# Darktrace
The Darktrace connector enables seamless integration with Swimlane Turbine, providing access to Darktrace's autonomous cyber defense capabilities and rich data insights. Darktrace is a leader in cyber AI and autonomous response technology, providing real-time threat detection and automated incident response. The Darktrace Turbine connector enables users to integrate Darktrace's advanced security analytics and AI capabilities directly into Swimlane's low-code security automation platform. This integration empowers security teams to streamline their workflows, rapidly acknowledge events, add comments to AI Analyst events, initiate manual Respond actions, and gain operational insights with comprehensive reporting. Enhance your security posture by leveraging Darktrace's telemetry within Swimlane Turbine to automate responses and accelerate incident resolution.

## Prerequisites

To effectively utilize the Darktrace connector with Swimlane Turbine, ensure you have the following prerequisites. Darktrace API authentication with the following parameters:

- URL: the endpoint URL for the Darktrace API
- API Token: your unique token to authenticate requests to the Darktrace API
- Private Token: a secondary token used for enhanced security measures during authentication

## Capabilities

The Darktrace integration provides the following capabilities:

- Acknowledge Event
- Add Comment to AI Analyst Event
- Add Comment to Model Breach
- Antigena Manual
- Antigena Summary
- Endpoint Details
- Execute Advanced Search
- Get Action Summary
- Get AI Analyst Comments
- Get AI Analyst Events
- Get AI Analyst Groups
- Get API Data
- Get Audit Events
- Get Antigena Respond Details
- Get Comments
- and so on

## Documentation

Find the full guide on the Darktrace API under Product Guides after logging in at https://partnerportal.darktrace.com/login.

## Configurations

### Darktrace API Authentication

Darktrace API authentication configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | Server URL address | string | Required |
| API Token | API token | string | Required |
| Private Token | Private token | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Acknowledge Event

Acknowledge breaches in Darktrace using the specified pbid, aiding in streamlining incident response workflows.

- Endpoint URL: `/modelbreaches/{{pbid}}/acknowledge`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.pbid | number | Required | Parameters for the Acknowledge Event action |

Input example:

```json
{"path_parameters": {"pbid": 40974}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response | string | Output field response |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 13 Feb 2024 15:20:16 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "35", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style ", "Cache-Control": "no-store", "servertime":
```

### Add Comment to AI Analyst Event

Adds a user-defined comment to a Darktrace AI Analyst event using the specified incident ID.

- Endpoint URL: `/aianalyst/incident/comments`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.incident_id | string | Required | Parameters for the Add Comment to AI Analyst Event action |
| message | string | Optional | Response message |

Input example:

```json
{"parameters": {"incident_id": "58b1c336-01b2-4418-86f8-3a53b0856aaa"}, "json_body": {"message": "test comment"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| comments | array | Output field comments |
| comments.username | string | Name of the resource |
| comments.time | number | Time value |
| comments.incident_id | string | Unique identifier |
| comments.message | string | Response message |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 15:06:00 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "28", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self';
```

### Add Comment to Model Breach

Adds a user-defined comment to a specific Darktrace model breach using the provided pbid and message.

- Endpoint URL: `/modelbreaches/{{pbid}}/comments`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.pbid | number | Required | Parameters for the Add Comment to Model Breach action |
| message | string | Optional | Response message |

Input example:

```json
{"json_body": {"message": "this is test comment "}, "path_parameters": {"pbid": 49411}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 13:16:44 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "10", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self';
```

### Antigena Manual

Initiate manual Darktrace Respond/Network actions, specifying device ID, action type, duration, and reason.

- Endpoint URL: `/antigena/manual`
- Method: POST

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| did | number | Optional | Unique identifier |
| action | string | Optional | Parameter for Antigena Manual |
| duration | number | Optional | Parameter for Antigena Manual |
| reason | string | Optional | Response reason phrase |
| connections | array | Optional | Parameter for Antigena Manual |
| connections.src | string | Optional | Parameter for Antigena Manual |
| connections.dst | string | Optional | Parameter for Antigena Manual |
| connections.port | number | Optional | Parameter for Antigena Manual |

Input example:

```json
{"json_body": {"did": 1234, "action": "connection", "duration": 120, "reason": "", "connections": [{"src": "10.10.10.10", "dst": "8.8.8.8", "port": 443}]}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| codeid | number | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Fri, 07 Jun 2024 06:26:58 GMT", "Content-Type": "text/html; charset=utf-8", "Transfer-Encoding": "chunked", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self'
```

### Antigena Summary

Provides an overview of active and pending Darktrace Respond actions for operational insights.

- Endpoint URL: `/antigena/summary`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.endtime | number | Optional | Parameters for the Antigena Summary action |
| parameters.starttime | number | Optional | Parameters for the Antigena Summary action |
| parameters.responsedata | string | Optional | Parameters for the Antigena Summary action |

Input example:

```json
{"parameters": {"endtime": 100, "starttime": 100, "responsedata": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| pendingcount | number | Count value |
| activecount | number | Count value |
| pendingactiondevices | array | Output field pendingactiondevices |
| activeactiondevices | array | Output field activeactiondevices |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Fri, 07 Jun 2024 06:26:58 GMT", "Content-Type": "text/html; charset=utf-8", "Transfer-Encoding": "chunked", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self'
```

### Endpoint Details

Retrieve detailed information for specified external IP addresses and hostnames using Darktrace.

- Endpoint URL: `/endpointdetails`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.additionalinfo | boolean | Optional | Return additional information about the endpoint |
| parameters.devices | boolean | Optional | Return a list of devices which have recently connected to the endpoint |
| parameters.hostname | string | Optional | Return data for this hostname |
| parameters.ip | string | Optional | Return data for this IP address |
| parameters.score | boolean | Optional | Return the popularity scores for external endpoints |

Input example:

```json
{"parameters": {"additionalinfo": true, "devices": true, "hostname": "www.darktrace.com", "ip": "8.8.8.8", "score": true}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| firsttime | number | Time value |
| country | string | Output field country |
| asn | string | Output field asn |
| city | string | Output field city |
| region | string | Output field region |
| name | string | Name of the resource |
| longitude | number | Output field longitude |
| latitude | number | Output field latitude |
| ipage | number | Output field ipage |
| iptime | string | Time value |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 06 Feb 2024 08:49:38 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "186", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style ", "Cache-Control": "no-store", "servertime":
```

### Execute Advanced Search

Executes an advanced search in Darktrace with a base64-encoded query, exporting the results in JSON format.

- Endpoint URL: `/advancedsearch/api/search/{{base64_query}}`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.base64_query | string | Required | Parameters for the Execute Advanced Search action |

Input example (the encoded query is reproduced as it appears in the source):

```json
{"path_parameters": {"base64_query": "eyjzzwfyy2gioijadhlwztpjb25uieforcbazmllbgrzlnbyb3rvonrjccbbtkqgtk9uiebmawvszhmuy29ubl9zdgf0ztpcilmwxcigqu5eie5pvcbazmllbgrzlmnvbm5fc3rhdgu6xcjsrupciibbtkqgkebmawvszhmub3jpz19wa3rzojagt1igqgzpzwxkcy5yzxnwx3brdhm6mckgqu5eichazmllbgrzlmrlc3rfcg9yddpcijq0m1wiie9siebmawvszhmuzgvzdf9wb3j0olwiodbciikilcjmawvszhmioltdlcjvzmzzzxqiojasinrpbwvmcmftzsi6ijqzmjawiiwidgltzsi6eyj1c2vyx2ludgvydmfsijowfx0="}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| took | number | Output field took |
| timed_out | boolean | Output field timed_out |
| _shards | object | Output field _shards |
| _shards.total | number | Output field _shards.total |
| _shards.successful | number | Whether the operation was successful |
| _shards.skipped | number | Output field _shards.skipped |
| _shards.failed | number | Output field _shards.failed |
| hits | object | Output field hits |
| hits.total | number | Output field hits.total |
| hits.max_score | number | Score value |
| hits.hits | array | Output field hits.hits |
| hits.hits._index | string | Output field hits.hits._index |
| hits.hits._type | string | Type of the resource |
| hits.hits._id | string | Unique identifier |
| hits.hits._score | object | Score value |
| hits.hits._source | object | Output field hits.hits._source |
| hits.hits._source.@fields | object | Output field hits.hits._source.@fields |
| hits.hits._source.@fields.orig_pkts | number | Output field hits.hits._source.@fields.orig_pkts |
| hits.hits._source.@type | string | Type of the resource |
| hits.hits._source.@timestamp | string | Output field hits.hits._source.@timestamp |
| hits.hits._source.@message | string | Response message |
| hits.hits.sort | array | Output field hits.hits.sort |
| darktracechilderror | string | Error message, if any |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 13:23:15 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "297", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self'
```

### Get Action Summary

Retrieve a categorized breakdown of actions taken within Darktrace for quick analysis and review.

- Endpoint URL: `/agemail/api/v1.0/dash/action_summary`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.days | number | Optional | Number of days to query over (minimum value is 1, maximum value is 30) |

Input example:

```json
{"parameters": {"days": 7}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| hold | object | Output field hold |
| hold.value | number | Value for the parameter |
| movetojunk | object | Output field movetojunk |
| movetojunk.value | number | Value for the parameter |
| attachment_actions | object | Output field attachment_actions |
| attachment_actions.value | number | Value for the parameter |
| link_actions | object | Output field link_actions |
| link_actions.value | number | Value for the parameter |
| other | object | Output field other |
| other.value | number | Value for the parameter |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 01 Aug 2024 09:08:55 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "91", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "default-src 'self';
```

### Get AI Analyst Comments

Retrieve comments associated with a specific AI Analyst event in Darktrace using the provided incident ID.

- Endpoint URL: `/aianalyst/incident/comments`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.incident_id | string | Required | Parameters for the Get AI Analyst Comments action |

Input example:

```json
{"parameters": {"incident_id": "58b1c336-01b2-4418-86f8-3a53b0856aaa"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| comments | array | Output field comments |
| comments.username | string | Name of the resource |
| comments.time | number | Time value |
| comments.incident_id | string | Unique identifier |
| comments.message | string | Response message |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 14:56:00 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "28", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self';
```

### Get AI Analyst Events

Retrieve anomalies or network activities investigated by Cyber AI Analyst within Darktrace.

- Endpoint URL: `/aianalyst/incidentevents`
- Method: GET

Input arguments (every parameter is optional and is described in the source as "Parameters for the Get AI Analyst Events action"):

| Name | Type |
| --- | --- |
| parameters.groupid | string |
| parameters.uuid | string |
| parameters.did | number |
| parameters.excludedid | number |
| parameters.sid | number |
| parameters.excludesid | number |
| parameters.master | number |
| parameters.includeacknowledged | boolean |
| parameters.includeallpinned | boolean |
| parameters.includeonlypinned | boolean |
| parameters.includeincidenteventurl | boolean |
| parameters.locale | string |
| parameters.endtime | string |
| parameters.starttime | string |
| parameters.groupcompliance | boolean |
| parameters.groupsuspicious | boolean |
| parameters.groupcritical | boolean |
| parameters.maxscore | number |
| parameters.minscore | number |
| parameters.maxgroupscore | number |
| parameters.mingroupscore | number |
| parameters.saasonly | boolean |

Input example:

```json
{"parameters": {"groupid": "g04a3f36e-4u8w-v9dh-x6lb-894778cf9633", "uuid": "04a3f36e-4u8w-v9dh-x6lb-894778cf9633", "did": 123, "excludedid": 123, "sid": 123, "excludesid": 123, "master": 123, "includeacknowledged": true, "includeallpinned": true, "includeonlypinned": true, "includeincidenteventurl": true, "locale": "en_US", "endtime": "1646611200000", "starttime": "1646611200000", "groupcompliance": true, "groupsuspicious": true, "groupcritical": true, "maxscore": 50, "minscore": 10, "maxgroupscore": 40, "mingroupscore": 10, "saasonly": true}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 14:02:40 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "3410", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self
```

### Get AI Analyst Groups

Retrieve incident groupings from Darktrace, detailing the constituent events for each group.

- Endpoint URL: `/aianalyst/groups`
- Method: GET

Input arguments (every parameter is optional and is described in the source as "Parameters for the Get AI Analyst Groups action"):

| Name | Type |
| --- | --- |
| parameters.groupid | string |
| parameters.uuid | string |
| parameters.did | number |
| parameters.excludedid | number |
| parameters.sid | number |
| parameters.excludesid | number |
| parameters.master | number |
| parameters.includeacknowledged | boolean |
| parameters.includeallpinned | boolean |
| parameters.includeonlypinned | boolean |
| parameters.includegroupurl | boolean |
| parameters.locale | string |
| parameters.endtime | string |
| parameters.starttime | string |
| parameters.compliance | boolean |
| parameters.suspicious | boolean |
| parameters.critical | boolean |
| parameters.maxscore | number |
| parameters.minscore | number |
| parameters.saasonly | boolean |

Input example:

```json
{"parameters": {"groupid": "g04a3f36e-4u8w-v9dh-x6lb-894778cf9633", "uuid": "04a3f36e-4u8w-v9dh-x6lb-894778cf9633", "did": 123, "excludedid": 123, "sid": 123, "excludesid": 123, "master": 123, "includeacknowledged": true, "includeallpinned": true, "includeonlypinned": true, "includegroupurl": true, "locale": "en_US", "endtime": "1646611200000", "starttime": "1646611200000", "compliance": true, "suspicious": true, "critical": true, "maxscore": 50, "minscore": 10, "saasonly": true}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 14:21:53 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "2506", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self
```

### Get Antigena Respond Details

Retrieve comprehensive analysis and reporting details on current and historical Darktrace Respond/Network actions.

- Endpoint URL: `/antigena`
- Method: GET

Input arguments (every parameter is optional and is described in the source as "Parameters for the Get Antigena Respond Details action"):

| Name | Type |
| --- | --- |
| parameters.fulldevicedetails | boolean |
| parameters.includecleared | boolean |
| parameters.includehistory | boolean |
| parameters.needconfirming | boolean |
| parameters.endtime | number |
| parameters.starttime | number |
| parameters.from | string |
| parameters.to | string |
| parameters.includeconnections | boolean |
| parameters.responsedata | string |
| parameters.pbid | number |

Input example:

```json
{"parameters": {"fulldevicedetails": false, "includecleared": false, "includehistory": false, "needconfirming": false, "endtime": 100, "starttime": 100, "from": "string", "to": "string", "includeconnections": false, "responsedata": "string", "pbid": 10}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| actions | array | Output field actions |
| actions.codeid | number | Unique identifier |
| actions.did | number | Unique identifier |
| actions.ip | string | Output field actions.ip |
| actions.action | string | Output field actions.action |
| actions.manual | boolean | Output field actions.manual |
| actions.triggerer | string | Output field actions.triggerer |
| actions.label | string | Output field actions.label |
| actions.detail | string | Output field actions.detail |
| actions.score | number | Score value |
| actions.pbid | number | Unique identifier |
| actions.model | string | Output field actions.model |
| actions.modeluuid | string | Unique identifier |
| actions.start | number | Output field actions.start |
| actions.expires | number | Output field actions.expires |
| actions.blocked | boolean | Output field actions.blocked |
| actions.agemail | boolean | Output field actions.agemail |
| actions.active | boolean | Output field actions.active |
| actions.cleared | boolean | Output field actions.cleared |
| connections | array | Output field connections |
| connections.action | string | Output field connections.action |
| connections.label | string | Output field connections.label |
| connections.did | number | Unique identifier |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Fri, 07 Jun 2024 06:17:24 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "10", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "script-src 'self';
```

### Get API Data

Retrieve specific 'datatype' information from the Darktrace API, utilizing path parameters to aid in system configuration.

- Endpoint URL: `/{{datatype}}/sourcedevicetypes`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.datatype | string | Required | Parameters for the Get API Data action |

Input example:

```json
{"path_parameters": {"datatype": "filtertypes"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 06 Feb 2024 07:01:54 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "2928", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style ", "Cache-Control": "no-store", "servertime":
```

### Get Audit Events

Retrieve audit events from Darktrace for a given time range using 'start' and 'end' parameters. Permissions required: Audit Log.

- Endpoint URL: `/agemail/api/v1.0/system/audit/events`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.start | number | Required | Unix timestamp start of the range to return audit events for |
| parameters.end | number | Required | Unix timestamp end of the range to return audit events for |
| parameters.limit | number | Optional | Maximum number of events to return (minimum 1, maximum 50) |
| parameters.offset | number | Optional | Number of events to offset by for pagination (minimum 0) |
| parameters.excludedarktrace | string | Optional | String 'true' or 'false' for whether to exclude events for the 'darktrace' user from the response |
| parameters.excludesystem | string | Optional | String 'true' or 'false' for whether to exclude events for the 'system' user from the response |
| parameters.account | string | Optional | String account name to return events for |
| parameters.eventtype | string | Optional | Event type to return; accepts either the string label or the type ID integer |

Input example:

```json
{"parameters": {"start": 123, "end": 123, "limit": 20, "offset": 123, "excludedarktrace": "string", "excludesystem": "string", "account": "string", "eventtype": "string"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 01 Aug 2024 09:09:55 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "91", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "default-src 'self';
```

### Get Comments

Retrieves user comments on Darktrace model breaches, providing insights into security events.

- Endpoint URL: `/mbcomments`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.count | number | Optional | Specifies the maximum number of items to return |
| parameters.endtime | string | Optional | End time of data to return in millisecond format, relative to midnight January 1st 1970 UTC |
| parameters.pbid | number | Optional | ID for a model breach |
| parameters.starttime | string | Optional | Start time of data to return in millisecond format, relative to midnight January 1st 1970 UTC |

Input example:

```json
{"parameters": {"count": 30, "endtime": "1704282955000", "pbid": 10, "starttime": "1704196555000"}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 06 Feb 2024 10:43:51 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "147", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style ", "Cache-Control": "no-store", "servertime":
```

### Get Components

Retrieves component parts of defined models from Darktrace, facilitating data referencing in model breaches.

- Endpoint URL: `/components`
- Method: GET

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Mon, 05 Feb 2024 10:25:21 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "940675", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style ", "Cache-Control": "no-store", "servertim
```

### Get Dashboard Statistics

Retrieve timeseries statistics from Darktrace dashboards, filtering by direction and tag IDs.

- Endpoint URL: `/agemail/api/v1.0/dash/dash_stats`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.dashkey | string | Optional | Accepts direction and shorthand tag ID; multiple keys can be comma-separated, maximum of 5 allowed |
| parameters.days | number | Optional | Number of days to return data for (minimum value is 1, maximum value is 30) |

Input example:

```json
{"parameters": {"dashkey": "inbound,outbound", "days": 7}}
```

Output parameters (the source spells out the per-bucket fields for the keys 1721887200000, 1721908800000 and 1721930400000; `{timestamp}` below stands for such a key):

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| resp | object | Output field resp |
| resp.inbound | object | Output field resp.inbound |
| resp.inbound.{timestamp} | object | Output field resp.inbound.{timestamp} |
| resp.inbound.{timestamp}.dtime | number | Time value |
| resp.inbound.{timestamp}.volume | number | Output field resp.inbound.{timestamp}.volume |
| resp.inbound.{timestamp}.n_held | number | Output field resp.inbound.{timestamp}.n_held |
| resp.inbound.{timestamp}.n_junk | number | Output field resp.inbound.{timestamp}.n_junk |
| resp.inbound.{timestamp}.n_other_actions | number | Output field resp.inbound.{timestamp}.n_other_actions |
| resp.inbound.{timestamp}.n_last_period | number | Output field resp.inbound.{timestamp}.n_last_period |

Output example:

```json
{"resp": {"inbound": {"1721887200000": {}, "1721908800000": {}, "1721930400000": {}, "1721952000000": {}, "1721973600000": {}, "1721995200000": {}, "1722016800000": {}, "1722038400000": {}, "1722060000000": {}, "1722081600000": {}, "1722103200000": {}, "1722124800000": {}, "1722146400000": {}, "1722168000000": {}, "1722189600000": {}}, "outbound": {"1721887200000": {}, "1721908800000": {}, "1721930400000": {}, "1721952000000": {}, "1721973600000": {}, "1721995200000": {}, "1722016800000": {}, "1722038400000": {}, "1722060000000": {}, "1722081600
```

### Get Data Loss

Retrieve data loss prevention (DLP) statistics for users, sorted by total breach count.

- Endpoint URL: `/agemail/api/v1.0/dash/data_loss`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.days | number | Optional | Number of days to return data for (minimum 1, maximum 30) |
| parameters.limit | number | Optional | Number of items to return (minimum 1, maximum 100) |

Input example:

```json
{"parameters": {"days": 7, "limit": 5}}
```

Output parameters:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example:

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 01 Aug 2024 10:18:24 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "10", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay= , camera=(), display-capture=(), encrypted-media=(), ", "Content-Security-Policy": "default-src 'self';
```

### Get Details

Retrieves a time-sorted list of connections and events for a specified device or entity in Darktrace using the 'externalhostname' parameter.

- Endpoint URL: `/details`
- Method: GET

Input arguments:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.applicationprotocol | string | Optional | This filter can be used to filter the returned data by application protocol. See /enums (API Data task) for the list of application protocols |
| parameters.count | number | Optional | Max number of items to return |
| parameters.ddid | number | Optional | Identification number of a destination device modelled in the Darktrace system to restrict data to |
| parameters.deduplicate | boolean | Optional | Display only one equivalent connection per hour |
| parameters.destinationport | number | Optional | This filter can be used to filter the returned data by destination port |
| parameters.did | number | Optional | Identification number of a device modelled in the Darktrace system |
| parameters.externalhostname | string | Required | Specifies a hostname to return details for |
| parameters.eventtype | string | Optional | Specifies a hostname to return details for |
| parameters.from | string | Optional | Start time of data to return in YYYY-MM-DD HH:MM:SS format |
| parameters.fulldevicedetails | boolean | Optional | Returns the full device detail objects for all devices referenced by data in an API response. Use of this parameter will alter the JSON structure of the API response for certain calls |
| parameters.intext | string | Optional | Returns the full device detail objects for all devices referenced by data in an API response. Use of this parameter will alter the JSON structure of the API response for certain calls |
| parameters.msg | string | Optional | Specifies the value of the message field in notice events to return details for. Typically used to specify user credential strings |
| parameters.odid | number | Optional | Identification number of a device modelled in the Darktrace system to restrict data to. Typically used |
with ddid and odid to specifiy device pairs regardless of source/destination parameters pbid number optional id for a model breach parameters port number optional this filter can be used to filter the returned data by source or destination port parameters protocol string optional this filter can be used to filter the returned data by ip protocol see /enums for the list of protocols parameters sourceport number optional this filter can be used to filter the returned data by source port parameters endtime string optional end time of data to return in millisecond format, relative to midnight january 1st 1970 utc parameters starttime string optional start time of data to return in millisecond format, relative to midnight january 1st 1970 utc parameters to string optional end time of data to return in yyyy mm dd hh\ mm \ ss format parameters uid string optional specifies a connection uid to return input example {"parameters" {"application protocol" "smb","count" 50,"ddid" 2,"deduplicate"\ false,"destinationport" 443,"did" 3,"externalhostname" "google com","eventtype" "unusualconnection","from" "2014 12 01t01 00 00","fulldevicedetails"\ true,"intext" "internal","msg" "user123","odid" 1,"pbid" 6,"port" 443,"protocol" "tcp","sourceport" 443,"endtime" "1704282955000","starttime" "1704196555000","to" "2014 12 01t01 00 00","uid" "ccdxo43n8b75cdyyi5"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 06 feb 2024 07 38 27 gmt","content type" "application/json; charset=utf 8","content length" "682","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get 
device info retrieve detailed connectivity and activity data for a device in darktrace using the unique device id endpoint url /deviceinfo method get input argument name type required description parameters datatype string optional parameters for the get device info action parameters did number required identification number of a device modelled in the darktrace system parameters externaldomain string optional restrict external data to an particular domain name parameters fulldevicedetails boolean optional returns the full device detail objects for all devices referenced by data in an api response use of this parameter will alter the json structure of the api response for certain calls parameters odid number optional identification number of a device modelled in the darktrace system to restrict data to typically used with ddid and odid to specifiy device pairs regardless of source/destination parameters showallgraphdata boolean optional return an entry for all time intervals in the graph data, including zero counts parameters similardevices number optional return data for the primary device and this number of similar devices input example {"parameters" {"datatype" "return data for either connections, data size out or data size in ","did" 1,"externaldomain" "restrict external data to an particular domain name ","fulldevicedetails"\ true,"odid" 2,"showallgraphdata"\ false,"similardevices" 5}} output parameter type description status code number http status code of the response reason string response reason phrase deviceinfo array output field deviceinfo deviceinfo did number unique identifier deviceinfo similarityscore number score value deviceinfo domain string output field deviceinfo domain deviceinfo graphdata array response data deviceinfo graphdata file name string response data deviceinfo graphdata file string response data deviceinfo info object output field deviceinfo info deviceinfo info totalused number output field deviceinfo info totalused deviceinfo info 
totalserved number output field deviceinfo info totalserved deviceinfo info totaldevicesandports number output field deviceinfo info totaldevicesandports deviceinfo info devicesandports array output field deviceinfo info devicesandports deviceinfo info devicesandports file name string name of the resource deviceinfo info devicesandports file string output field deviceinfo info devicesandports file deviceinfo info portsused array output field deviceinfo info portsused deviceinfo info portsused file name string name of the resource deviceinfo info portsused file string output field deviceinfo info portsused file deviceinfo info portsserved array output field deviceinfo info portsserved deviceinfo info portsserved file name string name of the resource deviceinfo info portsserved file string output field deviceinfo info portsserved file deviceinfo info devicesused array output field deviceinfo info devicesused deviceinfo info devicesused file name string name of the resource deviceinfo info devicesused file string output field deviceinfo info devicesused file output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 06 feb 2024 08 44 58 gmt","content type" "application/json; charset=utf 8","content length" "173","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get devices retrieve a comprehensive list of devices with detailed information as identified by darktrace endpoint url /devices method get input argument name type required description parameters seensince string optional relative offset for activity devices with activity in the specified time period are returned the format is either a number representing a number of seconds before the current time, or a number with 
a modifier such as day or week parameters ip string optional return data for this ip address parameters iptime string optional return the device which had the ip at a given time parameters mac string optional return the device with this mac address input example {"parameters" {"seensince" "14days","ip" "8 8 8 8","iptime" "2019 01 01t12 00 00","mac" "11 22 33 44 55 66"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "mon, 05 feb 2024 10 09 21 gmt","content type" "application/json; charset=utf 8","content length" "1926","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get email by uuid retrieve a summary of an email from darktrace using the provided unique identifier (uuid) endpoint url /agemail/api/v1 0/emails/{{uuid}} method get input argument name type required description path parameters uuid string required uuid of the email parameters dtime number optional approximate timestamp of the email optional but will increase speed of the response input example {"path parameters" {"uuid" "12345678 1234 1234 1234 123456789abc"},"parameters" {"dtime" 123}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "thu, 01 aug 2024 09 09 55 gmt","content type" "application/json; charset=utf 8","content length" "91","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","permissions 
policy" "accelerometer=(), autoplay= , camera=(), display capture=(), encrypted media=(), ","content security policy" "default src 'self'; get email search search for emails within darktrace using specified criteria and filters; requires a data body input endpoint url /agemail/api/v1 0/emails/search method post input argument name type required description data body object required response data data body page number required the page number (starting at 0) to choose data body itemsperpage number required number of items to be returned per page maximum is 50 data body timefrom number required unix timestamp (seconds or millisends) to start the search from data body timeto number required unix timestamp (seconds or millisends) to search until data body query object required object containing the filters to apply data body query criterialist array required response data data body query criterialist apifilter string required apifilter to apply see /resources/filters data body query criterialist value string required value to compare against not required if the type is flag (flag is true or not present) data body query criterialist operator string required response data data body query mode string optional mode to apply the filters in either 'and' or 'or' input example {"data body" {"page" 0,"itemsperpage" 20,"timefrom" 1677159576,"timeto" 1677245976,"query" {"criterialist" \[{"apifilter" "email antigena email anomaly","value" "50","operator" ">"},{"apifilter" "recipient email","value" "test\@holdingsinc com","operator" "="}],"mode" "and"}}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 10 jul 2024 09 46 34 gmt","content type" "application/json; charset=utf 8","content length" "33","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource 
policy" "same origin","x robots tag" "noindex, noindex","permissions policy" "accelerometer=(), autoplay= , camera=(), display capture=(), encrypted media=(), ","content security policy" "script src 'self'; get filters obtain a comprehensive list of available filters and their values for the darktrace /emails/search endpoint endpoint url /agemail/api/v1 0/resources/filters method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "fri, 02 aug 2024 08 22 33 gmt","content type" "application/json; charset=utf 8","content length" "1418","cross origin embedder policy" "require corp","cross origin opener policy" "same origin","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","permissions policy" "accelerometer=(), autoplay= , camera=(), display capture=(), encrypted media=(), ","content security policy" "default src 'self';base uri 's get incidents retrieve a list of incidents from darktrace based on time range and acknowledgment status, using 'start time', 'end time', and 'include ack' endpoint url /aianalyst/incidents method get input argument name type required description parameters start time string required start of time range parameters end time string required end of time range parameters include ack boolean required include acknowledged incidents in output input example {"parameters" {"start time" " 1days","end time" "now","include ack"\ true}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 06 feb 2024 08 54 41 gmt","content type" "application/json; charset=utf 8","content length" "4248","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same 
origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get intelfeed retrieve the latest threat intelligence information from darktrace intelfeed endpoint url /intelfeed method get input argument name type required description parameters addentry string optional parameters for the get intelfeed action parameters add list array optional parameters for the get intelfeed action parameters description string optional parameters for the get intelfeed action parameters expiry string optional parameters for the get intelfeed action parameters fulldetails string optional parameters for the get intelfeed action parameters hostname string optional parameters for the get intelfeed action parameters removeall string optional parameters for the get intelfeed action parameters remove entry string optional parameters for the get intelfeed action parameters source string optional parameters for the get intelfeed action parameters sources string optional parameters for the get intelfeed action input example {"parameters" {"addentry" "www badmalware com","add list" \["www badmalware com,www mymalware com"],"description" "this is a description","expiry" "2020 12 31t12 00 00","fulldetails" "true","hostname" "true","removeall" "false","remove entry" "www badmalware com","source" "google","sources" "true"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 13 feb 2024 15 50 31 gmt","content type" "application/json; charset=utf 8","content length" "67","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data 
uris;media src 'self';style ","cache control" "no store","servertime" " get metric data retrieve time series values for metrics related to a device, enabling graph creation within darktrace endpoint url /metricdata method get input argument name type required description parameters application protocol string optional this filter can be used to filter the returned data by application protocol see /enums (api data task) for the list of application protocols parameters breachtimes boolean optional return additional information for the model breach times for the device parameters ddid number optional identification number of a destination device modelled in the darktrace system to restrict data to parameters destinationport number optional this filter can be used to filter the returned data by destination port parameters did number optional identification number of a device modelled in the darktrace system parameters from string optional start time of data to return in yyyy mm dd hh\ mm \ ss format parameters fulldevicedetails boolean optional returns the full device detail objects for all devices referenced by data in an api response use of this parameter will alter the json structure of the api response for certain calls parameters interval number optional time interval size in seconds the maximum value for any minute in interval is returned parameters metric string optional name of a metric see /metrics for the full list of current metrics parameters odid number optional identification number of a device modelled in the darktrace system to restrict data to typically used with ddid and odid to specifiy device pairs regardless of source/destination parameters port number optional this filter can be used to filter the returned data by source or destination port parameters protocol string optional this filter can be used to filter the returned data by ip protocol see /enums for the list of protocols parameters sourceport number optional this filter can be used to 
filter the returned data by source port parameters starttime string optional start time of data to return in millisecond format, relative to midnight january 1st 1970 utc parameters endtime string optional start time of data to return in millisecond format, relative to midnight january 1st 1970 utc input example {"parameters" {"application protocol" "smb","breachtimes"\ true,"ddid" 2,"destinationport" 443,"did" 2,"from" "2014 12 01t01 00 00","fulldevicedetails"\ true,"interval" 3600,"metric" "connections","odid" 2,"port" 443,"protocol" "tcp","sourceport" 22,"starttime" "1704196555000","endtime" "1704282955000"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 06 feb 2024 15 19 47 gmt","content type" "application/json; charset=utf 8","content length" "3656","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get network info retrieve a summary of metric data detailing device interactions and communication patterns within the network endpoint url /network method get input argument name type required description parameters application protocol string optional this filter can be used to filter the returned data by application protocol see /enums (api data task) for the list of application protocols parameters destinationport number optional this filter can be used to filter the returned data by destination port parameters intext string optional returns the full device detail objects for all devices referenced by data in an api response use of this parameter will alter the json structure of the api response for certain calls parameters did 
number optional identification number of a device modelled in the darktrace system parameters ip string optional return data for this ip address parameters from string optional start time of data to return in yyyy mm dd hh\ mm \ ss format parameters to string optional end time of data to return in yyyy mm dd hh\ mm \ ss format parameters fulldevicedetails boolean optional returns the full device detail objects for all devices referenced by data in an api response use of this parameter will alter the json structure of the api response for certain calls parameters metric string optional name of a metric see /metrics for the full list of current metrics parameters port number optional this filter can be used to filter the returned data by source or destination port parameters protocol string optional this filter can be used to filter the returned data by ip protocol see /enums for the list of protocols parameters sourceport number optional this filter can be used to filter the returned data by source port parameters starttime string optional start time of data to return in millisecond format, relative to midnight january 1st 1970 utc parameters endtime string optional end time of data to return in millisecond format, relative to midnight january 1st 1970 utc input example {"parameters" {"application protocol" "smb","destinationport" 443,"intext" "internal","did" 2,"ip" "8 8 8 8","from" "2023 12 01t01 00 00","to" "2023 12 01t01 00 00","fulldevicedetails"\ true,"metric" "connections","port" 443,"protocol" "tcp","sourceport" 22,"starttime" "1704196555000","endtime" "1704282955000"}} output parameter type description status code number http status code of the response reason string response reason phrase statistics array output field statistics statistics views array output field statistics views statistics views view string output field statistics views view statistics views in boolean output field statistics views in statistics views out boolean output field statistics 
views out statistics connection status array status value statistics connection status connections string status value statistics connection status in boolean status value statistics connection status out boolean status value statistics applicationprotocols array output field statistics applicationprotocols statistics applicationprotocols file name string name of the resource statistics applicationprotocols file string output field statistics applicationprotocols file subnets array output field subnets subnets file name string name of the resource subnets file string output field subnets file devices array output field devices devices file name string name of the resource devices file string output field devices file metric object output field metric metric mlid number unique identifier metric name string name of the resource metric label string output field metric label metric units string output field metric units output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 07 feb 2024 07 37 43 gmt","content type" "application/json; charset=utf 8","content length" "1329","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get similar devices retrieve a list of devices with similar characteristics or behaviors to a specified device in darktrace endpoint url /similardevices method get input argument name type required description parameters count number optional parameters for the get similar devices action parameters did number optional identification number of a device modelled in the darktrace system input example {"parameters" {"count" 20,"did" 2}} output parameter type description status code number http status code of the response reason string response reason phrase 
output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 07 feb 2024 08 57 34 gmt","content type" "application/json; charset=utf 8","content length" "10","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" " get status retrieve current system health and operational metrics from darktrace for status monitoring endpoint url /status method get input argument name type required description parameters include children boolean optional return information for child instances, probes and sensors input example {"parameters" {"include children"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase excesstraffic boolean output field excesstraffic time string time value installed string output field installed mobileappconfigured boolean output field mobileappconfigured version string output field version ipaddress string output field ipaddress modelsupdated string output field modelsupdated modelpackageversion string output field modelpackageversion bundleversion string output field bundleversion bundledate string date value bundleinstalleddate string date value metadata object response data maximumossensors number output field maximumossensors hostname string name of the resource uuid string unique identifier inoculation boolean output field inoculation applianceoscode string output field applianceoscode license string output field license saasconnectorlicense string output field saasconnectorlicense antigenasaaslicense string output field antigenasaaslicense syslogtlssha1fingerprint string output field syslogtlssha1fingerprint syslogtlssha256fingerprint string output field syslogtlssha256fingerprint 
antigenanetworkenabled boolean output field antigenanetworkenabled output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 07 feb 2024 09 27 02 gmt","content type" "application/json; charset=utf 8","content length" "1976","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","cache control" "no store","servertime" "0 074","content encoding" "deflate","vary" "accept encoding","x frame options" "sameorigin","x xss protection" get subnets obtain a detailed list of identified subnets from darktrace without the need for additional input parameters endpoint url /subnets method get input argument name type required description parameters seensince string optional parameters for the get subnets action input example {"parameters" {"seensince" "7days"}} output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "wed, 07 feb 2024 09 45 05 gmt","content type" "application/json; charset=utf 8","content length" "523","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get tags retrieves comprehensive details for all tags in the darktrace ecosystem, including metadata and associated information endpoint url /tags method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"server" "nginx","date" "tue, 06 feb 2024 10 08 13 gmt","content type" "application/json; charset=utf 8","content length" 
"4137","cross origin embedder policy" "require corp","cross origin opener policy" "same origin allow popups","cross origin resource policy" "same origin","x robots tag" "noindex, noindex","content security policy" "script src 'self';img src 'self' data blob data uris;media src 'self';style ","cache control" "no store","servertime" get user anomaly retrieve user anomaly statistics from darktrace, ranked by anomaly level to identify potential threats endpoint url /agemail/api/v1 0/dash/user anomaly method get input argument name type required description parameters days number optional number of days to return data for (minimum 1, maximum 30) parameters limit number optional number of items to return (minimum 1, maximum 100) input example {"parameters" {"days" 30,"limit" 100}} output parameter type description status code number http status code of the response reason string response reason phrase leeroy jenkins\@storosta com object output field mailto\ leeroy jenkins\@storosta com leeroy jenkins\@storosta com n emails number output field mailto\ leeroy jenkins\@storosta com n emails leeroy jenkins\@storosta com total emails number output field mailto\ leeroy jenkins\@storosta com total emails leeroy jenkins\@storosta com n last period number output field mailto\ leeroy jenkins\@storosta com n last period leeroy jenkins\@storosta com n last week number output field mailto\ leeroy jenkins\@storosta com n last week leeroy jenkins\@storosta com percentage number output field mailto\ leeroy jenkins\@storosta com percentage leeroy jenkins\@storosta com n links number output field mailto\ leeroy jenkins\@storosta com n links leeroy jenkins\@storosta com n attachments number output field mailto\ leeroy jenkins\@storosta com n attachments output example {"status code" 200,"response headers" {"server" "nginx","date" "thu, 01 aug 2024 10 33 08 gmt","content type" "application/json; charset=utf 8","content length" "133","cross origin embedder policy" "require corp","cross 
...-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "default-src 'self' ...

### Get Valid Audit Event Types

Retrieve a list of valid audit event types from Darktrace, verifying audit log permissions.

**Endpoint URL:** `/agemail/api/v1.0/system/audit/eventtypes`
**Method:** GET

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 01 Aug 2024 09:09:55 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "91", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "default-src 'self'; ...
```

### List Endpoint Details

Retrieve detailed information on endpoints, such as location, IP address and device connection data, for external IPs and hostnames.

**Endpoint URL:** `/endpointdetails`
**Method:** GET

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.additionalinfo | boolean | optional | Return additional information about the endpoint. |
| parameters.devices | boolean | optional | Return a list of devices which have recently connected to the endpoint. |
| parameters.score | boolean | optional | Return rarity data for this endpoint. |
| parameters.hostname | string | optional | Return data for this hostname. |
| parameters.ip | string | optional | Return data for this IP address. |
| parameters.responsedata | string | optional | When given the name of a top-level field or object, restricts the returned JSON to only that field or object. |

**Input example**

```json
{"parameters": {"additionalinfo": true, "devices": true, "score": true, "hostname": "www.google.com", "ip": "8.8.8.8", "responsedata": "devices"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| ip | string | Output field ip |
| firsttime | number | Time value |
| country | string | Output field country |
| asn | string | Output field asn |
| city | string | Output field city |
| region | string | Output field region |
| name | string | Name of the resource |
| longitude | number | Output field longitude |
| latitude | number | Output field latitude |
| subnetlabel | string | Output field subnetlabel |
| subnetid | string | Unique identifier |
| subnetnetwork | string | Output field subnetnetwork |
| ipage | number | Output field ipage |
| iptime | string | Time value |
| devices | array | Output field devices |
| devices.did | number | Unique identifier |
| devices.macaddress | string | Output field devices.macaddress |
| devices.vendor | string | Output field devices.vendor |
| devices.ip | string | Output field devices.ip |
| devices.ips | array | Output field devices.ips |
| devices.ips.ip | string | Output field devices.ips.ip |
| devices.ips.timems | number | Output field devices.ips.timems |
| devices.ips.time | string | Time value |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 13:34:06 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "62", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "script-src 'self'; ...
```

### List Metrics

Retrieve a comprehensive list of available metrics from the Darktrace system for analysis and monitoring.

**Endpoint URL:** `/metrics`
**Method:** GET

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 06 Feb 2024 10:34:27 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "18804", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style-src ...", "Cache-Control": "no-store", "servertime": ...
```

### List Model Breaches

Retrieve detailed information on identified model breaches within the Darktrace ecosystem.

**Endpoint URL:** `/modelbreaches`
**Method:** GET

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.deviceattop | boolean | optional | Return the device JSON object as a value of the top-level object rather than within each matched component. |
| parameters.did | number | optional | Identification number of a device modelled in the Darktrace system. |
| parameters.starttime | string | optional | Start time of data to return, in milliseconds relative to midnight January 1st 1970 UTC. |
| parameters.endtime | string | optional | End time of data to return, in milliseconds relative to midnight January 1st 1970 UTC. |
| parameters.from | string | optional | Start time of data to return, in `YYYY-MM-DD HH:MM:SS` format. |
| parameters.to | string | optional | End time of data to return, in `YYYY-MM-DD HH:MM:SS` format. |
| parameters.historicmodelonly | boolean | optional | Return the JSON for the historic version of the model details only, rather than both the historic and current definition. |
| parameters.includebreachurl | boolean | optional | Return a URL for the model breach in the long form of the model breach data. This requires that the FQDN configuration parameter is set. |
| parameters.includeacknowledged | boolean | optional | Include acknowledged breaches in the data. |
| parameters.minimal | boolean | optional | Reduce the amount of data returned for the API call. This parameter defaults to false when any of the starttime, from, pid, uuid, pbid or did parameters are used. |
| parameters.pbid | number | optional | ID for a model breach. |
| parameters.pid | number | optional | Only return model breaches for the specified model. |
| parameters.uuid | string | optional | Specifies a connection UID to return. |

**Input example**

```json
{"parameters": {"deviceattop": true, "did": 1, "starttime": "1704196555000", "endtime": "1704282955000", "from": "2023-12-12T00:00:00", "to": "2024-01-03T00:00:00", "historicmodelonly": false, "includebreachurl": true, "includeacknowledged": false, "minimal": false, "pbid": 1, "pid": 1, "uuid": ""}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Wed, 07 Feb 2024 07:25:14 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "1601", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style-src ...", "Cache-Control": "no-store", "servertime": ...
```

### List Models

Retrieve a list of Darktrace models for reference when analysing model breach data.

**Endpoint URL:** `/models`
**Method:** GET

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Wed, 07 Feb 2024 07:28:00 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "332557", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style-src ...", "Cache-Control": "no-store", "servertime": ...
```

### List Similar Devices

Retrieves a list of devices with similar characteristics to a specified device within the Darktrace network.

**Endpoint URL:** `/similardevices`
**Method:** GET

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.did | number | optional | Identification number of the device for which similar devices are returned. |
| parameters.count | number | optional | Specifies the maximum number of items to return. |
| parameters.fulldevicedetails | boolean | optional | Returns the full device detail objects for all devices referenced by data in an API response. Use of this parameter will alter the JSON structure of the API response for certain calls. |
| parameters.token | string | optional | Takes a token value returned by a system notice about a change in similar devices for a specified device; will return the old and new list of devices. |
| parameters.responsedata | string | optional | When given the name of a top-level field or object, restricts the returned JSON to only that field or object. |

**Input example**

```json
{"parameters": {"did": 123, "count": 10, "fulldevicedetails": true, "token": "example", "responsedata": "devices"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 02 Jul 2024 13:43:24 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "10", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "script-src 'self'; ...
```

### Post Action

Executes a specified action on an email within Darktrace, identified by its UUID, subject to user permissions.

**Endpoint URL:** `/agemail/api/v1.0/emails/{{uuid}}/action`
**Method:** POST

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | UUID of the email. |
| parameters.dtime | number | optional | Approximate timestamp of the email. Optional, but supplying it speeds up the response. |
| data_body | object | required | Response data. |
| data_body.action | string | required | Action to take on the email: either 'hold', 'release' or, if requested, 'approve release' / 'reject release'. |
| data_body.recipients | array | required | List of recipient email addresses to perform the action on. For hold, these must be a subset of the original recipients of the email. |
| data_body.returnemail | boolean | optional | Whether to return the email object (in emaildetails format) after the action is taken. If true, will wait up to 5 seconds for the release. |

**Input example**

```json
{"data_body": {"action": "hold", "recipients": ["leeroy.jenkins@storosta.com"], "returnemail": false}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Sun, 04 Aug 2024 16:06:16 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "10", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "default-src 'self'; ...
```

### Return Information About All Tags

Retrieve comprehensive details on all tags within Darktrace, including associated permissions and email logs.

**Endpoint URL:** `/agemail/api/v1.0/resources/tags`
**Method:** GET

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"tag_id": "aa", "name": "Automatic Response", "status": "info", "description": "An email that has been automatically produced as a result of a received email t...", "category": "content"}
```

### Return Information About Darktrace/Email Actions

Retrieve detailed information about email-related actions within the Darktrace platform.

**Endpoint URL:** `/agemail/api/v1.0/resources/actions`
**Method:** GET

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Fri, 02 Aug 2024 08:15:05 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "544", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "default-src 'self' ...
```

### Return the Raw Body of This Email

Retrieve the raw body of an email from Darktrace using the provided unique identifier (UUID).

**Endpoint URL:** `/agemail/api/v1.0/emails/{{uuid}}/download`
**Method:** GET

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.uuid | string | required | UUID of the email. |

**Input example**

```json
{"path_parameters": {"uuid": "12345678-1234-1234-1234-123456789abc"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| uuid | string | Unique identifier |
| direction | string | Output field direction |
| dtime | string | Time value |
| dtime_unix | number | Output field dtime_unix |
| header_from | string | Output field header_from |
| header_from_email | string | Output field header_from_email |
| header_from_personla | string | Output field header_from_personla |
| header_subject | string | Output field header_subject |
| in_progress | boolean | Output field in_progress |
| n_links | number | Output field n_links |
| n_attachments | number | Output field n_attachments |
| model_score | number | Score value |
| campaign_id | string | Unique identifier |
| rcpts | array | Output field rcpts |
| rcpts.rcpt_to | string | Output field rcpts.rcpt_to |
| rcpts.rcpt_status | string | Status value |
| rcpts.tags | array | Output field rcpts.tags |
| rcpts.is_read | boolean | Output field rcpts.is_read |
| rcpts.rcpt_actions_taken | array | Output field rcpts.rcpt_actions_taken |
| rcpts.action_status | boolean | Status value |
| rcpts.is_group_email | boolean | Output field rcpts.is_group_email |
| rcpts.summary | array | Output field rcpts.summary |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 01 Aug 2024 09:09:55 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "91", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "default-src 'self'; ...
```

### Unacknowledge Event

Reverts the acknowledgement status of an AI Analyst event in Darktrace using the specified UUID.

**Endpoint URL:** `/modelbreaches/{{pbid}}/unacknowledge`
**Method:** POST

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.pbid | number | required | ID of the model breach to unacknowledge. |

**Input example**

```json
{"path_parameters": {"pbid": 40974}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response | string | Output field response |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Tue, 13 Feb 2024 15:23:21 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "35", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Content-Security-Policy": "script-src 'self';img-src 'self' data: blob: data-uris;media-src 'self';style-src ...", "Cache-Control": "no-store", "servertime": " ...
```

### Unlock a Link

Reverses a previous lock, enabling access to a link initially restricted by Darktrace.

**Endpoint URL:** `/agemail/api/v1.0/admin/decode_link`
**Method:** GET

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.url | string | optional | The link to unlock. |

**Input example**

```json
{"parameters": {"url": "https://example.com/api/resource"}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| link | string | Output field link |
| displayhash | string | Output field displayhash |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Thu, 01 Aug 2024 09:09:55 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "91", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "default-src 'self'; ...
```

### Update Antigena Respond State

Modifies or activates Darktrace RESPOND actions using the provided `codeid`.

**Endpoint URL:** `/antigena`
**Method:** POST

**Input**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| codeid | number | optional | Unique identifier of the RESPOND action. |
| activate | boolean | optional | Parameter for the Update Antigena Respond State action. |
| duration | number | optional | Parameter for the Update Antigena Respond State action. |
| reason | string | optional | Response reason phrase. |
| clear | boolean | optional | Parameter for the Update Antigena Respond State action. |

**Input example**

```json
{"json_body": {"codeid": 123, "activate": true, "duration": 100, "reason": "string", "clear": true}}
```

**Output**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

**Output example**

```json
{"status_code": 200, "response_headers": {"Server": "nginx", "Date": "Fri, 07 Jun 2024 06:23:27 GMT", "Content-Type": "application/json; charset=utf-8", "Content-Length": "10", "Cross-Origin-Embedder-Policy": "require-corp", "Cross-Origin-Opener-Policy": "same-origin-allow-popups", "Cross-Origin-Resource-Policy": "same-origin", "X-Robots-Tag": "noindex, noindex", "Permissions-Policy": "accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), ...", "Content-Security-Policy": "script-src 'self'; ...
```

### Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | no-store |
| Content-Encoding | HTTP response header Content-Encoding | gzip |
| Content-Length | The length of the response body in bytes | 91 |
| Content-Security-Policy | HTTP response header Content-Security-Policy | default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: data-uris data: |
| Content-Type | The media type of the resource | application/json; charset=utf-8 |
| Cross-Origin-Embedder-Policy | HTTP response header Cross-Origin-Embedder-Policy | require-corp |
| Cross-Origin-Opener-Policy | HTTP response header Cross-Origin-Opener-Policy | same-origin-allow-popups |
| Cross-Origin-Resource-Policy | HTTP response header Cross-Origin-Resource-Policy | same-origin |
| Date | The date and time at which the message was originated | Wed, 07 Feb 2024 07:25:14 GMT |
| ETag | An identifier for a specific version of a resource | W/"2-vygp6pvfo4rvsftpoiwecreyic8" |
| Expect-CT | HTTP response header Expect-CT | max-age=0 |
| Origin-Agent-Cluster | HTTP response header Origin-Agent-Cluster | ?1 |
| Permissions-Policy | HTTP response header Permissions-Policy | accelerometer=(), autoplay=(), camera=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=() |
| Referrer-Policy | HTTP response header Referrer-Policy | same-origin |
| Server | Information about the software used by the origin server | nginx |
| servertime | HTTP response header servertime | 1.045 |
| Strict-Transport-Security | HTTP response header Strict-Transport-Security | max-age=31536000; includeSubDomains; |
| Transfer-Encoding | HTTP response header Transfer-Encoding | chunked |
| Vary | HTTP response header Vary | Accept-Encoding |
| X-Content-Security-Policy | HTTP response header X-Content-Security-Policy | default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: data-uris data: |
| X-Content-Type-Options | HTTP response header X-Content-Type-Options | nosniff |
| X-DNS-Prefetch-Control | HTTP response header X-DNS-Prefetch-Control | off |
| X-Download-Options | HTTP response header X-Download-Options | noopen |
| X-Frame-Options | HTTP response header X-Frame-Options | SAMEORIGIN |
| X-Permitted-Cross-Domain-Policies | HTTP response header X-Permitted-Cross-Domain-Policies | none |
| X-Robots-Tag | HTTP response header X-Robots-Tag | noindex, noindex |
| X-WebKit-CSP | HTTP response header X-WebKit-CSP | default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: data-uris data: |
| X-XSS-Protection | HTTP response header X-XSS-Protection | 1; mode=block |
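The response headers table above is mostly a list of browser hardening headers the Darktrace appliance returns. The following is an added example, not code from the connector or from Darktrace, that parses those header values and checks them against common hardening expectations (a one-year HSTS `max-age`, no `'unsafe-*'` CSP sources, `nosniff`, framing protection, `no-store` on API responses, and the legacy `X-XSS-Protection` filter turned off). The sample header dict is constructed from the table's example column; the thresholds and finding texts are this example's own assumptions, not requirements stated by Darktrace or Swimlane.

```python
"""Audit security-relevant HTTP response headers.

Added example (not part of the connector documentation). The sample values
below are constructed from the Response Headers table; the checks encode
widely used hardening guidance and are this example's assumptions.
"""
import re

# Constructed from the example column of the Response Headers table.
SAMPLE_HEADERS = {
    "Cache-Control": "no-store",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; "
        "style-src 'self' 'unsafe-inline'; img-src 'self' data: blob:"
    ),
    "Content-Type": "application/json; charset=utf-8",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Opener-Policy": "same-origin-allow-popups",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Referrer-Policy": "same-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains;",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for this audit


def parse_csp(value):
    """Split a CSP string into {directive: [sources]}; empty input gives {}."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def hsts_max_age(value):
    """Return the HSTS max-age in seconds, or None if absent or unparseable."""
    if not value:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        if "default-src" not in csp:
            findings.append("CSP has no default-src fallback")
        for directive, sources in csp.items():
            weak = [s for s in sources if s in ("'unsafe-inline'", "'unsafe-eval'")]
            if weak:
                findings.append(f"CSP {directive} permits {' '.join(weak)}")

    age = hsts_max_age(h.get("strict-transport-security"))
    if age is None:
        findings.append("Strict-Transport-Security missing")
    elif age < ONE_YEAR:
        findings.append(f"HSTS max-age {age} is below one year")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no framing protection (X-Frame-Options or CSP frame-ancestors)")

    xss = h.get("x-xss-protection", "").strip()
    if xss and not xss.startswith("0"):
        findings.append("X-XSS-Protection enables the legacy browser filter; set it to 0 and rely on CSP")

    if "no-store" not in h.get("cache-control", "").lower():
        findings.append("Cache-Control lacks no-store; API responses may be cached")

    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print("-", finding)
```

Run against the table's values the audit reports two items: `style-src` allowing `'unsafe-inline'`, and `X-XSS-Protection: 1; mode=block` still being sent. The same function can be pointed at the `response_headers` object that each action's output example carries, which makes it a cheap post-deployment check that the appliance in front of the connector has not had its hardening headers changed.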
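The List Model Breaches action accepts two mutually redundant time representations (`starttime`/`endtime` in epoch milliseconds, `from`/`to` as formatted timestamps) and notes that `minimal` silently changes its default when any of `starttime`, `from`, `pid`, `uuid`, `pbid` or `did` is supplied. The following is an added example, not code from the connector or from Darktrace, of a small query builder that emits exactly one time representation, validates the numeric IDs, and only sends `minimal` when the caller chose a value. It assumes only what the parameter table states; the helper names, the constructed example window and the decision to send booleans as `true`/`false` query strings are this example's own.

```python
"""Build a validated query for the List Model Breaches action (/modelbreaches).

Added example, not code from the connector or from Darktrace. It relies only
on what the parameter table states: starttime/endtime are millisecond epoch
values sent as strings, from/to are "YYYY-MM-DD HH:MM:SS" timestamps, and
did/pid/pbid are numeric IDs.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

MODELBREACHES_PATH = "/modelbreaches"

# Constructed 24-hour window; it reproduces the starttime/endtime values in the
# page's input example (1704196555000 / 1704282955000).
EXAMPLE_START = datetime(2024, 1, 2, 11, 55, 55, tzinfo=timezone.utc)
EXAMPLE_END = datetime(2024, 1, 3, 11, 55, 55, tzinfo=timezone.utc)


def to_epoch_ms(dt):
    """Milliseconds since 1970-01-01T00:00:00Z as a decimal string.

    Naive datetimes are taken as UTC so a local-time value can never be sent
    by accident.
    """
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return str(int(dt.timestamp() * 1000))


def build_modelbreaches_query(start, end, *, epoch_ms=True, did=None, pid=None,
                              pbid=None, include_acknowledged=False,
                              device_at_top=True, minimal=None):
    """Return the query dict for /modelbreaches covering [start, end).

    Exactly one time representation is emitted (starttime/endtime or from/to),
    so the two can never disagree. ``minimal`` is only sent when the caller
    sets it, because the API defaults it to false whenever starttime, from,
    did, pid, pbid or uuid are present.
    """
    if end <= start:
        raise ValueError("end must be after start")
    query = {}
    if epoch_ms:
        query["starttime"] = to_epoch_ms(start)
        query["endtime"] = to_epoch_ms(end)
    else:
        query["from"] = start.strftime("%Y-%m-%d %H:%M:%S")
        query["to"] = end.strftime("%Y-%m-%d %H:%M:%S")
    for name, value in (("did", did), ("pid", pid), ("pbid", pbid)):
        if value is not None:
            if isinstance(value, bool) or not isinstance(value, int) or value < 0:
                raise ValueError(f"{name} must be a non-negative integer")
            query[name] = value
    # Booleans go on the query string as the literal words true/false (assumption).
    query["deviceattop"] = "true" if device_at_top else "false"
    query["includeacknowledged"] = "true" if include_acknowledged else "false"
    if minimal is not None:
        query["minimal"] = "true" if minimal else "false"
    return query


def query_string(query):
    """Path plus URL-encoded query, in the order the keys were added."""
    return MODELBREACHES_PATH + "?" + urlencode(query)


def last_24h_query(now=None, **kwargs):
    """Breaches from the 24 hours before ``now`` (default: current UTC time)."""
    now = now or datetime.now(timezone.utc)
    return build_modelbreaches_query(now - timedelta(days=1), now, **kwargs)


if __name__ == "__main__":
    print(query_string(build_modelbreaches_query(EXAMPLE_START, EXAMPLE_END, did=1)))
```

Because acknowledged breaches are excluded unless `includeacknowledged` is set, a scheduled pull built this way returns only breaches that still need triage; pass `include_acknowledged=True` when reconciling against a case system.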