ブログ
/
Endpoint
/
December 12, 2022

ML Integration for Third-Party EDR Alerts

The advantages and benefits of combining EDR technologies with Darktrace: how this integration can enhance your cybersecurity strategy.
Written by
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Default blog image
12
Dec 2022

This blog demonstrates how we use EDR integration in Darktrace for detection & investigation. We’ll look at four key features, which are summarized with an example below:  

1)    Contextualizing existing Darktrace information – E.g. ‘There was a Microsoft Defender for Endpoint (MDE) alert 5 minutes after Darktrace saw the device beacon to an unusual destination on the internet. Let me pivot back into the Defender UI’
2)    Cross-data detection engineering‘Darktrace, create an alert or trigger a response if you see a specific MDE alert and a native Darktrace detection on the same entity over a period of time’
3)    Applying unsupervised machine learning to third-party EDR alerts ‘Darktrace, create an alert or trigger a response if there is a specific MDE alert that is unusual for the entity, given the context’
4)    Use third-party EDR alerts to trigger AI Analyst ‘AI Analyst, this low-fidelity MDE alert flagged something on the endpoint. Please take a deep look at that device at the time of the Defender alert, conduct an investigation on Darktrace data and share your conclusions about whether there is more to it or not’ 

MDE is used as an example above, but Darktrace’s EDR integration capabilities extend beyond MDE to other EDRs as well, for example to Sentinel One and CrowdStrike EDR.

Darktrace brings its Self-Learning AI to your data, no matter where it resides. The data can be anywhere – in email environments, cloud, SaaS, OT, endpoints, or the network, for example. Usually, we want to get as close to the raw data as possible to get the maximum context for our machine learning. 

We will explain how we leverage high-value integrations from our technology partners to bring further context to Darktrace, but also how we apply our Self-Learning AI to third-party data. While there are a broad range of integrations and capabilities available, we will primarily look at Microsoft Defender for Endpoint, CrowdStrike, and SentinelOne and focus on detection in this blog post. 

The Nuts and Bolts – Setting up the Integration

Darktrace is an open platform – almost everything it does is API-driven. Our system and machine learning are flexible enough to ingest new types of data & combine it with already existing information.  

The EDR integrations mentioned here are part of our 1-click integrations. All it requires is the right level of API access from the EDR solutions and the ability for Darktrace to communicate with the EDR’s API. This type of integration can be setup within minutes – it currently doesn’t require additional Darktrace licenses.

Figure 1: Set-up of Darktrace Graph Security API integration

As soon as the setup is complete, it enables various additional capabilities. 
Let’s look at some of the key detection & investigation-focussed capabilities step-by-step.

Contextualizing Existing Darktrace Information

The most basic, but still highly-useful integration is enriching existing Darktrace information with EDR alerts. Darktrace shows a chronological history of associated telemetry and machine learning for each entity observed in the entities event log. 

With an EDR integration enabled, we now start to see EDR alerts for the respective entities turn up in the entity’s event log at the correct point in time – with a ton of context and a 1-click pivot back to the native EDR console: 

Figure 2: A pivot from the Darktrace Threat Visualizer to Microsoft Defender

This context is extremely useful to have in a single screen during investigations. Context is king – it reduces time-to-meaning and skill required to understand alerts.

Cross-Data Detection Engineering

When an EDR integration is activated, Darktrace enables an additional set of detections that leverage the new EDR alerts. This comes out of the box and doesn’t require any further detection engineering. It is worth mentioning though that the new EDR information is being made available in the background for bespoke detection engineering, if advanced users want to leverage these as custom metrics.

The trick here is that the added context provided by the additional EDR alerts allows for more refined detections – primarily to detect malicious activity with higher confidence. A network detection showing us beaconing over an unusual protocol or port combination to a rare destination on the internet is great – but seeing within Darktrace that CrowdStrike detected a potentially hostile file or process three minutes prior to the beaconing detection on the same device will greatly help to prioritize the detections and aid a subsequent investigation.

Here is an example of what this looks like in Darktrace:

Figure 3: A combined model breach in the Threat Visualizer

Applying Unsupervised Machine Learning to Third-Party EDR Alerts


Once we start seeing EDR alerts in Darktrace, we can start treating it like any other data – by applying unsupervised machine learning to it. This means we can then understand how unusual a given EDR detection is for each device in question. This is extremely powerful – it allows to reduce noisy alerts without requiring ongoing EDR alert tuning and opens a whole world of new detection capabilities.

