# Darktrace Email

Darktrace Email is an AI-driven email security product that detects phishing, account takeover attempts, and other email-borne threats. Connecting Darktrace Email forwards email alerts to Radiant Security via the Darktrace API.

At the end of this configuration, you provide Radiant Security with the following values:

* **Darktrace URL**
* **Public Token**
* **Private Token**
* **Anomaly Score Threshold**

### Prerequisites

* [ ] Admin access to Darktrace

### Create a local user

Darktrace API tokens are user-specific and available only for local users created directly within the Darktrace Threat Visualizer. API tokens are not supported for users authenticated via LDAP or SAML SSO.

If you already have a local Admin user, use that account to generate API tokens. Otherwise, follow the steps below to create one.

{% stepper %}
{% step %}

#### **Open the Permissions Admin**

On the Threat Visualizer of the instance from which you want to request data, click **Menu**, then click **Admin** > **Permissions Admin**.

<div align="left"><figure><img src="/files/Blm3wpf3dNp6ys4tpiPw" alt="" width="516"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### **Start a new user**

Click the **Created Accounts** tab, then on the left side click **Create new user**.

<div align="left"><figure><img src="/files/vCiPzLDbgqZpQdfl4OmV" alt="" width="297"><figcaption></figcaption></figure> <figure><img src="/files/uk3oZ51ikI32JdeHyvDc" alt="" width="516"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### **Enter user details**

Give the user a recognizable **Username** (e.g., `radiant_connector`) and a **Password**, then click **User Templates**.

<div align="left"><figure><img src="/files/aYC5829r8g5aLlzdPPkL" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### **Apply the Administrator template**

For **Select a user template**, select **Administrator**, then click **Threat Tray Behavior Categories** to continue.
{% endstep %}

{% step %}

#### **Continue past the default behavior categories**

Keep all default settings for **Threat Tray Behavior Categories** unchanged, then click **Flags**.

<div align="left"><figure><img src="/files/bHwxq41PtcR4Vdc6JZA0" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="/files/dvkiojA98lnFGSd7DwZJ" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### **Enable API access**

Toggle the **API Access** selector to **Yes**.

<div align="left"><figure><img src="/files/eUTPJXBgAL6z1giNKA2U" alt=""><figcaption></figcaption></figure></div>

{% hint style="warning" %}
If this selector cannot be changed, continue creating the user, then see **Troubleshoot users with no API access** after you finish.
{% endhint %}
{% endstep %}

{% step %}

#### **Add the user to the Admins group**

Add this user to the **Darktrace Admins Group**, then click **Add Threat Visualizer permissions**.

<div align="left"><figure><img src="/files/Bu8aNrLCGJ8bGrvql9Vl" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### **Save the user**

Click through the remaining setup steps without changing any settings. On the **Summary** page, click **Update user** to save changes.
{% endstep %}
{% endstepper %}

### Troubleshoot users with no API access

If you were not able to toggle the **API Access** selector to **Yes**, contact Darktrace support. In most cases this happens because the API has never been used on the instance, and it can be resolved quickly. After Darktrace support enables the API, all icons in the **Flags** column should be green for the new user.

<div align="left"><figure><img src="/files/gx9HmTPNcmHozYKE2uG8" alt="" width="263"><figcaption></figcaption></figure></div>

### Generate the API token

{% stepper %}
{% step %}

#### **Sign in as the new user**

Sign in to the Darktrace Threat Visualizer with the user created in the previous section.
{% endstep %}

{% step %}

#### **Open Account Settings**

Click **Account Settings** from the main menu.

<div align="left"><figure><img src="/files/dMlmerBG1pztAJhfqzoP" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### **Open API Access**

Click the **API Access** button.

<div align="left"><figure><img src="/files/iNba4725pYj9Uhh9lIye" alt=""><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### **Generate the tokens**

In the pop-up, click **New**. A **Public Token** and **Private Token** appear.

<div align="left"><figure><img src="/files/ZydqVRiHLqU9lbcn7W53" alt="" width="516"><figcaption></figcaption></figure></div>

{% hint style="warning" %}
Copy both token values now. The **Private Token** cannot be retrieved later. You will provide these values to Radiant Security in the next section.
{% endhint %}
{% endstep %}
{% endstepper %}

### Add the credentials in Radiant Security

1. Sign in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, select **Settings** > **Credentials** and click **+ Add Credential**.
3. Search for and select **Darktrace API** from the list, then click **Configure Credential**.
4. Enter an identifiable name for the credential (e.g., `Darktrace API Tokens`) and complete the required fields:
   * **Tenant URL**: your Darktrace Console URL, in the format `https://xxxxxx.cloud.darktrace.com`.
   * **Public Token**: the 40-digit Public Token copied in the previous section.
   * **Private Token**: the 40-digit Private Token copied in the previous section.
   * **Anomaly Score Threshold**: a value from 0 to 100 representing the Antigena Email Score Darktrace assigns to each analyzed email. A threshold of 0 sends every email for triage; a threshold of 100 sends only emails Darktrace deems highly likely to be malicious. A starting value of 80 avoids triaging every email while ensuring those with lower Darktrace confidence scores still undergo further analysis.

### Add the data connector in Radiant Security

1. From the navigation menu, select **Settings** > **Data Connectors** and click **+ Add Connector**.
2. Search for and select **Darktrace API**, then click **Data Feeds**.
3. Select **Darktrace Email Alerts**, then click **Credentials**.
4. Select the credential created in the previous section, then click **Add Connector**.

### Verify ingestion

After Darktrace Email begins forwarding, confirm alerts are reaching Radiant.

1. In Radiant, navigate to [Log Management](https://app.radiantsecurity.ai/logs).
2. Filter by `rs_connectorType:"darktrace_email"`.
3. Confirm recent alerts appear.

{% hint style="info" %}
Allow several minutes for alerts to be parsed, indexed, and available for search.
{% endhint %}

