Darktrace is an Intrusion Detection System (IDS) that leverages machine learning to detect emerging threats, including insider threats, low-and-slow attacks, and automated viruses.
Step 1: Enable console access
Having read-only access to the interface of your technology allows Expel to dig deeper when performing incident investigations. Our device health team uses this access to investigate potential health issues with your tech.
Expel requires a Darktrace user account to review Alerts and Models within the console.
How to set up the user account
- From the menu located at the top left, select Add New User.
- Username: Expel.
- Password: Set a temporary password — this is changed on initial login.
- Account Permissions: Select all available permissions, except User Admin or Group Admin. These can be left cleared.
- Click OK.
Step 2: Generate API credentials
To integrate the technology with Expel, we need to create secure credentials for the API. Depending on the permissions allowed in Step 1, Expel may be able to generate API credentials. If you're unsure, reach out to your Expel Customer Success Engineer, or email firstname.lastname@example.org.
- Log in to the Darktrace console.
- Navigate to Admin > System Config.
- Near the bottom of the page, under API Token, click New.
- The Darktrace system generates a Token and a Private Token. The Private Token can only be seen 1 time, when the token pair is initially generated. Make note of both tokens for onboarding in Expel Workbench. The system can only have 1 token pair, so if one already exists and you don't have a record of it, you must generate another token pair.
Caution: If a replacement Token pair is generated, other clients using the API need to be reconfigured with the new credentials.
Step 3: Configure the technology in Workbench
Now that the correct access is configured and the credentials are noted, we can integrate your tech with Expel.
Register device in Expel Workbench
- In a new browser tab, log in to https://workbench.expel.io.
- On the console page, navigate to Settings and click Security Devices.
- At the top right of the page, select Add Security Device.
- Search for and select your technology.
- Select an Assembler from the list. Select the assembler you set up in Step 2 of the Getting Started with Expel guide.
- Enter Name and Location.
- For Private key, enter the private token used to authenticate to the device from Step 2.
- For Public key, enter the API token used to authenticate to the device from Step 2.
- For Server address, enter the server address of the vendor’s server, which must include the port. For example: https://127.0.0.1:443 or myvendordevice.acme.com:443.
- Click Save.
After a few minutes, refresh the Security Devices page. The device status should report as Healthy; if there is an issue, the page shows details of what the issue may be.
To check if alerts are coming through, navigate to Alerts on the console page. Click the icon in the upper right to switch to grid view, then check the list for device alerts.
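A pre-flight check for the Server address field in the registration steps above, as an added example (not Expel or Darktrace code): it accepts both forms the guide shows and rejects an address that lacks an explicit port. The function name, the choice to accept only https, and the rejection of embedded credentials or paths are assumptions of this example.

```python
from urllib.parse import urlsplit


def normalize_server_address(value: str) -> str:
    """Return 'https://host:port' for a valid address, else raise ValueError.

    Accepts the two forms shown in the guide: with a scheme
    (https://127.0.0.1:443) and without one (myvendordevice.acme.com:443).
    """
    raw = value.strip()
    if not raw:
        raise ValueError("server address is empty")
    # urlsplit() does not find a host in a bare 'host:443', so add a
    # scheme before parsing when the input has none.
    candidate = raw if "://" in raw else "https://" + raw
    parts = urlsplit(candidate)
    # Assumption of this example: only https is accepted, matching the
    # guide's sample address.
    if parts.scheme != "https":
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    # The tokens belong in the Private key / Public key fields, never in the URL.
    if parts.username or parts.password:
        raise ValueError("credentials must not be embedded in the address")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("address must contain only host and port")
    try:
        port = parts.port  # raises ValueError if non-numeric or out of range
    except ValueError as exc:
        raise ValueError(f"invalid port in {raw!r}") from exc
    if not port:
        raise ValueError("port is required, for example host:443")
    host = parts.hostname
    if not host:
        raise ValueError("host is missing")
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    return f"https://{host}:{port}"


# Constructed sample inputs: the first two are the guide's own examples.
SAMPLES = ["https://127.0.0.1:443", "myvendordevice.acme.com:443",
           "myvendordevice.acme.com", "https://token:secret@10.0.0.5:443"]

if __name__ == "__main__":
    for sample in SAMPLES:
        try:
            print(f"{sample!r:40} -> {normalize_server_address(sample)}")
        except ValueError as err:
            print(f"{sample!r:40} -> rejected: {err}")
```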