Darktrace Model Breaches
Darktrace Pack.#
This Integration is part of theSupported versions
Supported Cortex XSOAR versions: 6.6.0 and later.
Darktrace is a Cyber AI platform for threat detection and response across cloud, email, industrial, and the network. This integration was integrated and tested with version 6.0.0 of Darktrace
#
Configure Darktrace in CortexParameter | Description | Required |
---|---|---|
url | Server URL (e.g. https://example.net\) | True |
isFetch | Fetch incidents | False |
insecure | Trust any certificate (not secure) | False |
proxy | Use system proxy settings | False |
public_api_token | Public API Token | True |
private_api_token | Private API Token | True |
min_score | Minimum Score | True |
max_alerts | Maximum Model Breaches per Fetch | False |
first_fetch | First fetch time | False |
#
CommandsYou can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
#
darktrace-get-model-breachdarktrace-get-model-breach returns a model breach based on its model breach id (pbid)
#
Base Commanddarktrace-get-model-breach
#
InputArgument Name | Description | Required |
---|---|---|
pbid | Model breach ID | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.ModelBreach.pbid | Number | Model breach ID |
Darktrace.ModelBreach.time | Date | Model breach generated time. |
Darktrace.ModelBreach.commentCount | Number | Number of comments on the model breach |
Darktrace.ModelBreach.score | Number | Score of Darktrace model breach (0 to 1) |
Darktrace.ModelBreach.device.did | Number | Darktrace device ID of Device that breached the model |
Darktrace.ModelBreach.device.macaddress | String | MAC address of the device involved in the model breach (if applicable) |
Darktrace.ModelBreach.device.vendor | String | Vendor of the device involved in the model breach (if applicable) |
Darktrace.ModelBreach.device.ip | String | IP of the device involved in the model breach (if applicable) |
Darktrace.ModelBreach.device.hostname | String | Hostname of the device involved in the model breach (if applicable) |
Darktrace.ModelBreach.device.devicelabel | String | Device label of the device involved in the model breach (if applicable) |
Darktrace.ModelBreach.model.name | String | Darktrace model that was breached |
Darktrace.ModelBreach.model.pid | Number | Model ID of the model that was breached |
Darktrace.ModelBreach.model.uuid | String | Model UUID of the model that was breached |
Darktrace.ModelBreach.model.tags | Unknown | List of model tags for the model that was breached |
Darktrace.ModelBreach.model.priority | Number | Priority of the model that was breached (0 to 5) |
Darktrace.ModelBreach.model.description | String | Darktrace model description |
#
Command Example!darktrace-get-model-breach pbid=95
#
Context Example#
Human Readable Output#
Darktrace Model Breach 95
commentCount device model pbid score time 0 did: 823
macaddress: 0a:df:4b:52:64:7a
vendor: HP
ip: 172.31.32.146
hostname: ip-172-31-32-146
devicelabel: Kelly's Laptopname: Compromise::Watched Domain
pid: 762
uuid: 3338210a-8979-4a1b-8039-63ca8addf166
tags: [AP: C2 Comms]
priority: 5
description: A device is connecting to watched domains or IP addresses. The watch list can be edited from the main GUI menu, Intel sub-menu, under the icon Watched Domains.95 1 2020-10-08T21:11:21.000Z
#
darktrace-get-model-breach-commentsReturns the comments on a model breach based on its model breach id (pbid)
#
Base Commanddarktrace-get-model-breach-comments
#
InputArgument Name | Description | Required |
---|---|---|
pbid | Model Breach ID | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.ModelBreach.Comment.message | Unknown | comments on Model Breach |
Darktrace.ModelBreach.pbid | Unknown | Model breach identifier |
Darktrace.ModelBreach.Comment.username | Unknown | Commented by user |
Darktrace.ModelBreach.Comment.time | Unknown | Comment timestamp |
#
Command Example!darktrace-get-model-breach-comments pbid=46
#
Context Example#
Human Readable Output#
Darktrace Model Breach 46 Comments
message pbid pid time username Flag for follow-up 46 210 2020-10-08T21:11:21.000Z user.one Activity has been remediated 46 210 2020-10-08T23:11:21.000Z user.two
#
darktrace-acknowledge-model-breachAcknowledge a model breach as specified by Model Breach ID
#
Base Commanddarktrace-acknowledge-model-breach
#
InputArgument Name | Description | Required |
---|---|---|
pbid | Model Breach ID | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.ModelBreach.acknowledged | String | Whether the model breach is acknowledged in Darktrace |
Darktrace.ModelBreach.pbid | Number | Model breach ID |
Darktrace.ModelBreach.acknowledged.response | Number | Message response from acknowledge action |
#
Command Example!darktrace-acknowledge-model-breach pbid=111
#
Context Example#
Human Readable Output#
Model Breach 111 Acknowledged
response Successfully acknowledged.
#
darktrace-unacknowledge-model-breachUnacknowledges a model breach as specified by Model Breach ID
#
Base Commanddarktrace-unacknowledge-model-breach
#
InputArgument Name | Description | Required |
---|---|---|
pbid | Darktrace model breach ID | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.ModelBreach.acknowledged | String | Whether the model breach is acknowledged |
Darktrace.ModelBreach.pbid | Number | Model breach ID |
Darktrace.ModelBreach.acknowledged.response | String | Message response from acknowledge action |
#
Command Example!darktrace-unacknowledge-model-breach pbid=111
#
Context Example#
Human Readable Output#
Model Breach 111 Unacknowledged
response Successfully unacknowledged.
#
darktrace-get-model-breach-connectionsReturns connections encountered by the device during a model breach.
#
Base Commanddarktrace-get-model-breach-connections
#
InputArgument Name | Description | Required |
---|---|---|
pbid | Darktrace model breach ID | Required |
endtime | Endtime of data retrieved | Not Required |
count | The amount of lines returned | Not Required |
offset | The offset of data pulled | Not Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.ModelBreach | Dictionary | Details of the model breach |
#
darktrace-get-modelReturns a model given a UUID
#
Base Commanddarktrace-get-model
#
InputArgument Name | Description | Required |
---|---|---|
uuid | Darktrace model ID | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.Model | Dictionary | Details of the model |
#
darktrace-get-model-componentReturns the details of a component given a CID
#
Base Commanddarktrace-get-model-component
#
InputArgument Name | Description | Required |
---|---|---|
cid | Darktrace components ID | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.Model.Component | Dictionary | Details of the component |
#
darktrace-post-comment-to-model-breachPosts a specified comment to a model breach.
#
Base Commanddarktrace-post-comment-to-model-breach
#
InputArgument Name | Description | Required |
---|---|---|
pbid | Darktrace model breach unique identifier | Required |
message | Comment message | Required |
#
Context OutputPath | Type | Description |
---|---|---|
Darktrace.ModelBreach.commented | String | Whether the model breach is commented in Darktrace |
Darktrace.ModelBreach.pbid | Number | Model breach ID |
Darktrace.ModelBreach.message | String | Comment content |
Darktrace.ModelBreach.response | String | Message response from comment action |