
DarktraceEmail

This Integration is part of the Darktrace Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. This integration was integrated and tested with version 6.2 of DarktraceEmail.

Configure DarktraceEmail in Cortex

| Parameter | Description | Required |
| --- | --- | --- |
| Server URL (e.g. https://example.net) | | True |
| Fetch incidents | | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Incident type | | False |
| Public API Token | Public token obtained by creating an API token pair on the /config configuration page. | True |
| Private API Token | Private token obtained by creating an API token pair on the /config configuration page. | True |
| Minimum Score | Minimum Darktrace score for fetched incidents (0-100). | True |
| Maximum Emails per Fetch | Maximum number of Darktrace Emails to fetch at a time. | False |
| First fetch time | Time to start fetching the first incidents. Default is to begin fetching 1 day ago. Max number of model breaches that will be populated upon first fetch is 20. | False |
| Incidents Fetch Interval | | False |
| Darktrace Tag Severity | Fetches Emails with any tags of the desired severity level; filtering is inclusive. By default fetches all severity levels. | False |
| Only Actioned Emails | Only fetch Emails that have been actioned. Disabled by default. | False |
| Direction | Fetch emails based on direction: either inbound, outbound or internal. By default fetches all directions. | False |

Commands

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

darktrace-email-get-email

Fetch details about a specific Email.

Base Command

darktrace-email-get-email

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Darktrace UUID of the Email. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.Email.uuid | string | UUID of email. |
| Darktrace.Email.direction | string | Direction of email. |
| Darktrace.Email.dtime | string | Timestamp of email. |
| Darktrace.Email.header_from_email | string | Email address of sender. |
| Darktrace.Email.header_subject | string | Subject of email. |
| Darktrace.Email.model_score | number | Anomaly score of email. |
| Darktrace.Email.receipt_status | string | Receipt status of email. |
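The fetch parameters in the configuration table (Minimum Score, Maximum Emails per Fetch, Darktrace Tag Severity, Only Actioned Emails, Direction) and the Darktrace.Email context paths returned by darktrace-email-get-email can be exercised together in a small Python model. The following is an added example, not code from the Darktrace pack or from Cortex XSOAR: the raw record field names, the `tags` and `actioned` attributes, the score-to-XSOAR-severity thresholds and the sample emails are assumptions constructed for the demonstration.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records standing in for what the Darktrace email API
# returns. Field names are an assumption chosen to mirror the documented
# Darktrace.Email context paths, plus "tags" and "actioned" for the filters.
SAMPLE_EMAILS: List[Dict] = [
    {"uuid": "e1", "direction": "inbound", "dtime": "2024-01-01T10:00:00Z",
     "header_from_email": "billing@example.com", "header_subject": "Invoice overdue",
     "model_score": 92, "receipt_status": "held",
     "tags": [{"severity": "critical"}], "actioned": True},
    {"uuid": "e2", "direction": "outbound", "dtime": "2024-01-01T09:00:00Z",
     "header_from_email": "alice@example.com", "header_subject": "Weekly report",
     "model_score": 40, "receipt_status": "delivered",
     "tags": [{"severity": "informational"}], "actioned": False},
    {"uuid": "e3", "direction": "inbound", "dtime": "2024-01-01T11:00:00Z",
     "header_from_email": "news@example.com", "header_subject": "Password reset",
     "model_score": 75, "receipt_status": "delivered",
     "tags": [{"severity": "warning"}], "actioned": False},
    {"uuid": "e4", "direction": "internal", "dtime": "2024-01-01T08:00:00Z",
     "header_from_email": "bob@example.com", "header_subject": "Shared folder",
     "model_score": 88, "receipt_status": "held",
     "tags": [{"severity": "critical"}, {"severity": "warning"}], "actioned": True},
]

# The context paths documented for darktrace-email-get-email.
CONTEXT_FIELDS = ("uuid", "direction", "dtime", "header_from_email",
                  "header_subject", "model_score", "receipt_status")


@dataclass
class FetchConfig:
    """Mirrors the fetch-related integration parameters."""
    min_score: int = 0                     # Minimum Score (0-100)
    max_per_fetch: int = 20                # Maximum Emails per Fetch
    severities: Optional[Set[str]] = None  # Darktrace Tag Severity; None = all
    only_actioned: bool = False            # Only Actioned Emails
    direction: Optional[str] = None        # Direction; None = all

    def __post_init__(self) -> None:
        if not 0 <= self.min_score <= 100:
            raise ValueError("Minimum Score must be between 0 and 100")
        if self.direction not in (None, "inbound", "outbound", "internal"):
            raise ValueError("Direction must be inbound, outbound or internal")


def to_context(record: Dict) -> Dict:
    """Project a raw record onto the documented Darktrace.Email paths only."""
    return {key: record.get(key) for key in CONTEXT_FIELDS}


def matches(record: Dict, cfg: FetchConfig) -> bool:
    """Apply the configured fetch filters to one record."""
    if record["model_score"] < cfg.min_score:
        return False
    if cfg.only_actioned and not record.get("actioned", False):
        return False
    if cfg.direction and record["direction"] != cfg.direction:
        return False
    if cfg.severities is not None:
        # Tag severity filtering is inclusive: any matching tag qualifies.
        tag_severities = {tag["severity"] for tag in record.get("tags", [])}
        if not tag_severities & cfg.severities:
            return False
    return True


def xsoar_severity(score: int) -> int:
    """Map a 0-100 model score onto XSOAR's 1 (low) .. 4 (critical) scale.
    These thresholds are an assumption, not the pack's own mapping."""
    if score >= 90:
        return 4
    if score >= 70:
        return 3
    if score >= 40:
        return 2
    return 1


def fetch_incidents(records: List[Dict], cfg: FetchConfig) -> List[Dict]:
    """Return XSOAR incident dicts for the oldest matching emails, capped at
    max_per_fetch so a noisy interval cannot flood the incident queue."""
    ordered = sorted(records, key=lambda r: r["dtime"])
    selected = [r for r in ordered if matches(r, cfg)]
    return [{
        "name": f"Darktrace Email: {r['header_subject']}",
        "occurred": r["dtime"],
        "severity": xsoar_severity(r["model_score"]),
        "rawJSON": json.dumps(to_context(r)),
    } for r in selected[:cfg.max_per_fetch]]


def incident_uuids(incidents: List[Dict]) -> List[str]:
    """Recover the Darktrace.Email.uuid values from created incidents."""
    return [json.loads(inc["rawJSON"])["uuid"] for inc in incidents]


if __name__ == "__main__":
    cfg = FetchConfig(min_score=70, only_actioned=True)
    for inc in fetch_incidents(SAMPLE_EMAILS, cfg):
        print(inc["severity"], inc["occurred"], inc["name"])
```

Note that `to_context` deliberately drops fields such as `tags` and `actioned` that the documented context does not expose, so a playbook written against `Darktrace.Email.*` sees exactly the paths listed above; the tag severity and actioned state influence only which emails become incidents, matching the inclusive behaviour the configuration table describes.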

darktrace-email-hold-email

Apply "hold" action to a specified Email.

Base Command

darktrace-email-hold-email

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Unique ID of Email. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.Action.resp | string | Status of the hold action. |

darktrace-email-release-email

Apply "release" action to a specified Email.

Base Command

darktrace-email-release-email

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| uuid | Unique ID of Email. | Required |
| recipient | Recipient of Email. Not required, but speeds up the command. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Darktrace.Action.resp | string | Status of the release action. |