Darktrace | Marketplace

Details
Content
Dependencies
Version History

Populates Darktrace Model Breaches and AI Analyst Events in Cortex XSOAR, allowing for cross-platform automated investigation and response.

As organizations continue to mature their security stack and adopt defence-in-depth practices, it is increasingly important for security operation teams to have their data available in one place, rather than spread across multiple tools.

This integration pack enriches your Cortex XSOAR playbooks with information from Darktrace’s self-learning AI in our DETECT product family. This ensures your endpoint data is accompanied by tailored Darktrace alerts on anomalous activities within your network, SaaS, cloud and industrial environments.

Together with XSOAR, this pack can speed up your triage workflow, boost SOC efficiency and ensure all your security coverage can be found in one place.

What does this pack do?

This pack provides three optional sub-integrations by pulling a variety of Darktrace metrics:

Model Breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
AI Analyst investigations indicative of critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Device administration data including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.

Customers can decide which of these alerts are integrated, ensuring visibility is bespoke to your individual SOC’s needs. Alerts from the connector will populate in the XSOAR ‘Incidents’ tab.

This integration pack enriches your Cortex playbooks with information from Darktrace’s self-learning AI in our DETECT product family. This ensures your endpoint data is accompanied by tailored Darktrace alerts on anomalous activities within your network, SaaS, cloud and industrial environments.

Together with XSOAR, this pack can speed up your triage workflow, boost SOC efficiency and ensure all your security coverage can be found in one place.

What does this pack do?

This pack provides three optional sub-integrations by pulling a variety of Darktrace metrics:

Model Breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
AI Analyst investigations indicative of critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Device administration data including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.

Customers can decide which of these alerts are integrated, ensuring visibility is bespoke to your individual SOC’s needs. Alerts from the connector will populate in the XSOAR ‘Incidents’ tab.

Classifiers

Name	Description
Darktrace Incident Classifier	Classifies all incidents fetched by the Darktrace integration as "Darktrace Model Breach" type incidents for purposes of using the Integration Playbooks.
Darktrace AI Analyst
Darktrace Model Breach Mapper	Maps model breach fields to mappings for use in Integration Playbooks.
Darktrace Email Mapper
Darktrace Model Breach	Maps model breach fields to mappings for use in Integration Playbooks

Incident Fields

Name	Description
Darktrace Email Read Status
Darktrace Device Hostname	Hostname associated with device in Darktrace
Darktrace Email UUID
Darktrace Device IP	IP address associated with device in Darktrace
Darktrace Model Name	Name associated with the breached model in Darktrace
Darktrace Device Vendor	Vendor associated with device in Darktrace
Darktrace Model ID	Model ID (PID) associated with the breached model in Darktrace
Darktrace Email Subject
Darktrace Model Tags	Tags associated with the breached Darktrace model
Darktrace Model Breach Category
Darktrace Email Warning Tags
Darktrace Email Sender
Darktrace AI Analyst Summary
Darktrace Email Actions Taken
Darktrace AI Analyst Title
Darktrace Comment Count	Number of comments on the Darktrace model breach
Darktrace Email Links
Darktrace AI Analyst Associated Devices
Darktrace Email Attachments
Darktrace Model Priority	Priority of the breached model in Darktrace
Darktrace Email Tags
Darktrace Device MAC	MAC address associated with device in Darktrace
Darktrace AI Analyst Mitre Tactics
Darktrace Model Breach Comment Count
Darktrace Email Direction
Darktrace Model Breach Unique Identifier
Darktrace Model Breach Policy Id
Darktrace Email Actions
Darktrace Email UI Link
Darktrace Email Release Requested
Darktrace Email Anomaly Score
Darktrace AI Analyst Category
Darktrace AI Analyst Score
Darktrace Email Time
Darktrace Model Breach Priority
Darktrace AI Analyst Event Id
Darktrace Email Informational Tags
Darktrace Model UUID	Model UUID associated with the breached model in Darktrace
Darktrace Device Label	Device label associated with device in Darktrace
Darktrace Email Critical Tags
Darktrace Email Receipt Status
Darktrace Device ID
Darktrace Model Breach ID	Darktrace Model Breach ID (PBID) of the breached model
Darktrace AI Analyst Group Id
Darktrace Model Breach Description	Description of the Model Breach
Darktrace Email Group Status
Darktrace Email Action Status
Darktrace Email Summary
Darktrace Model Breach Name
Darktrace AI Analyst Related Model Breaches
Darktrace Model Breach Tags
Darktrace Model Breach Score	Darktrace Model Breach Score
Darktrace Email Recipient

Incident Types

Name	Description
Darktrace AI Analyst Event
Darktrace Model Breach Alert
Darktrace Model Breach
Darktrace Email

Integrations

Name	Description
Darktrace Admin (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to manage device actions including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.
Darktrace AI Analyst (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
DarktraceEmail (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Darktrace Model Breaches (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate model breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
Darktrace (Deprecated) (Partner Contribution)	Deprecated. Use DarktraceMBs, DarktraceAIA, DarktraceAdmin instead.

