Darktrace | Marketplace

Details
Content
Dependencies
Version History

Populates Darktrace Model Breaches and AI Analyst Events in Cortex XSOAR, allowing for cross-platform automated investigation and response.

As organizations continue to mature their security stack and adopt defence-in-depth practices, it is increasingly important for security operation teams to have their data available in one place, rather than spread across multiple tools.

This integration pack enriches your Cortex XSOAR playbooks with information from Darktrace’s self-learning AI in our DETECT product family. This ensures your endpoint data is accompanied by tailored Darktrace alerts on anomalous activities within your network, SaaS, cloud and industrial environments.

Together with XSOAR, this pack can speed up your triage workflow, boost SOC efficiency and ensure all your security coverage can be found in one place.

What does this pack do?

This pack provides three optional sub-integrations by pulling a variety of Darktrace metrics:

Model Breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
AI Analyst investigations indicative of critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Device administration data including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.

Customers can decide which of these alerts are integrated, ensuring visibility is bespoke to your individual SOC’s needs. Alerts from the connector will populate in the XSOAR ‘Incidents’ tab.

This integration pack enriches your Cortex playbooks with information from Darktrace’s self-learning AI in our DETECT product family. This ensures your endpoint data is accompanied by tailored Darktrace alerts on anomalous activities within your network, SaaS, cloud and industrial environments.

Together with XSOAR, this pack can speed up your triage workflow, boost SOC efficiency and ensure all your security coverage can be found in one place.

What does this pack do?

This pack provides three optional sub-integrations by pulling a variety of Darktrace metrics:

Model Breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
AI Analyst investigations indicative of critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Device administration data including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.

Customers can decide which of these alerts are integrated, ensuring visibility is bespoke to your individual SOC’s needs. Alerts from the connector will populate in the XSOAR ‘Incidents’ tab.

Classifiers

Name	Description
Darktrace Incident Classifier	Classifies all incidents fetched by the Darktrace integration as "Darktrace Model Breach" type incidents for purposes of using the Integration Playbooks.
Darktrace Email Mapper
Darktrace Model Breach Mapper	Maps model breach fields to mappings for use in Integration Playbooks.
Darktrace Model Breach	Maps model breach fields to mappings for use in Integration Playbooks
Darktrace AI Analyst

Incident Fields

Name	Description
Darktrace Model Name	Name associated with the breached model in Darktrace
Darktrace Device ID
Darktrace Model Tags	Tags associated with the breached Darktrace model
Darktrace Email Critical Tags
Darktrace Device Label	Device label associated with device in Darktrace
Darktrace Model Breach ID	Darktrace Model Breach ID (PBID) of the breached model
Darktrace Email Attachments
Darktrace Email Actions
Darktrace AI Analyst Related Model Breaches
Darktrace Email Tags
Darktrace Device MAC	MAC address associated with device in Darktrace
Darktrace Email Informational Tags
Darktrace Comment Count	Number of comments on the Darktrace model breach
Darktrace Model Breach Name
Darktrace Model Breach Tags
Darktrace Email UI Link
Darktrace Device Vendor	Vendor associated with device in Darktrace
Darktrace AI Analyst Score
Darktrace Email Sender
Darktrace Email Group Status
Darktrace Email Receipt Status
Darktrace Email UUID
Darktrace Model Breach Category
Darktrace Email Subject
Darktrace Model Breach Description	Description of the Model Breach
Darktrace Model Breach Comment Count
Darktrace Model Breach Priority
Darktrace Email Action Status
Darktrace AI Analyst Summary
Darktrace Email Actions Taken
Darktrace Email Summary
Darktrace Email Recipient
Darktrace Model Breach Score	Darktrace Model Breach Score
Darktrace Model Priority	Priority of the breached model in Darktrace
Darktrace Device Hostname	Hostname associated with device in Darktrace
Darktrace Email Direction
Darktrace Model Breach Unique Identifier
Darktrace Email Read Status
Darktrace Model ID	Model ID (PID) associated with the breached model in Darktrace
Darktrace Model UUID	Model UUID associated with the breached model in Darktrace
Darktrace Email Time
Darktrace AI Analyst Category
Darktrace AI Analyst Associated Devices
Darktrace AI Analyst Group Id
Darktrace Email Release Requested
Darktrace Email Links
Darktrace Email Anomaly Score
Darktrace AI Analyst Event Id
Darktrace Email Warning Tags
Darktrace Device IP	IP address associated with device in Darktrace
Darktrace AI Analyst Mitre Tactics
Darktrace Model Breach Policy Id
Darktrace AI Analyst Title

Incident Types

Name	Description
Darktrace Email
Darktrace Model Breach
Darktrace Model Breach Alert
Darktrace AI Analyst Event

Integrations

Name	Description
DarktraceEmail (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Darktrace Model Breaches (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate model breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
Darktrace Admin (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to manage device actions including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.
Darktrace (Deprecated) (Partner Contribution)	Deprecated. Use DarktraceMBs, DarktraceAIA, DarktraceAdmin instead.
Darktrace AI Analyst (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. AI actions can also be applied.

