Integrate Darktrace ActiveAI Security Platform with Red Canary
    • 28 Oct 2025


    Integrate your Darktrace ActiveAI Security Platform with Red Canary to forward alert data, which our Threat Hunters can then use as an alert source. The integration setup includes the following steps:

    1. Adding the integration in Red Canary

    2. Generating a unique collector

    3. Configuring your Darktrace ActiveAI Security Platform settings to forward alerts to Red Canary via the collector

    4. Activating the integration

    Prerequisites

    Before you start the Darktrace integration, please make sure the following requirements are met:

    • You’re an admin-level user logged into your Darktrace ActiveAI Security Platform

    1 Red Canary | Add the Integration

    1. In your Red Canary portal, go to the Integrations page and click Add Integration.

    2. Search for “Darktrace ActiveAI Security Platform” and click Configure.

    3. From the Ingest Format/Method dropdown, select one of the following options:

      • Darktrace ActiveAI Security Platform via Email: The preferred method, offering enhanced data parsing.

      • Darktrace ActiveAI Security Platform via HTTP: An alternative option. It is supported, but not recommended because support for it is limited.

    4. If you selected the email ingestion method, check the Require alerts to be delivered for ingest over TLS? box.

    5. Click Provision. This will create a unique collector used to forward your Darktrace alerts to Red Canary.

    6. Copy the generated collector.

    2 Darktrace ActiveAI Security Platform | Configure Darktrace Settings

    1. In your Darktrace ActiveAI Security Platform, go to Admin > System Config and click Modules.

    2. Scroll down to Workflow Integrations and click Email.

    3. Under the Settings tab:

      • Enable the Send Alerts option.

      • In the Recipients field, paste your Red Canary collector email.

      • In the Custom Label field, enter “Red Canary SOC”.

      • Enable the JSON Format option.

      • Enable the Send AI Analysts Alerts option.

      • In the Minimum AI Analyst Incident Event Score field, enter “0”.

      • In the Minimum AI Analyst Incident Score field, enter “20”.

      • Enable the Send Model Breach Alerts option.

      • Enable the Send System Status Alerts option.

      • Enable the Send Resolved System Status Alerts option.

      • Enable the Send RESPOND Alerts option.

    3 Red Canary | Activate the Integration

    1. In Red Canary, check the I’ve configured this integration to send data to Red Canary box and click Next.

    2. (Optional) Check the Process Correlation box if appropriate.

      What is Process Correlation?

      If a third-party alert platform lets you create your own rules to trigger alerts, Red Canary can correlate with the rule metadata when it displays the alerts in the timeline. To conserve API bandwidth and compute cycles, process correlation for user-defined alerts is disabled by default.

    3. (Optional) If you have a subscription for Red Canary Security Data Lake, check the Store in the Security Data Lake box and specify the data retention period.

    4. Click Save.

    To view alert data, click the newly created Darktrace ActiveAI Security Platform integration at the bottom of the Integrations page. You should start seeing new alert data around 15 to 30 minutes after completing the steps above. If you’re still not seeing data, contact Support.