As an example – let’s imagine a low-level malware alert keeps appearing from the EDR on a specific device. This might be a false-positive in the EDR, or just not of interest for the security team, but they may not have the resources or knowledge to further tune their EDR and get rid of this noisy alert.

While Darktrace keeps adding this as contextual information in the device’s event log, it could, depending on the context of the device, the EDR alert, and the overall environment, stop alerting on this particular EDR malware alert on this specific device if it stops being unusual. Over time, noise is reduced across the environment – but if that particular EDR alert appears on another device, or on the same device in a different context, it might get flagged again, as it now is unusual in the given context.

Darktrace then goes a step further, taking those unusual EDR alerts and combining them with unusual activity seen in other Darktrace coverage areas, like the network for example. Combining an unusual EDR alert with an unusual lateral movement attempt, for example, allows it to find these combined, high-precision, cross-data set anomalous events that are highly indicative of an active cyber-attack – without having to pre-define the exact nature of what ‘unusual’ looks like.

Figure 4: Combined EDR & network detection using unsupervised machine learning in Darktrace

Use Third-Party EDR Alerts to Trigger AI Analyst

Everything we discussed so far is great for improving precision in initial detections, adding context, and cutting through alert-noise. We don’t stop there though – we can also now use the third-party EDR alerts to trigger our investigation engine, the AI Analyst.

Cyber AI Analyst replicates and automates typical level 1 and level 2 Security Operations Centre (SOC) workflows. It is usually triggered by every native Darktrace detection. This is not a SOAR where playbooks are statically defined – AI Analyst builds hypotheses, gathers data, evaluates the data & reports on its findings based on the context of each individual scenario & investigation. 

Darktrace can use EDR alerts as starting points for its investigation, with every EDR alert ingested now triggering AI Analyst. This is similar to giving a (low-level) EDR alert to a human analyst and telling them: ‘Go and take a look at information in Darktrace and try to conclude whether there is more to this EDR alert or not.’

The AI Analyst subsequently looks at the entity which had triggered the EDR alert and investigates all available Darktrace data on that entity, over a period of time, in light of that EDR alert. It does not pivot outside Darktrace itself for that investigation (e.g. back into the Microsoft console) but looks at all of the context natively available in Darktrace. If concludes that there is more to this EDR alert – e.g. a bigger incident – it will report on that and clearly flag it. The report can of course be directly downloaded as a PDF to be shared with other stakeholders.

This comes in handy for a variety of reasons – primarily to further automate security operations and alleviate pressure from human teams. AI Analyst’s investigative capabilities sit on top of everything we discussed so far (combining EDR detections with detections from other coverage areas, applying unsupervised machine learning to EDR detections, …).

However, it can also come in handy to follow up on low-severity EDR alerts for which you might not have the human resources to do so.

The below screenshot shows an example of a concluded AI Analyst investigation that was triggered by an EDR alert:

Figure 5: An AI Analyst incident trained on third-party data

The Impact of EDR Integrations

The purpose behind all of this is to augment human teams, save them time and drive further security automation.

By ingesting third-party endpoint alerts, combining it with our existing intelligence and applying unsupervised machine learning to it, we achieve that further security automation. 

Analysts don’t have to switch between consoles for investigations. They can leverage our high-fidelity detections that look for unusual endpoint alerts, in combination with our already powerful detections across cloud and email systems, zero trust architecture, IT and OT networks, and more. 

In our experience, this pinpoints the needle in the haystack – it cuts through noise and reduces the mean-time-to-detect and mean-time-to-investigate drastically.

All of this is done out of the box in Darktrace once the endpoint integrations are enabled. It does not need a data scientist to make the machine learning work. Nor does it need a detection engineer or threat hunter to create bespoke, meaningful detections. We want to reduce the barrier to entry for using detection and investigation solutions – in terms of skill and experience required. The system is still flexible, transparent, and open, meaning that advanced users can create their own combined detections, leveraging unsupervised machine learning across different data sets with a few clicks.

There are of course more endpoint integration capabilities available than what we covered here, and we will explore these in future blog posts.

