Darktrace
LAST UPDATED: 05/30/2024
Overview
Darktrace offers intelligent, automatic threat detection and response, powered by self-learning AI that can catch every potential threat.
D3 SOAR is providing REST operations to function with the Darktrace.
For example, you can use Darktrace Integration to monitor your digital infrastructure and take intelligent preventive action to stop any threats from escalating into a crisis.
Darktrace Integration is available for use in:
Connection
To connect to Darktrace from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The Darktrace server URL. | https://usw1-***-01.cloud.darktrace.com |
Private Token | The private token for authentication with Darktrace. | YOUR_PRIVATE_TOKEN |
Public Token | The public token for authentication with Darktrace. | YOUR_API_TOKEN |
Configuring Darktrace to Work with D3 SOAR
Creating the API token requires access to the Darktrace Threat Visualizer interface and a user account with appropriate permissions to access and modify the System Config page.
Navigate to the System Config page on the Threat Visualizer of the appliance you wish to request data from. Select “Settings” from the left-hand menu.
Locate the “API Token” subsection and click “New”.
Two values will be displayed, a Public and Private token, the Private token will not be displayed again.
Both tokens are required to establish an integration connection in D3 SOAR.
Configuring D3 SOAR to Work with Darktrace
Log in to D3 SOAR.
Find the Darktrace integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Darktrace in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Darktrace.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input your domain level Server URL.
2. Input your Public Token.
3. Input your Private Token.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Darktrace includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Darktrace Enterprise Immune System API, please refer to the Darktrace Enterprise Immune System API reference.
Note for Time-related parameters
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Acknowledge
Acknowledges the specified model breaches.
Reader Note
The parameter Breach IDs is required to run this command.
Run the Search Breaches command to obtain Breach IDs. Breach IDs can be found from the returned raw data at the path $[*].pbid.
Breaches can either be acknowledged or unacknowledged, but not be both. You may check the breach IDs’ acknowledge status from the response data of the Fetch Event command, at the JSON path $.[*].acknowledge. You can acknowledge the breaches that are unacknowledged (“false”). The breach IDs are returned under the key “pbid”.
Input
Input Parameter | Required/Optional | Description | Example |
Breach IDs | Required | The ID(s) of the model breach(es) to acknowledge. Breach IDs can be obtained using the Search Breaches command. | [ *** ] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Acknowledge failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ERROR |
Error Sample Data Acknowledge failed. Status Code: 400. Message: ERROR |
Add Comments
Adds a comment to the specified breaches.
Reader Note
The parameter Breach IDs is required to run this command.
Run the Search Breaches command to obtain Breach IDs. Breach IDs can be found from the returned raw data at the path $[*].pbid.
Input
Input Parameter | Required/Optional | Description | Example |
Breach IDs | Required | The ID(s) of the model breach(es) to add a comment. Breach IDs can be obtained using the Search Breaches command. | [ *** ] |
Comment | Required | The comment text to add. | Hello World!!! |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Comments failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data Add Comments failed. Status Code: 400. Message: API SIGNATURE ERROR. |
Create Actions
Creates manual Darktrace RESPOND/Network actions from Darktrace Threat Visualizer 6.
Reader Note
The parameter Device IDs is required to run this command.
Run the List Devices command to obtain Device IDs. Device IDs can be found from the returned raw data at the path $[*].did.
Input
Input Parameter | Required/Optional | Description | Example |
Device IDs | Required | The IDs of the devices modeled in the Darktrace system on which to take action. Device IDs can be obtained using the List Devices command. | [ 20 ] |
Action | Required | The action to take on the specified devices. Available action options are Block Matching Connections(connection), Enforce pattern of life(pol), Enforce group pattern of life(gpol), Quarantine device(quarantine), Block all outgoing traffic(quarantineOutgoing) and Block all incoming traffic(quarantineIncoming). | Block Matching Connections |
Duration | Optional | The duration of the action in seconds. If this parameter is not defined, the default duration is 60 seconds. | 30 |
Reason | Optional | The purpose of the action. | Test |
Connections | Optional | The connection pairs to block against. Inputs are in Array format with available fields src, dst and port. Please note, this parameter is valid only for the Action parameter choose to Connections. Each connection pair must include src and dst fields, and port field is optional. Src can be an IP or hostname of an endpoint to block connections from. Dst can be an IP or hostname of an endpoint to block connections to. Port is an optional port for dst. | [ { "src": "10.10.10.10", "dst": "8.8.8.9", "port": 443 } ] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Actions failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404 |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device ID Not found. |
Error Sample Data Create Actions failed. Status Code: 404 Message: Device ID Not found. |
Create PCAP
Creates new PCAP files.