Layouts

Name	Description
Darktrace Email Layout
Darktrace Model Breach Layout
Darktrace MBs Layout	Model Breach Layout
Darktrace AI Analyst Incident Layout	AI Analyst Incident Event Layout

Playbooks

Name	Description
Darktrace Email Update Incident Fields	Update all incident fields that may change over time.
Darktrace Basic AI Analyst Event Handler	Runs a common AI Analyst workflow for fetched AI Analyst events.
Darktrace Email Basic Email Handler	Runs a common Email workflow for fetch Darktrace Email incidents.
Handle Darktrace Model Breach	Deprecated. Use Darktrace Basic Model Breach Handler and Darktrace Basic AI Analyst Event Handler instead.
Darktrace Basic Model Breach Handler	Runs a common Model Breach workflow for fetched Model breach alerts.

Classifiers

Name	Description
Darktrace Incident Classifier	Classifies all incidents fetched by the Darktrace integration as "Darktrace Model Breach" type incidents for purposes of using the Integration Playbooks.
Darktrace Model Breach Mapper	Maps model breach fields to mappings for use in Integration Playbooks.
Darktrace AI Analyst
Darktrace Email Mapper
Darktrace Model Breach	Maps model breach fields to mappings for use in Integration Playbooks

Incident Fields

Name	Description
Darktrace AI Analyst Group Id
Darktrace Email Release Requested
Darktrace Device Vendor	Vendor associated with device in Darktrace
Darktrace AI Analyst Related Model Breaches
Darktrace Email Actions Taken
Darktrace Email Links
Darktrace Email Time
Darktrace Model Tags	Tags associated with the breached Darktrace model
Darktrace Model ID	Model ID (PID) associated with the breached model in Darktrace
Darktrace Device Label	Device label associated with device in Darktrace
Darktrace Email Warning Tags
Darktrace Model Priority	Priority of the breached model in Darktrace
Darktrace AI Analyst Category
Darktrace AI Analyst Mitre Tactics
Darktrace Email Informational Tags
Darktrace AI Analyst Event Id
Darktrace Email Attachments
Darktrace Email Action Status
Darktrace Email UUID
Darktrace Email Summary
Darktrace Email Read Status
Darktrace Model Breach Policy Id
Darktrace Email Direction
Darktrace Device IP	IP address associated with device in Darktrace
Darktrace Model Breach Description	Description of the Model Breach
Darktrace Email Subject
Darktrace Model Breach Comment Count
Darktrace Model UUID	Model UUID associated with the breached model in Darktrace
Darktrace Model Breach Priority
Darktrace AI Analyst Associated Devices
Darktrace Comment Count	Number of comments on the Darktrace model breach
Darktrace Email Critical Tags
Darktrace Model Breach Unique Identifier
Darktrace Model Name	Name associated with the breached model in Darktrace
Darktrace Email Actions
Darktrace AI Analyst Title
Darktrace Model Breach Name
Darktrace Model Breach Score	Darktrace Model Breach Score
Darktrace Device ID
Darktrace Model Breach Category
Darktrace Email Group Status
Darktrace Email Sender
Darktrace Email Recipient
Darktrace Model Breach ID	Darktrace Model Breach ID (PBID) of the breached model
Darktrace AI Analyst Score
Darktrace AI Analyst Summary
Darktrace Email Receipt Status
Darktrace Email UI Link
Darktrace Email Tags
Darktrace Email Anomaly Score
Darktrace Model Breach Tags

Incident Types

Name	Description
Darktrace AI Analyst Event
Darktrace Model Breach
Darktrace Model Breach Alert
Darktrace Email

Integrations

Name	Description
Darktrace Event Collector	Use this integration to fetch model breaches from Darktrace as events in XSIAM.
Darktrace Admin (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to manage device actions including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.
Darktrace Model Breaches (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate model breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
Darktrace (Deprecated) (Partner Contribution)	Deprecated. Use DarktraceMBs, DarktraceAIA, DarktraceAdmin instead.
DarktraceEmail (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Darktrace AI Analyst (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. AI actions can also be applied.

