Darktrace | Marketplace

Details
Content
Dependencies
Version History

Populates Darktrace Model Breaches and AI Analyst Events in Cortex XSOAR, allowing for cross-platform automated investigation and response.

As organizations continue to mature their security stack and adopt defence-in-depth practices, it is increasingly important for security operation teams to have their data available in one place, rather than spread across multiple tools.

This integration pack enriches your Cortex XSOAR playbooks with information from Darktrace’s self-learning AI in our DETECT product family. This ensures your endpoint data is accompanied by tailored Darktrace alerts on anomalous activities within your network, SaaS, cloud and industrial environments.

Together with XSOAR, this pack can speed up your triage workflow, boost SOC efficiency and ensure all your security coverage can be found in one place.

What does this pack do?

This pack provides three optional sub-integrations by pulling a variety of Darktrace metrics:

Model Breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
AI Analyst investigations indicative of critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Device administration data including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.

Customers can decide which of these alerts are integrated, ensuring visibility is bespoke to your individual SOC’s needs. Alerts from the connector will populate in the XSOAR ‘Incidents’ tab.

This integration pack enriches your Cortex playbooks with information from Darktrace’s self-learning AI in our DETECT product family. This ensures your endpoint data is accompanied by tailored Darktrace alerts on anomalous activities within your network, SaaS, cloud and industrial environments.

Together with XSOAR, this pack can speed up your triage workflow, boost SOC efficiency and ensure all your security coverage can be found in one place.

What does this pack do?

This pack provides three optional sub-integrations by pulling a variety of Darktrace metrics:

Model Breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
AI Analyst investigations indicative of critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Device administration data including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.

Customers can decide which of these alerts are integrated, ensuring visibility is bespoke to your individual SOC’s needs. Alerts from the connector will populate in the XSOAR ‘Incidents’ tab.

Classifiers

Name	Description
Darktrace Incident Classifier	Classifies all incidents fetched by the Darktrace integration as "Darktrace Model Breach" type incidents for purposes of using the Integration Playbooks.
Darktrace Model Breach Mapper	Maps model breach fields to mappings for use in Integration Playbooks.
Darktrace Email Mapper
Darktrace AI Analyst
Darktrace Model Breach	Maps model breach fields to mappings for use in Integration Playbooks

Incident Fields

Name	Description
Darktrace Email Subject
Darktrace Model Breach Category
Darktrace Email Actions
Darktrace Comment Count	Number of comments on the Darktrace model breach
Darktrace AI Analyst Score
Darktrace Email Read Status
Darktrace Email Receipt Status
Darktrace Device Label	Device label associated with device in Darktrace
Darktrace Email UUID
Darktrace Device Vendor	Vendor associated with device in Darktrace
Darktrace Email Group Status
Darktrace Device ID
Darktrace Model Breach Comment Count
Darktrace AI Analyst Associated Devices
Darktrace AI Analyst Summary
Darktrace Model Priority	Priority of the breached model in Darktrace
Darktrace Device Hostname	Hostname associated with device in Darktrace
Darktrace Email Direction
Darktrace Model Breach Name
Darktrace Email Sender
Darktrace Email Attachments
Darktrace Email Tags
Darktrace Email Critical Tags
Darktrace Email UI Link
Darktrace Model Name	Name associated with the breached model in Darktrace
Darktrace Model Breach Score	Darktrace Model Breach Score
Darktrace AI Analyst Related Model Breaches
Darktrace Email Recipient
Darktrace Model ID	Model ID (PID) associated with the breached model in Darktrace
Darktrace Model Breach Priority
Darktrace Model Breach Tags
Darktrace AI Analyst Group Id
Darktrace Email Action Status
Darktrace AI Analyst Mitre Tactics
Darktrace Email Warning Tags
Darktrace Model Breach ID	Darktrace Model Breach ID (PBID) of the breached model
Darktrace AI Analyst Category
Darktrace Email Actions Taken
Darktrace Model Breach Description	Description of the Model Breach
Darktrace Email Informational Tags
Darktrace Email Anomaly Score
Darktrace AI Analyst Event Id
Darktrace Device MAC	MAC address associated with device in Darktrace
Darktrace Model Breach Unique Identifier
Darktrace Email Summary
Darktrace Model Breach Policy Id
Darktrace Device IP	IP address associated with device in Darktrace
Darktrace Model UUID	Model UUID associated with the breached model in Darktrace
Darktrace Email Release Requested
Darktrace Email Links
Darktrace Email Time
Darktrace Model Tags	Tags associated with the breached Darktrace model
Darktrace AI Analyst Title

Incident Types

Name	Description
Darktrace Model Breach Alert
Darktrace Model Breach
Darktrace AI Analyst Event
Darktrace Email

Integrations

Name	Description
Darktrace Admin (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to manage device actions including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.
Darktrace Model Breaches (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate model breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
DarktraceEmail (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Darktrace AI Analyst (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Darktrace (Deprecated) (Partner Contribution)	Deprecated. Use DarktraceMBs, DarktraceAIA, DarktraceAdmin instead.