執筆者
Max Heinemeyer
Global Field CISO
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO

When Open Source Is Weaponized: Analysis of a Trojanized 7 Zip Installer

Network
May 19, 2026
Justin Torres
Cyber Analyst
Watch the NIS2 Webinar
よく読まれているブログ
1
ダークトレース、2026年度Gartner® CPS Protection Platforms部門のMagic Quadrant™ において唯一のVisionaryの評価を受ける
Mar 20, 2026
2
How Empowering End Users can Improve Your Email Security and Decrease the Burden on the SOC
May 8, 2024
3
Elevating Network Security: Confronting Trust, Ransomware, & Novel Attacks
Jun 21, 2024
4
The State of AI in Cybersecurity: Unveiling Global Insights from 1,800 Security Practitioners
Apr 9, 2024
5
The State of AI in Cybersecurity: The Impact of AI on Cybersecurity Solutions
May 13, 2024

More in this series

No items found.
さらに読む
Endpoint
January 30, 2026

ClearFake: From Fake CAPTCHAs to Blockchain-Driven Payload Retrieval

Darktrace detected a potential ClearFake‑related incident involving signs of EtherHiding activity and interactions with blockchain‑based infrastructure. A single device showed repeated suspicious command‑line behavior, primarily involving Microsoft HTML Application Host. The activity occurred over the course of a day and indicated early‑stage attempts to load malicious content associated with the ClearFake campaign.
Vivek Rajan
Cyber Analyst
Read more
Endpoint
December 1, 2022

Prevent Data Exfiltration & Know When to Respond

Over 300GB of data was exfiltrated from a customer network before Darktrace services intervened. Learn the power of Darktrace in autonomous mode.
Anna Gilbertson
Cyber Security Analyst
Read more
Endpoint
November 23, 2022

How Darktrace Could Have Stopped a Surprise DDoS Incident

Learn how Darktrace could revolutionize DDoS defense, enabling companies to stop threats without 24/7 monitoring. Read more about how we thwart attacks!
Steven Sosa
Analyst Team Lead
Read more

Blog

/

Proactive Security

/

June 3, 2026

Stopping Stealth Attacks with Precision: How Núclea Prevented a Breach Without Disruption

Default blog imageDefault blog image

Núclea is a Brazilian data and technology company that supports the country’s financial system by delivering digital services exclusively to banks and financial institutions. Operating in an environment where trust, availability, and data integrity are critical, the company faces a threat landscape that has evolved rapidly—particularly with the rise of AI-driven cyberattacks.

Brazil has experienced a wave of successful cyber incidents targeting financial institutions, many of them enabled by insiders or compromised credentials. The result was a noticeable shift in attacker strategy: instead of focusing on end customers, threat actors began targeting the institutions and platforms that underpin the financial ecosystem itself.

“Attacks became far more directed and contextual,” explains Guilherme, who leads incident response within Núclea’s security platform engineering team. “They weren’t noisy or obviously malicious—they were precise, patient, and designed to blend into normal operations.”

That precision was on full display in January 2026, when Núclea faced one of the most convincing phishing attacks the team had seen.

A real attack, built on trust and context

The attack began with a seemingly routine email.

It was sent from a real Brazilian government institution, using legitimate infrastructure and valid credentials that were later confirmed to have been compromised. Núclea had an established, ongoing relationship with this organization, and the email’s language, tone, and subject matter aligned perfectly with the type of communication the recipient team handled every day.

Attached to the email was a PDF document containing content that looked entirely legitimate.

The problem? A single URL embedded inside that PDF.

“The message itself was correct. The sender was real. The context was familiar. Even the document content made sense,” Guilherme explains. “There was just one small element that didn’t belong.”

That small detail was enough to initiate a full attack chain.

What the attackers were trying to do

If clicked, the URL would have downloaded a malicious payload designed to:

  • Collect information about the user and device
  • Identify where the system was located within the financial ecosystem
  • Install remote access tools to maintain control
  • Deploy an infostealer to extract sensitive data
  • Execute anti-forensic scripts to erase traces of the intrusion

In other words, it was a carefully engineered operation designed for persistence and stealth, not immediate disruption.

The attack also employed urgency—a classic social engineering technique. When the link didn’t open as expected, employees requested assistance from the security team, insisting the document was important and needed to be accessed quickly.

This is precisely the kind of scenario where traditional security tools struggle: almost everything about the interaction is legitimate.

Where Darktrace made the difference

Instead of blocking the entire message or relying on known indicators of compromise, Darktrace focused on behavioral context.

Darktrace recognized:

  • That the sending organization was normally trusted
  • That the communication pattern matched historical behavior
  • That the PDF content itself was not suspicious

But it also identified that the URL embedded within the document deviated from established behavioral patterns.