Layouts

Name	Description
Darktrace Email Layout
Darktrace Model Breach Layout
Darktrace MBs Layout	Model Breach Layout
Darktrace AI Analyst Incident Layout	AI Analyst Incident Event Layout

Playbooks

Name	Description
Handle Darktrace Model Breach	Deprecated. Use Darktrace Basic Model Breach Handler and Darktrace Basic AI Analyst Event Handler instead.
Darktrace Email Update Incident Fields	Update all incident fields that may change over time.
Darktrace Email Basic Email Handler	Runs a common Email workflow for fetch Darktrace Email incidents.
Darktrace Basic Model Breach Handler	Runs a common Model Breach workflow for fetched Model breach alerts.
Darktrace Basic AI Analyst Event Handler	Runs a common AI Analyst workflow for fetched AI Analyst events.

Classifiers

Name	Description
Darktrace Incident Classifier	Classifies all incidents fetched by the Darktrace integration as "Darktrace Model Breach" type incidents for purposes of using the Integration Playbooks.
Darktrace Email Mapper
Darktrace Model Breach Mapper	Maps model breach fields to mappings for use in Integration Playbooks.
Darktrace AI Analyst
Darktrace Model Breach	Maps model breach fields to mappings for use in Integration Playbooks

Incident Fields

Name	Description
Darktrace Email Recipient
Darktrace Email Critical Tags
Darktrace Email Sender
Darktrace AI Analyst Event Id
Darktrace Email Tags
Darktrace Model ID	Model ID (PID) associated with the breached model in Darktrace
Darktrace Email Actions
Darktrace Email Summary
Darktrace Email Warning Tags
Darktrace Email Action Status
Darktrace Email Direction
Darktrace AI Analyst Summary
Darktrace Comment Count	Number of comments on the Darktrace model breach
Darktrace Email Actions Taken
Darktrace Device IP	IP address associated with device in Darktrace
Darktrace AI Analyst Category
Darktrace AI Analyst Mitre Tactics
Darktrace Model Breach Unique Identifier
Darktrace Model Breach Priority
Darktrace Device Vendor	Vendor associated with device in Darktrace
Darktrace AI Analyst Group Id
Darktrace Email UUID
Darktrace Device ID
Darktrace Email Release Requested
Darktrace Email Read Status
Darktrace Email Attachments
Darktrace Model Breach Description	Description of the Model Breach
Darktrace Email Receipt Status
Darktrace Email UI Link
Darktrace Model Breach Name
Darktrace Email Informational Tags
Darktrace Model Breach Policy Id
Darktrace Email Subject
Darktrace AI Analyst Associated Devices
Darktrace Model Breach Category
Darktrace AI Analyst Title
Darktrace Model Priority	Priority of the breached model in Darktrace
Darktrace Model Breach Comment Count
Darktrace Model UUID	Model UUID associated with the breached model in Darktrace
Darktrace Email Group Status
Darktrace Model Name	Name associated with the breached model in Darktrace
Darktrace Email Time
Darktrace Model Breach ID	Darktrace Model Breach ID (PBID) of the breached model
Darktrace Model Breach Tags
Darktrace Model Breach Score	Darktrace Model Breach Score
Darktrace Email Anomaly Score
Darktrace AI Analyst Related Model Breaches
Darktrace Email Links
Darktrace Device Label	Device label associated with device in Darktrace
Darktrace AI Analyst Score
Darktrace Model Tags	Tags associated with the breached Darktrace model

Incident Types

Name	Description
Darktrace AI Analyst Event
Darktrace Model Breach Alert
Darktrace Email
Darktrace Model Breach

Integrations

Name	Description
Darktrace Event Collector	Use this integration to fetch model breaches from Darktrace as events in XSIAM.
Darktrace AI Analyst (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines. AI actions can also be applied.
Darktrace (Deprecated) (Partner Contribution)	Deprecated. Use DarktraceMBs, DarktraceAIA, DarktraceAdmin instead.
Darktrace Model Breaches (Partner Contribution)	Rapid detection of malicious behaviour can make all the difference in the response to a security event. This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate model breaches and all model breach related actions (such as commenting, acknowledging and model logic info).
Darktrace Admin (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to manage device actions including device statuses and tags. Your understanding of potential threats can also be levelled-up with Advanced Search logs from DPI.
DarktraceEmail (Partner Contribution)	This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.

