🚀 Darktrace Python SDK

A modern, Pythonic SDK for the Darktrace Threat Visualizer API.

---

🆕 Latest Updates (v0.8.55)

• Feature: Add 13 missing parameters to devicesummary endpoint - Added support for device_name, ip_address, end_timestamp, start_timestamp, devicesummary_by, devicesummary_by_value, device_type, network_location, network_location_id, peer_id, source, and status parameters to align with Darktrace API specification
• Documentation: Update devicesummary documentation - Added examples and parameter descriptions for new filtering options
• Note: devicesummary HTTP 500 limitation confirmed - Documentation updated to clarify that all devicesummary parameters return HTTP 500 with API token authentication (Darktrace backend limitation, not SDK bug)

📝 Previous Updates (v0.8.54)

• Fix: Multi-parameter devicesearch query format (fixes #45) - Changed query parameter joining from explicit ' AND ' to space separation per Darktrace API specification
• Fix: ensure host URL includes protocol (default to https if missing)

---

✨ Features

• Extensive API Coverage: Most endpoints, parameters, and actions from the official Darktrace API Guide are implemented.
• Modular & Maintainable: Each endpoint group is a separate Python module/class.
• Easy Authentication: Secure HMAC-SHA1 signature generation and token management.
• Async-Ready: Designed for easy extension to async workflows.
• Type Hints & Docstrings: Full typing and documentation for all public methods.
• Comprehensive Documentation: Detailed documentation for every module and endpoint.

---

📦 Installation

pip install darktrace-sdk

After installation, you'll import it in Python as darktrace:

from darktrace import DarktraceClient

Or clone this repository:

git clone https://github.com/yourusername/darktrace.git
cd darktrace
pip install .

---

🚦 Quick Start

from darktrace import DarktraceClient

# Initialize the client
client = DarktraceClient(
    host="https://your-darktrace-instance",
    public_token="YOUR_PUBLIC_TOKEN",
    private_token="YOUR_PRIVATE_TOKEN"
)

# Access endpoint groups
devices = client.devices
all_devices = devices.get()

antigena = client.antigena
actions = antigena.get_actions()

# Use Advanced Search with POST requests (Darktrace 6.1+)
advanced_search = client.advanced_search
query = {
    "search": "@type:\"ssl\" AND @fields.dest_port:\"443\"",
    "fields": [],
    "offset": 0,
    "timeframe": "3600"  # 1 hour
}
results = advanced_search.search(query=query, post_request=True)

print(all_devices)
print(actions)
print(results)

---

📚 Documentation

Comprehensive documentation is available in the docs directory:

• Main Documentation - Overview and getting started
• Authentication - How authentication works
• Antigena - Managing Antigena actions
• Devices - Working with device information
• Model Breaches - Handling model breach alerts
• Status - System status information

And many more modules covering every aspect of the Darktrace API.

See the EXAMPLES.md file for additional usage examples.

---

🛡️ Endpoint Coverage

This SDK aims to cover all endpoints in the Darktrace API Guide, including:

• /advancedsearch (search, analyze, graph)
• /aianalyst (incidentevents, groups, acknowledge, pin, comments, stats, investigations, incidents)
• /antigena (actions, manual, summary)
• /components, /cves, /details, /deviceinfo, /devices, /devicesearch, /devicesummary
• /endpointdetails, /enums, /filtertypes, /intelfeed, /mbcomments, /metricdata, /metrics, /models, /modelbreaches, /network, /pcaps, /similardevices, /status, /subnets, /summarystatistics, /tags, and all /agemail endpoints

If you find a missing endpoint, open an issue or PR and it will be added!

---

⚠️ Known Issues

/devicesummary Endpoint Returns HTTP 500

The /devicesummary endpoint returns a 500 Internal Server Error when accessed with API tokens, even though it works in the browser or with session/cookie authentication. This is a known limitation of the Darktrace API backend and not a bug in the SDK or your code.

Status: Confirmed as Darktrace API backend limitation (tested with SDK v0.8.54 on instance v6.3.18). The SDK implementation is correct and uses the same authentication pattern as other endpoints that work with API tokens.

Workaround: There is currently no programmatic workaround. If you require this endpoint, please contact Darktrace support or use browser-based access where possible.

Status: Tracked as issue #37. If you encounter this, please reference the issue for updates.

---

📝 Contributing

Contributions are welcome! Please:

1. Fork the repo and create your branch.
2. Write clear, tested code and clean code principles.
3. Add/Update docstrings and type hints.
4. Submit a pull request with a detailed description.

---

📄 License

This project is licensed under the MIT License. See LICENSE for details.

---

🙏 Acknowledgements

• Inspired by the official Darktrace API Guide
• Community contributions welcome!

---

Made with ❤️ for the Darktrace community.