Layouts

Name	Description
Darktrace Model Breach Layout
Darktrace AI Analyst Incident Layout	AI Analyst Incident Event Layout
Darktrace Email Layout
Darktrace MBs Layout	Model Breach Layout

Playbooks

Name	Description
Darktrace Email Update Incident Fields	Update all incident fields that may change over time.
Darktrace Basic Model Breach Handler	Runs a common Model Breach workflow for fetched Model breach alerts.
Darktrace Email Basic Email Handler	Runs a common Email workflow for fetch Darktrace Email incidents.
Handle Darktrace Model Breach	Deprecated. Use Darktrace Basic Model Breach Handler and Darktrace Basic AI Analyst Event Handler instead.
Darktrace Basic AI Analyst Event Handler	Runs a common AI Analyst workflow for fetched AI Analyst events.

Classifiers

Name	Description
Darktrace Incident Classifier	Classifies all incidents fetched by the Darktrace integration as "Darktrace Model Breach" type incidents for purposes of using the Integration Playbooks.
Darktrace Model Breach	Maps model breach fields to mappings for use in Integration Playbooks
Darktrace AI Analyst
Darktrace Email Mapper
Darktrace Model Breach Mapper	Maps model breach fields to mappings for use in Integration Playbooks.

Incident Fields

Name	Description
Darktrace Model Breach Description	Description of the Model Breach
Darktrace Email Subject
Darktrace AI Analyst Mitre Tactics
Darktrace Email Tags
Darktrace Model Breach ID	Darktrace Model Breach ID (PBID) of the breached model
Darktrace Model Breach Priority
Darktrace Model Breach Unique Identifier
Darktrace Model Breach Category
Darktrace Email Informational Tags
Darktrace Email Receipt Status
Darktrace Email Group Status
Darktrace Device IP	IP address associated with device in Darktrace
Darktrace Email Sender
Darktrace Model UUID	Model UUID associated with the breached model in Darktrace
Darktrace Device Vendor	Vendor associated with device in Darktrace
Darktrace Email Links
Darktrace Email Warning Tags
Darktrace Email Actions
Darktrace Model ID	Model ID (PID) associated with the breached model in Darktrace
Darktrace Email Time
Darktrace Model Breach Comment Count
Darktrace Model Breach Name
Darktrace Email Recipient
Darktrace Model Priority	Priority of the breached model in Darktrace
Darktrace Email UI Link
Darktrace AI Analyst Associated Devices
Darktrace Model Breach Score	Darktrace Model Breach Score
Darktrace Email Actions Taken
Darktrace AI Analyst Group Id
Darktrace Email Summary
Darktrace AI Analyst Category
Darktrace Model Breach Tags
Darktrace Email Attachments
Darktrace AI Analyst Title
Darktrace Email Direction
Darktrace Model Breach Policy Id
Darktrace Comment Count	Number of comments on the Darktrace model breach
Darktrace AI Analyst Summary
Darktrace Model Tags	Tags associated with the breached Darktrace model
Darktrace Device ID
Darktrace Email Anomaly Score
Darktrace Email Release Requested
Darktrace AI Analyst Score
Darktrace AI Analyst Related Model Breaches
Darktrace Email Read Status
Darktrace Model Name	Name associated with the breached model in Darktrace
Darktrace Email Action Status
Darktrace Device Label	Device label associated with device in Darktrace
Darktrace Email UUID
Darktrace AI Analyst Event Id
Darktrace Email Critical Tags

Incident Types

Name	Description
Darktrace Model Breach Alert
Darktrace AI Analyst Event
Darktrace Model Breach
Darktrace Email

Integrations

Name	Description
Darktrace Event Collector	Use this integration to fetch model breaches from Darktrace as events in XSIAM.
Darktrace Admin (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to manage device actions including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.
DarktraceEmail (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Darktrace (Deprecated) (Partner Contribution)	Deprecated. Use DarktraceMBs, DarktraceAIA, DarktraceAdmin instead.
Darktrace AI Analyst (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Darktrace Model Breaches (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate model breaches and all model breach related actions (such as commenting, acknowledging and model logic info).