Modeling Rules

Name	Description
Darktrace Modeling Rule

Playbooks

Name	Description
Darktrace Email Basic Email Handler	Runs a common Email workflow for fetch Darktrace Email alerts.
Darktrace Email Update Alert Fields	Update all alert fields that may change over time.
Darktrace Basic AI Analyst Event Handler	Runs a common AI Analyst workflow for fetched AI Analyst events.
Handle Darktrace Model Breach	Deprecated. Use Darktrace Basic Model Breach Handler and Darktrace Basic AI Analyst Event Handler instead.
Darktrace Basic Model Breach Handler	Runs a common Model Breach workflow for fetched Model breach alerts.

Required Content Packs (4)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (7)

Pack Name	Pack By
Common Playbooks	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR

4.0.6 - 8515806 (April 27, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43940

Download

4.0.5 - 8210013 (April 13, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 43748

Download

4.0.4 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

4.0.3 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

4.0.2 - R5469292 (October 20, 2025)

Integrations

DarktraceEmail

Updated the DarktraceEmail integration to fetch up to 100 pages per fetch.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41421

Download

4.0.1 - 4770511 (September 4, 2025)

Integrations

Darktrace AI Analyst

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Model Breaches

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Admin

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

4.0.0 - R3980324 (June 26, 2025)

Incident Fields

New: Darktrace Email Group Status
New: Added a new incident field- Darktrace Email Group Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Anomaly Score
New: Added a new incident field- Darktrace Email Anomaly Score.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Direction
New: Added a new incident field- Darktrace Email Direction.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Tags
New: Added a new incident field- Darktrace Email Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Recipient
New: Added a new incident field- Darktrace Email Recipient.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Critical Tags
New: Added a new incident field- Darktrace Email Critical Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Attachments
New: Added a new incident field- Darktrace Email Attachments.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Receipt Status
New: Added a new incident field- Darktrace Email Receipt Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Sender
New: Added a new incident field- Darktrace Email Sender.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Summary
New: Added a new incident field- Darktrace Email Summary.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Actions Taken
New: Added a new incident field- Darktrace Email Actions Taken.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Subject
New: Added a new incident field- Darktrace Email Subject.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Warning Tags
New: Added a new incident field- Darktrace Email Warning Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Release Requested
New: Added a new incident field- Darktrace Email Release Requested.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Informational Tags
New: Added a new incident field- Darktrace Email Informational Tags.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email UUID
New: Added a new incident field- Darktrace Email UUID.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Read Status
New: Added a new incident field- Darktrace Email Read Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email UI Link
New: Added a new incident field- Darktrace Email UI Link.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Links
New: Added a new incident field- Darktrace Email Links.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Action Status
New: Added a new incident field- Darktrace Email Action Status.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Actions
New: Added a new incident field- Darktrace Email Actions.
(Available from Cortex XSOAR 6.10.0).
New: Darktrace Email Time
New: Added a new incident field- Darktrace Email Time.
(Available from Cortex XSOAR 6.10.0).

Incident Types

New: Darktrace Email
New: Added a new incident type- Darktrace Email.
(Available from Cortex XSOAR 6.10.0).

Integrations

New: DarktraceEmail

New: Added a new integration- DarktraceEmail that This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
(Available from Cortex XSOAR 6.10.0).
Added the following commands:
- darktrace-email-get-email
- darktrace-email-hold-email
- darktrace-email-release-email

Layouts

New: Darktrace Email Layout
New: Added a new layout- Darktrace Email Layout
(Available from Cortex XSOAR 6.10.0).

Mappers

New: Darktrace Email Mapper

New: Added a new mapper- Darktrace Email Mapper.
(Available from Cortex XSOAR 6.10.0).

Playbooks

New: Darktrace Email Update Incident Fields

Update all incident fields that may change over time.
(Available from Cortex XSOAR 6.10.0).

New: Darktrace Email Basic Email Handler

Runs a common Email workflow for fetch Darktrace Email incidents.
(Available from Cortex XSOAR 6.10.0).