Input
Input Parameter | Required/Optional | Description | Example |
Source IP | Required | The source IP of connections in the packet capture. | 1.1.1.1 |
Source Port | Optional | The port number for the source IP. | 443 |
Destination IP | Optional | The destination IP of connections in the packet capture. | 8.8.8.8 |
Destination Port | Optional | The port number for the destination IP. | 80 |
Start Time | Required | The start time for the packet capture in UTC time. Please note, the maximum timeframe for PCAP creation between Start Time and End Time is 30 minutes. | 2023-01-24 00:00 |
End Time | Required | The end time for the packet capture in UTC time. Please note, the maximum timeframe for PCAP creation between Start Time and End Time is 30 minutes. | 2023-01-25 00:00 |
Protocol | Optional | The layer 3 protocol to be specified. Accepts “TCP” or “UDP”. Please note, to use the protocol filter, the Destination IP and Destination port must be specified. | TCP |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create PCAP failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid Source IP. |
Error Sample Data Create PCAP failed. Status Code: 403. Message: Invalid Source IP. |
Get Enumerated Types
Returns the corresponding string values for numeric codes (enumerated types) that are used in many API responses.
Input
Input Parameter | Required/Optional | Description | Example |
Enumerated Types | Optional | The enumerated type to retrieve string values for numeric codes. The valid enumerated types are applicationprotocols, protocols, countries, destinationdevicetypes, sourcedevicetypes and vendors. If this parameter is not defined, all enumerated types will be returned. | [ "protocols", "countries" ] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Enumerated Types failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data Get Enumerated Types failed. Status Code: 400. Message: API SIGNATURE ERROR. |
Fetch Event
Returns events (model breaches) based on the specified criteria. Note: Events beyond one year cannot be returned.
Reader Note
The syntax for the Search Condition input parameter is <field1>=<value1>&<field2>=<value2>.... The available input filter fields are did, minscore, pid, pbid and uuid. & is the AND operator, which is the only supported operator for input.
If no parameters are defined, up to 100 events within a year will be returned.
If only Start Time and End Time parameters are defined, and assuming that the input time range is valid, all events within the time range will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Optional | The start time of the time range to fetch events in UTC time. Note: Both Start Time and End Time must be defined for the input value of this command to be effective. Otherwise, breaches within a year will return. | 2023-01-26 00:00 |
End Time | Optional | The end time of the time range to fetch events in UTC time format. Note: Both Start Time and End Time must be defined for the input value of this command to be effective. Otherwise, breaches within a year will return. | 2023-01-27 00:00 |
Number of Event(s) Fetched | Optional | The number of events to return. Note: If this parameter is not defined, but the Start Time and End time parameters are, all breaches between the specified time range will be returned. If all three parameters are not defined, the default value of 100 for this parameter will be used. | 10 |
Search Condition | Optional | The search condition to filter fetched events. The syntax for the Search Condition input parameter is <field1>=<value1>&<field2>=<value2>.... The available input filter fields are did, minscore, pid, pbid and uuid. Note: Do not input time range fields (i.e. starttime, endtime, from and to). They will be overridden by the Start Time and End Time parameters. | did=33&minscore=0.5 |
Tolerance Scope | Optional | The tolerance scope (the default value is 10) in minutes of the query to fetch events between start and end time to avoid the loss of events. Events will be fetched between {Start Time - Tolerance Scope, End Time}. | 0 |
Output
Fetch Event Field Mapping
Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.
If you require a custom field mapping, click +Add Field to add a custom field mapping. You may also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
As a system integration, the Darktrace integration has some pre-configured field mappings for default field mapping.
Default Event Source
The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events . The default event source has a “Main Event JSON Path” (i.e., $) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.Main Event JSON Path: $
The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
For example, the root node of a JSON Path is . The child node denoting the Metric Name field would be .triggeredComponents[*].metric.label. Putting it together, the JSON Path expression to extract the Metric Name is $[*].triggeredComponents[*].metric.label.
