Darktrace, the flagship threat detection and defense capability of the Enterprise Immune System, is based on unsupervised machine learning and probabilistic mathematics. It works by creating unique behavioral models for every user and device across the enterprise and analyzing the relationships between them.
This document provides information about the Darktrace connector, which facilitates automated interactions with a Darktrace server using FortiSOAR™ playbooks. Add the Darktrace connector as a step in FortiSOAR™ playbooks and perform automated operations, such as adding or removing a domain, hostname, or IP address from Darktrace's internal watch list.
Connector Version: 1.2.0
FortiSOAR™ Version Tested on: 7.2.0-914
Darktrace version tested on: 5.2.11 (a6d707)
Authored By: Fortinet
Certified: Yes
The following enhancements have been made to the Darktrace Connector in version 1.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-darktrace
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Darktrace connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | The URL of the Darktrace server to which you will connect and perform the automated operations. |
| API Public Token | The public token of the Darktrace server to which you will connect and perform the automated operations. |
| API Private Token | The private key of the Darktrace server to which you will connect and perform the automated operations. |
| Time difference (minutes) from Darktrace Server Time | Modifies the current time passed to the Darktrace API (default=0) to allow for clock or timezone differences between FortiSOAR™ and the Darktrace server; e.g., 29 adds 29 minutes to the time, and -29 subtracts 29 minutes. Note: A time difference of up to 30 minutes is allowed. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
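The three values above (public token, private token, time offset) are what every connector call is authenticated with. As an added illustration that is not the connector's own code, the following Python shows how a request is signed under the HMAC scheme described in Darktrace's public API documentation: the public token travels in a header, the private token is used only as the HMAC key and is never sent, and the timestamp is shifted by the configured offset and bounded to the 30-minute window stated in the table. The header names (`DTAPI-Token`, `DTAPI-Date`, `DTAPI-Signature`), the `YYYYMMDDTHHMMSS` date format and the `path\npublic\ndate` message layout come from that published scheme, not from this page, and the token values are constructed placeholders.

```python
import datetime as dt
import hashlib
import hmac

# Constructed placeholder credentials for this example; not real tokens.
PUBLIC_TOKEN = "examplePublicToken"
PRIVATE_TOKEN = "examplePrivateToken"

# Fixed clock so the example is reproducible (constructed value).
FIXED_NOW = dt.datetime(2023, 1, 1, 12, 0, 0)

# Bound stated in the configuration table: at most 30 minutes either way.
MAX_OFFSET_MINUTES = 30


def validate_time_offset(minutes: int) -> int:
    """Reject offsets outside the +/-30 minute window the connector allows."""
    if not isinstance(minutes, int) or abs(minutes) > MAX_OFFSET_MINUTES:
        raise ValueError(
            f"time offset must be between -{MAX_OFFSET_MINUTES} and "
            f"+{MAX_OFFSET_MINUTES} minutes, got {minutes!r}"
        )
    return minutes


def dtapi_date(now: dt.datetime, offset_minutes: int = 0) -> str:
    """Timestamp sent with the request, after applying the configured offset.

    Format YYYYMMDDTHHMMSS is assumed from Darktrace's published API scheme.
    """
    adjusted = now + dt.timedelta(minutes=validate_time_offset(offset_minutes))
    return adjusted.strftime("%Y%m%dT%H%M%S")


def sign_request(path_and_query: str, public_token: str,
                 private_token: str, date: str) -> str:
    """HMAC-SHA1 over "<path+query>\\n<public token>\\n<date>" keyed by the private token.

    The private token is the key only; it never appears in the request.
    """
    message = f"{path_and_query}\n{public_token}\n{date}"
    return hmac.new(private_token.encode(), message.encode(), hashlib.sha1).hexdigest()


def build_headers(path_and_query: str, public_token: str, private_token: str,
                  now: dt.datetime, offset_minutes: int = 0) -> dict:
    """Assemble the authentication headers for one API call."""
    date = dtapi_date(now, offset_minutes)
    return {
        "DTAPI-Token": public_token,
        "DTAPI-Date": date,
        "DTAPI-Signature": sign_request(path_and_query, public_token, private_token, date),
    }


if __name__ == "__main__":
    print(build_headers("/devices?did=1", PUBLIC_TOKEN, PRIVATE_TOKEN, FIXED_NOW, 29))
```

Because the signature covers the path and query string, a header set built for one call cannot be replayed against another endpoint, and because the private token is only ever an HMAC key it belongs in the connector configuration (FortiSOAR™'s credential store), never in playbook variables or playbook logs.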
The following automated operations can be included in playbooks; you can also use the annotations to access the operations:
| Function | Description | Annotation and Category |
|---|---|---|
| Add To Watch List | Adds external domains, hostnames, or IP addresses to Darktrace's internal watch list. You can add multiple domains, hostnames, or IP addresses at a time, using the CSV or list format. | add_to_list Containment |
| Remove From Watch List | Removes an external domain, hostname, or IP address from Darktrace's internal watch list. | remove_from_list Remediation |
| Get Watch List | Retrieves a list of indicators from a watch list. | get_watchlist Investigation |
| Get Incidents | Retrieves a list of all incidents or specific incidents provided by AI Analyst events based on the input parameters you have specified. | get_incidents Investigation |
| Search Query | Runs an 'Advanced Search' query on the Darktrace appliance and retrieves the results in JSON format, based on the input parameters you have specified. | search_query Investigation |
| Get Incident Comments | Retrieves current comments on an AI Analyst event based on the UUID of the event you have specified. | get_comments Investigation |
| Acknowledge Breach | Allows breaches to be acknowledged programmatically, based on the policy breach ID (PBID) you have specified. | acknowledge_breach Investigation |
| Unacknowledge Breach | Allows breaches to be unacknowledged programmatically, based on the policy breach ID (PBID) you have specified. | unacknowledge_breach Investigation |
| Get Breach Details | Retrieve the details of the model breach based on the policy breach ID (PBID) you have specified. | get_breach_details Investigation |
| Get Model Breaches | Returns a time-sorted list of model breaches from Darktrace, based on the input parameters you have specified. | get_model_breaches Investigation |
| Get Models | Retrieves a list of all models that currently exist on the Threat Visualizer, including custom models and deactivated models, based on the model UUID or Policy ID (PID) you have specified. | get_models Investigation |
| Get Components | Retrieves a list of all component parts of defined models, identified by their component ID (CID). The CID is referenced in the data attribute for model breaches. | get_components Investigation |
| Get Devices | Retrieves a list of all devices identified by Darktrace or details of a specific device for the specified time window. If you specify a Device ID (DID), then the endpoint returns the information displayed in the UI pop-up while hovering over a device. | get_devices Investigation |
| Get Similar Devices | Retrieves a list of similar devices based on the Device ID (DID) of a specific device on the network. | get_similar_devices Investigation |
| Get External Endpoint Details | Retrieves the location, IP address, and (optionally) device connection information from Darktrace for external IPs and hostnames you have specified. | get_external_endpoint_details Investigation |
| Get Device Information | Retrieves the data used in the "Connections Data" view for a specific device that can be accessed from the Threat Visualizer omnisearch based on the Device ID and other input parameters you have specified. | get_device_information Investigation |
| Get Entity Details | Returns a time-sorted list of connections and events for a device or entity (such as a SaaS credential) from Darktrace based on the input parameters you have specified. | get_entity_details Investigation |
| Get Model Breach Comments | Returns all comments across all model breaches, or for a specific model breach from Darktrace based on the input parameters you have specified. | get_mb_comments Investigation |
| Parameter | Description |
|---|---|
| Domain/Hostname/IP Address (In CSV / In List) | Domain(s), hostname(s), or IP address(es) that you want to add to Darktrace's internal watch list. You can add multiple domains, hostnames, or IP addresses at a time, using the CSV or list format. |
The JSON output returns a Success message if the domain(s), hostname(s), or IP address(es) are added to Darktrace's internal watch list, or an Error message containing the reason for failure.
The output contains the following populated JSON schema:
{
"response": "",
"added": ""
}
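Add To Watch List is a containment action, so the indicators a playbook feeds it should be checked before the call is made: a stray space, a duplicate, or a truncated IP in a CSV string becomes a silently bad entry in the watch list. The following Python, added here as an illustration and not part of the connector, accepts either of the two input forms the parameter allows (CSV string or list), normalizes and de-duplicates the values, and classifies each one as an IP address, a hostname/domain, or invalid so the playbook can stop on bad input. The classification rules (RFC-style hostname labels, `ipaddress` for IPv4/IPv6) are this example's own; the sample values are constructed.

```python
import ipaddress
import re

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing hyphen.
HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def parse_indicators(raw):
    """Accept a CSV string or a list; strip, lower-case, drop empties, de-duplicate in order."""
    items = raw.split(",") if isinstance(raw, str) else list(raw)
    seen, out = set(), []
    for item in items:
        value = str(item).strip().lower()
        if value and value not in seen:
            seen.add(value)
            out.append(value)
    return out


def classify(value):
    """Return 'ip', 'hostname' or 'invalid' for one normalized indicator."""
    try:
        ipaddress.ip_address(value)  # handles both IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if len(value) > 253:
        return "invalid"
    labels = value.rstrip(".").split(".")
    if not all(HOSTNAME_LABEL.match(label) for label in labels):
        return "invalid"
    if labels[-1].isdigit():
        # All-numeric last label: almost certainly a malformed IPv4 address, not a TLD.
        return "invalid"
    return "hostname"


def split_watchlist_input(raw):
    """Split indicators into (valid, rejected); only `valid` should reach the connector."""
    valid, rejected = [], []
    for value in parse_indicators(raw):
        (rejected if classify(value) == "invalid" else valid).append(value)
    return valid, rejected


if __name__ == "__main__":
    # Constructed sample input: mixed case, duplicates, a bad entry, a truncated IPv4.
    sample = "Evil.example, 203.0.113.5,evil.example, bad host, 2001:db8::1, 203.0.113"
    print(split_watchlist_input(sample))
```

A playbook would typically fail the step (or route to a review task) when `rejected` is non-empty rather than add the valid subset, so that a malformed indicator is noticed instead of quietly dropped.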
| Parameter | Description |
|---|---|
| Domain/Hostname/IP Address | Domain, hostname, or IP address that you want to remove from Darktrace's internal watch list. |
The JSON output returns a Success message if the domain, hostname, or IP address is removed from Darktrace's internal watch list, or an Error message containing the reason for failure.
The output contains the following populated JSON schema:
{
"response": ""
}
None.
The JSON output returns a list of indicators from a watch list.
No output schema is available at this time.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., a list of all incidents provided by AI Analyst events, is returned.
| Parameter | Description |
|---|---|
| Include Acknowledged | Select this option to include acknowledged events in the data retrieved from Darktrace. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| Locale | Select the locale, i.e., the language for strings returned by Darktrace. Currently supported locales are de_DE (German), en_GB (English UK), en_US (English US), es_ES (Spanish ES), es_419 (Spanish LATAM), fr_FR (French), ja_JP (Japanese), ko_KR (Korean), and pt_BR (Portuguese BR). |
| UUID | The unique identifier of an AI Analyst event based on which you want to retrieve incidents from Darktrace. You can specify comma-separated values. |
| Merge Events | Select this option (True by default) to aggregate multiple child events (such as cross-network incidents) into a single event while retrieving data from Darktrace. |
The output contains the following populated JSON schema:
{
"summariser": "",
"acknowledged": "",
"pinned": "",
"createdAt": "",
"attackPhases": [],
"title": "",
"id": "",
"children": [],
"category": "",
"currentGroup": "",
"groupCategory": "",
"groupScore": "",
"groupPreviousGroups": [],
"activityId": "",
"groupingIds": [],
"groupByActivity": "",
"userTriggered": "",
"externalTriggered": "",
"aiaScore": "",
"summary": "",
"periods": [
{
"start": "",
"end": ""
}
],
"breachDevices": [
{
"identifier": "",
"hostname": "",
"ip": "",
"mac": "",
"subnet": "",
"did": "",
"sid": ""
}
],
"relatedBreaches": [
{
"modelName": "",
"pbid": "",
"threatScore": "",
"timestamp": ""
}
],
"details": [
[
{
"header": "",
"contents": [
{
"key": "",
"type": "",
"values": [
{
"start": "",
"end": ""
}
]
}
]
}
]
]
}
| Parameter | Description |
|---|---|
| Time Selection | Select how the time range for the query is specified. You can choose between Absolute Time and Time Interval in Seconds. If you choose 'Absolute Time', then you must specify the following parameters: |
| Search Query | (Optional) Specify the 'Advanced Search' query to run on the Darktrace server. Note: Ensure that all double quotes are escaped. For example, @type:"ssl" AND @fields.dest_port:"443" |
| Offset | (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Size' parameter to determine how many records to retrieve starting from the offset. |
| Size | (Optional) The number of records that should be returned in a single search. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"_shards": {
"total": "",
"successful": "",
"skipped": "",
"failed": ""
},
"hits": {
"total": "",
"max_score": "",
"hits": [
{
"_index": "",
"_type": "",
"_id": "",
"_score": "",
"_source": {
"@fields": {
"orig_pkts": "",
"epochdate": "",
"orig_ttl": "",
"resp_bytes": "",
"conn_state_full": "",
"dest_port": "",
"conn_state": "",
"orig_bytes": "",
"resp_ip_bytes": "",
"history": "",
"source_port": "",
"proto": "",
"source_ip": "",
"resp_pkts": "",
"orig_ip_bytes": "",
"dest_ip": "",
"start_ts": "",
"missed_bytes_orig": "",
"uid": "",
"missed_bytes_resp": "",
"local_resp": "",
"local_orig": "",
"duration": ""
},
"@type": "",
"@timestamp": "",
"@message": "",
"@darktrace_probe": ""
},
"sort": []
}
]
},
"darktraceChildError": "",
"kibana": {
"index": [],
"per_page": "",
"time": {
"from": "",
"to": ""
},
"default_fields": []
}
}
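Two practical points in the Search Query operation are easy to get wrong in a playbook: the quoting rule (every double quote inside a query value must be escaped) and the Offset/Size pair, which only returns one page of `hits.hits` per call. The Python below, added as an example and not part of the connector, builds `@field:"value"` terms with embedded quotes and backslashes escaped, walks all pages through a `fetch(query, offset, size)` callable, and then tallies destination IP:port pairs from the `_source.@fields` structure shown in the schema above. The `fetch` callable and the hit records are constructed stand-ins for the connector call and its response.

```python
def quote_term(field, value):
    """Build one Advanced Search term, escaping backslashes and double quotes in the value."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'{field}:"{escaped}"'


def build_query(*terms, operator="AND"):
    """Join terms with a boolean operator, e.g. @type:"ssl" AND @fields.dest_port:"443"."""
    return f" {operator} ".join(terms)


def page_hits(fetch, query, size):
    """Yield every hit across pages. `fetch(query, offset, size)` returns the JSON schema above."""
    offset = 0
    while True:
        page = fetch(query, offset, size)
        hits = page.get("hits", {}).get("hits", [])
        if not hits:
            return
        yield from hits
        if len(hits) < size:  # short page means we have reached the end
            return
        offset += size


def summarize_destinations(hits):
    """Count dest_ip:dest_port pairs across hits, the usual first triage view of connection data."""
    counts = {}
    for hit in hits:
        fields = hit["_source"]["@fields"]
        key = f"{fields['dest_ip']}:{fields['dest_port']}"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample hits shaped like the schema above (only the fields used here).
SAMPLE_HITS = [
    {"_id": f"hit-{i}",
     "_source": {"@type": "ssl",
                 "@fields": {"source_ip": "10.0.0.7", "dest_ip": dest, "dest_port": "443"}}}
    for i, dest in enumerate(
        ["203.0.113.10", "203.0.113.10", "198.51.100.4", "203.0.113.10", "192.0.2.9"])
]


def fake_fetch(query, offset, size):
    """Stand-in for the connector call: serves SAMPLE_HITS one page at a time."""
    page = SAMPLE_HITS[offset:offset + size]
    return {"took": 1, "timed_out": False,
            "hits": {"total": len(SAMPLE_HITS), "max_score": 1.0, "hits": page}}


if __name__ == "__main__":
    query = build_query(quote_term("@type", "ssl"), quote_term("@fields.dest_port", "443"))
    print(query)
    print(summarize_destinations(page_hits(fake_fetch, query, size=2)))
```

Building terms through `quote_term` rather than string concatenation is what keeps a value taken from an alert (a hostname or user-agent containing a quote) from breaking the query or changing its meaning.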
| Parameter | Description |
|---|---|
| Incident ID | Specify the unique identifier for the AI Analyst event whose current comments you want to retrieve from Darktrace. Note: Only one value is supported at a time, i.e., you can specify a single UUID only for a single operation. |
The output contains the following populated JSON schema:
{
"comments": [
{
"username": "",
"time": "",
"incident_id": "",
"message": ""
}
]
}
| Parameter | Description |
|---|---|
| Policy Breach ID(PBID) | Specify the Policy Breach ID that you want to acknowledge in Darktrace. |
The output contains the following populated JSON schema:
{
"response": ""
}
| Parameter | Description |
|---|---|
| Policy Breach ID(PBID) | Specify the Policy Breach ID that you want to unacknowledge in Darktrace. |
The output contains the following populated JSON schema:
{
"response": ""
}
| Parameter | Description |
|---|---|
| Policy Breach ID(PBID) | Specify the Policy Breach ID based on which you want to retrieve the details of the model breach from Darktrace. |
The output contains the following populated JSON schema:
{
"commentCount": "",
"pbid": "",
"time": "",
"creationTime": "",
"model": {
"then": {
"name": "",
"pid": "",
"phid": "",
"uuid": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"targetScore": "",
"type": "",
"version": ""
},
"throttle": "",
"sharedEndpoints": "",
"actions": {
"alert": "",
"antigena": {},
"breach": "",
"model": "",
"setPriority": "",
"setTag": "",
"setType": ""
},
"tags": [],
"interval": "",
"delay": "",
"sequenced": "",
"active": "",
"modified": "",
"activeTimes": {
"devices": {},
"tags": {},
"type": "",
"version": ""
},
"autoUpdatable": "",
"autoUpdate": "",
"autoSuppress": "",
"description": "",
"behaviour": "",
"created": {
"by": ""
},
"edited": {
"by": ""
},
"version": "",
"priority": "",
"category": "",
"compliance": ""
},
"now": {
"name": "",
"pid": "",
"phid": "",
"uuid": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"targetScore": "",
"type": "",
"version": ""
},
"throttle": "",
"sharedEndpoints": "",
"actions": {
"alert": "",
"antigena": {},
"breach": "",
"model": "",
"setPriority": "",
"setTag": "",
"setType": ""
},
"tags": [],
"interval": "",
"delay": "",
"sequenced": "",
"active": "",
"modified": "",
"activeTimes": {
"devices": {},
"tags": {},
"type": "",
"version": ""
},
"autoUpdatable": "",
"autoUpdate": "",
"autoSuppress": "",
"description": "",
"behaviour": "",
"created": {
"by": ""
},
"edited": {
"by": ""
},
"message": "",
"version": "",
"priority": "",
"category": "",
"compliance": ""
}
},
"triggeredComponents": [
{
"time": "",
"cbid": "",
"cid": "",
"chid": "",
"size": "",
"threshold": "",
"interval": "",
"logic": {
"data": {},
"version": ""
},
"metric": {
"mlid": "",
"name": "",
"label": ""
},
"triggeredFilters": [
{
"cfid": "",
"id": "",
"filterType": "",
"arguments": {
"value": ""
},
"comparatorType": "",
"trigger": {
"value": ""
}
}
]
}
],
"score": "",
"device": {
"did": "",
"macaddress": "",
"vendor": "",
"ip": "",
"sid": "",
"hostname": "",
"firstSeen": "",
"lastSeen": "",
"typename": "",
"typelabel": "",
"credentials": []
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., a list of all model breaches, is returned.
| Parameter | Description |
|---|---|
| Device ID(DID) | Specify the identification number of a device modeled in the Darktrace system whose breach details you want to retrieve from Darktrace. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| Include Acknowledged | Select this option to include acknowledged breaches in the data retrieved from Darktrace. |
| Include Breach URL | Select this option to return a URL for the model breach in the long form of the model breach data. |
| Policy Breach ID(PBID) | Specify the Policy Breach ID if you want to return only the model breach with the specified PBID. |
| Policy ID(PID) | Specify the Policy ID if you want to return only the model breach with the specified policy ID. |
| UUID | Specify the UUID of the model if you want to return only the model breaches for the specified model. All models have a UUID and a PID. The UUID (universally unique identifier) is a 128-bit hexadecimal number. |
The output contains the following populated JSON schema:
{
"pbid": "",
"time": "",
"model": {
"now": {
"pid": "",
"name": "",
"phid": "",
"tags": [],
"uuid": "",
"delay": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"type": "",
"version": "",
"targetScore": ""
},
"active": "",
"edited": {
"by": ""
},
"actions": {
"alert": "",
"model": "",
"breach": "",
"setTag": "",
"setType": "",
"antigena": {},
"setPriority": ""
},
"created": {
"by": ""
},
"defeats": [],
"message": "",
"version": "",
"category": "",
"interval": "",
"modified": "",
"priority": "",
"throttle": "",
"behaviour": "",
"sequenced": "",
"autoUpdate": "",
"compliance": "",
"activeTimes": {
"tags": {},
"type": "",
"devices": {},
"version": ""
},
"description": "",
"autoSuppress": "",
"autoUpdatable": "",
"sharedEndpoints": ""
},
"then": {
"pid": "",
"name": "",
"phid": "",
"tags": [],
"uuid": "",
"delay": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"type": "",
"version": "",
"targetScore": ""
},
"active": "",
"edited": {
"by": ""
},
"actions": {
"alert": "",
"model": "",
"breach": "",
"setTag": "",
"setType": "",
"antigena": {},
"setPriority": ""
},
"created": {
"by": ""
},
"version": "",
"category": "",
"interval": "",
"modified": "",
"priority": "",
"throttle": "",
"behaviour": "",
"sequenced": "",
"autoUpdate": "",
"compliance": "",
"activeTimes": {
"tags": {},
"type": "",
"devices": {},
"version": ""
},
"description": "",
"autoSuppress": "",
"autoUpdatable": "",
"sharedEndpoints": ""
}
},
"score": "",
"device": {
"ip": "",
"did": "",
"ips": [
{
"ip": "",
"sid": "",
"time": "",
"timems": ""
}
],
"sid": "",
"vendor": "",
"hostname": "",
"lastSeen": "",
"typename": "",
"firstSeen": "",
"typelabel": "",
"macaddress": ""
},
"acknowledged": "",
"commentCount": "",
"creationTime": "",
"triggeredComponents": [
{
"cid": "",
"cbid": "",
"chid": "",
"size": "",
"time": "",
"logic": {},
"metric": {
"mlid": "",
"name": "",
"label": ""
},
"interval": "",
"threshold": "",
"triggeredFilters": [
{
"id": "",
"cfid": "",
"trigger": {
"value": ""
},
"arguments": {
"value": ""
},
"filterType": "",
"comparatorType": ""
}
]
}
]
}
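Get Model Breaches, Acknowledge Breach and Get Breach Details are normally chained in one playbook: pull the unacknowledged breaches, escalate the high-scoring ones, and acknowledge only breaches from models the team has explicitly classed as noise. The Python below, an added example rather than connector code, implements that triage over records shaped like the schema above (`pbid`, `score`, `acknowledged`, `model.now.name`, `device`). It assumes `score` is on a 0 to 1 scale, and the model names and breach records are constructed samples; the set of auto-acknowledge models is something each team decides, not a default.

```python
from collections import defaultdict

# Constructed sample breaches using only the schema fields this example reads.
SAMPLE_BREACHES = [
    {"pbid": 101, "score": 0.92, "acknowledged": False,
     "model": {"now": {"name": "Example::Beaconing"}},
     "device": {"did": 1, "hostname": "ws-01", "ip": "10.0.0.5"}},
    {"pbid": 102, "score": 0.20, "acknowledged": False,
     "model": {"now": {"name": "Example::New Device"}},
     "device": {"did": 2, "hostname": "", "ip": "10.0.0.6"}},
    {"pbid": 103, "score": 0.45, "acknowledged": False,
     "model": {"now": {"name": "Example::Data Sent to Rare Domain"}},
     "device": {"did": 1, "hostname": "ws-01", "ip": "10.0.0.5"}},
    {"pbid": 104, "score": 0.80, "acknowledged": True,
     "model": {"now": {"name": "Example::Beaconing"}},
     "device": {"did": 3, "hostname": "srv-02", "ip": "10.0.0.7"}},
]


def triage_breaches(breaches, escalate_score=0.7, auto_ack_models=frozenset()):
    """Sort unacknowledged breaches into escalate / acknowledge / review buckets.

    Score is checked first so a noisy model can never hide a high-scoring breach.
    """
    buckets = {"escalate": [], "acknowledge": [], "review": []}
    for breach in breaches:
        if breach.get("acknowledged"):
            continue  # already handled by an analyst
        device = breach.get("device", {})
        item = {
            "pbid": breach["pbid"],
            "model": breach.get("model", {}).get("now", {}).get("name", ""),
            "score": float(breach.get("score", 0)),
            # hostname is often empty in the response; fall back to IP, then DID
            "device": device.get("hostname") or device.get("ip") or str(device.get("did")),
        }
        if item["score"] >= escalate_score:
            buckets["escalate"].append(item)
        elif item["model"] in auto_ack_models:
            buckets["acknowledge"].append(item)
        else:
            buckets["review"].append(item)
    buckets["escalate"].sort(key=lambda i: i["score"], reverse=True)
    return buckets


def pbids_to_acknowledge(buckets):
    """PBIDs a playbook would pass to Acknowledge Breach, one call per PBID."""
    return [item["pbid"] for item in buckets["acknowledge"]]


def breaches_by_device(breaches):
    """Count open breaches per DID; several breaches on one device is itself a signal."""
    counts = defaultdict(int)
    for breach in breaches:
        if not breach.get("acknowledged"):
            counts[breach["device"]["did"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage_breaches(SAMPLE_BREACHES, auto_ack_models={"Example::New Device"})
    print(result)
    print(pbids_to_acknowledge(result))
    print(breaches_by_device(SAMPLE_BREACHES))
```

Keeping the auto-acknowledge list small and reviewing it periodically matters more than the threshold value: acknowledging a breach removes it from the analyst queue, so the list should contain only models whose breaches the team has confirmed are benign in this environment.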
| Parameter | Description |
|---|---|
| Get Models by | Select the parameter using which you want to retrieve the list of all models that currently exist on the Threat Visualizer. You can choose between UUID and PID. |
The output contains the following populated JSON schema:
{
"name": "",
"pid": "",
"phid": "",
"uuid": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"targetScore": "",
"type": "",
"version": ""
},
"throttle": "",
"sharedEndpoints": "",
"actions": {
"alert": "",
"antigena": {},
"breach": "",
"model": "",
"setPriority": "",
"setTag": "",
"setType": ""
},
"tags": [],
"interval": "",
"delay": "",
"sequenced": "",
"active": "",
"modified": "",
"activeTimes": {
"devices": {},
"tags": {},
"type": "",
"version": ""
},
"autoUpdatable": "",
"autoUpdate": "",
"autoSuppress": "",
"description": "",
"behaviour": "",
"created": {
"by": ""
},
"edited": {
"by": ""
},
"history": [
{
"modified": "",
"active": "",
"message": "",
"by": "",
"phid": ""
}
],
"message": "",
"version": "",
"priority": "",
"category": "",
"compliance": ""
}
| Parameter | Description |
|---|---|
| Component ID(CID) | The 'component id' (a unique identifier) of the model whose details you want to retrieve from Darktrace. |
The output contains the following populated JSON schema:
{
"cid": "",
"chid": "",
"mlid": "",
"threshold": "",
"interval": "",
"logic": {},
"filters": [
{
"id": "",
"cfid": "",
"cfhid": "",
"filtertype": "",
"comparator": "",
"arguments": {
"value": ""
}
}
],
"active": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., a list of all devices identified by Darktrace, is returned.
| Parameter | Description |
|---|---|
| Device ID(DID) | Specify the identification number of a device modeled in the Darktrace system whose details you want to retrieve from Darktrace. |
| IP | IP of the device model in the Darktrace system whose details you want to retrieve from Darktrace. |
| Seen Since | Specify the relative offset for activity, i.e., only devices with activity in the specified time period are returned from Darktrace. The 'seensince' string is either a number representing the number of seconds before the current time, or a number with a modifier such as second, minute, hour, day, or week (minimum=1 second). |
| MAC | Specify the MAC address of the device whose details you want to retrieve from Darktrace. |
| Subnet ID(SID) | Specify the identification number of a subnet modeled in the Darktrace system that contains the device whose details you want to retrieve from Darktrace. |
| Count | Specify the maximum number of devices to return. This only limits the number of devices within the current timeframe. |
| Include Tags | Select this option to include tags applied to the device in the response. |
The output contains the following populated JSON schema:
{
"id": "",
"did": "",
"sid": "",
"time": "",
"endtime": "",
"devicelabel": "",
"typename": "",
"typelabel": ""
}
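Since every Get Devices parameter is optional and an empty call returns every device, a playbook should build the parameter set explicitly and normalize the 'Seen Since' value before the call. The Python below is an added example, not connector code: it converts a 'seensince' string in either form described above into whole seconds (the plain-seconds form the operation always accepts), enforces the 1-second minimum, and assembles a parameter dictionary that omits anything unset. The exact spelling of the modifiers it accepts (`second`, `minute`, `hour`, `day`, `week`, with an optional plural `s` and optional space) and the parameter key names other than those abbreviated on this page (`did`, `ip`, `mac`, `sid`, `count`, `seensince`) are this example's assumptions.

```python
import re

UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}

# "<number>" or "<number>[ ]<unit>[s]"; the accepted spelling is an assumption of this example.
SEENSINCE = re.compile(r"^\s*(\d+)\s*(second|minute|hour|day|week)?s?\s*$", re.IGNORECASE)


def seensince_to_seconds(value):
    """Normalize a 'seensince' string to whole seconds, enforcing the 1-second minimum."""
    match = SEENSINCE.match(str(value))
    if not match:
        raise ValueError(f"unrecognised seensince value: {value!r}")
    unit = (match.group(2) or "second").lower()
    seconds = int(match.group(1)) * UNIT_SECONDS[unit]
    if seconds < 1:
        raise ValueError("seensince must be at least 1 second")
    return seconds


def build_devices_params(did=None, ip=None, seensince=None, mac=None,
                         sid=None, count=None, include_tags=None):
    """Assemble the Get Devices parameters, dropping anything not set.

    'include_tags' is a hypothetical key name for the Include Tags option.
    """
    params = {"did": did, "ip": ip, "mac": mac, "sid": sid,
              "count": count, "include_tags": include_tags}
    if seensince is not None:
        params["seensince"] = seensince_to_seconds(seensince)
    if not any(v is not None for v in params.values()):
        raise ValueError("refusing an unfiltered Get Devices call; set at least one parameter")
    return {k: v for k, v in params.items() if v is not None}


if __name__ == "__main__":
    print(build_devices_params(sid=4, seensince="2 hours", count=50))
```

Refusing the empty parameter set is a deliberate choice for an automated step: a playbook that silently enumerates every device on a large network usually indicates a variable that failed to resolve upstream.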
| Parameter | Description |
|---|---|
| Device ID(DID) | Specify the Device ID (unique identifier) of a specific device on the network, based on which you want to retrieve similar devices from Darktrace |
| Count | Specify the maximum number of devices to return. This only limits the number of devices within the current timeframe. |
| Full Device Details | Select this option to return the full device detail objects for all devices referenced by data in the API response. |
No output schema is available at this time.
| Parameter | Description |
|---|---|
| Get Endpoints by | Select the parameter using which you want to retrieve external endpoint details. You can choose between IP Address and Hostname. |
| Score | Select this option to return rarity data for the endpoints in the response. |
| Devices | Select this option to return a list of devices that have recently connected to the endpoint in the response. |
The output contains the following populated JSON schema:
Output schema when you choose "Get Endpoints by" as "IP Address" and select "Devices":
{
"ip": "",
"firsttime": "",
"country": "",
"asn": "",
"city": "",
"region": "",
"name": "",
"longitude": "",
"latitude": "",
"devices": [
{
"did": "",
"macaddress": "",
"vendor": "",
"ip": "",
"ips": [
{
"ip": "",
"timems": "",
"time": "",
"sid": ""
}
],
"sid": "",
"firstSeen": "",
"lastSeen": "",
"os": "",
"typename": "",
"typelabel": ""
}
]
}
Output schema when you choose "Get Endpoints by" as "IP Address" without selecting "Devices":
{
"ip": "",
"firsttime": "",
"country": "",
"asn": "",
"city": "",
"region": "",
"name": "",
"longitude": "",
"latitude": ""
}
Output schema when you choose "Get Endpoints by" as "Hostname" and select "Devices":
{
"hostname": "",
"firsttime": "",
"devices": [
{
"did": "",
"macaddress": "",
"vendor": "",
"ip": "",
"ips": [
{
"ip": "",
"timems": "",
"time": "",
"sid": ""
}
],
"sid": "",
"firstSeen": "",
"lastSeen": "",
"os": "",
"typename": "",
"typelabel": ""
}
]
}
Output schema when you choose "Get Endpoints by" as "Hostname" without selecting "Devices":
{
"hostname": "",
"firsttime": ""
}
| Parameter | Description |
|---|---|
| Device ID(DID) | Specify the identification number of a device modeled in the Darktrace system whose details you want to retrieve from Darktrace. |
| Data Type | Select the type of data you want to retrieve for the specified device from Darktrace. You can choose between Connections (co), Data Size Out (sizeout), or Data Size In (sizein). |
| External Domain | Specify the domain name based on which you want to filter external domains for devices whose details you want to retrieve from Darktrace. |
| Full Device Details | Select this option to return the full device detail objects for all devices referenced by data in an API response. The use of this parameter alters the JSON structure of the API response for certain calls. |
| Show All Graph Data | Select this option to return an entry for all time intervals in the graph data, including zero counts. |
| Similar Devices | Specify the number of similar devices whose details you want to retrieve from Darktrace. This parameter returns data for the primary device and the specified number of similar devices. |
| Port | Specify the port number if you want to restrict the returned connection data to the port you have specified. |
| Interval Hours | Specify the size in hours used to group the returned time series data. |
The output contains the following populated JSON schema:
Output schema when you choose "Show All Graph Data" as "true":
{
"deviceInfo": [
{
"did": "",
"similarityScore": "",
"graphData": [
{
"time": "",
"count": ""
}
],
"info": {
"totalUsed": "",
"totalServed": "",
"totalDevicesAndPorts": "",
"devicesAndPorts": [
{
"deviceAndPort": {
"direction": "",
"device": "",
"port": ""
},
"size": ""
}
],
"portsUsed": [
{
"port": "",
"size": "",
"firstTime": ""
}
],
"portsServed": [
{
"port": "",
"size": ""
}
],
"devicesUsed": [
{
"did": "",
"size": "",
"firstTime": ""
}
],
"devicesServed": [
{
"did": "",
"size": ""
}
]
}
}
]
}
Output schema when you choose "Show All Graph Data" as "false":
{
"deviceInfo": [
{
"did": "",
"similarityScore": "",
"graphData": [],
"info": {
"totalUsed": "",
"totalServed": "",
"totalDevicesAndPorts": "",
"devicesAndPorts": [
{
"deviceAndPort": {
"direction": "",
"device": "",
"port": ""
},
"size": ""
}
],
"portsUsed": [
{
"port": "",
"size": "",
"firstTime": ""
}
],
"portsServed": [
{
"port": "",
"size": ""
}
],
"devicesUsed": [
{
"did": "",
"size": "",
"firstTime": ""
}
],
"devicesServed": [
{
"did": "",
"size": ""
}
]
}
}
]
}
This is the default output schema:
{
"deviceInfo": [
{
"did": "",
"similarityScore": "",
"graphData": [
{
"time": "",
"count": ""
}
],
"info": {
"totalUsed": "",
"totalServed": "",
"totalDevicesAndPorts": "",
"devicesAndPorts": [
{
"deviceAndPort": {
"direction": "",
"device": "",
"port": ""
},
"size": ""
}
],
"portsUsed": [
{
"port": "",
"size": "",
"firstTime": ""
}
],
"portsServed": [
{
"port": "",
"size": ""
}
],
"devicesUsed": [
{
"did": "",
"size": "",
"firstTime": ""
}
],
"devicesServed": [
{
"did": "",
"size": ""
}
]
}
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Device ID(DID) | Specify the identification number of a device modeled in the Darktrace system whose entity details you want to retrieve from Darktrace. |
| Application Protocol | Specify the application protocol using which you want to filter data returned by this operation. |
| Destination Device ID(DDID) | Specify the identification number of a destination device modeled in the Darktrace system using which you want to filter data returned by this operation. |
| Deduplicate | Select this option to display only one equivalent connection per hour. |
| Port | Specify the port number if you want to filter the returned data by source or destination port. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace. |
| Event Type | Specifies a type of event whose details you want to retrieve from Darktrace. You can specify the following values: connection, unusualconnection, newconnection, notice, devicehistory, or modelbreach. |
| External Hostname | Specify an external hostname whose details you want to retrieve from Darktrace. |
| Full Device Details | Select this option to return the full device detail objects for all devices referenced by data in an API response. The use of this parameter alters the JSON structure of the API response for certain calls. |
| Offset | The offset value retrieves a subset of records that starts from the offset value. |
| Count | Specify the maximum number of items to return. Note: The 'Count' parameter is ignored when the 'Start' time parameter is used. |
The output contains the following populated JSON schema:
{
"uid": "",
"ddid": "",
"port": "",
"sdid": "",
"time": "",
"graph": "",
"action": "",
"source": "",
"timems": "",
"protocol": "",
"direction": "",
"eventType": "",
"graphtitle": "",
"sourcePort": "",
"destination": "",
"sourceDevice": {
"id": "",
"ip": "",
"did": "",
"ips": [
{
"ip": "",
"sid": "",
"time": "",
"timems": ""
}
],
"sid": "",
"time": "",
"hostname": "",
"typename": "",
"typelabel": "",
"macaddress": ""
},
"destinationPort": "",
"destinationDevice": {
"id": "",
"ip": "",
"did": "",
"ips": [
{
"ip": "",
"sid": "",
"time": "",
"timems": ""
}
],
"sid": "",
"time": "",
"typename": "",
"typelabel": ""
},
"applicationprotocol": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., comments across all model breaches, is returned.
| Parameter | Description |
|---|---|
| Policy Breach ID(PBID) | Specify the Policy Breach ID to retrieve comments for the model breach with the specified ID from Darktrace. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace. |
| Count | Specify the maximum number of comments to return. This only limits the number of comments within the current timeframe. By default, it is set to 100. Note: The 'Count' parameter is ignored when the 'Start' time parameter is used. |
The output contains the following populated JSON schema:
{
"time": "",
"pbid": "",
"username": "",
"message": "",
"pid": "",
"name": ""
}
The Sample - Darktrace - 1.2.0 playbook collection comes bundled with the Darktrace connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Darktrace connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.
Darktrace, which is Enterprise Immune System’s flagship threat detection and defense capability, is based on unsupervised machine learning and probabilistic mathematics. Darktrace works by creating unique behavioral models for every user and device across the enterprises and analyzing the relationships between them.
This document provides information about the Darktrace connector, which facilitates automated interactions, with a Darktrace server using FortiSOAR™playbooks. Add the Darktrace connector as a step in FortiSOAR™playbooks and perform automated operations, such as adding or removing a domain, hostname, or IP address from Darktrace's internal watchlist.
Connector Version: 1.2.0
FortiSOAR™ Version Tested on: 7.2.0-914
Darktrace version tested on: 5.2.11 (a6d707)
Authored By: Fortinet
Certified: Yes
Following enhancements have been made to the Darktrace Connector in version 1.2.0:
Use the Content Hub to install the connector. For the detailed procedure to install a connector, click here.
You can also use the following yum command as a root user to install connectors from an SSH session:
yum install cyops-connector-darktrace
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Content Hub (or Connector Store) page, click the Manage tab, and then click the Darktrace connector card. On the connector popup, click the Configurations tab to enter the required configuration details:
| Parameter | Description |
|---|---|
| Server URL | The URL of the Darktrace server to which you will connect and perform the automated operations. |
| API Public Token | The public token of the Darktrace server to which you will connect and perform the automated operations. |
| API Private Token | The private key of the Darktrace server to which you will connect and perform the automated operations. |
| Time difference (minutes) from Darktrace Server Time | Allows you to modify the current time passed (default=0) to the Darktrace API to allow for timezone differences, e.g., passing 29 will add 29 minutes to the time, and -29 will take off 29 minutes. Note: The time difference of 30 minutes time is allowed. |
| Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations
| Function | Description | Annotation and Category |
|---|---|---|
| Add To Watch List | Adds external domains, hostnames, or IP addresses to Darktrace's internal watch list. You can add multiple domains, hostnames, or IP addresses at a time, using the CSV or list format. | add_to_list Containment |
| Remove From Watch List | Removes an external domain, hostname, or IP address from Darktrace's internal watch list. | remove_from_list Remediation |
| Get Watch List | Retrieves a list of indicators from a watch list. | get_watchlist Investigation |
| Get Incidents | Retrieves a list of all incidents or specific incidents provided by AI Analyst events based on the input parameters you have specified. | get_incidents Investigation |
| Search Query | Retrieves 'Advanced Search' data, which can be queried and returned in JSON format from the Darktrace appliance, based on the input parameters you have specified. | search_query Investigation |
| Get Incident Comments | Retrieves current comments on an AI Analyst event based on the UUID of the event you have specified. | get_comments Investigation |
| Acknowledge Breach | Allows breaches to be acknowledged programmatically, based on the policy breach ID (PBID) you have specified. | acknowledge_breach Investigation |
| Unacknowledge Breach | Allows breaches to be unacknowledged programmatically, based on the policy breach ID (PBID) you have specified. | unacknowledge_breach Investigation |
| Get Breach Details | Retrieves the details of the model breach based on the policy breach ID (PBID) you have specified. | get_breach_details Investigation |
| Get Model Breaches | Returns a time-sorted list of model breaches from Darktrace, based on the input parameters you have specified. | get_model_breaches Investigation |
| Get Models | Retrieves a list of all models that currently exist on the Threat Visualizer, including custom models and deactivated models, based on the model's UUID or Policy ID (PID) you have specified. | get_models Investigation |
| Get Components | Retrieves a list of all component parts of defined models, identified by their component ID (CID). The CID is referenced in the data attribute for model breaches. | get_components Investigation |
| Get Devices | Retrieves a list of all devices identified by Darktrace or details of a specific device for the specified time window. If you specify a Device ID (DID), then the endpoint returns the information displayed in the UI pop-up while hovering over a device. | get_devices Investigation |
| Get Similar Devices | Retrieves a list of similar devices based on the Device ID (DID) of a specific device on the network. | get_similar_devices Investigation |
| Get External Endpoint Details | Retrieves the location, IP address, and (optionally) device connection information from Darktrace for external IPs and hostnames you have specified. | get_external_endpoint_details Investigation |
| Get Device Information | Retrieves the data used in the "Connections Data" view for a specific device that can be accessed from the Threat Visualizer omnisearch based on the Device ID and other input parameters you have specified. | get_device_information Investigation |
| Get Entity Details | Returns a time-sorted list of connections and events for a device or entity (such as a SaaS credential) from Darktrace based on the input parameters you have specified. | get_entity_details Investigation |
| Get Model Breach Comments | Returns all comments across all model breaches, or for a specific model breach from Darktrace based on the input parameters you have specified. | get_mb_comments Investigation |
| Parameter | Description |
|---|---|
| Domain/Hostname/IP Address (In CSV / In List) | Domain(s), hostname(s), or IP address(es) that you want to add to Darktrace's internal watch list. You can add multiple domains, hostnames, or IP addresses at a time, using the CSV or list format. |
The JSON output returns a Success message if the domain(s), hostname(s), or IP address(es) are added to Darktrace's internal watch list, or an Error message containing the reason for failure.
The output contains the following populated JSON schema:
{
"response": "",
"added": ""
}
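A helper for the CSV / list input form of this operation, added here as an example and not part of the connector: it trims, lowercases and de-duplicates the entries, rejects anything that is neither an IP address nor a syntactically valid hostname, and flags internal (RFC 1918, loopback, link-local, ULA) addresses, which cannot be external endpoints. The function names, the hostname rule, the URL/port stripping and the internal-range list are this example's own assumptions.

```python
"""Normalise the Domain/Hostname/IP Address input of Add To Watch List.

Added example for this page, not code from the FortiSOAR Darktrace
connector. Assumptions: the playbook hands over either a CSV string or a
list; the hostname rule, the URL/port stripping and the internal-range
check (entries that cannot be external endpoints) are this example's own.
"""
import ipaddress
import re
from typing import Iterable, List, Tuple, Union

# RFC 1123 style label: 1-63 chars of [a-z0-9-], no leading/trailing '-'.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Address space that is never an *external* endpoint (assumption: RFC 1918,
# loopback, link-local and IPv6 ULA); such entries are flagged, not pushed.
_INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]


def _parse_ip(value: str):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def _is_hostname(value: str) -> bool:
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def _clean(item: str) -> str:
    """Lowercase and strip a pasted scheme, path, port or IPv6 brackets."""
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", item.strip(), flags=re.I)
    value = value.split("/", 1)[0].lower()
    if value.startswith("[") and "]" in value:
        value = value[1:value.index("]")]                  # [2001:db8::1]:443
    elif value.count(":") == 1 and value.rsplit(":", 1)[1].isdigit():
        value = value.rsplit(":", 1)[0]                    # host:port
    return value


def normalise_watchlist_input(
    raw: Union[str, Iterable[str]],
) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted, rejected); rejected holds (value, reason) pairs.

    Accepts the CSV form ("a.example.com, 198.51.100.7") or the list form,
    de-duplicates while preserving order, and keeps only values that are an
    external IP address or a syntactically valid hostname/domain.
    """
    items = raw.split(",") if isinstance(raw, str) else [str(i) for i in raw]
    accepted: List[str] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for item in items:
        value = _clean(item)
        if not value or value in seen:
            continue
        seen.add(value)
        ip = _parse_ip(value)
        if ip is not None:
            if any(ip in net for net in _INTERNAL):
                rejected.append((value, "internal address, not an external endpoint"))
            else:
                accepted.append(value)
        elif _is_hostname(value):
            accepted.append(value)
        else:
            rejected.append((value, "not a valid hostname, domain or IP address"))
    return accepted, rejected
```

Feed the accepted list to the operation's list-form input and surface the rejected pairs in the playbook so an analyst can see what was dropped and why.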
| Parameter | Description |
|---|---|
| Domain/Hostname/IP Address | Domain, hostname, or IP address that you want to remove from Darktrace's internal watch list. |
The JSON output returns a Success message if the domain, hostname, or IP address is removed from Darktrace's internal watch list, or an Error message containing the reason for failure.
The output contains the following populated JSON schema:
{
"response": ""
}
None.
The JSON output returns a list of indicators from a watch list.
No output schema is available at this time.
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., a list of all incidents provided by AI Analyst events, is returned.
| Parameter | Description |
|---|---|
| Include Acknowledged | Select this option to include acknowledged events in the data retrieved from Darktrace. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| Locale | Select the locale, i.e., the language for strings returned from Darktrace. Currently supported locales are de_DE (German), en_GB (English UK), en_US (English US), es_ES (Spanish ES), es_419 (Spanish LATAM), fr_FR (French), ja_JP (Japanese), ko_KR (Korean), and pt_BR (Portuguese BR). |
| UUID | The unique identifier of an AI Analyst event based on which you want to retrieve incidents from Darktrace. You can specify comma-separated values. |
| Merge Events | Select this option (True by default) to aggregate multiple child events (such as cross-network incidents) into a single event while retrieving data from Darktrace. |
The output contains the following populated JSON schema:
{
"summariser": "",
"acknowledged": "",
"pinned": "",
"createdAt": "",
"attackPhases": [],
"title": "",
"id": "",
"children": [],
"category": "",
"currentGroup": "",
"groupCategory": "",
"groupScore": "",
"groupPreviousGroups": [],
"activityId": "",
"groupingIds": [],
"groupByActivity": "",
"userTriggered": "",
"externalTriggered": "",
"aiaScore": "",
"summary": "",
"periods": [
{
"start": "",
"end": ""
}
],
"breachDevices": [
{
"identifier": "",
"hostname": "",
"ip": "",
"mac": "",
"subnet": "",
"did": "",
"sid": ""
}
],
"relatedBreaches": [
{
"modelName": "",
"pbid": "",
"threatScore": "",
"timestamp": ""
}
],
"details": [
[
{
"header": "",
"contents": [
{
"key": "",
"type": "",
"values": [
{
"start": "",
"end": ""
}
]
}
]
}
]
]
}
| Parameter | Description |
|---|---|
| Time Selection | Select how the time window for retrieving data from the Darktrace server is specified. You can choose between Absolute Time and Time Interval in Seconds. If you choose 'Absolute Time', then you must specify the following parameters: |
| Search Query | (Optional) Specify the 'Advanced Search' search query using which you want to search for data on the Darktrace server. Note: Ensure that all double quotes are escaped. For example, @type:"ssl" AND @fields.dest_port:"443" |
| Offset | (Optional) The offset value retrieves a subset of records that starts from the offset value. The offset works with the 'Size' parameter to determine how many records to retrieve starting from the offset. |
| Size | (Optional) The number of records that should be returned in a single search. |
The output contains the following populated JSON schema:
{
"took": "",
"timed_out": "",
"_shards": {
"total": "",
"successful": "",
"skipped": "",
"failed": ""
},
"hits": {
"total": "",
"max_score": "",
"hits": [
{
"_index": "",
"_type": "",
"_id": "",
"_score": "",
"_source": {
"@fields": {
"orig_pkts": "",
"epochdate": "",
"orig_ttl": "",
"resp_bytes": "",
"conn_state_full": "",
"dest_port": "",
"conn_state": "",
"orig_bytes": "",
"resp_ip_bytes": "",
"history": "",
"source_port": "",
"proto": "",
"source_ip": "",
"resp_pkts": "",
"orig_ip_bytes": "",
"dest_ip": "",
"start_ts": "",
"missed_bytes_orig": "",
"uid": "",
"missed_bytes_resp": "",
"local_resp": "",
"local_orig": "",
"duration": ""
},
"@type": "",
"@timestamp": "",
"@message": "",
"@darktrace_probe": ""
},
"sort": []
}
]
},
"darktraceChildError": "",
"kibana": {
"index": [],
"per_page": "",
"time": {
"from": "",
"to": ""
},
"default_fields": []
}
}
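An added example (not the connector's code) of building an 'Advanced Search' query in the form shown above, with quotes inside values escaped so an alert-derived value cannot alter the query, and of paging through the took/hits output using the Offset and Size parameters. The run_search function and its events are a constructed stand-in for the connector step; the field-name check and the handling of a {"value": n} total are assumptions.

```python
"""Build an 'Advanced Search' query and page through Search Query results.

Added example for this page, not the FortiSOAR Darktrace connector's own
code. The query form follows the page's example
(@type:"ssl" AND @fields.dest_port:"443"); paging assumes the documented
Offset/Size semantics and the took/timed_out/hits output schema. run_search
and its events are a constructed stand-in for the connector step.
"""
import re
from typing import Any, Callable, Dict, Iterator, List

# Assumption: field names look like @type or @fields.dest_port.
_FIELD = re.compile(r"^@?[A-Za-z0-9_.]+$")
SSL_443_QUERY = '@type:"ssl" AND @fields.dest_port:"443"'


def build_query(terms: Dict[str, Any], operator: str = "AND") -> str:
    """Join field:"value" pairs with AND or OR. Each value is quoted and has
    backslashes and double quotes escaped, so a value lifted from an alert
    (which may itself contain quotes) cannot break out of its term and
    change the meaning of the query."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be AND or OR")
    parts: List[str] = []
    for field, value in terms.items():
        if not _FIELD.match(field):
            raise ValueError(f"unexpected field name: {field!r}")
        text = str(value).replace("\\", "\\\\").replace('"', '\\"')
        parts.append(f'{field}:"{text}"')
    return f" {operator} ".join(parts)


def _total_hits(page: Dict[str, Any]) -> int:
    """hits.total is a number in the documented schema; the newer
    Elasticsearch {"value": n} shape is tolerated as well (assumption)."""
    total = page.get("hits", {}).get("total", 0)
    if isinstance(total, dict):
        total = total.get("value", 0)
    return int(total or 0)


def iter_hits(run_search: Callable[[str, int, int], Dict[str, Any]], query: str,
              size: int = 100, max_pages: int = 50) -> Iterator[Dict[str, Any]]:
    """Yield every hit for `query`, advancing Offset by Size until the reported
    total is reached or a short page comes back; max_pages guards against
    looping forever on a backend that keeps returning full pages."""
    offset = 0
    for _ in range(max_pages):
        page = run_search(query, offset, size)
        if page.get("timed_out"):
            raise RuntimeError(f"search timed out at offset {offset}")
        hits = page.get("hits", {}).get("hits") or []
        yield from hits
        offset += len(hits)
        if not hits or len(hits) < size or offset >= _total_hits(page):
            return
    raise RuntimeError(f"gave up after {max_pages} pages")


# Constructed stand-in for the connector's Search Query step: seven ssl
# events to port 443, served in pages shaped like the documented output.
SAMPLE_EVENTS = [
    {"_index": "logstash-constructed", "_type": "ssl", "_id": f"evt-{i}", "_score": 1.0,
     "_source": {"@type": "ssl", "@timestamp": f"2024-01-01T00:00:{i:02d}Z",
                 "@fields": {"source_ip": f"192.168.10.{10 + i}", "dest_ip": "198.51.100.20",
                             "dest_port": 443, "proto": "tcp", "uid": f"C{i}"}}}
    for i in range(7)
]


def run_search(query: str, offset: int, size: int) -> Dict[str, Any]:
    matching = SAMPLE_EVENTS if query == SSL_443_QUERY else []
    chunk = matching[offset:offset + size]
    return {"took": 3, "timed_out": False,
            "hits": {"total": len(matching), "max_score": 1.0, "hits": chunk}}


def source_ips_for(query: str, size: int = 3) -> List[str]:
    """Distinct source IPs across all pages of results, in first-seen order."""
    seen: List[str] = []
    for hit in iter_hits(run_search, query, size=size):
        ip = hit["_source"]["@fields"]["source_ip"]
        if ip not in seen:
            seen.append(ip)
    return seen
```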
| Parameter | Description |
|---|---|
| Incident ID | Specify the unique identifier for the AI Analyst event whose current comments you want to retrieve from Darktrace. Note: Only one value is supported at a time, i.e., you can specify a single UUID only for a single operation. |
The output contains the following populated JSON schema:
{
"comments": [
{
"username": "",
"time": "",
"incident_id": "",
"message": ""
}
]
}
| Parameter | Description |
|---|---|
| Policy Breach ID (PBID) | Specify the Policy Breach ID that you want to acknowledge in Darktrace. |
The output contains the following populated JSON schema:
{
"response": ""
}
| Parameter | Description |
|---|---|
| Policy Breach ID (PBID) | Specify the Policy Breach ID that you want to unacknowledge in Darktrace. |
The output contains the following populated JSON schema:
{
"response": ""
}
| Parameter | Description |
|---|---|
| Policy Breach ID (PBID) | Specify the Policy Breach ID based on which you want to retrieve the details of the model breach from Darktrace. |
The output contains the following populated JSON schema:
{
"commentCount": "",
"pbid": "",
"time": "",
"creationTime": "",
"model": {
"then": {
"name": "",
"pid": "",
"phid": "",
"uuid": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"targetScore": "",
"type": "",
"version": ""
},
"throttle": "",
"sharedEndpoints": "",
"actions": {
"alert": "",
"antigena": {},
"breach": "",
"model": "",
"setPriority": "",
"setTag": "",
"setType": ""
},
"tags": [],
"interval": "",
"delay": "",
"sequenced": "",
"active": "",
"modified": "",
"activeTimes": {
"devices": {},
"tags": {},
"type": "",
"version": ""
},
"autoUpdatable": "",
"autoUpdate": "",
"autoSuppress": "",
"description": "",
"behaviour": "",
"created": {
"by": ""
},
"edited": {
"by": ""
},
"version": "",
"priority": "",
"category": "",
"compliance": ""
},
"now": {
"name": "",
"pid": "",
"phid": "",
"uuid": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"targetScore": "",
"type": "",
"version": ""
},
"throttle": "",
"sharedEndpoints": "",
"actions": {
"alert": "",
"antigena": {},
"breach": "",
"model": "",
"setPriority": "",
"setTag": "",
"setType": ""
},
"tags": [],
"interval": "",
"delay": "",
"sequenced": "",
"active": "",
"modified": "",
"activeTimes": {
"devices": {},
"tags": {},
"type": "",
"version": ""
},
"autoUpdatable": "",
"autoUpdate": "",
"autoSuppress": "",
"description": "",
"behaviour": "",
"created": {
"by": ""
},
"edited": {
"by": ""
},
"message": "",
"version": "",
"priority": "",
"category": "",
"compliance": ""
}
},
"triggeredComponents": [
{
"time": "",
"cbid": "",
"cid": "",
"chid": "",
"size": "",
"threshold": "",
"interval": "",
"logic": {
"data": {},
"version": ""
},
"metric": {
"mlid": "",
"name": "",
"label": ""
},
"triggeredFilters": [
{
"cfid": "",
"id": "",
"filterType": "",
"arguments": {
"value": ""
},
"comparatorType": "",
"trigger": {
"value": ""
}
}
]
}
],
"score": "",
"device": {
"did": "",
"macaddress": "",
"vendor": "",
"ip": "",
"sid": "",
"hostname": "",
"firstSeen": "",
"lastSeen": "",
"typename": "",
"typelabel": "",
"credentials": []
}
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., a list of all model breaches, is returned.
| Parameter | Description |
|---|---|
| Device ID (DID) | Specify the identification number of a device modeled in the Darktrace system whose breach details you want to retrieve from Darktrace. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace, relative to midnight January 1st, 1970 UTC. |
| Include Acknowledged | Select this option to include acknowledged breaches in the data retrieved from Darktrace. |
| Include Breach URL | Select this option to return a URL for the model breach in the long form of the model breach data. |
| Policy Breach ID (PBID) | Specify the Policy Breach ID if you want to return only the model breach with the specified PBID. |
| Policy ID (PID) | Specify the Policy ID if you want to return only the model breaches with the specified policy ID. |
| UUID | Specify the UUID of the model if you want to return only the model breaches for the specified model. All models have a UUID and a PID. The UUID (universally unique identifier) is a 128-bit hexadecimal number. |
The output contains the following populated JSON schema:
{
"pbid": "",
"time": "",
"model": {
"now": {
"pid": "",
"name": "",
"phid": "",
"tags": [],
"uuid": "",
"delay": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"type": "",
"version": "",
"targetScore": ""
},
"active": "",
"edited": {
"by": ""
},
"actions": {
"alert": "",
"model": "",
"breach": "",
"setTag": "",
"setType": "",
"antigena": {},
"setPriority": ""
},
"created": {
"by": ""
},
"defeats": [],
"message": "",
"version": "",
"category": "",
"interval": "",
"modified": "",
"priority": "",
"throttle": "",
"behaviour": "",
"sequenced": "",
"autoUpdate": "",
"compliance": "",
"activeTimes": {
"tags": {},
"type": "",
"devices": {},
"version": ""
},
"description": "",
"autoSuppress": "",
"autoUpdatable": "",
"sharedEndpoints": ""
},
"then": {
"pid": "",
"name": "",
"phid": "",
"tags": [],
"uuid": "",
"delay": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"type": "",
"version": "",
"targetScore": ""
},
"active": "",
"edited": {
"by": ""
},
"actions": {
"alert": "",
"model": "",
"breach": "",
"setTag": "",
"setType": "",
"antigena": {},
"setPriority": ""
},
"created": {
"by": ""
},
"version": "",
"category": "",
"interval": "",
"modified": "",
"priority": "",
"throttle": "",
"behaviour": "",
"sequenced": "",
"autoUpdate": "",
"compliance": "",
"activeTimes": {
"tags": {},
"type": "",
"devices": {},
"version": ""
},
"description": "",
"autoSuppress": "",
"autoUpdatable": "",
"sharedEndpoints": ""
}
},
"score": "",
"device": {
"ip": "",
"did": "",
"ips": [
{
"ip": "",
"sid": "",
"time": "",
"timems": ""
}
],
"sid": "",
"vendor": "",
"hostname": "",
"lastSeen": "",
"typename": "",
"firstSeen": "",
"typelabel": "",
"macaddress": ""
},
"acknowledged": "",
"commentCount": "",
"creationTime": "",
"triggeredComponents": [
{
"cid": "",
"cbid": "",
"chid": "",
"size": "",
"time": "",
"logic": {},
"metric": {
"mlid": "",
"name": "",
"label": ""
},
"interval": "",
"threshold": "",
"triggeredFilters": [
{
"id": "",
"cfid": "",
"trigger": {
"value": ""
},
"arguments": {
"value": ""
},
"filterType": "",
"comparatorType": ""
}
]
}
]
}
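An added example (not the connector's code) that flattens the breach records returned by Get Breach Details and Get Model Breaches, documented in the two schemas above, into triage rows: model, score, device and the filters that fired, with the acknowledged/score filtering a playbook would apply. The sample records are constructed; reading score as a 0 to 1 fraction and time as epoch milliseconds is this example's assumption.

```python
"""Triage helper for the Get Breach Details / Get Model Breaches output.

Added example for this page, not code from the FortiSOAR Darktrace
connector. It walks the documented shape (pbid, score, acknowledged,
model.now, device, triggeredComponents/triggeredFilters). Assumptions:
score is read as a 0 to 1 fraction, time as epoch milliseconds; the
sample records below are constructed.
"""
from typing import Any, Dict, List


def _get(obj: Dict[str, Any], *path: str, default: Any = None) -> Any:
    """Nested lookup tolerant of missing keys: _get(b, "model", "now", "name")."""
    cur: Any = obj
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def triggered_filter_lines(breach: Dict[str, Any]) -> List[str]:
    """One readable line per triggered filter: metric, filter, comparator,
    configured value and the value actually observed."""
    lines: List[str] = []
    for comp in breach.get("triggeredComponents") or []:
        metric = _get(comp, "metric", "name", default="?")
        for flt in comp.get("triggeredFilters") or []:
            lines.append("{}: {} {} {} (observed {})".format(
                metric, flt.get("filterType", "?"), flt.get("comparatorType", "?"),
                _get(flt, "arguments", "value", default="?"),
                _get(flt, "trigger", "value", default="?")))
    return lines


def summarise_breach(breach: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one breach record into the fields an analyst triages on."""
    return {
        "pbid": breach.get("pbid"),
        "time": breach.get("time") or 0,
        "model": _get(breach, "model", "now", "name"),
        "priority": _get(breach, "model", "now", "priority"),
        "category": _get(breach, "model", "now", "category"),
        "score": float(breach.get("score") or 0.0),
        "acknowledged": bool(breach.get("acknowledged")),
        "device": "{} ({})".format(_get(breach, "device", "hostname", default="unknown"),
                                   _get(breach, "device", "ip", default="?")),
        "did": _get(breach, "device", "did"),
        "filters": triggered_filter_lines(breach),
    }


def triage(breaches: List[Dict[str, Any]], min_score: float = 0.5,
           include_acknowledged: bool = False) -> List[Dict[str, Any]]:
    """Client-side counterpart of the operation's own filters: drop
    acknowledged breaches unless asked to keep them, keep score >= min_score,
    newest first (the operation itself returns a time-sorted list)."""
    rows = [summarise_breach(b) for b in breaches]
    rows = [r for r in rows
            if (include_acknowledged or not r["acknowledged"]) and r["score"] >= min_score]
    rows.sort(key=lambda r: r["time"], reverse=True)
    return rows


def _sample(pbid, time_ms, score, acknowledged, model, host, ip, filters):
    """Build one constructed record in the documented shape."""
    return {
        "pbid": pbid, "time": time_ms, "creationTime": time_ms, "score": score,
        "acknowledged": acknowledged, "commentCount": 0,
        "model": {"now": {"pid": 7, "name": model, "priority": 4,
                          "category": "Suspicious Activity"}},
        "device": {"did": 42, "hostname": host, "ip": ip, "sid": 3},
        "triggeredComponents": [{
            "cid": 9, "threshold": 1,
            "metric": {"mlid": 12, "name": "External Connections", "label": "ext"},
            "triggeredFilters": [
                {"cfid": i, "filterType": ft, "comparatorType": cmp, "arguments": {"value": v},
                 "trigger": {"value": v}} for i, (ft, cmp, v) in enumerate(filters, 1)]}],
    }


SAMPLE_BREACHES = [  # constructed, not real Darktrace output
    _sample(1001, 1700000000000, 0.82, False, "Anomalous Connection / Example",
            "ws-example-01", "192.168.1.10", [("Destination Port", "=", "445")]),
    _sample(1002, 1700003600000, 0.31, True, "Device / Example Low Score",
            "ws-example-02", "192.168.1.11", [("Direction", "=", "out")]),
    _sample(1003, 1700007200000, 0.95, False, "Anomalous File / Example High Score",
            "srv-example-03", "192.168.1.12", [("Data Transferred", ">", "500000000")]),
]
```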
| Parameter | Description |
|---|---|
| Get Models by | Select the parameter using which you want to retrieve the list of all models that currently exist on the Threat Visualizer. You can choose between UUID and PID. |
The output contains the following populated JSON schema:
{
"name": "",
"pid": "",
"phid": "",
"uuid": "",
"logic": {
"data": [
{
"cid": "",
"weight": ""
}
],
"targetScore": "",
"type": "",
"version": ""
},
"throttle": "",
"sharedEndpoints": "",
"actions": {
"alert": "",
"antigena": {},
"breach": "",
"model": "",
"setPriority": "",
"setTag": "",
"setType": ""
},
"tags": [],
"interval": "",
"delay": "",
"sequenced": "",
"active": "",
"modified": "",
"activeTimes": {
"devices": {},
"tags": {},
"type": "",
"version": ""
},
"autoUpdatable": "",
"autoUpdate": "",
"autoSuppress": "",
"description": "",
"behaviour": "",
"created": {
"by": ""
},
"edited": {
"by": ""
},
"history": [
{
"modified": "",
"active": "",
"message": "",
"by": "",
"phid": ""
}
],
"message": "",
"version": "",
"priority": "",
"category": "",
"compliance": ""
}
| Parameter | Description |
|---|---|
| Component ID (CID) | The component ID (a unique identifier) of the model component whose details you want to retrieve from Darktrace. |
The output contains the following populated JSON schema:
{
"cid": "",
"chid": "",
"mlid": "",
"threshold": "",
"interval": "",
"logic": {},
"filters": [
{
"id": "",
"cfid": "",
"cfhid": "",
"filtertype": "",
"comparator": "",
"arguments": {
"value": ""
}
}
],
"active": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., a list of all devices identified by Darktrace, is returned.
| Parameter | Description |
|---|---|
| Device ID (DID) | Specify the identification number of a device modeled in the Darktrace system whose details you want to retrieve from Darktrace. |
| IP | Specify the IP address of a device modeled in the Darktrace system whose details you want to retrieve from Darktrace. |
| Seen Since | Specify the relative offset for activity, i.e., only devices with activity in the specified time period are returned from Darktrace. The format of the 'seensince' string is either a number representing the number of seconds before the current time, or a number with a modifier such as second, minute, hour, day, or week (minimum = 1 second). |
| MAC | Specify the MAC address of the device whose details you want to retrieve from Darktrace. |
| Subnet ID (SID) | Specify the identification number of a subnet modeled in the Darktrace system that contains the device whose details you want to retrieve from Darktrace. |
| Count | Specify the maximum number of devices to return. This only limits the number of devices within the current timeframe. |
| Include Tags | Select this option to include tags applied to the device in the response. |
The output contains the following populated JSON schema:
{
"id": "",
"did": "",
"sid": "",
"time": "",
"endtime": "",
"devicelabel": "",
"typename": "",
"typelabel": ""
}
| Parameter | Description |
|---|---|
| Device ID (DID) | Specify the Device ID (unique identifier) of a specific device on the network, based on which you want to retrieve similar devices from Darktrace. |
| Count | Specify the maximum number of devices to return. This only limits the number of devices within the current timeframe. |
| Full Device Details | Select this option to return the full device detail objects for all devices referenced by data in the API response. |
No output schema is available at this time.
| Parameter | Description |
|---|---|
| Get Endpoints by | Select the parameter using which you want to retrieve external endpoint details. You can choose between IP Address and Hostname. |
| Score | Select this option to return rarity data for the endpoints in the response. |
| Devices | Select this option to return a list of devices that have recently connected to the endpoint in the response. |
The output contains the following populated JSON schema:
Output schema when you choose "Get Endpoints by" as "IP Address" (with the Devices option selected):
{
"ip": "",
"firsttime": "",
"country": "",
"asn": "",
"city": "",
"region": "",
"name": "",
"longitude": "",
"latitude": "",
"devices": [
{
"did": "",
"macaddress": "",
"vendor": "",
"ip": "",
"ips": [
{
"ip": "",
"timems": "",
"time": "",
"sid": ""
}
],
"sid": "",
"firstSeen": "",
"lastSeen": "",
"os": "",
"typename": "",
"typelabel": ""
}
]
}
Output schema when you choose "Get Endpoints by" as "IP Address" (without the Devices option):
{
"ip": "",
"firsttime": "",
"country": "",
"asn": "",
"city": "",
"region": "",
"name": "",
"longitude": "",
"latitude": ""
}
Output schema when you choose "Get Endpoints by" as "Hostname" (with the Devices option selected):
{
"hostname": "",
"firsttime": "",
"devices": [
{
"did": "",
"macaddress": "",
"vendor": "",
"ip": "",
"ips": [
{
"ip": "",
"timems": "",
"time": "",
"sid": ""
}
],
"sid": "",
"firstSeen": "",
"lastSeen": "",
"os": "",
"typename": "",
"typelabel": ""
}
]
}
Output schema when you choose "Get Endpoints by" as "Hostname" (without the Devices option):
{
"hostname": "",
"firsttime": ""
}
| Parameter | Description |
|---|---|
| Device ID (DID) | Specify the identification number of a device modeled in the Darktrace system whose details you want to retrieve from Darktrace. |
| Data Type | Select the type of data you want to retrieve for the specified device from Darktrace. You can choose between Connections (co), Data Size Out (sizeout), or Data Size In (sizein). |
| External Domain | Specify the domain name based on which you want to filter external domains for devices whose details you want to retrieve from Darktrace. |
| Full Device Details | Select this option to return the full device detail objects for all devices referenced by data in an API response. The use of this parameter alters the JSON structure of the API response for certain calls. |
| Show All Graph Data | Select this option to return an entry for all time intervals in the graph data, including zero counts. |
| Similar Devices | Specify the number of similar devices whose details you want to retrieve from Darktrace. This parameter returns data for the primary device and the specified number of similar devices. |
| Port | Specify the port number if you want to restrict the returned connection data to the port you have specified. |
| Interval Hours | Specify the size in hours used to group the returned time series data. |
The output contains the following populated JSON schema:
Output schema when you choose "Show All Graph Data" as "true":
{
"deviceInfo": [
{
"did": "",
"similarityScore": "",
"graphData": [
{
"time": "",
"count": ""
}
],
"info": {
"totalUsed": "",
"totalServed": "",
"totalDevicesAndPorts": "",
"devicesAndPorts": [
{
"deviceAndPort": {
"direction": "",
"device": "",
"port": ""
},
"size": ""
}
],
"portsUsed": [
{
"port": "",
"size": "",
"firstTime": ""
}
],
"portsServed": [
{
"port": "",
"size": ""
}
],
"devicesUsed": [
{
"did": "",
"size": "",
"firstTime": ""
}
],
"devicesServed": [
{
"did": "",
"size": ""
}
]
}
}
]
}
Output schema when you choose "Show All Graph Data" as "false":
{
"deviceInfo": [
{
"did": "",
"similarityScore": "",
"graphData": [],
"info": {
"totalUsed": "",
"totalServed": "",
"totalDevicesAndPorts": "",
"devicesAndPorts": [
{
"deviceAndPort": {
"direction": "",
"device": "",
"port": ""
},
"size": ""
}
],
"portsUsed": [
{
"port": "",
"size": "",
"firstTime": ""
}
],
"portsServed": [
{
"port": "",
"size": ""
}
],
"devicesUsed": [
{
"did": "",
"size": "",
"firstTime": ""
}
],
"devicesServed": [
{
"did": "",
"size": ""
}
]
}
}
]
}
This is the default output schema:
{
"deviceInfo": [
{
"did": "",
"similarityScore": "",
"graphData": [
{
"time": "",
"count": ""
}
],
"info": {
"totalUsed": "",
"totalServed": "",
"totalDevicesAndPorts": "",
"devicesAndPorts": [
{
"deviceAndPort": {
"direction": "",
"device": "",
"port": ""
},
"size": ""
}
],
"portsUsed": [
{
"port": "",
"size": "",
"firstTime": ""
}
],
"portsServed": [
{
"port": "",
"size": ""
}
],
"devicesUsed": [
{
"did": "",
"size": "",
"firstTime": ""
}
],
"devicesServed": [
{
"did": "",
"size": ""
}
]
}
}
]
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list is returned.
| Parameter | Description |
|---|---|
| Device ID (DID) | Specify the identification number of a device modeled in the Darktrace system whose entity details you want to retrieve from Darktrace. |
| Application Protocol | Specify the application protocol using which you want to filter data returned by this operation. |
| Destination Device ID (DDID) | Specify the identification number of a destination device modeled in the Darktrace system using which you want to filter data returned by this operation. |
| Deduplicate | Select this option to display only one equivalent connection per hour. |
| Port | Specify the port number if you want to filter the returned data by source or destination port. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace. |
| Event Type | Specifies a type of event whose details you want to retrieve from Darktrace. You can specify the following values: connection, unusualconnection, newconnection, notice, devicehistory, or modelbreach. |
| External Hostname | Specify an external hostname whose details you want to retrieve from Darktrace. |
| Full Device Details | Select this option to return the full device detail objects for all devices referenced by data in an API response. The use of this parameter alters the JSON structure of the API response for certain calls. |
| Offset | The offset value retrieves a subset of records that starts from the offset value. |
| Count | Specify the maximum number of items to return. Note: The 'Count' parameter is ignored when the 'Start' time parameter is used. |
The output contains the following populated JSON schema:
{
"uid": "",
"ddid": "",
"port": "",
"sdid": "",
"time": "",
"graph": "",
"action": "",
"source": "",
"timems": "",
"protocol": "",
"direction": "",
"eventType": "",
"graphtitle": "",
"sourcePort": "",
"destination": "",
"sourceDevice": {
"id": "",
"ip": "",
"did": "",
"ips": [
{
"ip": "",
"sid": "",
"time": "",
"timems": ""
}
],
"sid": "",
"time": "",
"hostname": "",
"typename": "",
"typelabel": "",
"macaddress": ""
},
"destinationPort": "",
"destinationDevice": {
"id": "",
"ip": "",
"did": "",
"ips": [
{
"ip": "",
"sid": "",
"time": "",
"timems": ""
}
],
"sid": "",
"time": "",
"typename": "",
"typelabel": ""
},
"applicationprotocol": ""
}
Note: All the input parameters are optional. However, if you do not specify any parameter, then no filter criterion is applied, and an unfiltered list, i.e., comments across all model breaches, is returned.
| Parameter | Description |
|---|---|
| Policy Breach ID (PBID) | Specify the Policy Breach ID to retrieve comments for the model breach with the specified ID from Darktrace. |
| Start Time | Specify the start time from when you want to retrieve data from Darktrace. |
| End Time | Specify the end time till when you want to retrieve data from Darktrace. |
| Count | Specify the maximum number of comments to return. This only limits the number of comments within the current timeframe. By default, it is set to 100. Note: The 'Count' parameter is ignored when the 'Start' time parameter is used. |
The output contains the following populated JSON schema:
{
"time": "",
"pbid": "",
"username": "",
"message": "",
"pid": "",
"name": ""
}
The Sample - Darktrace - 1.2.0 playbook collection comes bundled with the Darktrace connector. These playbooks contain steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Darktrace connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted when the connector is upgraded or deleted.