Modeling Rules

Name	Description
Darktrace Modeling Rule

Playbooks

Name	Description
Darktrace Email Basic Email Handler	Runs a common Email workflow for fetch Darktrace Email alerts.
Handle Darktrace Model Breach	Deprecated. Use Darktrace Basic Model Breach Handler and Darktrace Basic AI Analyst Event Handler instead.
Darktrace Basic AI Analyst Event Handler	Runs a common AI Analyst workflow for fetched AI Analyst events.
Darktrace Email Update Alert Fields	Update all alert fields that may change over time.
Darktrace Basic Model Breach Handler	Runs a common Model Breach workflow for fetched Model breach alerts.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (6)

Pack Name	Pack By
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR

4.0.2 - R5469292 (October 20, 2025)

Integrations

DarktraceEmail

Updated the DarktraceEmail integration to fetch up to 100 pages per fetch.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41421

Download

4.0.1 - 4770511 (September 4, 2025)

Integrations

Darktrace AI Analyst

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Model Breaches

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Admin

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

4.0.0 - R3980324 (June 26, 2025)

Incident Fields

New: Darktrace Email Group Status
New: Added a new incident field- Darktrace Email Group Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Anomaly Score
New: Added a new incident field- Darktrace Email Anomaly Score.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Direction
New: Added a new incident field- Darktrace Email Direction.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Tags
New: Added a new incident field- Darktrace Email Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Recipient
New: Added a new incident field- Darktrace Email Recipient.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Critical Tags
New: Added a new incident field- Darktrace Email Critical Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Attachments
New: Added a new incident field- Darktrace Email Attachments.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Receipt Status
New: Added a new incident field- Darktrace Email Receipt Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Sender
New: Added a new incident field- Darktrace Email Sender.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Summary
New: Added a new incident field- Darktrace Email Summary.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Actions Taken
New: Added a new incident field- Darktrace Email Actions Taken.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Subject
New: Added a new incident field- Darktrace Email Subject.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Warning Tags
New: Added a new incident field- Darktrace Email Warning Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Release Requested
New: Added a new incident field- Darktrace Email Release Requested.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Informational Tags
New: Added a new incident field- Darktrace Email Informational Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email UUID
New: Added a new incident field- Darktrace Email UUID.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Read Status
New: Added a new incident field- Darktrace Email Read Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email UI Link
New: Added a new incident field- Darktrace Email UI Link.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Links
New: Added a new incident field- Darktrace Email Links.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Action Status
New: Added a new incident field- Darktrace Email Action Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Actions
New: Added a new incident field- Darktrace Email Actions.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Time
New: Added a new incident field- Darktrace Email Time.
(Available from Cortex XSOAR 6.10.0).

Incident Types

New: Darktrace Email
New: Added a new incident type- Darktrace Email.
(Available from Cortex XSOAR 6.10.0).

Integrations

New: DarktraceEmail

New: Added a new integration- DarktraceEmail that This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
(Available from Cortex XSOAR 6.10.0).
Added the following commands:
- darktrace-email-get-email
- darktrace-email-hold-email
- darktrace-email-release-email

Layouts

New: Darktrace Email Layout
New: Added a new layout- Darktrace Email Layout
(Available from Cortex XSOAR 6.10.0).

Mappers

New: Darktrace Email Mapper

New: Added a new mapper- Darktrace Email Mapper.
(Available from Cortex XSOAR 6.10.0).

Playbooks

New: Darktrace Email Update Incident Fields

Update all incident fields that may change over time.
(Available from Cortex XSOAR 6.10.0).

New: Darktrace Email Basic Email Handler

Runs a common Email workflow for fetch Darktrace Email incidents.
(Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 39808
- 39551

Download

3.0.17 - 3042633 (April 2, 2025)

Integrations

Darktrace Model Breaches

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39380

Download

3.0.16 - R2988287 (March 26, 2025)

Integrations

Darktrace Admin

Metadata and documentation improvements.

Darktrace AI Analyst

Metadata and documentation improvements.

Darktrace Model Breaches

Metadata and documentation improvements.

Related pull requests:
- 39023

Download

3.0.15 - 2613464 (March 2, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 38837

Download

3.0.14 - 1935630 (January 6, 2025)

Integrations

Darktrace AI Analyst

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Darktrace Admin

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

3.0.13 - 1873754 (December 25, 2024)

Integrations

Darktrace Model Breaches

Added support for acknowledging and unacknowledging model alerts with Darktrace UV deployments.