The pre-configured field mappings are detailed below:
Field Name | Source Field |
Unique Event Key | .pbid |
Event Type | .model.now.name |
Start Time | .time |
Description | .model.now.description |
Score | .score |
Device | .device.hostname |
Device IP Address | .device.ip |
Device Mac Address | .device.macaddress |
Device category | .device.typelabel |
Device ID | .device.did |
Acknowledged | .acknowledged |
Creation Time | .creationTime |
Severity | .model.now.category |
Priority | .model.now.priority |
Metric Logic ID | .triggeredComponents[*].metric.mlid |
Metric Name | .triggeredComponents[*].metric.label |
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data Fetch Event failed. Status Code: 400. Message: API SIGNATURE ERROR. |
List Filter Types
Returns all internal Darktrace filters used in the Model Editor, their filter types (e.g. boolean and numeric) and the available comparators.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Filter Types failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API DATE ERROR. |
Error Sample Data List Filter Types failed. Status Code: 400. Message: API DATE ERROR. |
Get Breaches
Returns information from the specified model breaches.
Reader Note
The parameter Breach IDs is required to run this command.
Run the Search Breaches command to obtain Breach IDs. Breach IDs can be found from the returned raw data at the path $[*].pbid.
Both acknowledged and unacknowledged breaches will be returned, so the acknowledged breaches can also be obtained from this command.
Input
Input Parameter | Required/Optional | Description | Example |
Breach IDs | Required | The ID(s) of the model breach(es) to retrieve information from. Breach IDs can be obtained using the Search Breaches command. | [ *** ] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Breaches failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace Enterprise Immune System portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API DATE ERROR. |
Error Sample Data Get Breaches failed. Status Code: 400. Message: API DATE ERROR. |
Get Comments
Returns the current comments of the specified model breaches. The returned comments are sorted by comment time, in ascending order.
Reader Note
The parameter Breach IDs is required to run this command.
Run the Search Breaches command to obtain Breach IDs. Breach IDs can be found from the returned raw data at the path $[*].pbid.
Input
Input Parameter | Required/Optional | Description | Example |
Breach IDs | Required | The ID(s) of the model breach(es) to retrieve comments. Breach IDs can be obtained using the Search Breaches command. | [ *** ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Comments failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API DATE ERROR. |
Error Sample Data Get Comments failed. Status Code: 400. Message: API DATE ERROR. |
Get Details
Returns a time-sorted list of connections and events for a device or entity (e.g. a SaaS credential). The request requires a device (returned under the “did” field of the raw data from the List Devices command), a model breach ID (returned under the “pbid” field of the raw data from the Search Breaches command) or a message field value (“msg”). You must specify at least one of three parameters - device ID, breach ID or message.
Alert
At least one of the Device ID, Breach ID and Message needs to be defined. The relationship between all input parameters is AND, meaning only connections and events matching all the input conditions will be returned. Otherwise, the command will run successfully with no returned results.
Reader Note
Device ID and Breach ID are optional parameters to run this command.
Run the List Devices command to obtain Device ID. Device IDs can be found from the returned raw data at the path $[*].did.
Run the Search Breaches command to obtain Breach ID. Breach IDs can be found from the returned raw data at the path $[*].pbid.
The format of the returned raw data may vary depending on the returned connections and events.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Optional | The start time of the time range to search for connections and events in UTC time. | 2023-01-26 00:00 |
End Time | Optional | The end time of the time range to search for connections and events in UTC time. | 2023-01-27 00:00 |
Device ID | Optional | The ID of the device to retrieve corresponding connections and events. Device IDs can be obtained using the List Devices command. | *** |
Breach ID | Optional | The ID of the model breach to retrieve corresponding connections and events. Breach IDs can be obtained using the Search Breaches command. | *** |
Message | Optional | The value of the message field in notice events to return details for. Typically used to specify user credential strings. | google.com |
Event Type | Optional | The event type to retrieve details. The valid event types are Connection, Unusual Connection, New Connection, Notice, Device History, Model Breach, and Policy Breach. If not specified, all types of events will be returned. | 3 |
Count | Optional | The number of items to return. If this parameter is not defined, but the Start Time and End time parameters are, all connections and events between the specified time range will be returned. If all three parameters are not defined, the default value of 200 will be used for this parameter. | 10 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Details failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data Get Details failed. Status Code: 400. Message: API SIGNATURE ERROR. |
Get Device Info
Returns the data used in the “Connections Data” view for the specified device(s) that can be accessed from the Threat Visualizer omnisearch. The data returned covers a 4 week period.
Reader Note
Device ID and Destination Device ID are required parameters to run this command.
