Skip to main content

Darktrace Model Breaches

This Integration is part of the Darktrace Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.6.0 and later.

Darktrace is a Cyber AI platform for threat detection and response across cloud, email, industrial, and the network. This integration was integrated and tested with version 6.0.0 of Darktrace

Configure Darktrace in Cortex#

ParameterDescriptionRequired
urlServer URL (e.g. https://example.net\)True
isFetchFetch incidentsFalse
insecureTrust any certificate (not secure)False
proxyUse system proxy settingsFalse
public_api_tokenPublic API TokenTrue
private_api_tokenPrivate API TokenTrue
min_scoreMinimum ScoreTrue
max_alertsMaximum Model Breaches per FetchFalse
first_fetchFirst fetch timeFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

darktrace-get-model-breach#


darktrace-get-model-breach returns a model breach based on its model breach id (pbid)

Base Command#

darktrace-get-model-breach

Input#

Argument NameDescriptionRequired
pbidModel breach IDRequired

Context Output#

PathTypeDescription
Darktrace.ModelBreach.pbidNumberModel breach ID
Darktrace.ModelBreach.timeDateModel breach generated time.
Darktrace.ModelBreach.commentCountNumberNumber of comments on the model breach
Darktrace.ModelBreach.scoreNumberScore of Darktrace model breach (0 to 1)
Darktrace.ModelBreach.device.didNumberDarktrace device ID of Device that breached the model
Darktrace.ModelBreach.device.macaddressStringMAC address of the device involved in the model breach (if applicable)
Darktrace.ModelBreach.device.vendorStringVendor of the device involved in the model breach (if applicable)
Darktrace.ModelBreach.device.ipStringIP of the device involved in the model breach (if applicable)
Darktrace.ModelBreach.device.hostnameStringHostname of the device involved in the model breach (if applicable)
Darktrace.ModelBreach.device.devicelabelStringDevice label of the device involved in the model breach (if applicable)
Darktrace.ModelBreach.model.nameStringDarktrace model that was breached
Darktrace.ModelBreach.model.pidNumberModel ID of the model that was breached
Darktrace.ModelBreach.model.uuidStringModel UUID of the model that was breached
Darktrace.ModelBreach.model.tagsUnknownList of model tags for the model that was breached
Darktrace.ModelBreach.model.priorityNumberPriority of the model that was breached (0 to 5)
Darktrace.ModelBreach.model.descriptionStringDarktrace model description

Command Example#

!darktrace-get-model-breach pbid=95

Context Example#

{
"Darktrace": {
"ModelBreach": {
"commentCount": 0,
"device": {
"devicelabel": "Kelly's Laptop",
"did": 823,
"hostname": "sf-l-kjohnson",
"ip": "172.31.32.146",
"macaddress": "06:42:04:c2:b0:48",
"vendor": "HP"
},
"model": {
"description": "A device is connecting to watched domains or IP addresses. The watch list can be edited from the main GUI menu, Intel sub-menu, under the icon Watched Domains.\\n\\nAction: Review the domain and IP being connected to.",
"name": "Compromise::Watched Domain",
"pid": 762,
"priority": 5,
"tags": ["AP: C2 Comms"],
"uuid": "3338210a-8979-4a1b-8039-63ca8addf166"
},
"pbid": 95,
"score": 1,
"time": "2020-10-08T21:11:21.000Z"
}
}
}

Human Readable Output#

Darktrace Model Breach 95#

commentCountdevicemodelpbidscoretime
0did: 823
macaddress: 0a:df:4b:52:64:7a
vendor: HP
ip: 172.31.32.146
hostname: ip-172-31-32-146
devicelabel: Kelly's Laptop
name: Compromise::Watched Domain
pid: 762
uuid: 3338210a-8979-4a1b-8039-63ca8addf166
tags: [AP: C2 Comms]
priority: 5
description: A device is connecting to watched domains or IP addresses. The watch list can be edited from the main GUI menu, Intel sub-menu, under the icon Watched Domains.
9512020-10-08T21:11:21.000Z

darktrace-get-model-breach-comments#


Returns the comments on a model breach based on its model breach id (pbid)

