Darktrace

Important

Some information in this article relates to a prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.

Darktrace offers cybersecurity AI services to provide preemptive visibility into security posture, real-time detection, and autonomous response to known and unknown threats. You can use the Darktrace plugin with Microsoft Copilot for Security to proactively detect, investigate, and respond to threats across your digital ecosystem.

  • Query Darktrace's rich and high fidelity security data using natural language, streamlining the investigation process and enabling faster threat response.
  • Leverage Copilot's generative AI capabilities to interact with Darktrace's security alerts, device information, and email security insights, enhancing the overall understanding of your security landscape.
  • Gain comprehensive visibility into your organization's security posture, including device connections, external endpoints, AI Analyst incidents, and email-related threats.

By integrating Darktrace's unparalleled AI-driven threat detection and mitigation with Microsoft Copilot for Security, this plugin improves the capabilities of security teams across the board. Obtain real-time insights into possible security incidents, privileged accounts, and unusual user activities through an easy-to-use, natural language interface.

Note

This article contains information about third-party plugins. This is provided to help complete integration scenarios. However, Microsoft does not provide troubleshooting support for third-party plugins. Contact the third-party vendor for support.

Know before you begin

Integration with Copilot for Security requires a Client Credentials Application (CCA). You'll need to take the following steps before using the plugin.

  1. Sign in to your Darktrace Customer Portal and create your CCA. Save the following information to a secure location:

    • Your Darktrace API URL
    • Client ID
    • Client Secret
    • Your Scopes
    • Token Endpoint
  2. Sign in to Microsoft Copilot for Security.

  3. Access Manage Plugins by selecting the Plugin button from the prompt bar.

  4. Next to Darktrace, select the toggle to enable it.

  5. In the settings pane for the plugin, provide the information you saved from step 1.

  6. Save your changes.

Sample Darktrace prompts

After the Darktrace plugin is configured, you can use it by typing Darktrace in your Copilot for Security prompt bar, followed by an action. The following table lists example prompts to try.

Capability: Get Model Breaches
  • What were the top 5 high-scoring Darktrace alerts in the last week?
  • Show me all the model breaches involving device ID 500 in the past month from Darktrace.
  • Retrieve the model breach information for pbid 1234 and explain what occurred.
  • Display Darktrace model breaches for subnet ID 250 with a minimum score of 0.7 in the last 72 hours.

Capability: Get Model Breach Comments
  • What are the latest comments on the Darktrace model breach with pbid 4567?
  • Has anyone added any valuable information to the model breach with pbid 1234 in Darktrace?

Capability: Get AI Analyst Incident Groups
  • Show me the Darktrace AI Analyst incidents with a score higher than 90 from the past week.
  • List all critical incidents involving device ID 1500 in the last month from Darktrace.
  • Retrieve incidents associated with subnet ID 300 in the past 7 days from Darktrace and display them in the German language.
  • Are there any Darktrace AI Analyst incidents with the unique identifier "abcd-1234-efgh-5678" in the system?

Capability: Get AI Analyst Incident Events
  • Give me a detailed breakdown of the Darktrace incident with groupid "g04a3f36e-4u8w-v9dh-x6lb-894778cf9633".
  • Show me more information about this Darktrace incident in Spanish.
  • What are the Darktrace AI Analyst events for device ID 1000 that are part of critical incidents?

Capability: Get AI Analyst Incident Comments
  • What are the recent comments on the Darktrace AI Analyst event with incident_id "04a3f36e-4u8w-v9dh-x6lb-894778cf9633"?
  • Has anyone from the security team added any context to this Darktrace incident?

Capability: Get Device Information
  • Can you provide detailed information about device ID 1234 from Darktrace, including any tags associated with it?
  • What is the current IP address of device ID 9 in the Darktrace system?
  • Retrieve the device information for the entity with MAC address "AA:BB:CC:DD:EE:FF" from Darktrace.

Capability: Search Devices
  • Find all devices in subnet 10.0.1.0/24 with a "Respond" tag and sort them by last seen using Darktrace.
  • Has Darktrace seen a laptop with the IP address 8.8.8.8?
  • Show me a list of devices that could be owned by "sarah" in Darktrace, sorted by last seen activity.

Capability: Format Model Breaches as Table
  • Get me high scoring model alerts from Darktrace in the past week, format the results as a table, and give me definitions of any complex terminology.
  • Display all Darktrace model breaches involving device ID 250 in the past month in a table format, and include a column with descriptions of the breach categories.
  • Present Darktrace model breaches for subnet ID 100 with a minimum score of 0.8 in the last 72 hours as a table, and include a column with the involved devices' hostnames.

Capability: Analyze AI Analyst Incident Trends
  • What are the common themes among the Darktrace AI Analyst incidents with a score higher than 90 from the past month?
  • Analyze the Darktrace AI Analyst incidents involving device ID 1500 in the last month and identify any patterns or trends in the security events.
  • Are there any recurring issues or attack vectors in the Darktrace AI Analyst incidents associated with subnet ID 200 in the past 7 days?

Capability: Investigate AI Analyst Incident Event
  • Can you provide a detailed analysis of the Darktrace AI Analyst event with incident_id "04a3f36e-4u8w-v9dh-x6lb-894778cf9633" and suggest possible mitigations?
  • Investigate the Darktrace AI Analyst event with incident_id "04a3f36e-4u8w-v9dh-x6lb-894778cf9633" in depth and provide a report on its potential impact on our network.

Capability: Device Owner Identification
  • Can you identify the owner of the device with IP address 8.8.8.8 in Darktrace based on its activity patterns and associated user accounts?
  • Determine the likely owner of the device with MAC address "AA:BB:CC:DD:EE:FF" in Darktrace by analyzing its usage patterns and associated services.

Troubleshooting the Darktrace plugin

Timestamp Support

To filter data to a specific time frame, this plugin may require timestamps in Epoch/UNIX format rather than human-readable dates. To convert the relevant time frame into that format, use a service such as https://epochconverter.com or https://unixtime.org.
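As an added example, not part of the original article or of Darktrace's or Microsoft's own tooling, the following Python helpers produce the Epoch/UNIX values for a window such as "the last 72 hours" offline, without a web converter. Two things go wrong most often when people hand-build these values, so the helpers guard against them: a naive (timezone-less) datetime is silently interpreted in the machine's local zone, so everything here is forced to UTC; and some APIs expect seconds while others expect milliseconds, so `normalize_to_seconds` recognises a millisecond value by its magnitude. The page does not state which unit the plugin uses, so the seconds-vs-milliseconds handling is an assumption to verify against the Darktrace API documentation.

```python
from datetime import datetime, timedelta, timezone

# Values above this are assumed to be milliseconds (13-digit epochs); seconds
# will not reach 10^11 until the year 5138. This threshold is an assumption.
MILLIS_THRESHOLD = 10**11


def window_epoch(hours_back, now=None):
    """Return (start, end) as integer UNIX seconds for the last `hours_back` hours.

    `now` may be supplied (timezone-aware) for reproducible results; it defaults
    to the current UTC time. Naive datetimes are rejected rather than guessed.
    """
    end = now if now is not None else datetime.now(timezone.utc)
    if end.tzinfo is None:
        raise ValueError("`now` must be timezone-aware to avoid local-zone drift")
    start = end - timedelta(hours=hours_back)
    return int(start.timestamp()), int(end.timestamp())


def iso_to_epoch(iso_str):
    """Convert an ISO-8601 string to UNIX seconds.

    A trailing 'Z' is accepted on Python versions where fromisoformat() does
    not understand it, and a string with no offset is treated as UTC.
    """
    text = iso_str.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def epoch_to_iso(epoch_seconds):
    """Render UNIX seconds back to an ISO-8601 UTC string, for checking a value."""
    dt = datetime.fromtimestamp(int(epoch_seconds), tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalize_to_seconds(value):
    """Accept an epoch in seconds or milliseconds and return seconds.

    Useful when copying a value out of another tool that emits milliseconds.
    """
    value = int(value)
    if value < 0:
        raise ValueError("negative epoch values are not supported")
    return value // 1000 if value >= MILLIS_THRESHOLD else value


if __name__ == "__main__":
    # Constructed reference point: 2024-01-01T00:00:00Z
    ref = datetime(2024, 1, 1, tzinfo=timezone.utc)
    start, end = window_epoch(72, now=ref)
    print(f"last 72h window: start={start} ({epoch_to_iso(start)}) "
          f"end={end} ({epoch_to_iso(end)})")
    print("2024-06-15T12:30:00Z ->", iso_to_epoch("2024-06-15T12:30:00Z"))
    print("1704067200000 ms -> seconds:", normalize_to_seconds(1704067200000))
```

Paste the start and end values into the prompt (or keep them in a notebook alongside the investigation) so that the time window you asked Copilot for Security about is exactly the window the plugin queried; `epoch_to_iso` lets you confirm a value before using it.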

Provide feedback

To provide feedback, contact Darktrace.

See also

Other plugins for Microsoft Copilot for Security

Manage plugins in Microsoft Copilot for Security