# Darktrace NDR

Darktrace NDR is a network detection and response platform that uses self-learning AI to identify anomalous behavior, lateral movement, and emerging threats across on-premises, cloud, and hybrid networks. Connecting Darktrace NDR forwards AI Analyst alerts, Model Breach alerts, and system status alerts to Radiant Security via syslog through a Radiant Agent. Radiant uses these alerts during the Enrichment stage to correlate network anomalies with other telemetry, giving analysts the network-side context needed to assign a verdict.

### Prerequisites

* [ ] Administrator access to the Darktrace Console
* [ ] A deployed [Radiant Agent](/radiant-connectors/data-connectors/install-the-radiant-security-agent.md) reachable from the Darktrace appliance
* [ ] Administrator role in Radiant Security

### Add the data connector in Radiant Security

1. Log in to [Radiant Security](https://app.radiantsecurity.ai/).
2. From the navigation menu, click **Settings** > **Data Connectors**, then click **+ Add Connector**.
3. Search for and select **Radiant Agent**, then click **Data Feeds**.
4. Under **Select your data feeds**, select **Darktrace NDR**, then click **Credentials**.
5. Under **Credential Name**, enter an identifiable name for the Radiant Agent integration (e.g., `Radiant Agent integration`). To reuse an existing Radiant Agent credential, select it from the drop-down menu.
6. Click **Add Connector**.

### Configure Darktrace NDR to forward syslog

Before starting, confirm the IP address of the Radiant Agent and the port configured to receive Darktrace NDR data. If you do not know the port, contact your Customer Success representative.

1. Log in to the Darktrace Console.
2. Navigate to the **Admin** panel.
3. Under **System Configuration**, navigate to **Modules** > **Darktrace/Cloud**. 

<figure><img src="/files/af8TPR6xGjW7FqXHsk14" alt=""><figcaption></figcaption></figure>

4. Under **Workflow Integrations**, click **Syslog**.
5. Click the **Syslog JSON** tab.
6. Enter the following values:
   * **Send Alerts**: Enabled
   * **Server**: the IP address of the Radiant Agent
   * **Server Port**: the port configured on the Radiant Agent to receive Darktrace NDR data
   * **Use Application Name**: Enabled
   * **Application Name**: `darktrace`
   * **Send AI Analyst Alerts**: Enabled
   * **AI Analyst Behavior Filter**: Compliance, Critical, Suspicious
   * **Send Model Breach Alerts**: Enabled
   * **Model Breach Behavior Filter**: Compliance, Critical, Suspicious
   * **Send System Status Alerts**: Enabled
   * **Send Resolved System Status Alerts**: Enabled
   * **Minimum System Status Priority**: High
   * **Master**: All
7. At the top of the **Syslog Workflow Integration** window, toggle on the **Enabled** button.
8. Click **Save**.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/radiant-connectors/data-connectors/darktrace-ndr.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.