
DarkTrace Email

Configure the DarkTrace email connector.

Overview

In this guide, you will create an API token in DarkTrace and instantiate a Radiant Security email connector to pull suspicious emails for triaging.

To do this, you’ll need to complete the following steps:

At the end of this configuration, you will provide Radiant Security with these values:

  • Your DarkTrace URL

Important note: The domain should be in the following form https://xxxxxx.cloud.darktrace.com.

  • Public Token
  • Private Token
  • Anomaly Score Threshold

Prerequisites

You need Admin access on DarkTrace Threat Visualizer.

Create a local user

DarkTrace API tokens are issued per user and are available only to local users (those created within the DarkTrace Threat Visualizer); users created via LDAP or SAML SSO cannot have them. The following steps create a user with a set of API tokens for Radiant Security. If you already have a local Admin user, perform these steps with it; otherwise, use your regular Admin user.

1.   On the Threat Visualizer of the instance from which you wish to request data, click Menu > Admin > Permissions Admin.
2.   Click the Created Accounts tab.
3.   On the left side, click Create new user.
4.   Give the user a recognizable Username (e.g. radiant_connector) and a Password.
5.   Click User Templates.
6.   For Select a user template, select Administrator.
7.   Click Threat Tray Behavior Categories to go to the next step.
8.   Keep all default settings for Threat Tray Behavior Categories unchanged and then click Flags.
9.   Toggle the API Access selector to Yes.

Note: If this selector cannot be changed, continue with the user creation. The next section, Troubleshooting user with no API access, explains how to resolve this.

10.   Add this user to the DarkTrace Admins Group.
11.   Click Add Threat Visualizer permissions.
12.   Leave the next setup steps unchanged and click through each of them.
13.   In the Summary page, click Update user to save changes.

Troubleshooting user with no API access

If you weren’t able to toggle the API access in step 9, then you must contact DarkTrace support. In most cases, this happens because the API was never used before and it can be quickly resolved. After contacting support, all icons in the Flags column should be green for the newly created user.



Generate the API token

  1. Log in to Threat Visualizer with the user you created previously.
  2. Click Account Settings from the main menu.
  3. Click the API Access button.
  4. In the pop-up, click New. A Public and Private Token will appear.

Important note: Copy both token values now, as you won’t be able to retrieve the Private Token again. You will need to provide these values to Radiant Security at the end of the configuration.

Add the credentials in Radiant Security

  1. Log in to Radiant Security.
  2. From the navigation menu, select Settings > Credentials and click + Add Credential.
  3. Select the DarkTrace API from the list and click Configure Credential.
  4. Give the credential an identifiable name (e.g. DarkTrace <user> API Tokens) and add the following required fields:
    • Tenant URL: Your DarkTrace Console URL. It will look like https://name.cloud.darktrace.com

    • Public Token: The 40-digit Public Token copied in the previous step

    • Private Token: The 40-digit Private Token copied in the previous step

    • Anomaly Score Threshold: This value ranges from 0 to 100 and represents the Antigena Email Score assigned by DarkTrace to each analyzed email.

      • A threshold of 0 means every email will be triaged by Radiant.
      • A threshold of 100 means only emails that DarkTrace deems highly likely to be malicious will be triaged.

      A good starting value is 80 because it avoids triaging all emails while ensuring that emails given lower confidence scores by DarkTrace still undergo further analysis.
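
A pre-flight check for the four values above, as an added example that is not part of Radiant Security's or DarkTrace's own tooling. The function name is hypothetical, the sample tokens are constructed, and it assumes a single host label before .cloud.darktrace.com and a whole-number threshold; it checks token length only, not character set.

```python
from urllib.parse import urlsplit

TOKEN_LENGTH = 40                     # token length stated in this guide
HOST_SUFFIX = ".cloud.darktrace.com"  # URL form stated in this guide


def check_darktrace_credential(tenant_url, public_token, private_token, threshold):
    """Hypothetical helper: return a list of problems (empty list = well-formed)."""
    problems = []

    url = urlsplit(tenant_url.strip())
    host = url.hostname or ""
    if url.scheme != "https":
        problems.append("Tenant URL must start with https://")
    # Assumption: exactly one label precedes the suffix, as in name.cloud.darktrace.com.
    # Matching the end of the host rejects look-alikes such as
    # name.cloud.darktrace.com.example.net, which would otherwise receive the tokens.
    label = host[: -len(HOST_SUFFIX)] if host.endswith(HOST_SUFFIX) else ""
    if not label or "." in label:
        problems.append("Tenant URL host must look like name.cloud.darktrace.com")
    if url.username or url.password or url.path not in ("", "/") or url.query or url.fragment:
        problems.append("Tenant URL must not carry credentials, a path or a query")

    for name, token in (("Public Token", public_token), ("Private Token", private_token)):
        if any(ch.isspace() for ch in token):
            problems.append(f"{name} contains whitespace from copy and paste")
        elif len(token) != TOKEN_LENGTH:
            problems.append(f"{name} has {len(token)} characters, expected {TOKEN_LENGTH}")
    if public_token and public_token == private_token:
        problems.append("Public and Private Token are identical")

    # Assumption: the threshold is entered as a whole number.
    if isinstance(threshold, bool) or not isinstance(threshold, int) or not 0 <= threshold <= 100:
        problems.append("Anomaly Score Threshold must be between 0 and 100")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real tokens.
    for issue in check_darktrace_credential(
        "http://name.cloud.darktrace.com.example.net/login", "A" * 40 + " ", "B" * 39, 101
    ):
        print("-", issue)
```

The messages report field names and lengths only, so the output can be pasted into a ticket without exposing the Private Token.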

 

Add the data connector in Radiant Security

1.   From the navigation menu, select Settings > Data Connectors and click + Add Connector to create a data action connector.
2.   Select DarkTrace API and click Data Feeds.
3.   Select DarkTrace Email Alerts and click Credentials.
4.   Select the credentials created previously and click Add Connector.

 


Last updated: 2024-09-30