Universal Cloud REST API connector workflow for Darktrace
You can customize your workflow and workflow parameters based on the default workflow.
A workflow is an XML document that describes the alert retrieval process. The workflow defines one or more parameters, which can be explicitly assigned values in the workflow XML or can derive values from the workflow parameter values XML document. The workflow consists of multiple actions that run sequentially.
Darktrace default workflow
Use the following XML to populate the Workflow field in the Universal Cloud REST API connector parameters section.
Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into the Workflow field.
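<?xml version="1.0" encoding="UTF-8" ?>
<!--
  QRadar Universal Cloud REST API workflow for Darktrace model breaches.

  Each run:
    1. derives a [starttime, endtime] window in UTC at millisecond precision,
    2. builds the string to sign (path+query, public token, date) and signs it
       with HMAC-SHA1 keyed by the private token,
    3. GETs /modelbreaches for that window and posts the response body as events,
    4. advances the persisted start time to endtime + 1 ms.

  Only privateToken is marked secret: it is the HMAC key. The public token and
  the resulting signature are sent as request headers and are not secrets in
  the same sense, but the signature is still removed from saved state after use.
-->
<Workflow name="Darktrace" version="1.0" xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/Workflow/V2">
    <Parameters>
        <!-- Hostname only, no scheme: CallEndpoint below prepends https:// itself, so a value
             such as https://host would produce https://https://host. -->
        <Parameter name="hostname" label="Hostname of your Darktrace Threat Visualizer (no https:// prefix)" required="true" />
        <Parameter name="publicToken" label="Public Authorization Token" required="true" />
        <!-- secret="true": this value is the HMAC signing key and must never be logged or echoed. -->
        <Parameter name="privateToken" label="Private Authorization Token" required="true" secret="true" />
    </Parameters>
    <Actions>
        <!-- First run looks back 7 days (ms). Initialize, as opposed to the Set used for endtime,
             is presumably only applied when no value was carried over from a previous run, which
             is what makes starttimeMilli the persisted cursor - confirm against the UCRA reference. -->
        <Initialize path="/darktraceAlerts/starttimeMilli" value="${time() - (60000 * 60 * 24 * 7)}"/>
        <Set path="/darktraceAlerts/endtimeMilli" value="${time()}"/>
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS" timeZone="UTC" savePath="/darktraceAlerts/starttime" time="${/darktraceAlerts/starttimeMilli}"/>
        <FormatDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS" timeZone="UTC" savePath="/darktraceAlerts/endtime" time="${/darktraceAlerts/endtimeMilli}"/>
        <!-- The string that gets signed: request path+query, public token and date on three
             LF-separated lines. Two XML details matter here:
               * '&' inside an attribute value must be written as '&amp;' or the document is not
                 well-formed;
               * the separators are written as '&#10;' because a literal line break inside an
                 attribute value is normalized to a space by the XML parser, which would silently
                 change the signed message and make every request fail authentication.
             The query string must match the QueryParameters sent below byte for byte. -->
        <Set path="/darktraceAlerts/query" value="/modelbreaches?from=${/darktraceAlerts/starttime}&amp;to=${/darktraceAlerts/endtime}&amp;minimal=false&amp;fulldevicedetails=true&amp;expandenums=true&amp;deviceattop=true&#10;${/publicToken}&#10;${/darktraceAlerts/endtime}"/>
        <!-- Algorithm, encoding and message layout are dictated by the server-side signing scheme this
             workflow targets; do not change one without the other. HMAC does not depend on the
             collision resistance of the underlying hash, so HMAC-SHA1 remains acceptable here as long
             as the private token stays secret. -->
        <GenerateHMAC algorithm="SHA1" secretKey="${/privateToken}"
                      message="${/darktraceAlerts/query}"
                      saveFormat="HEX"
                      savePath="/darktraceAlerts/signature" />
        <!-- GET Model Breaches. DTAPI-Date carries the same endtime value that was folded into the
             signature above; the two must agree or the server cannot verify the signature. -->
        <CallEndpoint url="https://${/hostname}/modelbreaches" method="GET" savePath="/darktraceAlerts/response">
            <QueryParameter name="from" value="${/darktraceAlerts/starttime}" />
            <QueryParameter name="to" value="${/darktraceAlerts/endtime}" />
            <QueryParameter name="minimal" value="false" />
            <QueryParameter name="fulldevicedetails" value="true" />
            <QueryParameter name="expandenums" value="true" />
            <QueryParameter name="deviceattop" value="true" />
            <RequestHeader name="DTAPI-Token" value="${/publicToken}" />
            <RequestHeader name="DTAPI-Date" value="${/darktraceAlerts/endtime}" />
            <RequestHeader name="DTAPI-Signature" value="${/darktraceAlerts/signature}" />
        </CallEndpoint>
        <!-- Anything other than 200 aborts the run; because the cursor is only advanced further
             down, the same window is retried on the next run instead of being skipped. The abort
             message carries only the status code and message, never request headers. -->
        <If condition="/darktraceAlerts/response/status_code != 200">
            <Abort reason="Failed to pull Model Breaches. ${/darktraceAlerts/response/status_code}: ${/darktraceAlerts/response/status_message}" />
        </If>
        <Else>
            <SetStatus type="INFO" message="Successfully Queried for events." />
        </Else>
        <!-- Log the count only; the alert bodies themselves are not written to the log. -->
        <Log type="DEBUG" message="We have received ${count(/darktraceAlerts/response/body)} alerts." />
        <!-- Post the alerts -->
        <PostEvents path="/darktraceAlerts/response/body" source="${/hostname}" />
        <!-- Advance the cursor: parse the window end back to milliseconds and start the next window
             1 ms after it so the boundary instant is not fetched twice. -->
        <ParseDate pattern="yyyy-MM-dd'T'HH:mm:ss.SSS" date="${/darktraceAlerts/endtime}" timeZone="UTC" savePath="/darktraceAlerts/endtimeMilli"/>
        <Set path="/darktraceAlerts/starttimeMilli" value="${/darktraceAlerts/endtimeMilli + 1}"/>
        <!-- Drop per-run scratch state. The signature is derived from the private token and the
             query embeds the public token, so neither should linger in persisted workflow state. -->
        <Delete path="/darktraceAlerts/response" />
        <Delete path="/darktraceAlerts/signature" />
        <Delete path="/darktraceAlerts/query" />
    </Actions>
    <!-- Connectivity self-tests run from the connector UI; all use the same hostname parameter. -->
    <Tests>
        <DNSResolutionTest host="${/hostname}"/>
        <TCPConnectionTest host="${/hostname}"/>
        <SSLHandshakeTest host="${/hostname}"/>
        <HTTPConnectionThroughProxyTest url="https://${/hostname}"/>
    </Tests>
</Workflow>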
Darktrace default workflow parameter values
Use the following XML to populate the Workflow Parameter Values field in the Universal Cloud REST API connector parameters section.
Click the Copy to clipboard icon at the upper right of the code block, and then paste the content into a text file. Replace the values for <The-hostname-of-your-Darktrace-Threat-Visualizer-(no leading protocol, for example, <tenancyID>.cloud.darktrace.com)>, <your-public-token> and <your-private-token> with your own values, keeping the surrounding quotation marks. Then copy the updated content into the Workflow Parameter Values field. The private token is the signing key for every request that the connector makes, so treat the edited text file as a credential: delete it after you have pasted the values rather than leaving it on disk or attaching it to a ticket.
<?xml version="1.0" encoding="UTF-8" ?>
<!--
  Parameter values for the Darktrace workflow above. Replace every <...> placeholder
  with your own value before use: the placeholders contain a literal '<', which is not
  permitted inside an XML attribute value, so this document will not parse until they
  are replaced.

  hostname      - host name only, no scheme (the workflow prepends https:// itself).
  publicToken   - sent in the DTAPI-Token request header.
  privateToken  - the HMAC signing key (declared secret="true" in the workflow).
                  Once filled in, this document is a credential: paste it into the
                  connector and do not keep the completed copy on disk or in tickets.
-->
<WorkflowParameterValues xmlns="http://qradar.ibm.com/UniversalCloudRESTAPI/WorkflowParameterValues/V2">
<Value name="hostname" value="<The-hostname-of-your-Darktrace-Threat-Visualizer-(no leading protocol, for example, <tenancyID>.cloud.darktrace.com)>"/>
<Value name="publicToken" value="<your-public-token>"/>
<Value name="privateToken" value="<your-private-token>"/>
</WorkflowParameterValues>