Run the List Devices command to obtain Device ID and Destination Device ID. It can be found from the returned raw data at the path $[*].did.
Input
Input Parameter | Required/Optional | Description | Example |
Device ID | Required | The ID of the device to retrieve info about. Device IDs can be obtained using the List Devices command. | [ ** ] |
Data Type | Optional | The type of return data for either Connections, Data Size Out, or Data Size In. If this parameter is not defined, the default value is Connections. | Connections |
Destination Device ID | Optional | The ID of the destination device modeled in the Darktrace system to restrict data to. You can get Device ID using the List Devices command. If this parameter is not defined, all external connectivity will be returned. | ** |
External Domain | Optional | Restricts external data to a particular domain name. | google.com |
Port | Optional | Restricts returned connection data to the port specified. | *** |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Device Info failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device ID not found. |
Error Sample Data Get Device Info failed. Status Code: 404. Message: Device ID not found. |
Get Device Metric Data
Returns time series metrics data of a device. The default interval is 1 minute. If the Start Time and End Time parameters are not specified, the default time range is from 10 hours ago to the current time. It is suggested not to enter a large time range to avoid oversized return data.
Reader Note
Device ID and Metric Name are required parameters to run this command.
Run the List Devices command to obtain Device ID. Device IDs can be found from the returned raw data at the path $[*].did.
Run the List Metrics command to obtain Metric Name. Metric Name can be found from the returned raw data at the path $[*].name.
Input
Input Parameter | Required/Optional | Description | Example |
Device ID | Required | The ID of the device to retrieve metrics data. Device IDs can be obtained using the List Devices command. | 33 |
Metric Name | Required | The name of the metric to return. Metric names can be obtained using the List Metrics command. | [ "internalconnections", "connections" ] |
Start Time | Optional | The start time of the time range to fetch metrics data in UTC time. | 2023-01-28 00:00 |
End Time | Optional | The end time of the time range to fetch metrics data in UTC time. | 2023-01-29 00:00 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Device Metric Data failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data Get Device Metric Data failed. Status Code: 400. Message: API SIGNATURE ERROR. |
Get Device Summary
Returns contextual information for the specified device(s).
Reader Note
Device ID is a required parameter to run this command.
Run the List Devices command to obtain Device ID. Device IDs can be found from the returned raw data at the path $[*].did.
Input
Input Parameter | Required/Optional | Description | Example |
Device ID | Required | The ID of the device to retrieve the summary. Device IDs can be obtained using the List Devices command. | [ ** ] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Device Summary failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device ID Not Found. |
Error Sample Data Get Device Summary failed. Status Code: 404. Message: Device ID Not Found. |
Get Device Tags
Retrieves the current tag(s) for the specified device.
Reader Note
Device ID is a required parameter to run this command.
Run the List Devices command to obtain Device ID. Device IDs can be found from the returned raw data at the path $[*].did.
Input
Input Parameter | Required/Optional | Description | Example |
Device ID | Required | The ID of the device to retrieve tags. Device IDs can be obtained using the List Devices command. | 20 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Device Tags failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device ID Not Found. |
Error Sample Data Get Device Tags failed. Status Code: 404. Message: Device ID Not Found. |
Get External Endpoint Details
Returns locations, IP address and device connection information for external IPs and hostnames.
Input
Input Parameter | Required/Optional | Description | Example |
Endpoint Value | Required | The IP address or hostname to return details. Both IPv4 and IPv6 addresses are supported. | google.com |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get External Endpoint Details failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 408. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Request Timeout. |
Error Sample Data Get External Endpoint Details failed. Status Code: 408. Message: Request Timeout. |
Get Models
Returns information of the specified model UUIDs.
Reader Note
Model UUIDs is an optional parameter to run this command.
Run the Search Breaches command to obtain Model UUIDs. Module UUIDs are located at the JSON path $.model.uuid in the returned raw data.
Input
Input Parameter | Required/Optional | Description | Example |
Model UUIDs | Optional | The UUID(s) of the model(s) to return. Model UUIDs can be obtained using the Search Breaches command. If this parameter is not defined, all models will be returned. | [ "***-***-***-***-***" ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Models failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: DATANOTFOUND ERROR. |
Error Sample Data Get Models failed. Status Code: 404. Message: DATA NOT FOUND ERROR. |
Get Status
Returns detailed system health information.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Status failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 408. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Request Timeout |
Error Sample Data Get Status failed. Status Code: 408. Message: Request Timeout |
List Actions
Returns information about current and past Darktrace RESPOND/Network (formerly Antigena Network) actions. It can be used to retrieve a list of currently quarantined devices or Darktrace RESPOND Actions requiring approval.