Rather than disrupting business operations, Darktrace took precise action: it rewrote the URL, preventing the malicious download while leaving the rest of the email untouched.

“When we analyzed it afterward, it became clear how dangerous the attack would have been,” says Guilherme. “But it never progressed—because Darktrace acted at exactly the right point.”

Subsequent forensic analysis confirmed the payload’s malicious intent. The attack never succeeded.

Precision over disruption

For Núclea, this incident reinforced a critical lesson: modern attacks don’t always look malicious—they hide within normal activity.

“What stands out to me is the precision,” Guilherme says. “Darktrace doesn’t rely on big, obvious signals. It’s effective in situations that fall outside the standard patterns we all know.”

Building resilience in a high trust ecosystem

For Núclea, cybersecurity is not just a defensive measure—it’s a business enabler.

Availability failures or successful breaches in the financial ecosystem can have immediate, large-scale consequences, from financial loss to reputational damage. Preventing those outcomes protects not just Núclea, but its partners and customers as well.

“Cyber resilience means keeping the business running—even under attack,” Guilherme explains. “And that requires people, processes, and technology working together.”

As AI continues to accelerate both attacks and defenses, the role of security is evolving. Precision, behavioral understanding, and intelligent automation are no longer optional—they’re essential.

“The easy days were yesterday,” Guilherme says. “The challenges ahead are bigger. We need to be prepared—internally and with partners that help us build resilience.”

Continue reading
About the author

Blog

/

AI

/

June 2, 2026

効率化の裏にあるリスク:AI導入が製造現場にもたらす見えない脆弱性

Default blog imageDefault blog image

AIエージェントが製造業に与える影響

製造業界のセキュリティチームやIT担当者は、生産を守り、稼働時間を維持し、重要資産を保護するという絶え間ないプレッシャー下にあります。そしてAIは非常に大きなチャンスとともに、新たなサイバーリスクももたらしています。製造業全体で、AIはワークフローや意思決定に組み込まれつつあり、自律型AIエージェントが従業員やシステムに代わって行動する場面が増えています。

エージェント型システムは独立して行動できるため強力ですが、その同じ自律性がサイバーリスク、運用上のリスクも生み出します。エージェントは広範な権限を持ち、複雑なタスクの実行、意思決定、ツールや外部システムとのやり取りを、ほとんどまたは全く人間の介入なしに行うことができます。

あらかじめ定義されたタスクを実行する従来のAIモデルとは異なり、AIエージェントは高度なテクニックを使用して人間の意思決定プロセスを模倣することにより、新たな課題に動的に適応し、また自らの判断に基づいて意思決定し、アクションを実行します。彼らは業務の上では従業員のように見えますが、人間が持つ判断力、倫理観、または行動の結果に対する恐れが欠けています。これは、サイバー犯罪者によって簡単に操られる可能性があることを意味しており、OTネットワーク全体に埋め込まれたAIエージェントは、データ漏洩をはるかに超える脅威を生み出します。たとえば、BMWでは、AI は溶接プロセスのエラーの発生を識別するのに使われています。同社のスパータンバーグ(米サウスカロライナ州)の工場では、すべてのSUVフレーム上の300-400個のスタッドの溶接をAIが監視し、スタッドの配置間違いや欠陥を検知し直ちに修正します。このAIシステムが破損すれば壊滅的な品質管理問題につながる恐れがあります。

製造全体にエージェント型AIシステムを導入することについて多くのセキュリティチームはさまざまな懸念を示しています。ダークトレースの行ったAIサイバーセキュリティの現状調査では、製造業のセキュリティプロフェッショナルの78%が従業員によるAIエージェントの利用に懸念を抱いており、これは彼らの最も大きな危惧でした。それに続く問題点が従業員によるCopilotやChatGPT等の生成AIツールの使用であり、製造業のセキュリティプロフェッショナルの76%が懸念を抱いていました。これらのツールがますます多くのビジネスデータやプロセスにアクセスし、組織内でより多くの自律性を持つようになるにつれ、エージェントのアクティビティがほとんど可視化されていない現在、セキュリティチームにおいては機密データの露出(60%)や偶発的なポリシーおよび規制違反(59%)への懸念が高まっています。

