Darktrace's Enterprise Immune System is a threat detection and defense capability based on unsupervised machine learning and probabilistic mathematics. It works by building a unique behavioral model for every user and device across the enterprise and analyzing the relationships between them.
This document provides information about the Darktrace connector, which facilitates automated interactions with a Darktrace server using FortiSOAR™ playbooks. Add the Darktrace connector as a step in FortiSOAR™ playbooks to perform automated operations such as adding a domain, hostname, or IP address to, or removing one from, Darktrace's internal watch list.
Connector Version: 1.1.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Darktrace Versions: 3.0 and later
The following enhancements have been made to the Darktrace Connector in version 1.1.0:
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the Darktrace connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the Darktrace server to which you will connect and perform the automated operations. |
API Public Token | Public token of the Darktrace server to which you will connect and perform the automated operations. |
API Private Token | Private token of the Darktrace server to which you will connect and perform the automated operations. |
Time difference (minutes) from Darktrace Server Time | Offset, in minutes, applied to the current time that the connector passes to the Darktrace API, to compensate for clock or timezone differences between the FortiSOAR™ host and the Darktrace server (default = 0). For example, 29 adds 29 minutes to the time and -29 subtracts 29 minutes. Note: A time difference of up to 30 minutes is allowed. |
Verify SSL | Specifies whether the SSL certificate of the server is to be verified. By default, this option is set to True. |
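The public token, private token and time-difference setting fit together as follows. The code below is an added example, not the connector's own code: it models Darktrace's token-based request signing as an HMAC over the request path, the public token and a timestamp, keyed with the private token. The header names, the string format, the SHA-1 choice and the placeholder endpoint path are assumptions to check against the Darktrace API guide for your version. It shows why a host clock that is off by more than the 30-minute window makes a correctly signed request fail, and how the time-difference parameter compensates.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed signing scheme, modelled on Darktrace's token-based API authentication
# (confirm the exact string format against the Darktrace API guide for your version):
# the client sends the public token, a UTC timestamp and an HMAC-SHA1 over
# "<request path>\n<public token>\n<timestamp>" keyed with the private token.
DATE_FORMAT = "%Y%m%dT%H%M%S"
MAX_SKEW_MINUTES = 30  # tolerance stated in the connector configuration table


def signed_date(now: datetime, offset_minutes: int = 0) -> str:
    """Timestamp placed in the request, shifted by the connector's
    'Time difference (minutes)' setting (positive adds, negative subtracts)."""
    return (now + timedelta(minutes=offset_minutes)).strftime(DATE_FORMAT)


def sign_request(request_uri: str, public_token: str, private_token: str, date: str) -> dict:
    """Client side: build the authentication headers for one API call."""
    message = f"{request_uri}\n{public_token}\n{date}".encode()
    signature = hmac.new(private_token.encode(), message, hashlib.sha1).hexdigest()
    return {"DTAPI-Token": public_token, "DTAPI-Date": date, "DTAPI-Signature": signature}


def within_tolerance(client_date: str, server_now: datetime,
                     max_skew_minutes: int = MAX_SKEW_MINUTES) -> bool:
    """Is the signed timestamp within the server's allowed clock-skew window?"""
    client = datetime.strptime(client_date, DATE_FORMAT).replace(tzinfo=timezone.utc)
    return abs((server_now - client).total_seconds()) <= max_skew_minutes * 60


def verify_request(headers: dict, request_uri: str, private_token: str,
                   server_now: datetime) -> bool:
    """Server side: recompute the HMAC (constant-time compare), then check skew.
    A stale timestamp fails even when the signature is valid, which is the
    failure the time-difference parameter exists to avoid."""
    expected = sign_request(request_uri, headers["DTAPI-Token"], private_token,
                            headers["DTAPI-Date"])["DTAPI-Signature"]
    if not hmac.compare_digest(expected, headers["DTAPI-Signature"]):
        return False
    return within_tolerance(headers["DTAPI-Date"], server_now)


def demo_clock_skew() -> dict:
    """Constructed scenario: the FortiSOAR host clock is 45 minutes behind the
    Darktrace server, beyond the 30-minute window. Returns the verification
    result keyed by the offset configured in the connector, plus a forged case."""
    server_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    client_now = server_now - timedelta(minutes=45)
    public, private = "example-public-token", "example-private-token"  # constructed values
    uri = "/example/endpoint"  # placeholder path, not a documented Darktrace endpoint
    results = {}
    for offset in (0, 45):
        headers = sign_request(uri, public, private, signed_date(client_now, offset))
        results[offset] = verify_request(headers, uri, private, server_now)
    forged = sign_request(uri, public, "not-the-private-token", signed_date(client_now, 45))
    results["forged"] = verify_request(forged, uri, private, server_now)
    return results


if __name__ == "__main__":
    print(demo_clock_skew())  # {0: False, 45: True, 'forged': False}
```

With the offset left at 0 the signed timestamp is 45 minutes stale and the request is refused even though the HMAC is valid; setting the parameter to 45 brings it inside the window. Fixing the host clock (NTP) is the real remedy; the parameter is a workaround for cases where that is not possible.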
The following automated operations can be included in playbooks, and from FortiSOAR™ release 4.10.0 onwards you can also use the annotations to access the operations:
Function | Description | Annotation and Category |
---|---|---|
Add To Watch List | Adds external domains, hostnames, or IP addresses to Darktrace's internal watch list. You can add multiple domains, hostnames, or IP addresses at a time, using the csv or list format. | add_to_list Containment |
Remove From Watch List | Removes an external domain, hostname, or IP address from Darktrace's internal watch list. | remove_from_list Remediation |
Get Watch List | Retrieves a list of indicators from a watch list. | get_watchlist Investigation |
Input parameters for the Add To Watch List operation:
Parameter | Description |
---|---|
Domain/Hostname/IP Address (In CSV / In List) | Domain(s), hostname(s), or IP address(es) that you want to add to Darktrace's internal watch list. You can add multiple domains, hostnames, or IP addresses at a time, using the CSV or list format. |
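Because this parameter accepts either a comma-separated string or a list, a playbook step typically normalizes the value before the connector sends it. The function below is an added example, not the connector's own code: it accepts both forms, trims and case-folds each entry, removes duplicates, and separates well-formed domains, hostnames and IP addresses from entries (URLs, CIDR ranges, malformed names) that are better reported back as the reason for failure than silently dropped. The validation rules are the example's own assumptions, not Darktrace's.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple, Union

# One DNS label: 1-63 chars of letters, digits or hyphens, not starting or ending
# with a hyphen (RFC 1123 hostnames; underscores deliberately rejected).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(value: str) -> str:
    """Return 'ip' or 'hostname' for a well-formed indicator; raise ValueError otherwise."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if not value or len(value) > 253:
        raise ValueError(f"empty or over-long hostname: {value!r}")
    labels = value.split(".")
    if all(_LABEL.match(label) for label in labels):
        return "hostname"
    # URLs, CIDR ranges, paths and other non-indicator strings end up here
    raise ValueError(f"not a domain, hostname or IP address: {value!r}")


def normalize_indicators(raw: Union[str, Iterable[str]]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Accept the CSV string or the list form of the parameter and return
    (accepted, rejected): accepted is de-duplicated and order-preserving,
    rejected pairs each bad entry with the reason to report in the Error message."""
    items = raw.split(",") if isinstance(raw, str) else list(raw)
    seen = set()
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    for item in items:
        value = str(item).strip().lower().rstrip(".")  # trim, case-fold, drop trailing dot
        if not value:
            continue  # blank cell from a trailing or doubled comma
        try:
            classify(value)
        except ValueError as exc:
            rejected.append((value, str(exc)))
            continue
        if value not in seen:
            seen.add(value)
            accepted.append(value)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed input in each of the two formats the connector accepts
    print(normalize_indicators("evil.example, 10.0.0.1,EVIL.EXAMPLE,,http://bad.example/x"))
    print(normalize_indicators(["2001:db8::1", "c2.example.", "-nope.example", "192.168.0.0/24"]))
```

Feeding only the accepted list to the connector keeps the watch list free of unusable entries, and the rejected pairs give the analyst the same kind of reason-for-failure detail the operation's Error output carries.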
The JSON output returns a Success message if the domain(s), hostname(s), or IP address(es) are added to Darktrace's internal watch list, or an Error message containing the reason for failure.
The following image displays a sample output:
Input parameters for the Remove From Watch List operation:
Parameter | Description |
---|---|
Domain/Hostname/IP Address | Domain, hostname, or IP address that you want to remove from Darktrace's internal watch list. |
The JSON output returns a Success message if the domain, hostname, or IP address is removed from Darktrace's internal watch list, or an Error message containing the reason for failure.
The following image displays a sample output:
The Get Watch List operation takes no input parameters.
The JSON output returns the list of indicators currently on the watch list.
The following image displays a sample output:
The Sample-Darktrace-1.1.0 playbook collection comes bundled with the Darktrace connector. This collection contains playbooks with steps for every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Darktrace connector.
Note: If you plan to use any of the sample playbooks in your environment, clone them and move the clones to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.