Darktrace Master Appliance Discovery
yesterday
Hello,
Just wondering if anyone has been able to discover darktrace master appliances via SSH credentials? I don't think there is a discovery pattern for this?
Thanks,
Richo
yesterday
Hello,
I don't have personal experience with the exact device you are referring to, but depending on which area you are looking into, I had similar cases with the same device type (both IT and OT related).
The short answer is:
You don't need discovery for this. Darktrace has an API definition which is publicly available (Darktrace | Documentation | Postman API Network). You can get all device data from there. For OT use cases it is important to understand that ServiceNow does not support (strictly speaking) the use of Discovery in OT. Therefore, you will have to use the management API.
Personally I would recommend the API here from a long-term perspective in any case. If you want to move forward in ITOM, Event Management will use the same API for any Darktrace event collection, so doing it via the API is a good idea (note: build the API authorization separately so you can reuse it later on).
Lastly, for the short part, there is also a Darktrace Integration (ServiceNow Store) for ServiceNow. Look into that as well.
Now the long story:
Let's say you are a hobby Discoverist (as I am) and you absolutely want to get this done with Discovery... Well, I have not-so-great news for you: this is probably one of the hardest parts to set Discovery up with. To explain it, let's look at a Fortinet discovery case I encountered and how the discovery generally works:
The discovery scans network segments in bulk. If it hits a device (e.g. a Fortinet firewall) it will try to use an SSH credential. These credentials are tried in order (lowest order first). For the firewall, each SSH credential access try will be recorded. With one customer, after 3 tries, the firewall went into full lockdown. We knew this, so we prioritized the SSH credentials and set up the schedules in a more segmented way to prevent issues. However, someone just tested Linux discovery with SSH at the same time and added a ton of SSH credentials.
And what followed was a full network lockdown for a partial business sector. This was resolved very quickly, because we were, obviously, in an early stage and had reported everything to all network teams in advance. Everybody knew what happened and it was resolved quickly.
But it also showed that no matter how well we set up the discovery, in a global environment it just takes one person who wants to try something out (mind you, this could also happen in non-production environments) to make a network go bye-bye.
So let's assume you could discover these Darktrace appliances. I want to raise the question:
Should you?
And the answer to that (I learned it the "hard way"; again, we followed strict project communication plans, so the hard way was "just" a hiccup) from my perspective is a clear no. Discovery is a great tool, but it has its limits. And for firewalls and any security-sensitive environments where I can instead use a predefined, publicly documented management API, I would always choose the latter.
I hope this helps, even if it is not the exact answer you are looking for.
Regards
Fabian
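As an added illustration of the API route recommended in the answer above (this is example code written for this page, not code from Fabian, Darktrace or ServiceNow), the block below separates the request signing from the endpoint call so the same authorization helper can later serve Event Management, and maps a constructed sample of `/devices` output to flat CMDB-style rows. It assumes the request-signing scheme published in the Darktrace API documentation (headers `DTAPI-Token`, `DTAPI-Date` and `DTAPI-Signature`, the signature being an HMAC-SHA1 over the request path, public token and date, keyed with the private token); verify that against the Postman collection linked in the answer before relying on it. The host name, tokens and device records are all made up for the example.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Hypothetical appliance and token pair, constructed for this example only.
DT_HOST = "https://darktrace.example.internal"
PUBLIC_TOKEN = "public-token-example"
PRIVATE_TOKEN = "private-token-example"


def dt_date_header(now=None):
    """Timestamp in the form YYYYMMDDTHHMMSS (UTC), as assumed for DTAPI-Date."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H%M%S")


def dt_sign(request_path, public_token, private_token, date_header):
    """HMAC-SHA1 over "<request path>\n<public token>\n<date>", keyed with the private token.

    The request path must be the exact path plus query string that is sent,
    e.g. "/devices?count=100". Assumed from the published Darktrace API docs.
    """
    message = "\n".join([request_path, public_token, date_header]).encode("utf-8")
    return hmac.new(private_token.encode("utf-8"), message, hashlib.sha1).hexdigest()


def dt_headers(request_path, public_token=PUBLIC_TOKEN,
               private_token=PRIVATE_TOKEN, date_header=None):
    """Build the authorization headers for one request.

    Kept independent of any endpoint so the same helper can sign /devices now
    and, for example, the model-breach endpoint later for Event Management.
    """
    date_header = date_header or dt_date_header()
    return {
        "DTAPI-Token": public_token,
        "DTAPI-Date": date_header,
        "DTAPI-Signature": dt_sign(request_path, public_token, private_token, date_header),
    }


def fetch_devices(session, request_path="/devices?count=100"):
    """GET the device list with signed headers; `session` is a requests.Session-like object."""
    resp = session.get(DT_HOST + request_path, headers=dt_headers(request_path), timeout=30)
    resp.raise_for_status()
    return resp.json()


# Constructed sample in the shape of /devices output; not real device data.
SAMPLE_DEVICES = [
    {"did": 1, "ip": "10.0.0.5", "hostname": "scada-hmi-01",
     "macaddress": "00:11:22:33:44:55", "typename": "server"},
    {"did": 2, "ip": "10.0.0.9", "hostname": "",
     "macaddress": "", "typename": "desktop"},
]


def to_cmdb_rows(devices):
    """Flatten device records into one row per device for an import set.

    Empty hostname/MAC values are dropped rather than copied, so a CI is never
    keyed on an empty string; the Darktrace device id is kept as the stable key.
    """
    rows = []
    for d in devices:
        row = {
            "darktrace_did": d["did"],
            "ip_address": d.get("ip"),
            "device_type": d.get("typename"),
        }
        if d.get("hostname"):
            row["name"] = d["hostname"]
        if d.get("macaddress"):
            row["mac_address"] = d["macaddress"]
        rows.append(row)
    return rows


if __name__ == "__main__":
    # Offline demonstration: show the signed headers and the mapped sample rows.
    path = "/devices?count=100"
    for k, v in dt_headers(path).items():
        print(f"{k}: {v}")
    for row in to_cmdb_rows(SAMPLE_DEVICES):
        print(row)
```

Because the signature covers the exact request path, any change to the query string (a different `count`, an added filter) must go through `dt_headers` again; reusing headers from an earlier call yields a signature mismatch rather than a quietly different result.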