Darktrace: Getting Started

Introduction

The Recorded Future for Darktrace integration has Darktrace poll Recorded Future risk lists (IPs and domains) over TAXII for malicious indicators, which Darktrace can then use for correlation and alerting. Two collections are polled, one for IP addresses and one for domains, each configured as its own TAXII service in the Darktrace UI.

Partner Website: https://darktrace.com/

Prerequisites

  • A valid Recorded Future API key. It is entered as the Password of the TAXII service in the Darktrace UI and is passed to the Recorded Future service in the X-RFToken header. Treat it as a secret: do not paste it into support tickets or screenshots.
  • The Darktrace Threat Indicator Module must be turned on. This is controlled by Darktrace engineers, so raise it with Darktrace if it is not enabled.

How the feed is handled on the Darktrace side:

  • The TAXII client runs under Docker Compose: Python 3.5, taxii2client, cybox, STIX
  • Each XML tag in the feed is parsed individually
  • Parsed data is stored in SQLite
  • Relevant data is sent to the user interface and to other backend APIs for visualization and modelling, including potential alerting
  • No binary content from the STIX packages is ingested
  • Recorded Future STIX data is presented (“disguised”) as Darktrace’s Inoculation feed

Installation Steps

  1. In the Darktrace UI, navigate to Intel → Taxii Config
  2. Confirm that “Taxii polling” has been enabled
  3. Click ‘Add new Taxii service’
  4. For the Collection name, two collections cover the different entity types (IP, domain). Each must be added as a separate TAXII service:
    • ip_full
    • domain_full

The following settings are required to enable Recorded Future's integration with Darktrace. The Discovery path is appended to the Hostname, so the TAXII discovery endpoint is https://api.recordedfuture.com/taxii; Version is the TAXII protocol version, and Poll is the polling interval in seconds (hourly for IPs, every two hours for domains).

For IPs

  Hostname: https://api.recordedfuture.com
  Username: RF_DarkTrace
  Password: your Recorded Future API token
  Collection: ip_full
  Discovery: /taxii
  Version: 1.1
  Poll: 3600

For Domains

  Hostname: https://api.recordedfuture.com
  Username: RF_DarkTrace
  Password: your Recorded Future API token
  Collection: domain_full
  Discovery: /taxii
  Version: 1.1
  Poll: 7200

  5. A successful entry and poll is shown in green. Feed status can be checked at any time by navigating to Intel → Taxii Config → Taxii Exchange Service.
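To make the configuration above concrete, the following is an added example (not Darktrace's or Recorded Future's code) of the client side of the TAXII 1.1 exchange that the settings describe: the HTTP headers and Poll_Request a TAXII 1.1 client sends for a collection such as ip_full, and a parser for the Poll_Response that extracts IP and domain indicators from STIX 1.1.1 content while skipping any Content_Block that is not STIX XML (the "no binary ingested" behaviour). It assumes that the Username/Password fields become HTTP Basic auth alongside the X-RFToken header, and the sample response is constructed, not captured from the live service. It is useful for checking what Darktrace should be receiving when a feed does not turn green.

```python
"""Client-side view of the TAXII 1.1 exchange this page configures: the request
headers and Poll_Request a client sends for a collection, and a parser for the
Poll_Response carrying STIX 1.1.1 indicators. Added example, not Darktrace's or
Recorded Future's code. Runs offline: SAMPLE_POLL_RESPONSE is constructed."""
import base64
import uuid
import xml.etree.ElementTree as ET

TAXII_NS = "http://taxii.mitre.org/messages/taxii_xml_binding-1.1"
STIX_XML_BINDING = "urn:stix.mitre.org:xml:1.1.1"
ADDR_NS = "http://cybox.mitre.org/objects#AddressObject-2"
DOMAIN_NS = "http://cybox.mitre.org/objects#DomainNameObject-1"
T = "{%s}" % TAXII_NS  # Clark-notation prefix ElementTree uses for TAXII tags


def taxii_headers(username, api_token):
    """HTTP headers for a TAXII 1.1 XML message. Assumption: the form's
    Username/Password become HTTP Basic auth; X-RFToken carries the API key
    as the Prerequisites state. Treat api_token as a secret (do not log it)."""
    creds = base64.b64encode(f"{username}:{api_token}".encode()).decode()
    return {"Content-Type": "application/xml", "Accept": "application/xml",
            "X-TAXII-Content-Type": "urn:taxii.mitre.org:message:xml:1.1",
            "X-TAXII-Protocol": "urn:taxii.mitre.org:protocol:https:1.0",
            "X-TAXII-Services": "urn:taxii.mitre.org:services:1.1",
            "Authorization": f"Basic {creds}", "X-RFToken": api_token}


def build_poll_request(collection, exclusive_begin=None):
    """TAXII 1.1 Poll_Request for one collection (ip_full or domain_full);
    exclusive_begin (ISO-8601) limits the poll to content newer than that."""
    ET.register_namespace("taxii_11", TAXII_NS)
    req = ET.Element(T + "Poll_Request", message_id=uuid.uuid4().hex,
                     collection_name=collection)
    if exclusive_begin:
        ET.SubElement(req, T + "Exclusive_Begin_Timestamp").text = exclusive_begin
    params = ET.SubElement(req, T + "Poll_Parameters", allow_asynch="false")
    ET.SubElement(params, T + "Response_Type").text = "FULL"
    return ET.tostring(req, encoding="unicode")


def parse_poll_response(xml_text):
    """Return (collection_name, more, [(type, value), ...]). Only Content_Blocks
    bound to STIX XML are read; blocks with any other binding (binary payloads
    included) are skipped without being decoded."""
    root = ET.fromstring(xml_text)
    if root.tag != T + "Poll_Response":
        raise ValueError("not a TAXII 1.1 Poll_Response: " + root.tag)
    found = []
    for block in root.findall(T + "Content_Block"):
        binding = block.find(T + "Content_Binding")
        if binding is None or binding.get("binding_id") != STIX_XML_BINDING:
            continue
        for el in block.find(T + "Content").iter():
            if el.tag == "{%s}Address_Value" % ADDR_NS and el.text:
                found.append(("ip", el.text.strip()))
            elif el.tag == "{%s}Value" % DOMAIN_NS and el.text:
                found.append(("domain", el.text.strip().lower()))
    more = root.get("more", "false").lower() == "true"  # more="true": poll again
    return root.get("collection_name"), more, found


# Constructed sample: one STIX block with two documentation-range IPs and one
# non-STIX block that must be ignored.
SAMPLE_POLL_RESPONSE = f"""<taxii_11:Poll_Response xmlns:taxii_11="{TAXII_NS}"
    message_id="2" in_response_to="1" collection_name="ip_full" more="false">
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="{STIX_XML_BINDING}"/>
    <taxii_11:Content>
      <stix:STIX_Package xmlns:stix="http://stix.mitre.org/stix-1"
          xmlns:indicator="http://stix.mitre.org/Indicator-2"
          xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:AddressObj="{ADDR_NS}"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.1.1">
        <stix:Indicators>
          <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable>
            <cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType"
              category="ipv4-addr"><AddressObj:Address_Value>203.0.113.10</AddressObj:Address_Value>
            </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
          <stix:Indicator xsi:type="indicator:IndicatorType"><indicator:Observable>
            <cybox:Object><cybox:Properties xsi:type="AddressObj:AddressObjectType"
              category="ipv4-addr"><AddressObj:Address_Value>198.51.100.7</AddressObj:Address_Value>
            </cybox:Properties></cybox:Object></indicator:Observable></stix:Indicator>
        </stix:Indicators>
      </stix:STIX_Package>
    </taxii_11:Content>
  </taxii_11:Content_Block>
  <taxii_11:Content_Block>
    <taxii_11:Content_Binding binding_id="urn:example:binary"/>
    <taxii_11:Content>AAAA</taxii_11:Content>
  </taxii_11:Content_Block>
</taxii_11:Poll_Response>"""

if __name__ == "__main__":
    print(build_poll_request("ip_full"))
    print(parse_poll_response(SAMPLE_POLL_RESPONSE))
```

The headers and request body returned here are what you would send (for example with curl or a TAXII client) to https://api.recordedfuture.com/taxii to confirm the collection is reachable with your token before troubleshooting the Darktrace side; the parser's `more` flag signals that the server has further pages for the same poll. The code only demonstrates the message shapes; it deliberately makes no network call.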

Support

For more information, please contact support@darktrace.com.

This content is confidential. Do not distribute or download content in a manner that violates your Recorded Future license agreement. Sharing this content outside of licensed Recorded Future users constitutes a breach of the terms and/or agreement and shall be considered a breach by your organization.