Darkmon v1.0.0
Stay ahead of cyber threats with Darkmon TIP - real-time threat intelligence from the Clear, Deep, and Dark Web tailored to your assets. The pack provides indicator enrichment, compromised-credentials monitoring, board-level VIP email protection, ransomware mention tracking, brand-targeting NRD detection, and critical CVE pipelines, plus provider-agnostic incident response playbooks ready to plug into any SOC stack.
- Author:
- Darkmon
- Support:
- developer
- URL:
- https://darkmon.com
Classifiers (4)
Generics (6)
- Darkmon - Brand-Targeted NRD Watch
- Darkmon - Compromised Credentials Sweep
- Darkmon - Compromised Employee Auto-Disable
- Darkmon - Critical CVE Pipeline
- Darkmon - Ransomware Mentions Watch
- Darkmon - VIP Email Monitor
Incident fields (24)
- Darkmon Account ID
- Darkmon Action Taken
- Darkmon Affected Components
- Darkmon Brand
- Darkmon CVE Severity
- Darkmon Directory User
- Darkmon Distance
- Darkmon Employee Email
- Darkmon First Compromise
- Darkmon Last Compromise
- Darkmon Leak ID
- Darkmon Leak Type
- Darkmon Observed Domain
- Darkmon Password (Redacted)
- Darkmon Protected Email
- Darkmon Published At
- Darkmon Registered At
- Darkmon Screenshot URL
- Darkmon Source
- Darkmon Stealer
- Darkmon Threat Actor
- Darkmon URL
- Darkmon Username
- Darkmon Victim Name
Incident types (6)
Indicator fields (5)
- Darkmon Classification
- Darkmon Compromise Sources
- Darkmon First Compromise
- Darkmon Last Compromise
- Darkmon Stealer Families
Integrations (2)
Layouts (12)
Lists (14)
- Darkmon - Auto-Disable Allowlist
- Darkmon - Block Provider
- Darkmon - Brand Names
- Darkmon - Customer Domains
- Darkmon - Identity Provider
- Darkmon - Notification Provider
- Darkmon - Seen CVEs
- Darkmon - Seen Compromised Accounts
- Darkmon - Seen Compromised Employees
- Darkmon - Seen NRDs
- Darkmon - Seen Ransomware Mentions
- Darkmon - Seen VIP Leaks
- Darkmon - Tech Stack Tags
- Darkmon - Umbrella Block List ID
Playbooks (20)
- Darkmon - Block IOC
- Darkmon - Brand-Targeted NRD Watch
- Darkmon - Compromised Account Response
- Darkmon - Compromised Credentials Sweep
- Darkmon - Compromised Employee Auto-Disable
- Darkmon - Critical CVE Pipeline
- Darkmon - EDR Alert Enrichment
- Darkmon - Email Deep Dive
- Darkmon - Enrich Domain
- Darkmon - Enrich Email
- Darkmon - Enrich File
- Darkmon - Enrich IP
- Darkmon - Enrich URL
- Darkmon - Generic Block Indicator
- Darkmon - Generic Notify
- Darkmon - Generic User Action
- Darkmon - Phishing Email Triage
- Darkmon - Ransomware Mentions Watch
- Darkmon - Ransomware Victim Response
- Darkmon - VIP Email Monitor
Scripts (6)
README
Darkmon Threat Intelligence Pack
Stay ahead of cyber threats with Darkmon TIP - real-time threat intelligence
from the Clear, Deep, and Dark Web, tailored to your assets and operationalized
inside Cortex XSOAR.
What’s in the box
This is an end-to-end content pack, not just an integration. It ships
everything a SOC team needs to put Darkmon intelligence into action.
Integration
- Darkmon - 18 commands covering indicator enrichment, IOC feed ingestion
(TIM), compromised data discovery, board-level VIP email protection,
ransomware tracking, newly-registered-domain monitoring, vulnerability
intelligence, and a fully dynamic global search.
Indicator enrichment (sub-playbooks)
Darkmon - Enrich IPDarkmon - Enrich DomainDarkmon - Enrich URLDarkmon - Enrich File HashDarkmon - Enrich Email
These are wired into XSOAR’s reputation system via DBotScore + Common.<Type>
contracts so they slot into any existing playbook with no rewrites.
Continuous monitoring
Darkmon - Compromised Credentials Sweep(every 4h)Darkmon - VIP Email Monitor(hourly)Darkmon - Ransomware Mentions Watch(every 6h)Darkmon - Brand-Targeted NRD Watch(daily)Darkmon - Critical CVE Pipeline(daily)
Each ships with its own incident type, layout, dedup pre-process rule, and a
List of tunables (customer domains, brand names, tech stack, severity rules)
so multi-tenant deployments customize without forking.
Incident response
Darkmon - Phishing Email TriageDarkmon - Compromised Account ResponseDarkmon - EDR Alert EnrichmentDarkmon - Ransomware Victim ResponseDarkmon - Email Deep Dive
These response playbooks call provider-agnostic switchboard sub-playbooks so
they work whatever your stack looks like.
Provider-agnostic adapters (Tier 4)
-
Darkmon - Generic Notify(SlackTeams Email ServiceNow Jira) -
Darkmon - Generic Block Indicator(Palo Alto NGFWFortinet Cisco Umbrella CloudFlare) Darkmon - Generic User Action(suspend, force password reset on
Active Directory | Okta | Azure AD)
Quick start
- Install this pack from the Cortex Marketplace.
- Open Settings → Integrations → Darkmon and click Add instance.
- Paste your Darkmon API key. Leave API Base URL at the default unless
instructed otherwise. - Click the Test button on the instance configuration page. Expect “Success”.
For full configuration, command examples, and playbook docs, see the
per-artifact READMEs under each subfolder.
Compliance posture
The pack defaults to GDPR-strict + secrets redaction. Passwords, card
numbers, and SSNs never appear in War Room markdown unless the integration’s
redact_secrets toggle is explicitly set to false. Raw values remain
available to playbooks via rawJSON so automation isn’t blocked.
Support
This pack is maintained by Darkmon as a developer-supported pack.
Visit darkmon.com or contact support@darkmon.com.
Versioning
Semantic versioning. See ReleaseNotes/ for change history.