Related pull requests:
- 37641
- 37838

Download

3.0.12 - 1681986 (November 21, 2024)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 37285

Download

4.0.2 - R5469292 (October 20, 2025)

Integrations

DarktraceEmail

Updated the DarktraceEmail integration to fetch up to 100 pages per fetch.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41421

Download

4.0.1 - 4761438 (September 4, 2025)

Integrations

Darktrace AI Analyst

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Model Breaches

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Event Collector

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Admin

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

4.0.0 - R3980324 (June 26, 2025)

Incident Fields

New: Darktrace Email Group Status
New: Added a new incident field- Darktrace Email Group Status.
New: Darktrace Email Anomaly Score
New: Added a new incident field- Darktrace Email Anomaly Score.
New: Darktrace Email Direction
New: Added a new incident field- Darktrace Email Direction.
New: Darktrace Email Tags
New: Added a new incident field- Darktrace Email Tags.
New: Darktrace Email Recipient
New: Added a new incident field- Darktrace Email Recipient.
New: Darktrace Email Critical Tags
New: Added a new incident field- Darktrace Email Critical Tags.
New: Darktrace Email Attachments
New: Added a new incident field- Darktrace Email Attachments.
New: Darktrace Email Receipt Status
New: Added a new incident field- Darktrace Email Receipt Status.
New: Darktrace Email Sender
New: Added a new incident field- Darktrace Email Sender.
New: Darktrace Email Summary
New: Added a new incident field- Darktrace Email Summary.
New: Darktrace Email Actions Taken
New: Added a new incident field- Darktrace Email Actions Taken.
New: Darktrace Email Subject
New: Added a new incident field- Darktrace Email Subject.
New: Darktrace Email Warning Tags
New: Added a new incident field- Darktrace Email Warning Tags.
New: Darktrace Email Release Requested
New: Added a new incident field- Darktrace Email Release Requested.
New: Darktrace Email Informational Tags
New: Added a new incident field- Darktrace Email Informational Tags.
New: Darktrace Email UUID
New: Added a new incident field- Darktrace Email UUID.
New: Darktrace Email Read Status
New: Added a new incident field- Darktrace Email Read Status.
New: Darktrace Email UI Link
New: Added a new incident field- Darktrace Email UI Link.
New: Darktrace Email Links
New: Added a new incident field- Darktrace Email Links.
New: Darktrace Email Action Status
New: Added a new incident field- Darktrace Email Action Status.
New: Darktrace Email Actions
New: Added a new incident field- Darktrace Email Actions.
New: Darktrace Email Time
New: Added a new incident field- Darktrace Email Time.

Incident Types

New: Darktrace Email
New: Added a new incident type- Darktrace Email.

Integrations

New: DarktraceEmail

New: Added a new integration- DarktraceEmail that This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Added the following commands:
- darktrace-email-get-email
- darktrace-email-hold-email
- darktrace-email-release-email

Mappers

New: Darktrace Email Mapper

New: Added a new mapper- Darktrace Email Mapper.

Playbooks

New: Darktrace Email Update Incident Fields

Update all incident fields that may change over time.

New: Darktrace Email Basic Email Handler

Runs a common Email workflow for fetch Darktrace Email incidents.

Related pull requests:
- 39808
- 39551

Download

3.0.17 - 3042633 (April 2, 2025)

Integrations

Darktrace Model Breaches

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Darktrace Event Collector

Documentation and metadata improvements.

Related pull requests:
- 39380

Download

3.0.16 - R2988287 (March 26, 2025)

Integrations

Darktrace Admin

Metadata and documentation improvements.

Darktrace AI Analyst

Metadata and documentation improvements.

Darktrace Event Collector

Metadata and documentation improvements.

Darktrace Model Breaches

Metadata and documentation improvements.

Related pull requests:
- 39023

Download

3.0.15 - 2613464 (March 2, 2025)

Integrations

Darktrace Event Collector

Updated sending events to XSIAM to using with proxy.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 38837

Download

3.0.14 - 1935630 (January 6, 2025)

Integrations

Darktrace AI Analyst

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Darktrace Admin

Code functionality improvements.
Updated the Docker image to: demisto/python3:3.11.10.116949.

Related pull requests:
- 37472

Download

3.0.13 - 1873754 (December 25, 2024)

Integrations

Darktrace Model Breaches

Added support for acknowledging and unacknowledging model alerts with Darktrace UV deployments.

Related pull requests:
- 37641
- 37838

Download

3.0.12 - 1681986 (November 21, 2024)

Integrations

Darktrace Event Collector

Updated the Docker image to: demisto/python3:3.11.10.116439.

Related pull requests:
- 37285

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	December 20, 2020
Last Release	October 20, 2025

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.