Fortinet Document Library

About the connector

Darktrace's Enterprise Immune System, the company's flagship threat detection and defense capability, is based on unsupervised machine learning and probabilistic mathematics. Darktrace works by creating unique behavioral models for every user and device across the enterprise and analyzing the relationships between them.

This document provides information about the Darktrace connector, which facilitates automated interactions with a Darktrace server using FortiSOAR™ playbooks. Add the Darktrace connector as a step in FortiSOAR™ playbooks to perform automated operations, such as adding a domain, hostname, or IP address to Darktrace's internal watch list, or removing one from it.

 

Version information

Connector Version: 1.1.0

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with Darktrace Versions: 3.0 and later

 

Release Notes for version 1.1.0

The following enhancements have been made to the Darktrace Connector in version 1.1.0:

  • Enhanced the Add To Watch List operation so that you can add multiple domains, hostnames, or IP addresses at a time, in CSV or list format.

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL of the Darktrace server to which you will connect and perform the automated operations, and the API public and private tokens that grant access to that server.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the Darktrace connector and click Configure to configure the following parameters:

 

Parameter | Description
Server URL | URL of the Darktrace server to which you will connect and perform the automated operations.
API Public Token | Public token of the Darktrace server to which you will connect and perform the automated operations.
API Private Token | Private token that pairs with the public token for access to that server. Treat it as a secret: anyone holding both tokens can modify the watch list.
Time difference (minutes) from Darktrace Server Time | Adjusts the current time passed to the Darktrace API (default=0) to allow for clock or timezone differences between FortiSOAR™ and the Darktrace server; for example, 29 adds 29 minutes to the time and -29 subtracts 29 minutes. Note: a difference of up to 30 minutes is allowed.
Verify SSL | Specifies whether the Darktrace server's SSL/TLS certificate is verified. By default, this option is set to True. Leave it enabled: with verification disabled, anything on the network path can impersonate the server and intercept API traffic.
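To see why the time-difference setting and the token pair matter, the following added Python example (not code from the connector, FortiSOAR™, or Darktrace) builds the signed headers a client sends and models the server's acceptance check. The header names, the date format and the HMAC-SHA1 signing string follow Darktrace's published REST API guide and are not stated on this page; the token values, the /intelfeed path and the constructed clock values are this example's own assumptions. The 30-minute window is the one stated in the table above.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumptions (from Darktrace's published REST API guide, not from this page):
# every request carries DTAPI-Token (the public token), DTAPI-Date (UTC time as
# %Y%m%dT%H%M%S) and DTAPI-Signature, an HMAC-SHA1 over
# "<path and query>\n<public token>\n<DTAPI-Date>" keyed with the private token.
DATE_FMT = "%Y%m%dT%H%M%S"
MAX_SKEW = timedelta(minutes=30)  # the window the connector documentation says is allowed


def dtapi_date(now: datetime, offset_minutes: int = 0) -> str:
    """Render DTAPI-Date after applying the connector's 'time difference' setting."""
    return (now + timedelta(minutes=offset_minutes)).strftime(DATE_FMT)


def sign_request(private_token: str, public_token: str, path: str, date: str) -> str:
    """Signature the client attaches; the private token itself never leaves the client."""
    message = f"{path}\n{public_token}\n{date}".encode("ascii")
    return hmac.new(private_token.encode("ascii"), message, hashlib.sha1).hexdigest()


def build_headers(public_token: str, private_token: str, path: str,
                  client_now: datetime, offset_minutes: int = 0) -> dict:
    """Headers FortiSOAR would send for one API call, using the client's own clock."""
    date = dtapi_date(client_now, offset_minutes)
    return {
        "DTAPI-Token": public_token,
        "DTAPI-Date": date,
        "DTAPI-Signature": sign_request(private_token, public_token, path, date),
    }


def server_check(headers: dict, path: str, private_token: str,
                 server_now: datetime) -> tuple:
    """Model of the server's acceptance test: fresh timestamp, then a valid signature.

    The window is checked first so the reason stays visible when troubleshooting;
    a real server may report both failures as a single authentication error.
    """
    sent = datetime.strptime(headers["DTAPI-Date"], DATE_FMT).replace(tzinfo=timezone.utc)
    if abs(server_now - sent) > MAX_SKEW:
        return False, "DTAPI-Date outside the allowed window (clock skew)"
    expected = sign_request(private_token, headers["DTAPI-Token"], path, headers["DTAPI-Date"])
    if not hmac.compare_digest(expected, headers["DTAPI-Signature"]):
        return False, "signature mismatch (wrong private token or altered request)"
    return True, "accepted"


# Constructed sample values; the path is illustrative only.
PUBLIC, PRIVATE = "public-token-example", "private-token-example"
PATH = "/intelfeed"
SERVER_NOW = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Situations an operator runs into; returns (accepted, reason) for each."""
    in_sync = build_headers(PUBLIC, PRIVATE, PATH, SERVER_NOW)
    # FortiSOAR clock 45 minutes behind the appliance: rejected unless corrected
    # with the connector's time-difference setting.
    behind = SERVER_NOW - timedelta(minutes=45)
    uncorrected = build_headers(PUBLIC, PRIVATE, PATH, behind)
    corrected = build_headers(PUBLIC, PRIVATE, PATH, behind, offset_minutes=45)
    return {
        "in_sync": server_check(in_sync, PATH, PRIVATE, SERVER_NOW),
        "uncorrected": server_check(uncorrected, PATH, PRIVATE, SERVER_NOW),
        "corrected": server_check(corrected, PATH, PRIVATE, SERVER_NOW),
        # A captured signature replayed against a different path fails the signature check.
        "replayed_to_other_path": server_check(
            in_sync, "/intelfeed?removeentry=true", PRIVATE, SERVER_NOW),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:24} {'OK ' if ok else 'REJ'} {reason}")
```

The offset does not need to match the server exactly; it only has to bring the timestamp back inside the window. If requests fail with authentication errors only some of the time, compare the FortiSOAR™ and appliance clocks before suspecting the tokens.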

 

 

Actions supported by the connector

The following automated operations can be included in playbooks, and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function | Description | Annotation and Category
Add To Watch List | Adds external domains, hostnames, or IP addresses to Darktrace's internal watch list. You can add multiple entries at a time, in CSV or list format. | add_to_list, Containment
Remove From Watch List | Removes an external domain, hostname, or IP address from Darktrace's internal watch list. | remove_from_list, Remediation
Get Watch List | Retrieves the list of indicators on the watch list. | get_watchlist, Investigation

 

operation: Add To Watch List

Input parameters

 

Parameter | Description
Domain/Hostname/IP Address (In CSV / In List) | Domain(s), hostname(s), or IP address(es) that you want to add to Darktrace's internal watch list. You can add multiple entries at a time, in CSV or list format.
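This input is where indicators enter a containment list, so it is worth validating before the playbook calls the API. The following added Python example (not part of the connector or of Darktrace) accepts both input shapes the operation allows, a CSV string or a list, then normalizes and deduplicates the entries, classifies each as IP address, hostname, or domain, and rejects anything that is not a bare name or address (URLs, CIDR ranges, host:port). The hostname/domain distinction used here (single label versus dotted name), the sample indicators and the function names are this example's own conventions. The same checks apply to the single entry passed to Remove From Watch List.

```python
import csv
import ipaddress
import re
from io import StringIO
from typing import Iterable, List, Tuple, Union

# One DNS label (RFC 1123 host form): letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def normalize_entries(value: Union[str, Iterable[str]]) -> List[str]:
    """Accept a CSV string or a list and return trimmed, lower-cased, deduplicated entries."""
    if isinstance(value, str):
        # csv.reader handles quoted commas and multi-line CSV; flatten all rows.
        items = [cell for row in csv.reader(StringIO(value)) for cell in row]
    else:
        items = list(value)
    seen, out = set(), []
    for raw in items:
        entry = raw.strip().lower().rstrip(".")  # drop whitespace and a trailing FQDN dot
        if entry and entry not in seen:
            seen.add(entry)
            out.append(entry)
    return out


def classify(entry: str) -> str:
    """Return 'ip', 'hostname' (single label) or 'domain' (dotted name); raise ValueError otherwise."""
    try:
        ipaddress.ip_address(entry)
        return "ip"
    except ValueError:
        pass  # not an IPv4/IPv6 address; fall through to the name checks
    if "/" in entry or ":" in entry or "@" in entry:
        raise ValueError("looks like a URL, CIDR range or host:port; pass a bare name or IP")
    labels = entry.split(".")
    if len(entry) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid hostname or domain")
    return "hostname" if len(labels) == 1 else "domain"


def prepare_watchlist_input(value: Union[str, Iterable[str]]) -> Tuple[dict, List[Tuple[str, str]]]:
    """Split the operation's input into accepted entries by type and rejected entries with reasons.

    Only the accepted entries should be forwarded to the Add To Watch List step;
    rejected ones belong in the playbook's output so an analyst can see what was dropped.
    """
    accepted = {"ip": [], "hostname": [], "domain": []}
    rejected = []
    for entry in normalize_entries(value):
        try:
            accepted[classify(entry)].append(entry)
        except ValueError as exc:
            rejected.append((entry, str(exc)))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input mixing the CSV form, case differences, a duplicate,
    # stray whitespace and two entries that must not reach the watch list.
    sample = "Evil.example.com, 203.0.113.7 ,evil.example.com,not a host,http://x.example"
    ok, bad = prepare_watchlist_input(sample)
    print("accepted:", ok)
    print("rejected:", bad)
```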

 

Output

The JSON output returns a Success message if the domain(s), hostname(s), or IP address(es) are added to Darktrace's internal watch list, or an Error message containing the reason for failure.

[Image: Sample output of the Add To Watch List operation]

 

operation: Remove From Watch List

Input parameters

 

Parameter | Description
Domain/Hostname/IP Address | Domain, hostname, or IP address that you want to remove from Darktrace's internal watch list.

 

Output

The JSON output returns a Success message if the domain, hostname, or IP address is removed from Darktrace's internal watch list, or an Error message containing the reason for failure.

[Image: Sample output of the Remove From Watch List operation]

 

operation: Get Watch List

Input parameters

None.

Output

The JSON output returns the list of indicators currently on the watch list.

[Image: Sample output of the Get Watch List operation]

 

Included playbooks

The Sample-Darktrace-1.1.0 playbook collection comes bundled with the Darktrace connector. This collection contains playbooks with steps that demonstrate all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Darktrace connector.

  • Add To Watch List
  • Remove From Watch List
  • Get Watch List

Note: If you plan to use any of the sample playbooks in your environment, clone them and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.

 
