
Overview of the Darktrace DETECT integration

You can integrate Darktrace DETECT with Sophos Central so that it sends alerts to Sophos for analysis.

This page gives you an overview of the integration.

Darktrace DETECT product overview

Darktrace DETECT uses artificial intelligence to detect, investigate, and respond to cyber threats in real time. It learns the 'pattern of life' of each network, device, and user, and flags anomalies that indicate potential threats. By continuously monitoring all digital interactions, it offers early threat detection and autonomous response capabilities.

Sophos documents

Integrate Darktrace DETECT

What we ingest

Sample alerts seen by Sophos:

  • System/Device Modelling Change
  • Anomalous Connection/Active Remote Desktop Tunnel
  • Compromise/Repeating Connections Over 4 Days
  • SaaS/Admin/Anomalous M365 Device Changes
  • Extensive Unusual WinRM Connections

Alerts ingested in full

We recommend that you maximize the alerts forwarded to Sophos. Set Minimum AI Analyst Incident Event Score and Minimum AI Analyst Incident Score to 0, so that incidents and events are forwarded regardless of their score. See Integrate Darktrace DETECT.

Filtering

We accept only messages in standard CEF format. Messages that are not valid CEF are not processed.

Sample threat mappings

To derive the alert type, we sanitise the CEF name field (cef.name) and map the result to a MITRE ATT&CK technique (threatId and threatName).

Sample mappings:

{"alertType": "System/System", "threatId": "T1542.001", "threatName": "System Firmware"}
{"alertType": "System/Internal Domain Name Change", "threatId": "T1484.001", "threatName": "Group Policy Modification"}
{"alertType": "Anomalous Connection/High DGA Low DNS TTL", "threatId": "T1568.002", "threatName": "Domain Generation Algorithms"}
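The following is an added example, not code from Sophos or Darktrace, showing how the filtering and mapping steps above fit together: a syslog line is accepted only if it carries a well-formed CEF header, the name field is extracted (honouring CEF's `\|` and `\\` escapes), sanitised, and looked up in the sample mappings from this page. The page does not say what sanitisation Sophos applies, so `sanitise_name` (strip control characters, collapse whitespace, trim) is an assumption, and the sample log lines, vendor/product fields and extension values are constructed for the example.

```python
import re

# Sample threat mappings copied from this page (alertType -> MITRE ATT&CK technique).
SAMPLE_MAPPINGS = [
    {"alertType": "System/System", "threatId": "T1542.001", "threatName": "System Firmware"},
    {"alertType": "System/Internal Domain Name Change", "threatId": "T1484.001", "threatName": "Group Policy Modification"},
    {"alertType": "Anomalous Connection/High DGA Low DNS TTL", "threatId": "T1568.002", "threatName": "Domain Generation Algorithms"},
]
MAPPING_BY_ALERT_TYPE = {m["alertType"]: m for m in SAMPLE_MAPPINGS}

# CEF header layout: CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
CEF_HEADER_FIELDS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")


def parse_cef(line):
    """Return a dict of CEF header fields plus the raw extension, or None if the line is not valid CEF.

    Handles a syslog prefix before 'CEF:' and the header escapes '\\|' and '\\\\'.
    """
    start = line.find("CEF:")
    if start < 0:
        return None
    parts, buf, i = [], [], start + len("CEF:")
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1])  # escaped pipe or backslash inside a header field
            i += 2
            continue
        if ch == "|":
            parts.append("".join(buf))
            buf = []
            i += 1
            continue
        buf.append(ch)
        i += 1
    if len(parts) < 7 or not parts[0].isdigit():
        return None  # too few header fields, or a non-numeric CEF version
    record = dict(zip(CEF_HEADER_FIELDS, parts))
    record["extension"] = line[i:]
    return record


def sanitise_name(name):
    """Assumed sanitisation: drop control characters, collapse whitespace, trim the ends."""
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)
    return re.sub(r"\s+", " ", name).strip()


def map_alert(line):
    """Filter one message (CEF only), derive alertType from cef.name, and attach the threat mapping."""
    record = parse_cef(line)
    if record is None:
        return None
    alert_type = sanitise_name(record["name"])
    mapping = MAPPING_BY_ALERT_TYPE.get(alert_type)
    return {
        "alertType": alert_type,
        "threatId": mapping["threatId"] if mapping else None,
        "threatName": mapping["threatName"] if mapping else None,
    }


def map_alerts(lines):
    """Apply map_alert to a batch and drop anything that failed the CEF filter."""
    return [result for result in (map_alert(line) for line in lines) if result is not None]


# Constructed sample input: two Darktrace-style CEF lines (vendor/product/extension values are invented),
# one non-CEF syslog line, and one line with an escaped pipe in the name field.
SAMPLE_LINES = [
    "<13>Jan 10 12:00:00 dt-master CEF:0|Darktrace|Darktrace|6.1|anomalous_connection|Anomalous Connection/High DGA Low DNS TTL |5|src=10.0.0.5 dst=203.0.113.9",
    "CEF:0|Darktrace|Darktrace|6.1|system|System/Internal Domain Name Change|3|shost=dc01",
    "<13>Jan 10 12:00:01 dt-master darktrace: plain text alert that is not CEF",
    "CEF:0|Vendor|Prod|1|id|Name with \\| pipe|1|",
]

if __name__ == "__main__":
    for result in map_alerts(SAMPLE_LINES):
        print(result)
```

The first sample line keeps its syslog prefix and a trailing space in the name field; both are handled, so it still resolves to T1568.002. The third line has no CEF header and is dropped by the filter, and the fourth line parses but has no entry in the sample mappings, so it is returned with a null threatId rather than being silently discarded.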