Darktrace / EMAIL protects against sophisticated email-based attacks such as phishing, supply chain compromise, account takeover, and social engineering. More information can be found in Darktrace's official documentation.
Integration Method: API
Tables: Email Activity (4009), Detection Finding (2004)
This integration supports the following events.
| Event | Description |
|---|---|
| Email Security | Reports threat detection and email activities that were part of the security findings |
This integration supports the following versions.
| Darktrace Email Security version | v1 |
Note:
Darktrace Email Security is a continuously updated SaaS platform. As of this document's preparation, the latest release was in May 2025.
Prerequisites
Access to the DataBee console
Access to the Darktrace console with Administrator privileges
Configuration Overview
Generate an API Key from the Darktrace dashboard.
Add the Darktrace Email Security data feed in the DataBee console with the parameters below.

| DataBee Parameter | Darktrace Parameter |
|---|---|
| Integration Key | API Key |
| Secret Key | Secret |
| Instance | IP or FQDN of the Darktrace instance, for example, https://euw1-1234-01.cloud.darktrace.com |
Darktrace Email Configuration
API tokens will be generated on a per-user basis. For more information, click here.
To generate the per-user token, the user must first be granted permission to access the API.
API tokens can only be created by local users - those created within the Threat Visualizer - and are not available to users created via LDAP or SAML SSO.
On the Threat Visualizer of the instance you wish to request data from, navigate to the permissions Admin page (Main Menu > Admin) as a user who can modify the user intended for API access. Select the Created Accounts tab.
Locate the user and click the pen icon to edit. On the Flags step, turn on API Access. Save the changes.
As the user intended for API access, access the Threat Visualizer or Darktrace ⁄ IDENTITY Console (formerly SaaS Console). If already logged in, a logout/login is recommended to refresh the permissions. Navigate to Account Settings from the main menu.
Locate the API Access button and click on it.
In the popup, click New. Two values will be displayed, a Public and Private token; the Private token will not be displayed again.
Both tokens are required to generate the DT-API Signature value, which must be passed with every API request made to the appliance, so make sure you record them securely.
The API endpoints accessible by user tokens are restricted to those the user can access in the Threat Visualizer user interface. Please see Minimum Required Permissions for API Endpoints for more information.
DataBee Configuration
Log in to the DataBee UI, navigate to Data > Data Feeds and click the Add New Data Feed button.

Search for Darktrace Email Security and click on it.

Click on the API Ingest option for the collection method.

Enter feed contact information and click Next.

In the configuration page, confirm the following:
Authorization Method: HMAC Auth
API Base URL: This is the base URL DataBee will interact with. The <instance> placeholder must be replaced with the IP or FQDN of the Darktrace instance.
Integration Key: Paste the previously generated API key
Secret Key: Paste the previously generated Secret
Event Types: Preselected for all the event types that the integration pulls

Click Submit.
Troubleshooting Tips
Ensure that the Integration Key and Secret Key are pasted correctly. Since the API secret cannot be viewed after it is first displayed, re-create the API Key, paste it into a text editor to ensure no spaces or unexpected characters are included, and reconfigure the DataBee feed.
Ensure the Darktrace scopes/permissions are correct.
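The per-request signature described under Darktrace Email Configuration and the paste check from the first troubleshooting tip, as an added example that is not DataBee or Darktrace code. It assumes the scheme in Darktrace's public API guide (HMAC-SHA1 over the request, public token and date joined by newlines, keyed with the private token, sent as `DTAPI-Token`, `DTAPI-Date` and `DTAPI-Signature`), which should be confirmed against that guide; the tokens and request path are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timezone


def clean_token(name, value):
    """Reject a pasted token carrying spaces, control or non-ASCII characters."""
    if not value:
        raise ValueError(f"{name} is empty")
    bad = [c for c in value if not 33 <= ord(c) <= 126]
    if bad:
        raise ValueError(f"{name} has {len(bad)} unexpected character(s); paste it again")
    return value


def signed_headers(public_token, private_token, request, date=None):
    """Return the authentication headers for one request.

    request is the path and query string exactly as it will be sent.
    """
    public_token = clean_token("public token", public_token)
    private_token = clean_token("private token", private_token)
    # Assumed timestamp format; the value must match the DTAPI-Date header sent.
    date = date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S")
    # Assumed scheme: HMAC-SHA1 keyed with the private token over three
    # newline-joined fields, hex encoded.
    message = f"{request}\n{public_token}\n{date}"
    signature = hmac.new(
        private_token.encode("ascii"), message.encode("ascii"), hashlib.sha1
    ).hexdigest()
    return {
        "DTAPI-Token": public_token,
        "DTAPI-Date": date,
        "DTAPI-Signature": signature,
    }


if __name__ == "__main__":
    # Constructed placeholder tokens and path, not real credentials or endpoints.
    for key, value in signed_headers(
        "PUBLIC-TOKEN-PLACEHOLDER",
        "PRIVATE-TOKEN-PLACEHOLDER",
        "/example/endpoint?limit=1",
        date="20250501T120000",
    ).items():
        print(f"{key}: {value}")
```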