Modeling Rules

Name	Description
Darktrace Modeling Rule

Playbooks

Name	Description
Handle Darktrace Model Breach	Deprecated. Use Darktrace Basic Model Breach Handler and Darktrace Basic AI Analyst Event Handler instead.
Darktrace Email Basic Email Handler	Runs a common Email workflow for fetch Darktrace Email alerts.
Darktrace Basic AI Analyst Event Handler	Runs a common AI Analyst workflow for fetched AI Analyst events.
Darktrace Email Update Alert Fields	Update all alert fields that may change over time.
Darktrace Email Update Alert Fields	Update all alert fields that may change over time.
Darktrace Basic Model Breach Handler	Runs a common Model Breach workflow for fetched Model breach alerts.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Filters And Transformers	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Base	By: Cortex XSOAR

4.0.0 - R3481649 (May 21, 2025)

Incident Fields

New: Darktrace Email Group Status
New: Added a new incident field- Darktrace Email Group Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Anomaly Score
New: Added a new incident field- Darktrace Email Anomaly Score.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Direction
New: Added a new incident field- Darktrace Email Direction.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Tags
New: Added a new incident field- Darktrace Email Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Recipient
New: Added a new incident field- Darktrace Email Recipient.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Critical Tags
New: Added a new incident field- Darktrace Email Critical Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Attachments
New: Added a new incident field- Darktrace Email Attachments.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Receipt Status
New: Added a new incident field- Darktrace Email Receipt Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Sender
New: Added a new incident field- Darktrace Email Sender.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Summary
New: Added a new incident field- Darktrace Email Summary.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Actions Taken
New: Added a new incident field- Darktrace Email Actions Taken.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Subject
New: Added a new incident field- Darktrace Email Subject.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Warning Tags
New: Added a new incident field- Darktrace Email Warning Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Release Requested
New: Added a new incident field- Darktrace Email Release Requested.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Informational Tags
New: Added a new incident field- Darktrace Email Informational Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email UUID
New: Added a new incident field- Darktrace Email UUID.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Read Status
New: Added a new incident field- Darktrace Email Read Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email UI Link
New: Added a new incident field- Darktrace Email UI Link.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Links
New: Added a new incident field- Darktrace Email Links.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Action Status
New: Added a new incident field- Darktrace Email Action Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Actions
New: Added a new incident field- Darktrace Email Actions.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Time
New: Added a new incident field- Darktrace Email Time.
(Available from Cortex XSOAR 6.10.0).

Incident Types

New: Darktrace Email
New: Added a new incident type- Darktrace Email.
(Available from Cortex XSOAR 6.10.0).

Integrations

New: DarktraceEmail

New: Added a new integration- DarktraceEmail that This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
(Available from Cortex XSOAR 6.10.0).
Added the following commands:
- darktrace-email-get-email
- darktrace-email-hold-email
- darktrace-email-release-email

Layouts

New: Darktrace Email Layout
New: Added a new layout- Darktrace Email Layout
(Available from Cortex XSOAR 6.10.0).

Mappers

New: Darktrace Email Mapper

New: Added a new mapper- Darktrace Email Mapper.
(Available from Cortex XSOAR 6.10.0).

Playbooks

New: Darktrace Email Update Incident Fields

Update all incident fields that may change over time.
(Available from Cortex XSOAR 6.10.0).

New: Darktrace Email Basic Email Handler

Runs a common Email workflow for fetch Darktrace Email incidents.
(Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 39808
- 39551

Download

3.0.17 - 3042633 (April 2, 2025)

Integrations

Darktrace Model Breaches

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39380

Download

3.0.16 - R2988287 (March 26, 2025)

Integrations

Darktrace Admin

Metadata and documentation improvements.

Darktrace AI Analyst

Metadata and documentation improvements.

Darktrace Model Breaches

Metadata and documentation improvements.

Related pull requests:
- 39023

Download

3.0.15 - 2613464 (March 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 38837

Download

3.0.14 - 1935630 (January 6, 2025)

Integrations

Darktrace AI Analyst

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Darktrace Admin

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

3.0.13 - 1873754 (December 25, 2024)

Integrations

Darktrace Model Breaches

Added support for acknowledging and unacknowledging model alerts with Darktrace UV deployments.

Related pull requests:
- 37641
- 37838

Download

3.0.12 - 1681986 (November 21, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 37285

Download

3.0.11 - 1438938 (September 26, 2024)

Integrations

Darktrace Admin

code linting

Darktrace Model Breaches

code linting
fix post comment command

Darktrace AI Analyst

code linting

Related pull requests:
- 36451
- 36515

Download

3.0.10 - R1051712 (May 28, 2024)

Integrations

Darktrace Admin

Updated the Docker image to: demisto/python3:3.10.13.87159.

Darktrace Model Breaches

Updated the Docker image to: demisto/python3:3.10.13.87159.