Reader Note
Breach ID is a required parameter to run this command.
Run the Search Breaches command to obtain Breach ID. Breach IDs can be found from the returned raw data at the path $[*].pbid.
Input
Input Parameter | Required/Optional | Description | Example |
From | Optional | The start time of actions to return in UTC time. | 2023-01-23 00:00 |
To | Optional | The end time of actions to return in UTC time. | 2023-01-24 00:00 |
Breach ID | Optional | The ID of the model breach to retrieve corresponding connections and events. Breach ID can be obtained using the Search Breaches command. | *** |
Include Cleared | Optional | The option to return Darktrace RESPOND actions that are already cleared. The default option is False. | True |
Include History | Optional | The option to include additional history information about the action state, such as when it was created or extended. The default option is False. | True |
Need Confirming | Optional | Filters returned Darktrace RESPOND actions by those that need human confirmation or do not need human confirmation. The default option is False. | False |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Actions failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Breach ID Not Found. |
Error Sample Data List Actions failed. Status Code: 404. Message: Breach ID Not Found. |
List Devices
Returns a list of devices identified by Darktrace.
Reader Note
Returned devices are sorted by “dids”, in ascending order.
The minimum input value for the Seen Since parameter is 1 second.
The Seen Since parameter does not accept multiple time unit inputs (e.g. 1 week and 1 min). Only one time unit can be used for one input value.
The valid time units for the Seen Since parameter are as follows:
Second: <number> (you do not need to specify seconds, as it is the default time unit)
Minute: <number>min(s) or <number> min(s)
Hour: <number>hour(s) or <number> hour(s), please note that “hr” is not valid
Day: <number>day(s) or <number> day(s)
Week: <number>week(s) or <number> week(s)
Input
Input Parameter | Required/Optional | Description | Example |
Seen Since | Optional | Filters returned devices by last seen activity time. The valid input can be the number of seconds before the current time, or a number with a time unit modifier such as day or week. If this parameter is not defined, all devices will be returned. | 10min |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Devices failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data List Devices failed. Status Code: 400. Message: API SIGNATURE ERROR. |
List Metrics
Returns the list of metrics available for filtering other API calls and for use in model making.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Metrics failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 403. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data List Metrics failed. Status Code: 400. Message: API SIGNATURE ERROR. |
Get Model Components
Returns information for the specified components.
Reader Note
Component CIDs is an optional parameter to run this command.
Run the Search Breaches command to obtain the Component CIDs. Component CIDs will be returned in the returned raw data under the key “cid”.
Some Component CIDs may not be retrievable. It is recommended to input the latest component CIDs.
If the input parameter is not defined, all model components will be returned. This may cause the command to run for a long time.
Input
Input Parameter | Required/Optional | Description | Example |
Component CIDs | Optional | The ID(s) of the component(s) to return. Component CIDs can be obtained using the Search Breaches command. If this parameter is not defined, all components will be returned. | [ **] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Model Components failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: DATANOTFOUND ERROR. |
Error Sample Data Get Model Components failed. Status Code: 404. Message: DATA NOT FOUND ERROR. |
List PCAPs
Returns a list of PCAPs and their status.
Reader Note
Once the Create PCAP command requested PCAP status becomes "state":"finished", it can be retrieved with this command.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List PCAPs failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data List PCAPs failed. Status Code: 400. Message: API SIGNATURE ERROR. |
List Similar Devices
Returns a list of devices similar to the specified device on the network.
Reader Note
Device ID is a required parameter to run this command.
Run the List Devices command to obtain the Device ID. Device IDs can be found from the returned raw data at the path $[*].did.
Input
Input Parameter | Required/Optional | Description | Example |
Device ID | Required | The ID of the device to list similar devices. Device IDs can be obtained using the List Devices command. | ** |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Similar Metrics failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API DATE ERROR |
Error Sample Data List Similar Metrics failed. Status Code: 400. Message: API DATE ERROR |
List Subnets
Retrieves subnets with activity in the specified time period processed by Darktrace.
Reader Note
Returned subnets are sorted by “mlid”, in ascending order.
The Seen Since parameter does not multiple time unit inputs (e.g. 1 week and 1 min). Only one time unit can be used for one input value.