外部からのAIによる脅威も急激に進化

製造業を変革しているのと同じAIの能力が、サイバー攻撃の形も変貌させています。

AIにより攻撃者は偵察を自動化し、標的をより高度に絞り込み、リアルタイムで適応できるようになっています。かつては人手による作業と時間を要していたことが、今では継続的かつ大規模に実行できるようになりました。そして、製造業はすでにその影響を実感しています。当社が調査した製造業のセキュリティプロフェッショナルの76%は、すでにAIを活用した脅威の影響を受けており、90%がAIによってソーシャルエンジニアリング攻撃の成功率が高まっていると回答しています。

また、攻撃のテクニック自体も進化しています。製造業界全体で、AIを利用した攻撃の経路の多様化に対する懸念が高まっています。特にリアルタイムで進化する適応型マルウェアについて、調査対象の製造業のセキュリティプロフェッショナルの半数近く(49%)が懸念しており、これは全産業の平均よりも9%高い数値です。AIを使った適応型マルウェアに続くその他の懸念には次が含まれます:

  • 自動化された脆弱性スキャンとエクスプロイトチェイニング(48%):Anthropicの新しいMythos AIモデルにより脆弱性探索が深刻化する中で、この問題は一層差し迫ったものとなっています。
  • 超パーソナライズされたフィッシングキャンペーン(46%):フィッシングは依然としてハッカーの主力兵器の1つであり、AIによってフィッシングメールはより説得力が高く検知困難なものとなり、その効果は増幅されました。

これは単に攻撃の量の増加だけでなく、攻撃の展開につれて静的な防御が対応できるよりも速く進化する脅威への変化なのです。

こうした認識が高まっているにもかかわらず、製造業の多くはまだこの変化に対応する準備ができていません。半数以上(51%)がAI駆動の脅威への準備が十分にできていないと回答し、AIの導入を管理する正式なポリシーを持っている組織はわずか37%でした。  

可視性、コンテキスト、およびガードレールを通じてAIのセキュリティを確保

これらの問題に対処するためにAIイノベーションを遅らせる必要はありません。それには、AIと同じスピードと規模で動作できる、これまでとは異なるアプローチのセキュリティが必要です。具体的には、製造業がAIの力を活用する上で、次の3つの優先課題が浮上しています。

可視性はすべての土台  

AIがどこで使用されているか、何にアクセスできるか、そしてITおよびOT環境にわたってどのように動作するかを理解する必要があります。それがなければ、リスクを測定したり管理したりすることはできません。ダークトレースの調査において、製造業のセキュリティプロフェッショナルの91%が、AIを信頼する前に、それがどのように意思決定を行うかを理解する必要があると回答したのは当然のことです。OT環境においてこのことはさらに重要です。稼働の中断は安全や環境、財務、および評判に大きな影響を及ぼすからです。

可視性をアクションにつなげるにはコンテキストが必要  

AIによって形作られる環境において、正常とされる挙動は絶えず変化します。つまり、脅威を検知するにはビヘイビアベースのアプローチが必要なのです。組織全体で生活パターンを理解し、わずかな逸脱をリアルタイムに検知すること- これは従来のセキュリティとリスク管理に対するアプローチからの根本的な変化です。

エージェントからの露出を防ぐガードレール  

AIシステムがより大きな責任を担うようになるなかで、組織はAIが何をできるか、そしていつ独立して行動できるかについて、明確な境界を設ける必要があります。これらのコントロールは何かがあってから適用されるのではなく、システム自体に組み込んでおかなければなりません。  

製造業のITおよびOT環境におけるAIエージェントのセキュリティ

エージェント型AIの出現は製造業を変革し、次世代のオペレーションを支える一方で、脅威ランドスケープも一変させています。これは単なる脅威の増加ではなく、自律型システムへの移行、挙動の絶え間ない変化、そしてマシンスピードで進行するリスクです。AIを活用しつつリスクを管理するという課題に取り組む組織にとって、可視性、コンテキスト、ガードレールはセキュリティの基盤となります。

Darktraceはこの基盤を実現することにより、製造業の安全なAIアプローチ構築を支援します。ITおよびOT環境全体を可視化し、異常なアクティビティに対するリアルタイムの検知および対応を提供することにより、従業員が使用するプロンプトや構築するエージェントから、それらのエージェントの環境全体での動作に至るまで、AIアクティビティの理解を可能にします。これにより、AIの導入を拡大する製造業はコントロールを犠牲にすることなくイノベーションの基盤を構築することができます。

Continue reading
About the author
Dr. Oakley Cox-Robinson
Senior Director of Product
あなたのデータ × DarktraceのAI
唯一無二のDarktrace AIで、ネットワークセキュリティを次の次元へ