the added entry, or restrict a retrieved list of entries to a particular source.
  Example: "ThreatIntel"
  Field Type: Text
  Required/Optional: Optional
  Comments: Default value: ThreatIntel

Expiry
  Description: Enter an expiration time for the added IP address.
  Example: "2022-12-31T12:00:00"
  Field Type: Text
  Required/Optional: Optional

Example Request

[
    {
        "ip_to_add": "192.158.1.38",
        "description": "An external IP address for testing",
        "source": "ThreatIntel",
        "expiry": "2020-12-31T12:00:00"
    }
]
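Both intel-feed actions (Add Domain to Intel Feed above and Add IPs to Intel Feed here) take an external indicator, a description and an optional expiry; the Python helper below is an added example, not Cyware's or Darktrace's code, that builds either request body and refuses entries that would pollute the feed: internal addresses (the actions ask for external ones), malformed domain names, and an expiry that has already passed. The key names come from the example requests; the function name, the domain syntax check and the injectable now argument are this example's assumptions.

```python
import ipaddress
import re
from datetime import datetime

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
_TIME_FMT = "%Y-%m-%dT%H:%M:%S"  # the Expiry format shown for both actions


def _is_valid_domain(name):
    """Dotted labels of letters, digits and hyphens, at most 253 characters."""
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def build_intel_feed_entry(value, description, source="ThreatIntel",
                           expiry=None, set_as_hostname=None, now=None):
    """Return the one-element request list for the matching intel-feed action.

    An IP must be globally routable, so internal ranges such as 10.0.0.0/8
    are refused. A domain must be syntactically valid. An expiry must use
    _TIME_FMT and lie in the future; `now` (same format) exists for testing.
    """
    if not description or not description.strip():
        raise ValueError("description is required")
    value = value.strip()
    body = {"description": description.strip(), "source": source}
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        if not ip.is_global:
            raise ValueError(f"{ip} is not an external address")
        body["ip_to_add"] = str(ip)
    else:
        value = value.rstrip(".").lower()
        if not _is_valid_domain(value):
            raise ValueError(f"{value!r} is not a valid domain name")
        body["domain_to_add"] = value
        if set_as_hostname is not None:
            body["set_as_hostname"] = bool(set_as_hostname)
    if expiry is not None:
        reference = datetime.strptime(now, _TIME_FMT) if now else datetime.now()
        if datetime.strptime(expiry, _TIME_FMT) <= reference:
            raise ValueError("expiry must be in the future")
        body["expiry"] = expiry
    return [body]
```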
Action: Get Event Log

This action retrieves a list of model breaches.

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

Device ID
  Description: Enter the identification number of a device modelled in the Darktrace application.
  Example: 1
  Field Type: Integer
  Required/Optional: Optional

End Time
  Description: Enter the end time in epoch format to retrieve results.
  Example: 1605266100
  Field Type: Integer
  Required/Optional: Optional

From Time
  Description: Enter the start time in YYYY-MM-DDTHH:MM:SS format to return results.
  Example: "2020-12-01T12:00:00"
  Field Type: Text
  Required/Optional: Optional
  Comments: The From Time parameter must be used together with the extra parameter "to".

Message
  Description: Enter the value of the message field in notice events to return details for. This is typically used to specify user credential strings.
  Example: "10.12.14.2 logged in to 192.168.72.4 successfully via SSH"
  Field Type: Text
  Required/Optional: Optional

Policy Breach ID
  Description: Enter a policy breach ID to retrieve breaches that match the specified ID.
  Example: 315955
  Field Type: Integer
  Required/Optional: Required

Start Time
  Description: Enter the start time in epoch format to return results.
  Example: 1605266200
  Field Type: Integer
  Required/Optional: Optional

Extra Params
  Description: Enter the extra parameters.
  Field Type: Key Value
  Required/Optional: Optional
  Comments: Allowed keys:
  • eventtype
  • to
  • port
  • protocol
  • uid
  • sourceport
  • fulldevicedetails
  • count

Example Request

[
    {
        "pbid": 315955
    }
]
Action: List Devices

This action retrieves a list of devices.

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

Seen Since
  Description: Enter a time period to retrieve devices with activity in the specified time.
  Examples:
  • 2min
  • 3600
  • 3hour
  Field Type: Text
  Required/Optional: Optional
  Comments: The allowed format is either a number representing a number of seconds before the current time, or a number with a modifier such as second, minute, hour, day, or week (minimum 1 second). Default value: 1hour

Device ID
  Description: Enter the identification number of a device modelled in the Darktrace application.
  Example: 316
  Field Type: Integer
  Required/Optional: Optional

IP Address
  Description: Enter the IP address of a device modelled in the Darktrace application.
  Example: "10.0.56.12"
  Field Type: Text
  Required/Optional: Optional

IP Time
  Description: Enter the IP time to return the devices that had the IP address at the given time.
  Example: "1584529027000"
  Field Type: Text
  Required/Optional: Optional

MAC Address
  Description: Enter the MAC address.
  Example: "56:2d:4b:9c:18:42"
  Field Type: Text
  Required/Optional: Optional

Subnet ID
  Description: Enter the identification number of a subnet modelled in the Darktrace system.
  Example: 12
  Field Type: Integer
  Required/Optional: Optional

Count
  Description: Enter the number of devices to return. This only limits the number of devices within the current timeframe.
  Example: 25
  Field Type: Integer
  Required/Optional: Optional

Include Tags
  Description: Enter true to include the tags applied to the device in the response.
  Example: false
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Default value: false. Allowed values:
  • true
  • false

Example Request

[
    {
        "include_tags": false
    }
]
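The Seen Since format for List Devices (a bare number of seconds, or a number with a second/minute/hour/day/week modifier, minimum one second) is easy to get wrong when a playbook assembles it from variables. The Python helper below is an added example, not Cyware's or Darktrace's code: it parses that format, normalises it to seconds, and checks the IP and MAC inputs before the request is built. Only include_tags is a key shown on this page; the other key names, the function names and the MAC pattern are this example's assumptions.

```python
import ipaddress
import re

# Modifiers documented for Seen Since, expressed in seconds.
_MODIFIERS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
_SEEN_SINCE = re.compile(r"^\s*(\d+)\s*([A-Za-z]*)\s*$")
_MAC = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_seen_since(text):
    """Return the number of seconds a Seen Since value covers.

    Accepts a bare number of seconds ("3600") or a number followed by a
    modifier ("2min", "3hour", "1 week"); the modifier may be abbreviated
    or plural. Anything below the one-second minimum is rejected.
    """
    m = _SEEN_SINCE.match(str(text))
    if not m:
        raise ValueError(f"bad Seen Since value: {text!r}")
    amount, unit = int(m.group(1)), (m.group(2) or "second").lower()
    if len(unit) > 1:
        unit = unit.rstrip("s")  # "mins", "hours", "seconds" ...
    candidates = [name for name in _MODIFIERS if name.startswith(unit)]
    if len(candidates) != 1:
        raise ValueError(f"unknown modifier in {text!r}")
    seconds = amount * _MODIFIERS[candidates[0]]
    if seconds < 1:
        raise ValueError("Seen Since must be at least 1 second")
    return seconds


def build_list_devices(seen_since="1hour", ip_address=None, mac_address=None,
                       include_tags=False):
    """Return the request list for List Devices with the inputs checked.

    seen_since is sent as a plain number of seconds (a Text field), so the
    appliance never sees an ambiguous modifier.
    """
    body = {"seen_since": str(parse_seen_since(seen_since)),
            "include_tags": bool(include_tags)}
    if ip_address is not None:
        body["ip_address"] = str(ipaddress.ip_address(ip_address))  # raises if malformed
    if mac_address is not None:
        if not _MAC.match(mac_address):
            raise ValueError(f"bad MAC address: {mac_address!r}")
        body["mac_address"] = mac_address.lower()
    return [body]
```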
Action: Create PCAP

This action creates a packet capture (PCAP).

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

Source IP
  Description: Enter the source IP address.
  Example: "192.168.72.4"
  Field Type: Text
  Required/Optional: Required

Destination IP
  Description: Enter the destination IP address.
  Example: "10.0.18.224"
  Field Type: Text
  Required/Optional: Optional

Port for Source IP
  Description: Enter a port for the source IP address.
  Example: 21
  Field Type: Integer
  Required/Optional: Optional

Port for Destination IP
  Description: Enter a port for the destination IP address.
  Example: 53
  Field Type: Integer
  Required/Optional: Optional

Start Time
  Description: Enter the start time for the packet capture in epoch format.
  Example: 1605266200
  Field Type: Integer
  Required/Optional: Optional

End Time
  Description: Enter the end time for the packet capture in epoch format.
  Example: 1605266300
  Field Type: Integer
  Required/Optional: Optional

Protocol
  Description: Enter the protocol to capture.
  Example: "tcp"
  Field Type: Text
  Required/Optional: Optional
  Comments: Allowed values:
  • tcp
  • udp

Example Request

[
    {
        "ip1": "192.168.72.5",
        "ip2": "192.168.72.7",
        "end_time": "1605266300",
        "start_time": "1605266200"
    }
]
Action: Get List of PCAPs

This action retrieves a list of PCAPs.

Action Input Parameters

Parameters (description, example, field type, required/optional, comments):

PCAP File
  Description: Enter true to retrieve the binary file.
  Example: false
  Field Type: Boolean
  Required/Optional: Optional
  Comments: Default value: false. Allowed values:
  • true
  • false

File Name
  Description: Enter the file name to retrieve.
  Example: "DCIP_2021033xx63306_202xx330063307_10_36_39_131_35860_10_2_3_4_53_udp_Lx5blz.pcap"
  Field Type: Text
  Required/Optional: Optional
  Comments: If the PCAP File parameter is set to true, then the file name must be specified.

Example Request

[
    {
        "file_name": "DCIP_20220xx6015636_2022061xx20136_192_168_1_4_192_168_1_2_4FsaSn_m.pcap",
        "pcap_file": true
    }
]