Darktrace Email

Configure the Darktrace email connector.

In this guide, you will create an API token in Darktrace and instantiate a Radiant Security email connector to pull suspicious emails for triaging.

At the end of this configuration, you will provide Radiant Security with these values:

  • Your Darktrace URL

  • Public Token

  • Private Token

  • Anomaly Score Threshold

Prerequisites

Create a local user

Darktrace API tokens are user-specific and available only for local users created directly within the Darktrace Threat Visualizer. This means API tokens are not supported for users authenticated via LDAP or SAML SSO. The following steps guide you through creating a local user and generating API tokens for integration with Radiant Security.

If you already have a local Admin user, use that account to complete the steps. Otherwise, use your regular Admin-level account.

  1. On the Threat Visualizer of the instance from which you wish to request data, click Menu and then click Admin > Permissions Admin.

  2. Click the Created Accounts tab.

  3. On the left side, click Create new user.

  4. Give the user a recognizable Username (e.g. radiant_connector) and a Password.

  5. Click User Templates.

  6. For Select a user template, select Administrator.

  7. Click Threat Tray Behavior Categories to go to the next step.

  8. Keep all default settings for Threat Tray Behavior Categories unchanged and then click Flags.

  9. Toggle the API Access selector to Yes.

  10. Add this user to the Darktrace Admins Group.

  11. Click Add Threat Visualizer permissions.

  12. Leave the remaining setup steps unchanged, clicking through to the next step each time.

  13. On the Summary page, click Update user to save the changes.

Troubleshoot users with no API access

If you weren’t able to toggle API Access in step 9, contact Darktrace support. In most cases this happens because the API has never been used on the instance, and support can resolve it quickly. After support has enabled it, all icons in the Flags column should be green for the newly created user.

Generate the API token

  1. Log in to Threat Visualizer with the user created previously.

  2. Click Account Settings from the main menu.

  3. Click the API Access button.

  4. In the pop-up, click New. A Public and Private Token will appear.

Add the credentials in Radiant Security

  1. Log in to Radiant Security.

  2. From the navigation menu, select Settings > Credentials and click + Add Credential.

  3. Search for and select the Darktrace API option from the list and then click Configure Credential.

  4. Give the credential an identifiable name (e.g. Darktrace <user> API Tokens) and add the required fields:

    • Tenant URL: Your Darktrace Console URL; it looks like https://name.cloud.darktrace.com

    • Public Token: The 40-character Public Token copied in the previous step.

    • Private Token: The 40-character Private Token copied in the previous step.

    • Anomaly Score Threshold: A value from 0 to 100 that is compared against the Antigena Email score Darktrace assigns to each analyzed email.

      • A threshold of 0 means every email will be triaged by Radiant.

      • A threshold of 100 means only emails that Darktrace deems highly likely to be malicious will be triaged.

      A good starting value is 80: it avoids triaging every email while still sending emails that Darktrace scored with lower confidence on for further analysis.

Add the data connector in Radiant Security

  1. From the navigation menu, select Settings > Data Connectors and click + Add Connector.

  2. Search for and select the Darktrace API option and then click Data Feeds.

  3. Select Darktrace Email Alerts and click Credentials.

  4. Select the credentials created previously and click Add Connector.
