
Darktrace ASM

This Integration is part of the DarktraceASM Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

Darktrace is a Cyber AI platform for threat detection and response across cloud, email, industrial and network environments. This integration was integrated and tested with version 6.0.0 of Darktrace.

Configure Darktrace ASM in Cortex#

| Parameter | Description | Required |
| --- | --- | --- |
| url | Server URL (e.g. https://example.net) | True |
| isFetch | Fetch incidents | False |
| insecure | Trust any certificate (not secure) | False |
| api_token | API Token | True |
| alert_type | Incident types to fetch | False |
| min_severity | Minimum Risk severity to fetch | False |
| max_alerts | Maximum Risks per fetch | False |
| first_fetch | First fetch time | False |

Leave `insecure` unset in production: it disables TLS certificate verification, so the API token would be presented to whatever answers at the configured server URL.

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

darktrace-asm-get-risk#


Returns the Risk object associated with the given Risk ID.

Base Command#

darktrace-asm-get-risk

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| risk_id | Darktrace ASM Risk ID | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.risk | dict | Darktrace Risk object. |
| Darktrace.risk.asset | dict | Darktrace ASM Asset object associated with the given Risk. |
| Darktrace.risk.asset.brand | string | Brand of associated Asset. |
| Darktrace.risk.asset.tags | list | List of Tags associated with Asset. |
| Darktrace.risk.asset.id | string | Asset ID. |
| Darktrace.risk.asset.updatedAt | timestamp | Last time Asset was updated. |
| Darktrace.risk.asset.securityrating | string | Security rating of Asset. |
| Darktrace.risk.asset.isMalicious | boolean | Malicious state of the Asset. |
| Darktrace.risk.asset.createdAt | timestamp | Time Asset was created. |
| Darktrace.risk.asset.state | string | State of Asset. |
| Darktrace.risk.comments | dict | Dictionary of comments by comment ID. |
| Darktrace.risk.description | string | Description of Risk. |
| Darktrace.risk.endedAt | timestamp | End time of Risk. |
| Darktrace.risk.evidence | string | Evidence gathered indicating the Risk. |
| Darktrace.risk.id | string | Risk ID. |
| Darktrace.risk.mitigatedAt | timestamp | Mitigation time of Risk. |
| Darktrace.risk.proposedAction | string | Recommended action to solve Risk. |
| Darktrace.risk.securityRating | string | Security rating of Risk. |
| Darktrace.risk.startedAt | timestamp | Start time of Risk. |
| Darktrace.risk.title | string | Name of Risk. |
| Darktrace.risk.type | string | Type of Risk. |

Command Example#

!darktrace-asm-get-risk risk_id=Umlza1R5cGU6MTE5Nzc=

Context Example#

```json
{
  "risk": {
    "id": "Umlza1R5cGU6MTE5Nzc=",
    "type": "SSL",
    "startedAt": "2022-05-27T18:38:45.439551+00:00",
    "endedAt": "2023-06-07T09:59:49.344739+00:00",
    "title": "HSTS header missing",
    "description": "The HSTS header enforces users to always visit your website through SSL, after their first visit.",
    "evidence": "No HSTS header present.",
    "proposedAction": "Turn on the HSTS header, read more on https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html",
    "asset": {
      "id": "QXBwbGljYXRpb25UeXBlOjIyNjg0",
      "state": "Unconfirmed",
      "brand": "Darktrace",
      "createdAt": "2022-05-27 14:18:24.264958+00:00",
      "updatedAt": "2023-06-29 06:40:41.007652+00:00",
      "securityrating": "f",
      "isMalicious": true,
      "tags": []
    },
    "securityRating": "b",
    "mitigatedAt": "2023-06-06T09:59:49.344739+00:00",
    "comments": {
      "edges": [
        {
          "node": {
            "id": "Q29tbWVudFR5cGU6ODM=",
            "text": "API TEST EDIT"
          }
        }
      ]
    }
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| asset | id: QXBwbGljYXRpb25UeXBlOjIyNjg0; state: Unconfirmed; brand: Darktrace; createdAt: 2022-05-27 14:18:24.264958+00:00; updatedAt: 2023-06-29 06:40:41.007652+00:00; securityrating: f; isMalicious: true; tags: EXAMPLE_TAG |
| comments | Q29tbWVudFR5cGU6ODM=: "XSOAR Test Comment"; Q29tbWVudFR5cGU6ODN=: "XSOAR Test Comment 2" |
| description | The HSTS header enforces users to always visit your website through SSL, after their first visit. |
| endedAt | 2023-06-07T09:59:49.344739+00:00 |
| evidence | No HSTS header present. |
| id | Umlza1R5cGU6MTE5Nzc= |
| mitigatedAt | 2023-06-06T09:59:49.344739+00:00 |
| proposedAction | Turn on the HSTS header, read more on https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Strict_Transport_Security_Cheat_Sheet.html |
| securityRating | b |
| startedAt | 2022-05-27T18:38:45.439551+00:00 |
| title | HSTS header missing |
| type | SSL |

darktrace-asm-get-asset#


Returns the Asset object associated with the given Asset ID. The fields returned depend on the type of Asset (IP Address, Netblock, FQDN, or Application): the first table below lists the fields common to all types, and the tables after it list the type-specific fields.

Base Command#

darktrace-asm-get-asset

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| asset_id | Darktrace ASM Asset ID | Required |

Context Output: All Asset types#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.asset | dict | Darktrace ASM Asset object. |
| Darktrace.asset.brand | string | Brand that the Asset is associated with. |
| Darktrace.asset.comments | list | List of comments by comment ID. |
| Darktrace.asset.createdAt | timestamp | Creation time of Asset. |
| Darktrace.asset.discoverySources | list | List of discovery sources. |
| Darktrace.asset.id | string | Asset ID. |
| Darktrace.asset.isMalicious | boolean | Malicious state of Asset. |
| Darktrace.asset.risks | list | List of Risks associated with Asset. |
| Darktrace.asset.securityrating | string | Security rating of Asset. |
| Darktrace.asset.state | string | State of Asset. |
| Darktrace.asset.tags | list | List of tags applied to Asset within Darktrace UI. |
| Darktrace.asset.type | string | Type of Asset. |
| Darktrace.asset.updatedAt | timestamp | Last time Asset was updated. |

Context Output: Application Asset type#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.asset.fqdns | list | List of FQDNs associated with Asset. |
| Darktrace.asset.ipaddresses | list | List of IPs associated with Asset. |
| Darktrace.asset.protocol | string | Protocol associated with the Asset. |
| Darktrace.asset.screenshot | string | Screenshot of webpage associated with Asset. |
| Darktrace.asset.technologies | list | List of technologies associated with Asset. |
| Darktrace.asset.uri | string | URI associated with Asset. |

Context Output: IP Address Asset type#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.asset.lat | string | Latitude of the Asset. |
| Darktrace.asset.lon | string | Longitude of the Asset. |
| Darktrace.asset.geoCity | string | City the Asset is located in. |
| Darktrace.asset.geoCountry | string | Country the Asset is located in. |
| Darktrace.asset.address | string | IP address of the Asset. |
| Darktrace.asset.netblock | string | Netblock of the Asset. |

Context Output: FQDN Asset type#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.asset.name | string | Hostname associated with Asset. |
| Darktrace.asset.dnsRecords | string | DNS records associated with Asset. |
| Darktrace.asset.resolvesTo | list | List of IPs the Asset hostname resolves to. |
| Darktrace.asset.whois | string | WhoIs information associated with Asset. |
| Darktrace.asset.registeredDomain | string | Domain associated with Asset. |

Context Output: Netblock Asset type#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.asset.netname | string | Name of the Asset. |
| Darktrace.asset.ipAddresses | list | List of IP addresses associated with Asset. |

Command Example#

!darktrace-asm-get-asset asset_id=QXBwbGljYXRpb25UeXBlOjI2NjI4

Context Example#

```json
{
  "application": {
    "brand": "Darktrace",
    "comments": [
      {
        "id": "Q29tbWVudFR5cGU6OTc=",
        "text": "Test comment"
      }
    ],
    "createdAt": "2022-06-27 18:34:50.473256+00:00",
    "discoverySources": [
      {
        "id": "RGlzY292ZXJ5U291cmNlVHlwZTo1NDc0Ng==",
        "description": "Record retrieved from FQDN careers.darktrace.com"
      },
      {
        "id": "RGlzY292ZXJ5U291cmNlVHlwZTo1NDc1Nw==",
        "description": "Application from https://careers.darktrace.com/"
      }
    ],
    "fqdns": [
      {
        "id": "RnFkblR5cGU6MjY2Mjc=",
        "name": "careers.darktrace.com"
      }
    ],
    "id": "QXBwbGljYXRpb25UeXBlOjI2NjI4",
    "ipaddresses": [
      {
        "id": "SVBBZGRyZXNzVHlwZToxNTU3Njc=",
        "address": "1.1.1.1"
      },
      {
        "id": "SVBBZGRyZXNzVHlwZToxNTU3Njg=",
        "address": "1.1.1.1"
      }
    ],
    "isMalicious": false,
    "risks": [
      {
        "id": "Umlza1R5cGU6NjYzNjA=",
        "title": "Vulnerable software found - jquery ui/1.13.0 (highest CVE score 4.3)"
      },
      {
        "id": "Umlza1R5cGU6MTU1ODQ=",
        "title": "Excessive cookie lifetime (> 1 year)"
      },
      {
        "id": "Umlza1R5cGU6MzQ4MzQ=",
        "title": "Excessive cookie lifetime (> 1 year)"
      }
    ],
    "screenshot": "https://storage.googleapis.com/asm-prod-1931-z5b5n7ow5w-copy/http_screenshot/screenshot_155822.jpg?Expires=1710617440&GoogleAccessId=asm-prod-1931-cyberweb%40dt-asm-prod.iam.gserviceaccount.com&Signature=Vbz1hBo%2Bo3ZYTRvg5p%2F%2F%2FTFFf4PHRgPaVUrcpaDG8Kp%2BOT2dSm8O2NC1HFJXQW420yD2zppJ5IbOCt46vJ6LZMvx5kcdm7IY1U6yKbedRGACfbpUQaXEjmXN1gLhVawnoET94CYqnmlYue6%2Fy4B6cS4fZwvH6sllm2OnbDZ%2FZacoSw9Xmf214R0M%2FgY3OjKuXapaAnu779r5c8fkjL8cSvX8E8PzkxToGF9ysTNuWVqZc46H05xxUtb8QSauiggAijBeSLg%2Blol1wVj0ZuMP%2Fb1kJvXNpCr6x0Dem6ITe4C%2FPrbiqcNMvwSZChptiDBhgoXGRAm%2FRJokWqktST19Nw%3D%3D",
    "securityrating": "b",
    "state": "Confirmed",
    "tags": [
      "MANAGED BY INTERNAL DEV"
    ],
    "updatedAt": "2023-08-21 00:31:57.299904+00:00",
    "uri": "https://careers.darktrace.com",
    "technologies": [
      {
        "id": "VGVjaG5vbG9neVR5cGU6MTU4MjY2",
        "name": "Amazon ALB"
      },
      {
        "id": "VGVjaG5vbG9neVR5cGU6MTU4MjY3",
        "name": "Amazon Web Services"
      },
      {
        "id": "VGVjaG5vbG9neVR5cGU6MTE1MjU3",
        "name": "Bootstrap"
      }
    ],
    "protocol": "HTTP"
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| brand | Darktrace |
| comments | Q29tbWVudFR5cGU6OTc=: "Test comment" |
| createdAt | 2022-06-27 18:34:50.473256+00:00 |
| discoverySources | RGlzY292ZXJ5U291cmNlVHlwZTo1NDc0Ng==: Record retrieved from FQDN careers.darktrace.com; RGlzY292ZXJ5U291cmNlVHlwZTo1NDc1Nw==: Application from https://careers.darktrace.com/ |
| fqdns | RnFkblR5cGU6MjY2Mjc=: careers.darktrace.com |
| id | QXBwbGljYXRpb25UeXBlOjI2NjI4 |
| ipaddresses | SVBBZGRyZXNzVHlwZToxNTU3Njc=: 1.1.1.1; SVBBZGRyZXNzVHlwZToxNTU3Njg=: 1.1.1.1 |
| isMalicious | false |
| protocol | HTTP |
| risks | Umlza1R5cGU6NjYzNjA=: Vulnerable software found - jquery ui/1.13.0 (highest CVE score 4.3); Umlza1R5cGU6MTU1ODQ=: Excessive cookie lifetime (> 1 year); Umlza1R5cGU6MzQ4MzQ=: Excessive cookie lifetime (> 1 year) |
| screenshot | https://storage.googleapis.com/asm-prod-1931-z5b5n7ow5w-copy/http_screenshot/screenshot_155822.jpg?Expires=1710617295&GoogleAccessId=asm-prod-1931-cyberweb%40dt-asm-prod.iam.gserviceaccount.com&Signature=HjT83fw4EV%2F6notDq7tQB24oAr049F4UZ8OUDJ3hiuAaD%2F3y7xFOniBLDyZNtZBMlUDDJgrG6%2BhXbuJ0Sdobhsk%2Bj6KZknqa6xao0eyv%2BT%2FQGysZSxol8YHn%2BykRBkX8Umajs%2F5KRR8GRWc46o7m%2FnW1Rdop4qUuGKPy82UUOWwbyfcI7yYOGH8nky2b0o95QyfvR4%2Fa4GeCEHL8cz8RksGh4imWICWcTDu18OlGNruI%2F0sAiivHVbzPnOnBBFwFunAIXez9THr5oItqIoTzV%2FrNdwIFHc0rRIvtvNpuUVcrQo7%2FqaDunYZSmPu0Hf6eaL7cR6ZbYbXuKchlr2eAOQ%3D%3D |
| securityrating | b |
| state | Confirmed |
| tags | MANAGED BY INTERNAL DEV |
| technologies | VGVjaG5vbG9neVR5cGU6MTU4MjY2: Amazon ALB; VGVjaG5vbG9neVR5cGU6MTU4MjY3: Amazon Web Services; VGVjaG5vbG9neVR5cGU6MTE1MjU3: Bootstrap |
| type | application |
| updatedAt | 2023-08-21 00:31:57.299904+00:00 |
| uri | https://careers.darktrace.com |
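The type-specific tables above are what a playbook usually has to branch on. The Python helper below is an added example, not code from the Darktrace ASM integration; it normalises a darktrace-asm-get-asset result into a flat summary. Two things in it are observations from this page rather than documented behaviour: the sample IDs decode as base64 of `<GraphQLType>:<number>` (for example `QXBwbGljYXRpb25UeXBlOjI2NjI4` is `ApplicationType:26628`), which the helper uses to work out the asset kind when the `type` field is absent (`NetblockType` is an assumed name, since no Netblock ID appears on this page); and the `screenshot` value in the example is a signed Google Cloud Storage URL whose `Expires` parameter is a Unix timestamp, so it should be fetched promptly rather than stored in an incident as if it were a durable link. The sample asset is constructed from the example above, with the signed URL shortened.

```python
from __future__ import annotations

import base64
import binascii
from datetime import datetime, timezone
from typing import Any
from urllib.parse import parse_qs, urlparse

# ID prefix -> asset kind. Prefixes are what the sample IDs on this page decode to;
# "NetblockType" is an assumption (the page documents Netblock assets but shows no Netblock ID).
ASSET_KINDS = {
    "ApplicationType": "application",
    "IPAddressType": "ipaddress",
    "FqdnType": "fqdn",
    "NetblockType": "netblock",
}

# The field that best identifies an asset of each kind, per the Context Output tables.
PRIMARY_FIELD = {"application": "uri", "ipaddress": "address", "fqdn": "name", "netblock": "netname"}


def decode_asm_id(asm_id: str) -> tuple[str, int] | None:
    """Decode an ASM global ID into (type_name, number); None if it is not in that shape."""
    try:
        raw = base64.b64decode(asm_id, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    type_name, sep, number = raw.partition(":")
    if not sep or not number.isdigit():
        return None
    return type_name, int(number)


def asset_kind(asset: dict[str, Any]) -> str | None:
    """Prefer the documented `type` field; fall back to the kind encoded in the asset ID."""
    if asset.get("type"):
        return str(asset["type"]).lower()
    decoded = decode_asm_id(str(asset.get("id", "")))
    return ASSET_KINDS.get(decoded[0]) if decoded else None


def screenshot_expiry(url: str) -> datetime | None:
    """Signed storage URLs carry their expiry as a Unix time in the `Expires` query parameter."""
    expires = parse_qs(urlparse(url).query).get("Expires", [""])[0]
    if not expires.isdigit():
        return None
    return datetime.fromtimestamp(int(expires), tz=timezone.utc)


def summarize_asset(asset: dict[str, Any], now: datetime | None = None) -> dict[str, Any]:
    """Flatten a darktrace-asm-get-asset result into the fields a playbook branches on."""
    now = now or datetime.now(timezone.utc)
    kind = asset_kind(asset)
    summary: dict[str, Any] = {
        "id": asset.get("id"),
        "kind": kind,
        "identifier": asset.get(PRIMARY_FIELD.get(kind or "", "id")),
        "state": asset.get("state"),
        "security_rating": asset.get("securityrating"),
        "is_malicious": bool(asset.get("isMalicious")),
        "tags": list(asset.get("tags", [])),
        "risk_ids": [r["id"] for r in asset.get("risks", [])],
        "risk_titles": [r["title"] for r in asset.get("risks", [])],
        "screenshot_expires_at": None,
        "screenshot_usable": None,
    }
    shot = asset.get("screenshot")
    if shot:
        expiry = screenshot_expiry(shot)
        summary["screenshot_expires_at"] = expiry
        # A signed URL past its Expires time returns an error, so do not file it as evidence.
        summary["screenshot_usable"] = bool(expiry and expiry > now)
    return summary


# Constructed sample, trimmed from the get-asset Context Example above; the signed URL is shortened.
SAMPLE_APPLICATION: dict[str, Any] = {
    "id": "QXBwbGljYXRpb25UeXBlOjI2NjI4",
    "brand": "Darktrace",
    "state": "Confirmed",
    "securityrating": "b",
    "isMalicious": False,
    "tags": ["MANAGED BY INTERNAL DEV"],
    "uri": "https://careers.darktrace.com",
    "protocol": "HTTP",
    "risks": [
        {"id": "Umlza1R5cGU6NjYzNjA=", "title": "Vulnerable software found - jquery ui/1.13.0 (highest CVE score 4.3)"},
        {"id": "Umlza1R5cGU6MTU1ODQ=", "title": "Excessive cookie lifetime (> 1 year)"},
    ],
    "screenshot": "https://storage.googleapis.com/example-bucket/screenshot.jpg?Expires=1710617440&Signature=redacted",
}

if __name__ == "__main__":
    for key, value in summarize_asset(SAMPLE_APPLICATION).items():
        print(f"{key}: {value}")
```

In an XSOAR automation the `asset` argument would be the object returned under `Darktrace.asset`; the `now` parameter exists so the expiry check is deterministic in tests.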

darktrace-asm-mitigate-risk#


Marks a Risk as mitigated in the Darktrace UI. Warning: mitigating a Risk without taking action to resolve it means you accept the Risk, and it will no longer appear in the Darktrace UI. The command only reports whether the call succeeded; it does not verify that the underlying exposure has been fixed.

Base Command#

darktrace-asm-mitigate-risk

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| risk_id | Darktrace ASM Risk ID | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.risk.success | boolean | Status of mitigation. |

Command Example#

!darktrace-asm-mitigate-risk risk_id=Umlza1R5cGU6MTE5Nzc=

Context Example#

```json
{
  "closeRisk": {
    "success": true
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| success | true |

darktrace-asm-post-comment#


Post a comment to a Risk or an Asset within the Darktrace UI.

Base Command#

darktrace-asm-post-comment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Darktrace ASM Risk or Asset ID | Required |
| comment | Text of comment to be applied | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.comment.comment.id | string | Unique ID of Comment. |
| Darktrace.comment.comment.text | string | Text of Comment. |
| Darktrace.comment.success | boolean | Status of post. |

Command Example#

!darktrace-asm-post-comment id=QXBwbGljYXRpb25UeXBlOjI2NjI4 comment="API Test Comment"

Context Example#

```json
{
  "placeComment": {
    "success": true,
    "comment": {
      "id": "Q29tbWVudFR5cGU6OTg=",
      "text": "API Test Comment"
    }
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| comment | id: Q29tbWVudFR5cGU6OTg=; text: API Test Comment |
| success | true |
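darktrace-asm-mitigate-risk above takes a Risk ID only, darktrace-asm-post-comment takes either a Risk or an Asset ID, and the tag commands further down take Asset IDs only. Because the IDs shown on this page are base64 of `<Type>:<number>`, an automation can check that it is passing the right kind of object before calling a command that changes state, and can refuse to mitigate a Risk unless the caller explicitly accepts it, in line with the warning above. The Python below is an added example, not code from the integration: the accepted-type table is derived from the argument descriptions on this page, `NetblockType` is an assumed name for the fourth asset type, and the sample Risk is constructed from the get-risk example above.

```python
from __future__ import annotations

import base64
import binascii
from typing import Any

# Which ID types each command accepts, per this page's argument descriptions. Type names are
# what the sample IDs decode to ("Umlza1R5cGU6MTE5Nzc=" is "RiskType:11977",
# "Q29tbWVudFR5cGU6OTg=" is "CommentType:98"); "NetblockType" is assumed, not observed.
ASSET_TYPES = frozenset({"ApplicationType", "IPAddressType", "FqdnType", "NetblockType"})
ACCEPTED_ID_TYPES: dict[str, frozenset[str]] = {
    "darktrace-asm-get-risk": frozenset({"RiskType"}),
    "darktrace-asm-mitigate-risk": frozenset({"RiskType"}),
    "darktrace-asm-get-asset": ASSET_TYPES,
    "darktrace-asm-assign-tag": ASSET_TYPES,
    "darktrace-asm-unassign-tag": ASSET_TYPES,
    "darktrace-asm-post-comment": ASSET_TYPES | {"RiskType"},
    "darktrace-asm-edit-comment": frozenset({"CommentType"}),
    "darktrace-asm-delete-comment": frozenset({"CommentType"}),
}


def id_type(asm_id: str) -> str | None:
    """Return the type name encoded in an ASM global ID, or None if it does not decode."""
    try:
        raw = base64.b64decode(asm_id, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    type_name, sep, number = raw.partition(":")
    return type_name if sep and number.isdigit() else None


def validate_id_for_command(command: str, asm_id: str) -> str | None:
    """Return an error message if `asm_id` is the wrong kind of object for `command`, else None."""
    accepted = ACCEPTED_ID_TYPES.get(command)
    if accepted is None:
        return f"unknown command {command!r}"
    kind = id_type(asm_id)
    if kind is None:
        return f"{asm_id!r} is not a Darktrace ASM ID"
    if kind not in accepted:
        return f"{command} expects one of {sorted(accepted)}, got {kind}"
    return None


def mitigation_decision(risk: dict[str, Any], accept_risk: bool) -> dict[str, Any]:
    """Decide whether to run darktrace-asm-mitigate-risk on a darktrace-asm-get-risk result.

    Mitigating marks the Risk as accepted and hides it from the Darktrace UI, so the caller
    must state that acceptance explicitly, and Risks that are already mitigated are skipped.
    """
    error = validate_id_for_command("darktrace-asm-mitigate-risk", str(risk.get("id", "")))
    if error:
        return {"mitigate": False, "reason": error}
    if risk.get("mitigatedAt"):
        return {"mitigate": False, "reason": f"already mitigated at {risk['mitigatedAt']}"}
    if not accept_risk:
        return {"mitigate": False, "reason": "accept_risk not set; mitigating means accepting the Risk"}
    asset_id = (risk.get("asset") or {}).get("id")
    return {"mitigate": True, "reason": f"accepting {risk.get('title')!r} on asset {asset_id}"}


# Constructed sample, trimmed from the get-risk Context Example above (mitigatedAt kept as shown).
SAMPLE_RISK: dict[str, Any] = {
    "id": "Umlza1R5cGU6MTE5Nzc=",
    "type": "SSL",
    "title": "HSTS header missing",
    "mitigatedAt": "2023-06-06T09:59:49.344739+00:00",
    "asset": {"id": "QXBwbGljYXRpb25UeXBlOjIyNjg0", "state": "Unconfirmed"},
}

if __name__ == "__main__":
    print(validate_id_for_command("darktrace-asm-mitigate-risk", "QXBwbGljYXRpb25UeXBlOjI2NjI4"))
    print(mitigation_decision(SAMPLE_RISK, accept_risk=True))
    print(mitigation_decision(dict(SAMPLE_RISK, mitigatedAt=None), accept_risk=True))
```

Run `validate_id_for_command` on the `id` argument before `darktrace-asm-post-comment` to get a clear error instead of a failed API call, and gate `darktrace-asm-mitigate-risk` on `mitigation_decision(...)["mitigate"]` so a playbook cannot silently accept a Risk.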

darktrace-asm-edit-comment#


Edit an existing comment within the Darktrace UI.

Base Command#

darktrace-asm-edit-comment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment_id | ID of comment to be edited | Required |
| comment | Text of comment to be applied | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.comment.comment.id | string | Unique ID of Comment. |
| Darktrace.comment.comment.text | string | Text of Comment. |
| Darktrace.comment.success | boolean | Status of edit. |

Command Example#

!darktrace-asm-edit-comment comment_id=Q29tbWVudFR5cGU6OTg= comment="API Test Comment Edited"

Context Example#

```json
{
  "editComment": {
    "success": true,
    "comment": {
      "id": "Q29tbWVudFR5cGU6OTg=",
      "text": "API Test Comment Edited"
    }
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| comment | id: Q29tbWVudFR5cGU6OTg=; text: API Test Comment Edited |
| success | true |

darktrace-asm-delete-comment#


Delete an existing comment within the Darktrace UI.

Base Command#

darktrace-asm-delete-comment

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| comment_id | ID of comment to be deleted | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.comment.success | boolean | Status of deletion. |

Command Example#

!darktrace-asm-delete-comment comment_id=Q29tbWVudFR5cGU6OTg=

Context Example#

```json
{
  "deleteComment": {
    "success": true
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| success | true |

darktrace-asm-create-tag#


Create a new Tag within the Darktrace UI. Tags can be applied to Assets.

Base Command#

darktrace-asm-create-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag_name | Name of Tag to create | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.tag.success | boolean | Status of creation. |
| Darktrace.tag.tag.id | string | Tag ID. |
| Darktrace.tag.tag.name | string | Name of Tag. |

Command Example#

!darktrace-asm-create-tag tag_name="API TEST"

Context Example#

```json
{
  "createTag": {
    "success": true,
    "tag": {
      "id": "VGFnVHlwZTo1Mg==",
      "name": "API TEST"
    }
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| success | true |
| tag | id: VGFnVHlwZTo1Mg==; name: API TEST |

darktrace-asm-assign-tag#


Assign an existing Tag to an Asset within the Darktrace UI.

Base Command#

darktrace-asm-assign-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag_name | Name of Tag to apply to Asset | Required |
| asset_id | Asset ID to apply Tag to | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.tag.success | boolean | Status of assignment. |
| Darktrace.tag.asset.id | string | Asset ID. |
| Darktrace.tag.asset.tags | list | List of Tags assigned to Asset. |

Command Example#

!darktrace-asm-assign-tag tag_name="API TEST" asset_id=SVBBZGRyZXNzVHlwZTox

Context Example#

```json
{
  "assignTag": {
    "success": true,
    "asset": {
      "id": "SVBBZGRyZXNzVHlwZTox",
      "tags": [
        "API TEST"
      ]
    }
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| asset | id: SVBBZGRyZXNzVHlwZTox; tags: API TEST |
| success | true |

darktrace-asm-unassign-tag#


Unassign an existing Tag from an Asset within the Darktrace UI.

Base Command#

darktrace-asm-unassign-tag

Input#

| Argument Name | Description | Required |
| --- | --- | --- |
| tag_name | Name of Tag to remove from Asset | Required |
| asset_id | Asset ID to remove Tag from | Required |

Context Output#

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.tag.success | boolean | Status of removal. |
| Darktrace.tag.asset.id | string | Asset ID. |
| Darktrace.tag.asset.tags | list | List of Tags still assigned to Asset. |

Command Example#

!darktrace-asm-unassign-tag tag_name="API TEST" asset_id=SVBBZGRyZXNzVHlwZTox

Context Example#

```json
{
  "unassignTag": {
    "success": true,
    "asset": {
      "id": "SVBBZGRyZXNzVHlwZTox",
      "tags": []
    }
  }
}
```

Human Readable Output#

| Field | Value |
| --- | --- |
| asset | id: SVBBZGRyZXNzVHlwZTox; tags: (none) |
| success | true |