Darktrace AI Analyst
This Integration is part of the Darktrace Pack.#
Supported versions
Supported Cortex XSOAR versions: 6.6.0 and later.
Darktrace is a Cyber AI platform for threat detection and response across cloud, email, industrial, and the network. This integration was integrated and tested with version 6.0.0 of Darktrace
Configure Darktrace on Cortex XSOAR#
- Navigate to Settings > Integrations > Servers & Services.
- Search for Darktrace.
- Click Add instance to create and configure a new integration instance.
| Parameter | Description | Required |
|---|---|---|
| url | Server URL (e.g. https://example.net\) | True |
| isFetch | Fetch incidents | False |
| insecure | Trust any certificate (not secure) | False |
| proxy | Use system proxy settings | False |
| public_api_token | Public API Token | True |
| private_api_token | Private API Token | True |
| min_score | Minimum Score | True |
| max_alerts | Maximum Model Breaches per Fetch | False |
| first_fetch | First fetch time | False |
- Click Test to validate the URLs, token, and connection.
Commands#
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
darktrace-get-ai-analyst-incident-event#
Returns all AI Analyst incident events
Base Command#
darktrace-get-ai-analyst-incident-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| eventId | Unique identified of an AI Analyst incident event | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Darktrace.AIAnalyst.eventId | Unknown | AIAnalyst unique identifier |
| Darktrace.AIAnalyst.title | String | AIAnalyst event title |
| Darktrace.AIAnalyst.mitreTactics | Unknown | AIAnalyst mitre tactics seen on event |
| Darktrace.AIAnalyst.score | Unknown | group score for ai analyst incident |
| Darktrace.AIAnalyst.category | String | group category for ai analyst incident |
| Darktrace.AIAnalyst.summary | String | AIAnalyst event summary |
| Darktrace.AIAnalyst.groupId | Unknown | unique identifier for event Id |
| Darktrace.AIAnalyst.devices | Unknown | Associated devices with incident event |
| Darktrace.AIAnalyst.modelBreaches | Unknown | Associated model breaches with event Id |
darktrace-get-comments-for-ai-analyst-incident-event#
Returns all Darktrace Comments for a given Incident Event
Base Command#
darktrace-get-comments-for-ai-analyst-incident-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| eventId | Unique identified of an AI Analyst incident event | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Darktrace.AIAnalyst.incidet_id | Number | Incident event unique identifier |
| Darktrace.AIAnalyst.message | String | Posted message |
| Darktrace.AIAnalyst.eventId | String | Unique event identifier |
| Darktrace.AIAnalyst.time | String | Message post timestamp |
| Darktrace.AIAnalyst.username | String | Darktrace username of posting user |
darktrace-post-comment-to-ai-analyst-incident-event#
Post comment to an AI Analyst Incident Event.
Base Command#
darktrace-post-comment-to-ai-analyst-incident-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| eventId | Unique identified of an AI Analyst incident event | Required |
| comment | Enter a message to comment | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Darktrace.AIAnalyst.commented | String | Whether the incident is commented in Darktrace |
| Darktrace.AIAnalyst.response | String | Post command response |
| Darktrace.AIAnalyst.eventId | String | Unique event identifier |
| Darktrace.AIAnalyst.message | String | Message to be commented |
darktrace-acknowledge-ai-analyst-incident-event#
Acknowledges an AI Analyst Incident Event
Base Command#
darktrace-acknowledge-ai-analyst-incident-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| eventId | Unique identified of an AI Analyst incident event | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Darktrace.AIAnalyst.acknowledged | String | Whether the incident is acknowledge in Darktrace |
| Darktrace.AIAnalyst.response | String | Post response comment |
| Darktrace.AIAnalyst.eventId | String | incident event unique identifier |
darktrace-unacknowledge-ai-analyst-incident-event#
Unacknowledges an AI Analyst Incident Event
Base Command#
darktrace-unacknowledge-ai-analyst-incident-event
Input#
| Argument Name | Description | Required |
|---|---|---|
| eventId | Unique identified of an AI Analyst incident event | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Darktrace.AIAnalyst.unacknowledged | String | Whether the incident is acknowledge in Darktrace |
| Darktrace.AIAnalyst.response | String | Post response comment |
| Darktrace.AIAnalyst.eventId | String | incident event unique identifier |
darktrace-get-ai-analyst-incident-group-from-eventId#
Pulls all linked events for a given event. Over time, events can become merged with one another. This happens when two sets of disparate activity are suddenly linked by shared factors.
Base Command#
darktrace-get-ai-analyst-incident-group-from-eventId
Input#
| Argument Name | Description | Required |
|---|---|---|
| eventId | Unique identified of an AI Analyst incident event | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Darktrace.AIAnalyst.groupId | String | Investigation Group Unique Identifier |
| Darktrace.AIAnalyst.incidentEvents | Unknown | Associated events |
| Darktrace.AIAnalyst.mitreTactics | Unknown | Associated Mitre Tactics seen on incident |
| Darktrace.AIAnalyst.groupScore | Number | Group score |
| Darktrace.AIAnalyst.groupCategory | String | Group category |