The valid time units for the Seen Since parameter are as follows:
Second: <number> (you do not need to specify seconds, as it is the default time unit)
Minute: <number>min(s) or <number> min(s)
Hour: <number>hour(s) or <number> hour(s), please note that “hr” is not valid
Day: <number>day(s) or <number> day(s)
Week: <number>week(s) or <number> week(s)
Month: <number>month(s) or <number> month(s) (max 6 months to input)
Input
Input Parameter | Required/Optional | Description | Example |
Seen Since | Optional | Filters returned subnets by last seen activity time. The valid input can be the number of seconds before the current time, or a number with a time unit modifier such as day or week (e.g. 2hour or 1day). Note: The minimum input value is 1second, and the maximum is 6months. | 5min |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Subnets failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400 |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data List Subnets failed. Status Code: 400 Message: API SIGNATURE ERROR. |
List Tags
Returns the details for all current tags.
Input
Input Parameter | Required/Optional | Description | Example |
Tag Names | Optional | The name(s) of the tag(s) to retrieve. Tag Names are case insensitive. | [ "active threat" ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Tags failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Tag Name not found. |
Error Sample Data List Tags failed. Status Code: 404. Message: Tag name Not Found. |
Search Breaches
Returns a time-sorted list of model breaches, filtered by the specified parameters.
Reader Note
Device ID is an optional parameter to run this command.
Run the List Devices command to obtain Device ID. Device IDs can be found from the returned raw data at the path $[*].did.
If no input parameters are defined, up to 100 non-acknowledged breaches will be returned.
If only the Start Time and End Time parameters are defined, all non-acknowledged breaches within the time range will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Optional | The start time of the time range to search breaches in UTC time. | 2023-01-26 00:00 |
End Time | Optional | The end time of the time range to search breaches in UTC time. | 2023-01-27 00:00 |
Minimum Score | Optional | The minimum score to filter searched breaches. | 0.5 |
Device ID | Optional | The ID of the device modeled in Darktrace to search breaches. Device IDs can be obtained using the List Devices command. | ** |
Include Acknowledged | Optional | The option to return acknowledged breaches in the search. If this parameter is not defined, the returned data will exclude acknowledged breaches. | True |
Count | Optional | The number of breaches to return. Note: If this parameter is not defined, but the Start Time and End time parameters are, all items between the specified time range will be returned. If all three parameters are not defined, the default value of 100 for this parameter will be used. | 3 |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search Breaches failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data Search Breaches failed. Status Code: 400. Message: API SIGNATURE ERROR. |
Tag Devices
Adds tag(s) to the specified device(s).
Reader Note
Device ID and Tags are required parameters to run this command.
Run the List Devices command to obtain Device IDs. Device IDs can be found from the returned raw data at the path $[*].did.
Run the List Tags command to obtain Tags. Tags referring to the Tag Names, which can be found in the returned raw data at the path $.name.
Input
Input Parameter | Required/Optional | Description | Example |
Device IDs | Required | The IDs of the devices modeled in the Darktrace system to add tags to. Device IDs can be obtained using the List Devices command. | [ ** ] |
Tags | Required | The existing tag name(s) to add to the devices. You can obtain existing tag names using the List Tags command. | [ "Admin" ] |
Duration | Optional | How long the tag should be set for the device in seconds. The tag will be removed once this duration has expired. | 3600 |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Tags failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Device IDs Not Found. |
Error Sample Data List Tags failed. Status Code: 404. Message: Device IDs Not Found. |
Unacknowledge
Unacknowledges the specified model breaches.
Reader Note
Input parameter Breach IDs is required to run this command.
Run the Search Breaches command to obtain Breach IDs.
Breaches can either be acknowledged or unacknowledged, but can not be both. You may check the breach IDs’ acknowledge status from the response data of the Fetch Event command, at the JSON path $.[*].acknowledge. You can acknowledge the breaches that are unacknowledged (“false”). The breach IDs are returned under the key “pbid”.
Input
Input Parameter | Required/Optional | Description | Example |
Breach IDs | Required | The ID(s) of the model breach(es) to unacknowledge. Breach IDs can be obtained using the Search Breaches command. | [ ** ] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unacknowledge failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API DATE ERROR |
Error Sample Data Unacknowledge failed. Status Code: 400. Message: API DATE ERROR |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is failed, an Error tab will appear in the Test Result window.
The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Darktrace portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API SIGNATURE ERROR. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 400. Message: API SIGNATURE ERROR. |