Base Command#

darktrace-get-model-breach-comments

Input#

Argument NameDescriptionRequired
pbidModel Breach IDRequired

Context Output#

PathTypeDescription
Darktrace.ModelBreach.Comment.messageUnknowncomments on Model Breach
Darktrace.ModelBreach.pbidUnknownModel breach identifier
Darktrace.ModelBreach.Comment.usernameUnknownCommented by user
Darktrace.ModelBreach.Comment.timeUnknownComment timestamp

Command Example#

!darktrace-get-model-breach-comments pbid=46

Context Example#

{
"Darktrace": {
"ModelBreach": {
"comments": [
{
"message": "Flag for follow-up",
"pbid": 46,
"pid": 210,
"time": "2020-10-08T21:11:21.000Z",
"username": "user.one"
},
{
"message": "Activity has been remediated",
"pbid": 46,
"pid": 210,
"time": "2020-10-08T23:11:21.000Z",
"username": "user.two"
}
]
}
}
}

Human Readable Output#

Darktrace Model Breach 46 Comments#

messagepbidpidtimeusername
Flag for follow-up462102020-10-08T21:11:21.000Zuser.one
Activity has been remediated462102020-10-08T23:11:21.000Zuser.two

darktrace-acknowledge-model-breach#


Acknowledge a model breach as specified by Model Breach ID

Base Command#

darktrace-acknowledge-model-breach

Input#

Argument NameDescriptionRequired
pbidModel Breach IDRequired

Context Output#

PathTypeDescription
Darktrace.ModelBreach.acknowledgedStringWhether the model breach is acknowledged in Darktrace
Darktrace.ModelBreach.pbidNumberModel breach ID
Darktrace.ModelBreach.acknowledged.responseNumberMessage response from acknowledge action

Command Example#

!darktrace-acknowledge-model-breach pbid=111

Context Example#

{
"Darktrace": {
"ModelBreach": {
"acknowledged": true,
"pbid": 111
}
}
}

Human Readable Output#

Model Breach 111 Acknowledged#

response
Successfully acknowledged.

darktrace-unacknowledge-model-breach#


Unacknowledges a model breach as specified by Model Breach ID

Base Command#

darktrace-unacknowledge-model-breach

Input#

Argument NameDescriptionRequired
pbidDarktrace model breach IDRequired

Context Output#

PathTypeDescription
Darktrace.ModelBreach.acknowledgedStringWhether the model breach is acknowledged
Darktrace.ModelBreach.pbidNumberModel breach ID
Darktrace.ModelBreach.acknowledged.responseStringMessage response from acknowledge action

Command Example#

!darktrace-unacknowledge-model-breach pbid=111

Context Example#

{
"Darktrace": {
"ModelBreach": {
"acknowledged": false,
"pbid": 111
}
}
}

Human Readable Output#

Model Breach 111 Unacknowledged#

response
Successfully unacknowledged.

darktrace-get-model-breach-connections#


Returns connections encountered by the device during a model breach.

Base Command#

darktrace-get-model-breach-connections

Input#

Argument NameDescriptionRequired
pbidDarktrace model breach IDRequired
endtimeEndtime of data retrievedNot Required
countThe amount of lines returnedNot Required
offsetThe offset of data pulledNot Required

Context Output#

PathTypeDescription
Darktrace.ModelBreachDictionaryDetails of the model breach

darktrace-get-model#


Returns a model given a UUID

Base Command#

darktrace-get-model

Input#

Argument NameDescriptionRequired
uuidDarktrace model IDRequired

Context Output#

PathTypeDescription
Darktrace.ModelDictionaryDetails of the model

darktrace-get-model-component#


Returns the details of a component given a CID

Base Command#

darktrace-get-model-component

Input#

Argument NameDescriptionRequired
cidDarktrace components IDRequired

Context Output#

PathTypeDescription
Darktrace.Model.ComponentDictionaryDetails of the component

darktrace-post-comment-to-model-breach#


Posts a specified comment to a model breach.

Base Command#

darktrace-post-comment-to-model-breach

Input#

Argument NameDescriptionRequired
pbidDarktrace model breach unique identifierRequired
messageComment messageRequired

Context Output#

PathTypeDescription
Darktrace.ModelBreach.commentedStringWhether the model breach is commented in Darktrace
Darktrace.ModelBreach.pbidNumberModel breach ID
Darktrace.ModelBreach.messageStringComment content
Darktrace.ModelBreach.responseStringMessage response from comment action