Darktrace
Darktrace is a network traffic analyzing tool that delivers notification events to downstream systems. With Third Party Alert event sources in SIEM (InsightIDR), you can configure your Collector to capture these notification events and generate SIEM (InsightIDR) investigations around them.
To set up Darktrace:
- Configure Darktrace to send data to SIEM (InsightIDR).
- Configure SIEM (InsightIDR) to collect data from the event source.
- Test the configuration.
Visit the third-party vendor's documentation
For the most accurate information on configuring this event source, we recommend that you visit Darktrace's documentation. You must have a Darktrace account to access this documentation.
Configure Darktrace to send data to SIEM (InsightIDR)
Before you configure the Darktrace event source, determine which data collection method you will use. SIEM (InsightIDR) supports two collection methods for Darktrace: a cloud connection (C2C) or a collector-based connection. Each method has different configuration requirements, so confirm your approach in advance to ensure you complete the correct setup steps.
Configure Darktrace for cloud connection
Before you configure the Darktrace event source in SIEM (InsightIDR) using the cloud connection method, complete these steps in Darktrace to prepare your environment.
Visit the third-party vendor's documentation
For details on generating API tokens and working with Darktrace endpoints, refer to the official Darktrace documentation:
- Generating API tokens: https://customerportal.darktrace.com/guides/api-tokens
- /modelbreaches endpoint schema: https://customerportal.darktrace.com/guides/api-modelbreaches-schema
- /aianalyst/incidentevents endpoint schema: https://customerportal.darktrace.com/guides/api-aianalyst-incidentevents-schema
Darktrace maintains this documentation. Refer to it for the most up-to-date API specifications and usage guidance. You must have a Darktrace account to access this documentation.
To complete this setup, you need:
- Access to the Darktrace Threat Visualizer
- A user account with permissions to create API tokens
- Access to system configuration settings (for global tokens)
Task 1: Retrieve the appliance URL
The appliance URL identifies your Darktrace instance and is required during event source configuration.
To retrieve the appliance URL:
- Log in to the Darktrace Threat Visualizer.
- Locate the URL in your browser address bar.
- Copy the hostname only.
- Do not include https://
- Do not include trailing slashes or paths (for example, /login or /modelbreaches)
Examples:
| Browser URL | Appliance URL |
|---|---|
| https://example.cloud.darktrace.com/login | example.cloud.darktrace.com |
| https://darktrace.mycompany.com/ | darktrace.mycompany.com |
Task 2: Generate API tokens
SIEM (InsightIDR) uses API tokens to authenticate and collect data from Darktrace.
You must generate a token pair that includes:
- Public token – Used as the DTAPI-Token header value
- Private token – Used to generate the DTAPI-Signature value
Token types
Darktrace supports two token types:
- Global token (recommended) – Provides full API access across the appliance
- Per-user token – Limited to the permissions of the associated user
Use a global token to ensure access to all required endpoints.
Generate a global token
To generate a global API token:
- In Darktrace Threat Visualizer, go to Admin > System Config.
- Select Settings.
- Locate the API Token section.
- Click New.
- Copy the Public and Private tokens.
- The Private token is shown only once.
- Store both tokens securely for later use.
Generate a per-user token (optional)
Use this option only if you require scoped access.
To generate a per-user token:
- In Darktrace Threat Visualizer, go to Admin > Permissions Admin.
- Go to the Created Accounts tab.
- Edit the target user.
- Enable API Access in the Flags tab.
- Save your changes.
- Log in as the target user.
- Open Account Settings.
- Click New to generate the token pair.
- Copy and securely store both tokens.
Configure required permissions (per-user only)
If you use a per-user token, ensure the account has:
- Access to unrestricted devices
- At least one of the following:
- Visualizer
- Darktrace IDENTITY Console
- Additional permissions for /modelbreaches if required
Global tokens do not require additional permission configuration.
Task 3: Verify required API endpoints
Ensure your Darktrace environment allows access to these endpoints:
- /modelbreaches
- /aianalyst/incidentevents
These endpoints are required for SIEM (InsightIDR) data collection.
Configure Darktrace for collector connection
Before SIEM (InsightIDR) can start ingesting data from Darktrace using the collector connection method, a Darktrace administrator with UI access must configure Darktrace to send syslog to the SIEM (InsightIDR) Collector.
Configure syslog forwarding in Darktrace
To configure syslog forwarding in Darktrace:
- In Darktrace Threat Visualizer, go to Admin > System Config.
- Select Modules and choose Syslog from the available Workflow Integrations.
- In the configuration window, select Syslog JSON and click New to open the configuration settings.
- Set the JSON Syslog Alerts field to true.
- In the JSON Syslog Server field, specify the IP address of the SIEM (InsightIDR) Collector.
- In the JSON Syslog Server Port field, specify a unique port over 1024 that you will use with the SIEM (InsightIDR) event source.
- Set the JSON Syslog TCP Alerts field to true.
Darktrace will automatically save your changes.
Configure SIEM (InsightIDR) to collect data from the event source
After you complete the prerequisite steps and configure the event source to send data, you must add the event source in SIEM (InsightIDR).
Task 1: Select Darktrace
- In the Command Platform, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab, then click Add Event Source.
- Do one of the following:
- Search for Darktrace in the event sources search bar.
- In the Product Type filter, select Third Party Alerts.
- Select the Darktrace event source tile.
Task 2: Set up your collection method
There are two methods of collecting data from Darktrace: through a cloud connection or through a collector.
Use the cloud connection method
- In the Add Event Source panel, select Run On Cloud.
- Name the event source. This will be the name of the log that contains the event data in Log Search.
- Click Add a New Connection.
- In the Create a Cloud Connection screen, enter a name for the new connection.
- In the Appliance URL field, enter the Appliance URL that you retrieved in the previous section, Task 1: Retrieve the appliance URL.
- In the Public Token field, enter the Public Token that you retrieved in the previous section, Generate a global token.
- In the Private Token field, add a new credential:
- Name your credential.
- Describe your credential.
- Select the credential type.
- Enter the Private Token that you obtained in the previous section, Generate a global token.
- Click Save & Test Connection.
- Optionally, choose to send unparsed data.
- Click Save.
Use the collector method
- In the Add Event Source panel, select Run On Collector.
- Name the event source. This will be the name of the log that contains the event data in Log Search.
- Select your collector.
- Enter the port you chose in the Darktrace interface in the previous section, Configure syslog forwarding in Darktrace.
- Select TCP as your protocol.
- Optionally, choose to send unparsed data.
- Click Save.
Test the Configuration
After you configure the SIEM (InsightIDR) event source, you can send a test alert from Darktrace to SIEM (InsightIDR) to verify everything is working properly.
To send a test alert:
- In Darktrace, go to Admin > System Config.
- In the Alerting section, click Verify Alert Settings.
You will see a message that reads “1 Alert Sent. IMAP settings valid.”
To test that event data is flowing into SIEM (InsightIDR):
- In the Command Platform, go to Data Connectors > Data Collectors.
- Go to the Event Sources tab.
- Find the event source you created and click View raw log. If the Raw Logs modal displays raw log entries, logs are successfully flowing to the Collector.
How SIEM (InsightIDR) determines alert priority
In SIEM (InsightIDR), ingested Darktrace events can generate alerts, which are assigned a priority. Investigations created from these alerts inherit the same priority, depending on the detection rule configuration.
SIEM (InsightIDR) determines priority based on these fields:
- Category
- Score
- Priority
The Category field indicates whether an event is likely to represent a threat:
- Informational – Does not generate alerts. These events are unlikely to indicate a threat.
- Suspicious – Always generates alerts.
SIEM (InsightIDR) also suppresses alerts for events that include Antigena Response data to reduce alert noise in your environment.
If a Score value is present, SIEM (InsightIDR) uses it to assign priority. The Score ranges from 0 to 1:
- 0.80–1.00 – High priority
- 0.50–0.79 – Medium priority
- 0.00–0.49 – Low priority
If the Score field is not available, SIEM (InsightIDR) uses the Priority field instead. The Priority ranges from 0 to 5:
- 3–5 – High priority
- 1–2 – Medium priority
- 0–1 – Low priority
This prioritization model helps ensure that alerts reflect the relative risk of activity in your environment and supports efficient triage and investigation workflows.
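The priority rules above, written out as a small triage function so you can check how a given Darktrace event would be ranked before it reaches an investigation. This is an added example, not Rapid7's or Darktrace's code; the field names (`category`, `score`, `priority`, `antigena_response`) and the sample events are assumptions constructed for illustration, and because the Priority bands on this page overlap at the value 1, the code assumes the first-listed band (Medium) wins.

```python
from typing import Optional

# Constructed sample events in the shape this page describes.
# Field names are assumptions; map them to your parsed log fields.
SAMPLE_EVENTS = [
    {"category": "Suspicious", "score": 0.92},
    {"category": "Suspicious", "score": 0.50},
    {"category": "Suspicious", "priority": 4},
    {"category": "Informational", "score": 0.95},
    {"category": "Suspicious", "score": 0.99,
     "antigena_response": {"action": "block"}},   # suppressed
]


def alert_priority(event: dict) -> Optional[str]:
    """Return 'High', 'Medium' or 'Low', or None when no alert is raised."""
    # Informational events never generate alerts; only Suspicious ones do.
    # Assumption: any other category value is treated as non-alerting.
    if event.get("category") != "Suspicious":
        return None
    # Events carrying Antigena Response data are suppressed to reduce noise.
    if event.get("antigena_response"):
        return None

    # Score (0 to 1) takes precedence over Priority when present.
    score = event.get("score")
    if score is not None:
        if not 0.0 <= score <= 1.0:
            raise ValueError(f"score out of range: {score}")
        if score >= 0.80:
            return "High"
        if score >= 0.50:
            return "Medium"
        return "Low"

    # Fall back to Priority (0 to 5). The page's bands overlap at 1;
    # assumption: the first-listed band wins, so 1 maps to Medium.
    priority = event.get("priority")
    if priority is None:
        # Assumption: an event with neither field is a parsing problem.
        raise ValueError("event has neither score nor priority")
    if priority >= 3:
        return "High"
    if priority >= 1:
        return "Medium"
    return "Low"


def triage(events: list) -> list:
    """Pair each event with its computed alert priority (None = no alert)."""
    return [(e, alert_priority(e)) for e in events]
```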