Darktrace
App Vendor: Darktrace
App Category: Network Security
Connector Version: 1.1.0
API Version: 1.0.0
About App
The Darktrace app provides a way to access additional information about an alert or a device in the Darktrace system.
The Darktrace app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Fetch Model Breaches | This action retrieves a time sorted list of model breaches. |
Fetch AI Analyst Incidents | This action retrieves a list of AI analyst incidents. |
Add Domain to Intel Feed | This action adds a domain to intel feed. |
Add IPs to Intel Feed | This action adds IPs to the intel feed. |
Get Event Log | This action retrieves a list of model breaches. |
List Devices | This action retrieves a list of devices. |
Create PCAP | This action creates a packet capture (PCAP). |
Get List of PCAPs | This action retrieves a list of packet captures (PCAPs). |
Configuration Parameters
The following configuration parameters are required for the Darktrace app to communicate with the Darktrace enterprise application. The parameters can be configured by creating instances in the Darktrace app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Appliance IP | Enter the appliance IP for the Darktrace application. Example: "192.168.0.1" | Text | Required | |
Private Token | Enter the private token used to authenticate to the Darktrace application. Example: "ffeeddccxxx99887766554433221100ffeeddcc" | Password | Required | |
Public Token | Enter the public token obtained while creating the API token pair. Example: "00112233445566778899xxxxccddeeff00112233" | Text | Required | |
TLS Verification | Choose whether to verify or skip verification of the appliance's TLS certificate. Example: true | Boolean | Optional | Allowed values: true, false |
Action: Fetch Model Breaches
This action retrieves a time sorted list of model breaches.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the identification number of a device that is modelled in the Darktrace application. Example: 478 | Integer | Optional | |
End Time | Enter the end time in Unix epoch format. Example: 1582213002000 | Integer | Optional | |
From Date | Enter the start time in milliseconds format to return results. Example: “2020-02-03T00:00:00” | Text | Optional | |
Minimum Score | Enter a minimum score to return model breaches. Example: “0.6” | Text | Optional | Minimum score of 0.6 retrieves model breaches with a breach score above 60%. |
Policy Breach ID | Enter a policy breach ID to retrieve breaches. Example: 287232 | Integer | Optional | |
Policy ID | Enter the policy ID to retrieve breaches. Example: 143 | Integer | Optional | |
Start Time | Enter the start time in Unix epoch format. Example: 1582212986000 | Integer | Optional | |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys: |
Example Request
[ { "did": 478, "end_time": 1582213002000, "from_": "2020-02-03T00:00:00", "minscore": "0.6", "pbid": 287232, "pid": 143, "start_time": 1582212986000 } ]
Action: Fetch AI Analyst Incidents
This action retrieves a list of AI Analyst incidents. An AI Analyst incident is a group of anomalies or network activity, investigated by the Cyber AI Analyst, that can pose a cyber threat.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Start Time | Enter the start time of incident in Unix epoch format. Example: 1582212986000 | Integer | Required | |
Include Acknowledged | Choose whether to include acknowledged incidents in the results. Example: true | Boolean | Optional | Allowed values: true, false |
End Time | Enter the end time of the incident in Unix epoch format. Example: 1582213002000 | Integer | Optional | |
Locale | Enter a language for returned strings. Example: "en_gb" | Text | Optional | Allowed values: |
UUID | Enter the unique identifier for an AI Analyst event. Example: "c0ec5c71" | Text | Optional | You can enter multiple comma-separated values. |
Merge Events | Choose whether to aggregate multiple child events into a single event. Example: true | Boolean | Optional | Allowed values: true, false |
Example Request
[ { "start_time": 1582212986000, "include_acknowledged": true, "end_time": 1582213002000, "locale": "en_gb", "uuid": "c0ec5c71", "merge_events": true } ]
Action: Add Domain to Intel Feed
This action adds a domain to the intel feed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain to Add | Enter the external domain to add to the intel feed. Example: "google.com" | Text | Required | |
Description | Enter a description for the added domain. Example: "An external domain for testing" | Text | Required | |
Set as Hostname | Set to true to treat the added item as a hostname rather than a domain. Example: true | Boolean | Optional | Allowed values: true, false |
Source | Enter a source for the added entry, or restrict a retrieved list of entries to a particular source. Example: "ThreatIntel" | Text | Optional | Default value: ThreatIntel |
Expiry | Enter an expiration time for the added domain. Example: "2022-12-31T12:00:00" | Text | Optional | |
Example Request
[ { "domain_to_add": "google.com", "description": "An external domain for testing", "set_as_hostname": true, "source": "ThreatIntel", "expiry": "2022-12-31T12:00:00" } ]
Action: Add IPs to Intel Feed
This action adds IP addresses to the intel feed.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP to Add | Enter the external IP address to add to the intel feed. Example: "192.158.1.38" | Text | Required | |
Description | Enter a description for the added IP address. Example: "An external IP address for testing" | Text | Required | |
Source | Enter a source for the added entry, or restrict a retrieved list of entries to a particular source. Example: "ThreatIntel" | Text | Optional | Default value: ThreatIntel |
Expiry | Enter an expiration time for the added IP address. Example: "2022-12-31T12:00:00" | Text | Optional | |
Example Request
[ { "ip_to_add": "192.158.1.38", "description": "An external IP address for testing", "source": "ThreatIntel", "expiry": "2020-12-31T12:00:00" } ]
Action: Get Event Log
This action retrieves a list of model breaches.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Device ID | Enter the identification number of a device modeled in the Darktrace application. Example: 1 | Integer | Optional | |
End Time | Enter the end time in epoch format to retrieve results. Example: 1605266100 | Integer | Optional | |
From Time | Enter the start time in YYYY-MM-DDTHH:MM:SS format to return results. Example: "2020-12-01T12:00:00" | Text | Optional | The From Time parameter must be used together with the extra parameter to. |
Message | Enter the value of the message field in notice events to return details for. Typically used to specify user credential strings. Example: "10.12.14.2 logged in to 192.168.72.4 successfully via SSH" | Text | Optional | |
Policy Breach ID | Enter a policy breach ID to retrieve breaches that match the specified ID. Example: 315955 | Integer | Required | |
Start Time | Enter the start time in epoch format to return results. Example: 1605266200 | Integer | Optional | |
Extra Params | Enter the extra parameters. | Key Value | Optional | Allowed keys: |
Example Request
[ { "pbid": 315955 } ]
Action: List Devices
This action retrieves a list of devices.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Seen Since | Enter a time period to retrieve devices with activity in the specified time. Example: | Text | Optional | The allowed format is either a number representing a number of seconds before the current time, or a number with a modifier such as second, minute, hour, day, or week (Minimum = 1 second). Default value: 1hour |
Device ID | Enter the identification number of a device modeled in the Darktrace application. Example: 316 | Integer | Optional | |
IP Address | Enter the IP address of the device modeled in the Darktrace application. Example: "10.0.56.12" | Text | Optional | |
IP Time | Enter the IP time to return the devices that had the IP address at the given time. Example: "1584529027000" | Text | Optional | |
MAC Address | Enter the MAC address. Example: "56:2d:4b:9c:18:42" | Text | Optional | |
Subnet ID | Enter the identification number of a subnet modeled in the Darktrace system. Example: 12 | Integer | Optional | |
Count | Enter the number of devices to return. This only limits the number of devices within the current timeframe. Example: 25 | Integer | Optional | |
Include Tags | Enter true to include the tags applied to the device in the response. Example: false | Boolean | Optional | Default value: false. Allowed values: true, false |
Example Request
[ { "include_tags": false } ]
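Two of the inputs above are easy to get wrong before they reach the appliance: the Fetch Model Breaches body (epoch-millisecond integers, an ISO start date and a 0..1 score passed as text) and the List Devices Seen Since value (seconds, or a number with a second/minute/hour/day/week modifier, minimum 1 second). The following added example, which is not part of the app or the Darktrace API, maps the Fetch Model Breaches action inputs onto the request keys shown in its example request and validates them, and normalises Seen Since to seconds; the function names are assumptions, and accepting an optional plural "s" on the modifier is an assumption beyond the text.

```python
import re
from datetime import datetime

# Orchestrate input name -> request key, taken from the Fetch Model Breaches example request.
MODEL_BREACH_KEYS = {
    "Device ID": "did", "End Time": "end_time", "From Date": "from_",
    "Minimum Score": "minscore", "Policy Breach ID": "pbid",
    "Policy ID": "pid", "Start Time": "start_time",
}
INT_KEYS = {"did", "end_time", "pbid", "pid", "start_time"}


def build_model_breaches_request(inputs):
    """Map action inputs to the request body, rejecting malformed values
    instead of passing them through to the appliance (hypothetical helper)."""
    body = {}
    for name, value in inputs.items():
        key = MODEL_BREACH_KEYS.get(name)
        if key is None:
            raise ValueError(f"unknown input {name!r}")
        if key in INT_KEYS:
            # bool is a subclass of int in Python, so exclude it explicitly.
            if not isinstance(value, int) or isinstance(value, bool) or value < 0:
                raise ValueError(f"{name} must be a non-negative integer")
        elif key == "from_":
            datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")  # page's ISO format
        elif key == "minscore":
            if not 0.0 <= float(value) <= 1.0:
                raise ValueError("Minimum Score must be between 0 and 1")
            value = str(value)  # the page passes the score as text
        body[key] = value
    if {"start_time", "end_time"} <= body.keys() and body["end_time"] < body["start_time"]:
        raise ValueError("End Time precedes Start Time")
    return body


# Plain seconds, or a number with a modifier ("1hour", "2 days"); plural "s" is assumed.
SEEN_SINCE = re.compile(r"^(\d+)\s*(second|minute|hour|day|week)?s?$")
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}


def seen_since_seconds(value="1hour"):
    """Convert a List Devices 'Seen Since' value to seconds (minimum 1 second)."""
    m = SEEN_SINCE.match(value.strip())
    if not m:
        raise ValueError(f"bad Seen Since value {value!r}")
    secs = int(m.group(1)) * UNIT_SECONDS[m.group(2) or "second"]
    if secs < 1:
        raise ValueError("Seen Since must be at least 1 second")
    return secs
```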
Action: Create PCAP
This action creates a packet capture (PCAP).
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Source IP | Enter the source IP address. Example: "192.168.72.4" | Text | Required | |
Destination IP | Enter the destination IP address. Example: "10.0.18.224" | Text | Optional | |
Port for Source IP | Enter a port for the source IP address. Example: 21 | Integer | Optional | |
Port for Destination IP | Enter a port for the destination IP address. Example: 53 | Integer | Optional | |
Start Time | Enter the start time for the packet capture in epoch format. Example: 1605266200 | Integer | Optional | |
End Time | Enter the end time for the packet capture in epoch format. Example: 1605266300 | Integer | Optional | |
Protocol | Enter the layer 3 protocol. Example: "tcp" | Text | Optional | Allowed values: |
Example Request
[ { "ip1": "192.168.72.5", "ip2": "192.168.72.7", "end_time": "1605266300", "start_time": "1605266200" } ]
Action: Get List of PCAPs
This action retrieves a list of PCAPs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
PCAP File | Enter true to retrieve the binary file. Example: false | Boolean | Optional | Default value: false. Allowed values: true, false |
File Name | Enter the file name to retrieve. Example: "DCIP_2021033xx63306_202xx330063307_10_36_39_131_35860_10_2_3_4_53_udp_Lx5blz.pcap" | Text | Optional | If the PCAP File parameter is set to true, then the file name must be specified. |
Example Request
[ { "file_name": "DCIP_20220xx6015636_2022061xx20136_192_168_1_4_192_168_1_2_4FsaSn_m.pcap", "pcap_file": true } ]