Publisher: Darktrace
Connector Version: 1.0.7
Product Vendor: Darktrace
Product Name: Darktrace
Product Version Supported (regex): ".*"
Minimum Product Version: 5.3.0
This app integrates with Darktrace to perform investigative and containment actions
The Darktrace app for Splunk Phantom allows users to enrich investigations and workflows with insights from the Darktrace Threat Visualizer. The integration enables users to ingest Darktrace model breaches and Cyber AI Analyst incidents as the basis for an investigation. Actions can be triggered manually or automatically via existing playbooks to acquire additional Darktrace information. These actions include gathering device summaries, connection details and comments existing within Darktrace. Additionally, acknowledgments and comments can be sent to Darktrace for optimized security workflows.
The configuration variables below control how this Connector operates; the ones marked required must be set, the rest are optional. They are specified when configuring a Darktrace asset in SOAR.
VARIABLE | REQUIRED | TYPE | DESCRIPTION |
---|---|---|---|
base_url | required | string | IP address or hostname of the Darktrace Master (the host that serves the API). When tls_verify is enabled this value must match the name on the Master's certificate |
poll_aia | optional | boolean | Ingest Cyber AI Analyst Investigations |
poll_mb | optional | boolean | Ingest Model Breaches |
private_token | required | password | Darktrace API Private Token |
public_token | required | password | Darktrace API Public Token |
tls_verify | optional | boolean | Enable TLS certificate verification. Keep this enabled in production: with verification off, the API tokens and every request and response can be intercepted by anyone who can redirect traffic to the Master. Disable only for lab instances with self-signed certificates |
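The two tokens in the table are not sent as a bearer secret: the public token identifies the caller and the private token is used only to sign each request. The following added example (written for this page, not the app's own code) shows that signing scheme and a matching verifier, so that it is clear what an attacker would and would not obtain if `tls_verify` were disabled. It follows Darktrace's published API signing scheme as I understand it (HMAC-SHA1 over `"<path and query>\n<public token>\n<DTAPI-Date>"`, keyed with the private token, sent in the `DTAPI-Token`, `DTAPI-Date` and `DTAPI-Signature` headers); confirm the details against your instance's API documentation. The clock-skew window in `verify_signature` is an illustrative choice, not a documented Darktrace value.

```python
"""Added example: signing a Darktrace API request with the asset's token pair.

Assumptions (verify against your Darktrace API documentation):
  - signing string is "<path+query>\n<public token>\n<date>"
  - signature is hex HMAC-SHA1 keyed with the private token
  - date is UTC in the form YYYYMMDDTHHMMSS
The 300-second skew window in verify_signature is illustrative only.
"""
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Optional

DATE_FMT = "%Y%m%dT%H%M%S"


def _signing_string(query: str, public_token: str, date: str) -> str:
    # `query` is the path plus query string, e.g. "/modelbreaches?pbid=123".
    # The query string is part of what is signed, so a captured signature
    # cannot be reused for a different endpoint or different parameters.
    return f"{query}\n{public_token}\n{date}"


def sign_request(query: str, public_token: str, private_token: str,
                 date: Optional[str] = None) -> Dict[str, str]:
    """Return the DTAPI-* headers for one request to `query`.

    Only the public token travels over the wire; the private token stays on
    the SOAR host and is used solely as the HMAC key.
    """
    if date is None:
        date = datetime.now(timezone.utc).strftime(DATE_FMT)
    signature = hmac.new(
        private_token.encode("utf-8"),
        _signing_string(query, public_token, date).encode("utf-8"),
        hashlib.sha1,
    ).hexdigest()
    return {
        "DTAPI-Token": public_token,
        "DTAPI-Date": date,
        "DTAPI-Signature": signature,
    }


def verify_signature(query: str, headers: Dict[str, str], private_token: str,
                     max_skew_seconds: int = 300,
                     now: Optional[str] = None) -> bool:
    """Server-side style check of the headers produced by sign_request.

    `now` is a DATE_FMT string (defaults to the current UTC time) so the
    check is deterministic in tests. Stale dates are rejected, which is what
    limits replay of a captured request.
    """
    try:
        sent = datetime.strptime(headers["DTAPI-Date"], DATE_FMT)
        current = (datetime.strptime(now, DATE_FMT) if now
                   else datetime.now(timezone.utc).replace(tzinfo=None))
    except (KeyError, ValueError):
        return False
    if abs((current - sent).total_seconds()) > max_skew_seconds:
        return False
    expected = hmac.new(
        private_token.encode("utf-8"),
        _signing_string(query, headers.get("DTAPI-Token", ""),
                        headers["DTAPI-Date"]).encode("utf-8"),
        hashlib.sha1,
    ).hexdigest()
    # Constant-time comparison so a verifier does not leak the signature
    # byte by byte through timing.
    return hmac.compare_digest(expected, headers.get("DTAPI-Signature", ""))


if __name__ == "__main__":
    # Constructed tokens for illustration; real tokens come from the asset config.
    hdrs = sign_request("/modelbreaches?pbid=123", "public-example", "private-example")
    print(hdrs)
    # The headers would be attached to a GET against
    # f"{base_url}/modelbreaches?pbid=123" with certificate verification on.
```

With `tls_verify` disabled, an on-path attacker sees the public token and a signature that is valid for that exact path and query for only a short window; they do not learn the private token, but they do read every response, which is the device, breach and connection data the actions below return.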
test connectivity - Validate the asset configuration for connectivity using the supplied configuration
get device tags - Receive all of the tags that are currently applied to a device
get tagged devices - Receive all of the devices that currently have a given tag
get breach comments - Receive all comments made on a model breach
on poll - Ingests Darktrace model breaches and Cyber AI Analyst investigations
get device description - Receive device description for the specified device
get device modelbreaches - Receive recent model breaches for the specified device
acknowledge breach - Acknowledge a model breach
unacknowledge breach - Unacknowledge a model breach
post comment - Post a comment to a model breach
post tag - Post a tag to a device
get breach connections - Receive connections involved in a model breach
Validate the asset configuration for connectivity using the supplied configuration
Type: test
Read only: True
No parameters are required for this action
No Output
Receive all of the tags that are currently applied to a device
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | See artifact details to get the device_id | numeric | darktrace device id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | numeric | darktrace device id |
action_result.data.*.name | string | darktrace tag |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Receive all of the devices that currently have a given tag
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
tag | required | The name of an existing tag | string | darktrace tag |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.tag | string | darktrace tag |
action_result.data | string | |
action_result.data.*.entityValue | string | |
action_result.summary.*.did | string | darktrace device id |
action_result.summary.*.hostname | string | host name, darktrace saas credential |
action_result.summary.*.ip | string | ip |
action_result.summary.*.label | string | |
action_result.summary.*.mac | string | mac address |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Receive all comments made on a model breach
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
model_breach_id | required | See artifact details to get the model_breach_id | numeric | darktrace model breach id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.model_breach_id | numeric | darktrace model breach id |
action_result.data | string | |
action_result.summary.*.comment | string | |
action_result.summary.*.time | string | |
action_result.summary.*.username | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Ingests Darktrace model breaches and Cyber AI Analyst investigations
Type: ingest
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
artifact_count | optional | Maximum number of artifact records to query for | numeric | |
container_count | optional | Maximum number of container records to query for | numeric | |
container_id | optional | Container IDs to limit the ingestion to | string | |
end_time | optional | End of the time range, in epoch time (milliseconds, not seconds) | numeric | |
start_time | optional | Start of the time range, in epoch time (milliseconds, not seconds) | numeric | |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.message | string | |
action_result.summary | string | |
action_result.data | string | |
action_result.parameter.container_id | string | |
action_result.parameter.start_time | numeric | |
action_result.parameter.end_time | numeric | |
action_result.parameter.container_count | numeric | |
action_result.parameter.artifact_count | numeric | |
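Two things about on poll trip people up in practice: the time range is in epoch milliseconds (an epoch-seconds value silently becomes a window in 1970), and repeated polls must not create a second container for a breach that was already ingested. The following added example is mine, not the app's ingestion code: it builds a poll window with a units check and maps a constructed model breach record (field names taken from the `get device modelbreaches` data paths below: `pbid`, `score`, `time`, `acknowledged`, `model.then.name`) onto a container dict in the shape SOAR's `save_container` accepts. The `source_data_identifier` is what SOAR uses to deduplicate containers for an asset. The severity thresholds and the `/#modelbreach/<pbid>` URL form are assumptions for illustration.

```python
"""Added example (not the app's own code): on-poll time window in epoch
milliseconds plus a breach-to-container mapping with stable dedup keys.

Assumptions: severity thresholds and the Threat Visualizer URL form are
illustrative; the container/artifact keys follow SOAR's save_container
input shape (name, source_data_identifier, severity, artifacts[].cef).
"""
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

# Any epoch value below this is an epoch-seconds value, not milliseconds
# (10**11 ms is 1973; 10**11 s is the year 5138).
_MIN_PLAUSIBLE_MS = 10 ** 11
DEFAULT_LOOKBACK_MS = 60 * 60 * 1000  # one hour


def is_epoch_ms(value: int) -> bool:
    """True if `value` is plausibly an epoch-millisecond timestamp."""
    return isinstance(value, int) and value >= _MIN_PLAUSIBLE_MS


def poll_window(start_ms: Optional[int] = None, end_ms: Optional[int] = None,
                now_ms: Optional[int] = None,
                lookback_ms: int = DEFAULT_LOOKBACK_MS) -> Tuple[int, int]:
    """Return (start_ms, end_ms), defaulting to the last `lookback_ms`.

    Rejects values that look like epoch seconds so a mis-typed start_time
    cannot turn into a query over the whole history of the Master.
    """
    if now_ms is None:
        now_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    end = end_ms if end_ms is not None else now_ms
    start = start_ms if start_ms is not None else end - lookback_ms
    for name, v in (("start_time", start), ("end_time", end)):
        if not is_epoch_ms(v):
            raise ValueError(f"{name}={v} is not epoch milliseconds")
    if start >= end:
        raise ValueError("start_time must be before end_time")
    return start, end


def severity_from_score(score: float) -> str:
    # Assumption for illustration: Darktrace scores are 0..1.
    if score >= 0.75:
        return "high"
    if score >= 0.40:
        return "medium"
    return "low"


def breach_to_container(breach: Dict, base_url: str) -> Dict:
    """Map one model breach record onto a SOAR container with one artifact."""
    pbid = int(breach["pbid"])
    device = breach.get("device", {})
    model_name = breach["model"]["then"]["name"]
    return {
        "name": f"Darktrace model breach: {model_name}",
        # Stable per-breach key: re-polling the same window does not
        # create a duplicate container for this asset.
        "source_data_identifier": f"darktrace-mb-{pbid}",
        "severity": severity_from_score(float(breach["score"])),
        "artifacts": [{
            "name": model_name,
            "source_data_identifier": f"darktrace-mb-{pbid}-breach",
            "cef": {
                "model_breach_id": pbid,
                "device_id": device.get("did"),
                "hostname": device.get("hostname"),
                "ip": device.get("ip"),
                "score": breach["score"],
                "acknowledged": bool(breach.get("acknowledged", False)),
                "time": breach["time"],
                # Assumed UI link form; adjust to your Master's URL layout.
                "darktrace_url": f"{base_url}/#modelbreach/{pbid}",
            },
        }],
    }


# Constructed sample record; not real Darktrace output.
SAMPLE_BREACH = {
    "pbid": 12345,
    "score": 0.82,
    "time": 1700000000000,
    "acknowledged": False,
    "model": {"then": {"name": "Example / Beaconing To Rare External"}},
    "device": {"did": 42, "hostname": "ws-01", "ip": "10.1.2.3"},
}

if __name__ == "__main__":
    print(poll_window(now_ms=1_700_000_000_000))
    print(breach_to_container(SAMPLE_BREACH, "https://darktrace.example"))
```

In a playbook the `model_breach_id` and `device_id` CEF fields are what the investigate and correct actions below take as parameters, which is why they are written into the artifact rather than only into the container name.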
Receive device description for the specified device
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | See artifact details to get the device_id | numeric | darktrace device id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | numeric | darktrace device id |
action_result.data.*.devices.devicelabel | string | |
action_result.data.*.devices.did | numeric | darktrace device id |
action_result.data.*.devices.hostname | string | host name, darktrace saas credential |
action_result.data.*.devices.ip | string | ip |
action_result.data.*.devices.macaddress | string | mac address |
action_result.data.*.devices.typename | string | |
action_result.summary.*.acknowledged | string | |
action_result.summary.*.name | string | |
action_result.summary.*.score | string | |
action_result.summary.*.time | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Receive recent model breaches for the specified device
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | See artifact details to get the device_id | numeric | darktrace device id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | numeric | darktrace device id |
action_result.data.*.acknowledged | string | |
action_result.data.*.model.then.name | string | |
action_result.data.*.pbid | string | darktrace model breach id |
action_result.data.*.score | string | |
action_result.data.*.time | numeric | |
action_result.summary.*.darktrace_url | string | |
action_result.summary.*.severity | numeric | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Acknowledge a model breach
Type: correct
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
model_breach_id | required | See artifact details to get the model_breach_id | numeric | darktrace model breach id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.model_breach_id | numeric | darktrace model breach id |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Unacknowledge a model breach
Type: correct
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
model_breach_id | required | See artifact details to get the model_breach_id | numeric | darktrace model breach id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.model_breach_id | numeric | darktrace model breach id |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Post a comment to a model breach
Type: correct
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
message | required | Comment to post | string | |
model_breach_id | required | See artifact details to get the model_breach_id | numeric | darktrace model breach id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.message | string | |
action_result.parameter.model_breach_id | numeric | darktrace model breach id |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Post a tag to a device
Type: correct
Read only: False
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
device_id | required | See artifact details to get the device_id | numeric | darktrace device id |
duration | optional | How long the tag should stay applied, in seconds (for example 3600 for one hour). Leave empty for a tag that does not expire | numeric | |
tag | required | Choose a tag to apply to the device | string | darktrace tag |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.device_id | numeric | darktrace device id |
action_result.parameter.duration | numeric | |
action_result.parameter.tag | string | darktrace tag |
action_result.data | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
Receive connections involved in a model breach
Type: investigate
Read only: True
PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS |
---|---|---|---|---|
model_breach_id | required | See artifact details to get the model_breach_id | numeric | darktrace model breach id |
DATA PATH | TYPE | CONTAINS |
---|---|---|
action_result.status | string | |
action_result.parameter.model_breach_id | numeric | darktrace model breach id |
action_result.data.*.dest_hostname | string | |
action_result.data.*.dest_ip | string | |
action_result.data.*.dest_port | numeric | |
action_result.data.*.proto | string | |
action_result.data.*.src_hostname | string | |
action_result.data.*.src_ip | string | |
action_result.data.*.src_port | numeric | |
action_result.data.*.time | string | |
action_result.summary | string | |
action_result.message | string | |
summary.total_objects | numeric | |
summary.total_objects_successful | numeric | |
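The connection records this action returns are usually the input to a playbook decision: does the breach involve external destinations, and is anything unusual enough to justify tagging the device (post tag, above) rather than acknowledging the breach? The following added example is mine, not part of the app: it runs that triage over a constructed list of records using the field names from the data paths above (`src_ip`, `dest_ip`, `dest_port`, `proto`, `time`, and the hostname fields). Internal address space is taken to be RFC 1918 plus loopback and link-local, and the set of "expected" outbound ports is an assumption to tune for your environment. The sample destinations use RFC 5737 documentation addresses, which Python's `ipaddress` treats as non-global, so the code checks RFC 1918 explicitly rather than relying on `is_global`.

```python
"""Added example (not the app's code): triage 'get breach connections'
records into a summary a playbook can branch on.

Assumptions: internal space = RFC 1918 + loopback + link-local; the
EXPECTED_EXTERNAL_PORTS set is a placeholder for your own baseline.
"""
import ipaddress
from collections import Counter
from typing import Dict, Iterable, List, Tuple

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]
# Assumption: outbound TLS/HTTP/DNS are routine; anything else is worth a look.
EXPECTED_EXTERNAL_PORTS = {80, 443, 53}


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # hostnames or empty strings are not internal addresses
    return any(addr in net for net in INTERNAL_NETS)


def triage_connections(conns: Iterable[Dict], repeat_threshold: int = 2) -> Dict:
    """Summarise breach connections and recommend a containment step.

    Returns counts of internal/external connections, the external
    (ip, port, proto) tuples seen, ports outside the expected set, and a
    boolean 'recommend_tag' that a playbook can gate 'post tag' on.
    """
    conns = list(conns)
    external = [c for c in conns if not is_internal(str(c.get("dest_ip", "")))]
    by_dest: Counter = Counter(
        (c["dest_ip"], int(c["dest_port"]), str(c.get("proto", "")).lower())
        for c in external
    )
    unusual_ports: List[int] = sorted(
        {int(c["dest_port"]) for c in external
         if int(c["dest_port"]) not in EXPECTED_EXTERNAL_PORTS}
    )
    repeated: List[Tuple[str, int, str]] = sorted(
        dest for dest, n in by_dest.items() if n >= repeat_threshold
    )
    return {
        "total": len(conns),
        "internal": len(conns) - len(external),
        "external": len(external),
        "external_destinations": {f"{ip}:{port}/{proto}": n
                                  for (ip, port, proto), n in sorted(by_dest.items())},
        "unusual_external_ports": unusual_ports,
        "repeated_external_destinations": [f"{ip}:{port}/{proto}"
                                           for ip, port, proto in repeated],
        # Tag (contain) when an unexpected port or a repeated external
        # destination is present; otherwise acknowledge may be enough.
        "recommend_tag": bool(unusual_ports or repeated),
    }


# Constructed records in the shape of action_result.data.* above; not real data.
SAMPLE_CONNECTIONS = [
    {"time": "2024-01-01T00:00:01Z", "src_hostname": "ws-01", "src_ip": "10.1.2.3",
     "src_port": 51234, "dest_hostname": "", "dest_ip": "203.0.113.10",
     "dest_port": 443, "proto": "tcp"},
    {"time": "2024-01-01T00:00:31Z", "src_hostname": "ws-01", "src_ip": "10.1.2.3",
     "src_port": 51240, "dest_hostname": "", "dest_ip": "203.0.113.10",
     "dest_port": 443, "proto": "tcp"},
    {"time": "2024-01-01T00:01:05Z", "src_hostname": "ws-01", "src_ip": "10.1.2.3",
     "src_port": 51251, "dest_hostname": "fs-01", "dest_ip": "10.1.2.50",
     "dest_port": 445, "proto": "tcp"},
    {"time": "2024-01-01T00:02:40Z", "src_hostname": "ws-01", "src_ip": "10.1.2.3",
     "src_port": 51262, "dest_hostname": "", "dest_ip": "198.51.100.7",
     "dest_port": 8443, "proto": "tcp"},
]

if __name__ == "__main__":
    print(triage_connections(SAMPLE_CONNECTIONS))
```

The `repeated_external_destinations` list is a coarse signal only; real beaconing detection would look at the `time` field intervals, which this example leaves as an exercise because the data path gives it as a string whose exact format you should confirm on your own instance.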