Related pull requests:
- 39808
- 39551

Download

3.0.17 - 3042633 (April 2, 2025)

Integrations

Darktrace Model Breaches

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Related pull requests:
- 39380

Download

4.0.6 - 8542515 (April 28, 2026)

Modeling Rules

Darktrace Modeling Rule

Documentation and metadata improvements.

Related pull requests:
- 43940

Download

4.0.5 - 8210013 (April 13, 2026)

Integrations

Darktrace Event Collector

Documentation and metadata improvements.

Related pull requests:
- 43748

Download

4.0.4 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43567

Download

4.0.3 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

4.0.2 - R5469292 (October 20, 2025)

Integrations

DarktraceEmail

Updated the DarktraceEmail integration to fetch up to 100 pages per fetch.
Updated the Docker image to: demisto/python3:3.12.11.4819260.

Related pull requests:
- 41421

Download

4.0.1 - 4761438 (September 4, 2025)

Integrations

Darktrace AI Analyst

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Model Breaches

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Event Collector

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Darktrace Admin

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 41158

Download

4.0.0 - R3980324 (June 26, 2025)

Incident Fields

New: Darktrace Email Group Status
New: Added a new incident field- Darktrace Email Group Status.
New: Darktrace Email Anomaly Score
New: Added a new incident field- Darktrace Email Anomaly Score.
New: Darktrace Email Direction
New: Added a new incident field- Darktrace Email Direction.
New: Darktrace Email Tags
New: Added a new incident field- Darktrace Email Tags.
New: Darktrace Email Recipient
New: Added a new incident field- Darktrace Email Recipient.
New: Darktrace Email Critical Tags
New: Added a new incident field- Darktrace Email Critical Tags.
New: Darktrace Email Attachments
New: Added a new incident field- Darktrace Email Attachments.
New: Darktrace Email Receipt Status
New: Added a new incident field- Darktrace Email Receipt Status.
New: Darktrace Email Sender
New: Added a new incident field- Darktrace Email Sender.
New: Darktrace Email Summary
New: Added a new incident field- Darktrace Email Summary.
New: Darktrace Email Actions Taken
New: Added a new incident field- Darktrace Email Actions Taken.
New: Darktrace Email Subject
New: Added a new incident field- Darktrace Email Subject.
New: Darktrace Email Warning Tags
New: Added a new incident field- Darktrace Email Warning Tags.
New: Darktrace Email Release Requested
New: Added a new incident field- Darktrace Email Release Requested.
New: Darktrace Email Informational Tags
New: Added a new incident field- Darktrace Email Informational Tags.
New: Darktrace Email UUID
New: Added a new incident field- Darktrace Email UUID.
New: Darktrace Email Read Status
New: Added a new incident field- Darktrace Email Read Status.
New: Darktrace Email UI Link
New: Added a new incident field- Darktrace Email UI Link.
New: Darktrace Email Links
New: Added a new incident field- Darktrace Email Links.
New: Darktrace Email Action Status
New: Added a new incident field- Darktrace Email Action Status.
New: Darktrace Email Actions
New: Added a new incident field- Darktrace Email Actions.
New: Darktrace Email Time
New: Added a new incident field- Darktrace Email Time.

Incident Types

New: Darktrace Email
New: Added a new incident type- Darktrace Email.

Integrations

New: DarktraceEmail

New: Added a new integration- DarktraceEmail that This pack includes configurations to combine the world-class threat detection of Darktrace with the synchrony and automation abilities of XSOAR, allowing security teams to investigate critical incidents along with accompanying summaries and timelines.
Added the following commands:
- darktrace-email-get-email
- darktrace-email-hold-email
- darktrace-email-release-email

Mappers

New: Darktrace Email Mapper

New: Added a new mapper- Darktrace Email Mapper.

Playbooks

New: Darktrace Email Update Incident Fields

Update all incident fields that may change over time.

New: Darktrace Email Basic Email Handler

Runs a common Email workflow for fetch Darktrace Email incidents.

Related pull requests:
- 39808
- 39551

Download

3.0.17 - 3042633 (April 2, 2025)

Integrations

Darktrace Model Breaches

Documentation and metadata improvements.
Updated the Docker image to: demisto/python3:3.12.8.1983910.

Darktrace Event Collector

Documentation and metadata improvements.

Related pull requests:
- 39380

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Partner
Created	December 20, 2020
Last Release	April 27, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.