What Changed
Darktrace introduces a comprehensive Codeless Connector Framework (CCF) integration to replace its deprecated REST API connector. The new connector ingests data into six custom tables: ASM, Email, Incidents, Model Alerts, Response Actions, and System Status Alerts. All legacy content is now labeled “(Legacy)”, while new detections target the CCF data streams.
New CCF Connector Architecture
The connector uses Data Collection Rule (DCR)-based ingestion with six distinct data streams:
- DarktraceASM_CL: Attack Surface Management events
- DarktraceEMAIL_CL: Email security events and threats
- DarktraceIncidents_CL: AI Analyst incident data
- DarktraceModelAlerts_CL: Behavioral model breach alerts
- DarktraceResponseActions_CL: Autonomous response actions taken
- DarktraceSystemStatusAlerts_CL: Platform health and status events
Each stream includes structured field mapping with proper timestamp handling via TimeGenerated fields.
Detection Coverage
Two new analytic rules target the CCF data:
- DarktraceIncidentEvent: Creates incidents from AI Analyst findings in DarktraceIncidents_CL
- DarktraceModelAlert: Processes behavioral model alerts from DarktraceModelAlerts_CL
Legacy detections remain active but are now clearly marked for eventual deprecation.
MITRE Mapping
The updated detections include expanded MITRE ATT&CK coverage:
- T1021 (Remote Services)
- T1059 (Command and Scripting Interpreter)
- T1071 (Application Layer Protocol)
- T1082 (System Information Discovery)
- T1190 (Exploit Public-Facing Application)
- T1498 (Network Denial of Service)
Security Impact
Organizations using the legacy REST API connector should migrate to CCF to maintain data ingestion after the deprecation timeline. The new connector provides enhanced data fidelity across multiple Darktrace product areas, including email security, attack surface management, and autonomous response tracking.
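After migrating, a query such as the following can confirm that each of the six CCF tables is receiving data. It is an added example, not part of the Darktrace solution content; it references only the table names and the TimeGenerated field listed above, and the 24-hour lookback and 6-hour staleness threshold are assumed values to tune per environment.

```kql
// Added example: ingestion health check for the six CCF custom tables.
// Assumptions: 24h lookback and 6h staleness threshold (tune per stream).
let lookback = 24h;
let stale_after = 6h;
// Tables the CCF connector is expected to populate.
let expected = datatable(TableName: string) [
    "DarktraceASM_CL",
    "DarktraceEMAIL_CL",
    "DarktraceIncidents_CL",
    "DarktraceModelAlerts_CL",
    "DarktraceResponseActions_CL",
    "DarktraceSystemStatusAlerts_CL"
];
// isfuzzy=true tolerates tables that do not exist yet,
// as long as at least one of the six resolves.
let observed =
    union isfuzzy=true withsource=TableName
        DarktraceASM_CL,
        DarktraceEMAIL_CL,
        DarktraceIncidents_CL,
        DarktraceModelAlerts_CL,
        DarktraceResponseActions_CL,
        DarktraceSystemStatusAlerts_CL
    | where TimeGenerated > ago(lookback)
    | summarize Events = count(), LastEvent = max(TimeGenerated) by TableName;
// Left-join so that tables with no rows still appear in the result.
expected
| join kind=leftouter observed on TableName
| extend Events = coalesce(Events, 0)
| extend Status = case(
    Events == 0, "NoData",
    LastEvent < ago(stale_after), "Stale",
    "OK")
| project TableName, Events, LastEvent, Status
| order by Status asc, TableName asc
```

Low-volume streams such as ASM or system status alerts can legitimately report NoData over a short window, so widen the lookback for those before treating the result as an ingestion failure.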
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json
.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json
.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json
.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json
.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json
.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json
.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
Logos/Darktrace.svg
Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json
Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml
Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
Solutions/Darktrace/Data Connectors/DarktraceConnectorRESTAPI.json
Solutions/Darktrace/Data Connectors/ccf/DarktraceASM_CL.json
Solutions/Darktrace/Data Connectors/ccf/DarktraceEMAIL_CL.json
Solutions/Darktrace/Data Connectors/ccf/DarktraceIncidents_CL.json
Solutions/Darktrace/Data Connectors/ccf/DarktraceModelAlerts_CL.json
Solutions/Darktrace/Data Connectors/ccf/DarktraceResponseActions_CL.json
Solutions/Darktrace/Data Connectors/ccf/DarktraceSystemStatusAlerts_CL.json
Solutions/Darktrace/Data Connectors/ccf/Darktrace_ConnectorDefinition.json
Solutions/Darktrace/Data Connectors/ccf/Darktrace_DCR.json
Solutions/Darktrace/Data Connectors/ccf/Darktrace_DataConnector.json
Solutions/Darktrace/Package/testParameters.json
Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatformWorkbook.json
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack01.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack02.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack03.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack04.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack05.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack06.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack07.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite01.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite02.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite03.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite04.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite05.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite06.png
Solutions/Darktrace/Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite07.png
Tools/Solutions Analyzer/solutions.csv
Tools/Solutions Analyzer/solutions_connectors_tables_mapping.csv
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack01.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack02.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack03.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack04.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack05.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack06.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookBlack07.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite01.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite02.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite03.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite04.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite05.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite06.png
Workbooks/Images/Preview/DarktraceActiveAISecurityPlatformWorkbookWhite07.png
Workbooks/WorkbooksMetadata.json
(packaging artefacts: 3.0.0.zip, 3.0.2.zip, ReleaseNotes.md, SolutionMetadata.json, Solution_AIAnalystDarktrace.json, Solution_DarktraceEnterpriseImmuneSystem.json, createUiDefinition.json, mainTemplate.json)