Darktrace AI Analyst

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 33040

Download

4.0.0 - R3481649 (May 21, 2025)

Incident Fields

New: Darktrace Email Group Status
New: Added a new incident field- Darktrace Email Group Status.
New: Darktrace Email Anomaly Score
New: Added a new incident field- Darktrace Email Anomaly Score.
New: Darktrace Email Direction
New: Added a new incident field- Darktrace Email Direction.
New: Darktrace Email Tags
New: Added a new incident field- Darktrace Email Tags.
New: Darktrace Email Recipient
New: Added a new incident field- Darktrace Email Recipient.
New: Darktrace Email Critical Tags
New: Added a new incident field- Darktrace Email Critical Tags.
New: Darktrace Email Attachments
New: Added a new incident field- Darktrace Email Attachments.
New: Darktrace Email Receipt Status
New: Added a new incident field- Darktrace Email Receipt Status.
New: Darktrace Email Sender
New: Added a new incident field- Darktrace Email Sender.
New: Darktrace Email Summary
New: Added a new incident field- Darktrace Email Summary.
New: Darktrace Email Actions Taken
New: Added a new incident field- Darktrace Email Actions Taken.
New: Darktrace Email Subject
New: Added a new incident field- Darktrace Email Subject.
New: Darktrace Email Warning Tags
New: Added a new incident field- Darktrace Email Warning Tags.
New: Darktrace Email Release Requested
New: Added a new incident field- Darktrace Email Release Requested.
New: Darktrace Email Informational Tags
New: Added a new incident field- Darktrace Email Informational Tags.
New: Darktrace Email UUID
New: Added a new incident field- Darktrace Email UUID.
New: Darktrace Email Read Status
New: Added a new incident field- Darktrace Email Read Status.
New: Darktrace Email UI Link
New: Added a new incident field- Darktrace Email UI Link.
New: Darktrace Email Links
New: Added a new incident field- Darktrace Email Links.
New: Darktrace Email Action Status
New: Added a new incident field- Darktrace Email Action Status.
New: Darktrace Email Actions
New: Added a new incident field- Darktrace Email Actions.
New: Darktrace Email Time
New: Added a new incident field- Darktrace Email Time.

Incident Types

New: Darktrace Email
New: Added a new incident type- Darktrace Email.

Integrations

New: DarktraceEmail

New: Added a new integration- DarktraceEmail that This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Added the following commands:
- darktrace-email-get-email
- darktrace-email-hold-email
- darktrace-email-release-email

Mappers

New: Darktrace Email Mapper

New: Added a new mapper- Darktrace Email Mapper.

Playbooks

New: Darktrace Email Update Incident Fields

Update all incident fields that may change over time.

New: Darktrace Email Basic Email Handler

Runs a common Email workflow for fetch Darktrace Email incidents.

Related pull requests:
- 39808
- 39551

Download

3.0.17 - 3042633 (April 2, 2025)

Integrations

Darktrace Model Breaches

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Darktrace Event Collector

Documentation and metadata improvements.

Related pull requests:
- 39380

Download

3.0.16 - R2988287 (March 26, 2025)

Integrations

Darktrace Admin

Metadata and documentation improvements.

Darktrace AI Analyst

Metadata and documentation improvements.

Darktrace Event Collector

Metadata and documentation improvements.

Darktrace Model Breaches

Metadata and documentation improvements.

Related pull requests:
- 39023

Download

3.0.15 - 2613464 (March 2, 2025)

Integrations

Darktrace Event Collector

Updated sending events to XSIAM to using with proxy.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38837

Download

3.0.14 - 1935630 (January 6, 2025)

Integrations

Darktrace AI Analyst

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Darktrace Admin

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

3.0.13 - 1873754 (December 25, 2024)

Integrations

Darktrace Model Breaches

Added support for acknowledging and unacknowledging model alerts with Darktrace UV deployments.

Related pull requests:
- 37641
- 37838

Download

3.0.12 - 1681986 (November 21, 2024)

Integrations

Darktrace Event Collector

Updated the Docker image to: demisto/python3:3.11.10.116439.

Related pull requests:
- 37285

Download

3.0.11 - 1441232 (September 27, 2024)

Integrations

Darktrace Admin

code linting

Darktrace Model Breaches

code linting
fix post comment command

Darktrace AI Analyst

code linting

Related pull requests:
- 36451
- 36515

Download

3.0.10 - R1051712 (May 28, 2024)

Integrations

Darktrace Admin

Updated the Docker image to: demisto/python3:3.10.13.87159.

Darktrace Model Breaches

Updated the Docker image to: demisto/python3:3.10.13.87159.

Darktrace AI Analyst

Updated the Docker image to: demisto/python3:3.10.13.87159.

Related pull requests:
- 33040

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	December 20, 2020
Last Release	May 21, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.