From 51ca3fd17ac1794d87c9b33917911fbf8345fe59 Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Thu, 23 Oct 2025 11:08:18 +0100
Subject: [PATCH 1/5] added to solution file
---
 .../Data/Solution_DarktraceEnterpriseImmuneSystem.json | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
index bd8197527f7..d53703ffa0e 100644
--- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
+++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
@@ -4,15 +4,19 @@
 "Logo": "",
 "Description": "The [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/",
 "Workbooks": [
- "Workbooks/DarktraceWorkbook.json"
+ "Workbooks/DarktraceWorkbook.json",
+ "Workbooks/DarktraceActiveAISecurityPlatform.json"
 ],
 "Analytic Rules": [
 "Analytic Rules/CreateAlertFromModelBreach.yaml",
 "Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml",
- "Analytic Rules/CreateAlertFromSystemStatus.yaml"
+ "Analytic Rules/CreateAlertFromSystemStatus.yaml",
+ "Analytic Rules/DarktraceIncidentEvent.yaml",
+ "Analytic Rules/DarktraceModelAlert.yaml"
 ],
 "Data Connectors": [
- "Data Connectors/DarktraceConnectorRESTAPI.json"
+ "Data Connectors/DarktraceConnectorRESTAPI.json",
+ "Data Connectors/DarktraceActiveAISecurityPlatform_Template.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Darktrace",
 "Version": "2.0.1",
From f27524ff5db57a8f94c74e5df2470226b8c3c5da Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Thu, 23 Oct 2025 11:43:35 +0100
Subject: [PATCH 2/5] updated version to 3.0.0
---
 .../Data/Solution_DarktraceEnterpriseImmuneSystem.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
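Review bot: The `Description` string in this hunk still names only the Microsoft Sentinel Data Collector API as the underlying technology, while the same hunk adds a second connector, `Data Connectors/DarktraceActiveAISecurityPlatform_Template.json`; if that connector ingests through a different path than the legacy REST connector, the dependency list and its preview/cost caveat should be updated in the same change so operators know which ingestion components the solution now relies on. The two new `Analytic Rules` entries and the new workbook are not part of this commit's diffstat, so they presumably already exist in the tree; it is worth confirming that all three paths resolve exactly as written, since the manifest is the only link between them and the package. The surrounding object continues past the end of the hunk.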
diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
index d53703ffa0e..800ff5153cc 100644
--- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
+++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
@@ -19,7 +19,7 @@
 "Data Connectors/DarktraceActiveAISecurityPlatform_Template.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Darktrace",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
From fa3cfc0bfba10a9a6471d45303ef24e494e7bd40 Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Thu, 23 Oct 2025 12:33:23 +0100
Subject: [PATCH 3/5] updated sample desc
---
 .../DarktraceActiveAISecurityPlatform_Template.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
index c52f3e27ca7..5c0049cf7d0 100644
--- a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
+++ b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
@@ -12,7 +12,7 @@
 ],
 "sampleQueries": [
 {
- "description" : "One-line title for your sample query 1",
+ "description" : "Last 10 Model Alerts",
 "query": "DarktraceModelAlerts_CL\n | take 10"
 }
 ],
From aaf5651c771dc0dfce80b3f3d4aa1ee28904d3e9 Mon Sep 17 00:00:00 2001
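Review bot: The new description `Last 10 Model Alerts` does not match the query on the following context line, `DarktraceModelAlerts_CL\n | take 10`, because KQL `take` returns an arbitrary set of rows with no ordering guarantee, so an analyst trying the sample will not see the most recent alerts. Either order the query, `"query": "DarktraceModelAlerts_CL\n | top 10 by TimeGenerated desc"`, or keep `take` and describe it honestly as `Sample Model Alerts`. The `sampleQueries` array is shown in full here, but the rest of the connector template lies outside the hunk.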
From: Dylan O'Sullivan
Date: Tue, 28 Oct 2025 08:55:26 +0000
Subject: [PATCH 4/5] removed references
---
 .../ValidConnectorIds.json | 1 +
 .../CreateAlertFromModelBreach.yaml | 78 -
 .../CreateAlertFromSystemStatus.yaml | 56 -
 .../CreateIncidentFromAIAnalystIncident.yaml | 67 -
 ...ution_DarktraceEnterpriseImmuneSystem.json | 4 -
 .../Workbooks/DarktraceWorkbook.json | 2035 ----------------
 6 files changed, 1 insertion(+), 2240 deletions(-)
 delete mode 100644 Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
 delete mode 100644 Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml
 delete mode 100644 Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
 delete mode 100644 Solutions/Darktrace/Workbooks/DarktraceWorkbook.json
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 5fad6a4f737..416b6ced8aa 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -76,6 +76,7 @@
 "DNS",
 "Darktrace",
 "DarktraceRESTConnector",
+ "DarktraceActiveAISecurityPlatform",
 "DataminrPulseAlerts",
 "Dataverse",
 "DigitalGuardianDLP",
diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
deleted file mode 100644
index 41eca0fb0a1..00000000000
--- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
+++ /dev/null
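Review bot: The id added here, `"DarktraceActiveAISecurityPlatform"`, only does its job if it matches byte-for-byte the `id` declared in `Data Connectors/DarktraceActiveAISecurityPlatform_Template.json` and the `connectorId` the two new analytic rules list under `requiredDataConnectors`; this file is the allow-list the detection-template schema validation checks against, so a case or suffix mismatch (the legacy entry two lines up is `DarktraceRESTConnector`, not the file name) would surface only as a validation failure on those rules. Neither the connector template nor the new rule files are in this patch series, so the match cannot be confirmed from the hunk. The commit subject `removed references` does not mention this addition, which makes it easy to miss when the allow-list is audited later.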
@@ -1,78 +0,0 @@ -id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 -name: Darktrace Model Breach -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.' -severity: Medium -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # tactics pulled dynamically -relevantTechniques: -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="Policy Breach" - | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category - | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity - | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", - DtCategory == "Critical", "High", - "Informational") -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: Host - fieldMappings: - - identifier: HostName - 
columnName: DstHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr - - entityType: IP - fieldMappings: - - identifier: Address - columnName: DstIpAddr -customDetails: - SrcMacAddr: SrcMacAddr - EventSeverity: EventSeverity - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - NetworkRuleNumber: NetworkRuleNumber - ThreatId: ThreatId - DtSentinelCategory: DtSentinelCategory - SrcPortNumber: SrcPortNumber - DstPortNumber: DstPortNumber - DstMacAddr: DstMacAddr - DtCompliance: DtCompliance - DtDescription: DtDescription - DtCategory: DtCategory - DtDeviceID: DtDeviceID -# These are described here - this is why we're leaving tactics and techniques above empty -alertDetailsOverride: - # model breach name here - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' # Up to 256 chars and 3 placeholders - alertDescriptionFormat: '{{DtMessage}}' # Up to 5000 chars and 3 placeholders - # MITRE tactic - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtBreachURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT \ No newline at end of file diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml deleted file mode 100644 index 06838e6e76e..00000000000 --- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: 2e629769-60eb-4a14-8bfc-bde9be66ebeb -name: Darktrace System Status -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.' -severity: Informational -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # none -relevantTechniques: # none -query: | - darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping - | where dtProduct_s =="System Alert" - | extend EventVendor="Darktrace", EventProduct="Darktrace DETECT" - | project-rename ThreatCategory=dtProduct_s, EventStartTime=time_s, NetworkRuleName=friendlyName_s, SrcIpAddr=deviceIP_s, SrcHostname=hostname_s, ThreatRiskLevel=priority_code_d, ThreatRiskCategory=priority_s, DtSeverity=Severity, DtName=name_s, DtStatus=status_s, DtMessage=Message, DtURL=url_s, DtUUID=uuid_g -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - ThreatRiskLevel: ThreatRiskLevel - ThreatRiskCategory: ThreatRiskCategory - DtName: DtName - DtStatus: DtStatus - DtMessage: DtMessage - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtMessage}}' - alertTacticsColumnName: # none - alertSeverityColumnName: # none - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory -version: 1.1.0 -kind: Scheduled 
diff --git a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml b/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
deleted file mode 100644
index d449cf51b1f..00000000000
--- a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
+++ /dev/null
@@ -1,67 +0,0 @@ -id: ffa2977f-3077-4bba-b1bf-f3417699cbb0 -name: Darktrace AI Analyst -description: | - 'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.' -severity: High -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: [] # no tactics are ingested for AIA events at the moment -relevantTechniques: [] -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="AI Analyst" - | project-rename EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d - | extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory - | extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low", - DtGroupCategory == "suspicious", "Medium", - "High") //compliance -> low, suspcious -> medium, critical -> high -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - EventEndTime: EventEndTime - NetworkRuleName: NetworkRuleName - DtCurrentGroup: DtCurrentGroup - ThreatRiskLevel: 
ThreatRiskLevel - DtSummary: DtSummary - DtGroupScore: DtGroupScore - DtGroupCategory: DtGroupCategory - DtSentinelCategory: DtSentinelCategory - DtSrcDeviceName: DtSrcDeviceName - DtNewEvent: DtNewEvent - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtSummary}}' - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT - - diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json index 800ff5153cc..5a9b938ac9b 100644 --- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json +++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json 
@@ -4,13 +4,9 @@
 "Logo": "",
 "Description": "The [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/",
 "Workbooks": [
- "Workbooks/DarktraceWorkbook.json",
 "Workbooks/DarktraceActiveAISecurityPlatform.json"
 ],
 "Analytic Rules": [
- "Analytic Rules/CreateAlertFromModelBreach.yaml",
- "Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml",
- "Analytic Rules/CreateAlertFromSystemStatus.yaml",
 "Analytic Rules/DarktraceIncidentEvent.yaml",
 "Analytic Rules/DarktraceModelAlert.yaml"
 ],
diff --git a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json b/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json
deleted file mode 100644
index 3def177f1ac..00000000000
--- a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json
+++ /dev/null
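Review bot: After this hunk the `Workbooks` and `Analytic Rules` arrays reference only the new Active AI Security Platform content, but the `Data Connectors` array just below the hunk is not touched, and the previous commit in this series left `Data Connectors/DarktraceConnectorRESTAPI.json` listed there; if the legacy connector stays in the package, deployments using it keep ingesting into `darktrace_model_alerts_CL` while the solution no longer ships any rule or workbook that reads that table, so detection coverage silently drops for them. Either remove the legacy connector entry in the same change or state in the `Description` how existing `DarktraceRESTConnector` deployments are expected to migrate to the new connector and tables. Rules customers already created from the deleted templates (ids such as `a3c7b8ed-56a9-47b7-98e5-2555c16e17c9`) presumably remain active in their workspaces, which is worth saying in the release notes. The enclosing object continues beyond the hunk.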
@@ -1,2035 +0,0 @@ -{ - "version": "Notebook/1.0", - "items": [ - { - "type": 11, - "content": { - "version": "LinkItem/1.0", - "style": "tabs", - "links": [ - { - "id": "a4b35478-499a-4fcc-8424-63abbb698bfa", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "AI Analyst", - "subTarget": "ai-analyst", - "style": "link" - }, - { - "id": "45805ae8-29d7-4774-a10a-8d60af407bbf", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Network ", - "subTarget": "overview", - "style": "link" - }, - { - "id": "7a64cd79-3a09-4046-8d6f-ba24fc2bab6c", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Apps", - "subTarget": "cloud", - "style": "link" - }, - { - "id": "0dc4ab10-226f-422f-a7bb-9e905f96fb6c", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Email", - "subTarget": "email", - "style": "link" - }, - { - "id": "2eac3f00-5164-4a77-9781-118eb681b729", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "RESPOND", - "subTarget": "agn", - "style": "link" - }, - { - "id": "ff97b7e6-6bbf-401c-aaff-833d5309f00d", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "System Status", - "subTarget": "status", - "style": "link" - } - ] - }, - "name": "tabs" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "96e10804-35d4-4d5c-b2d8-1af544471721", - "version": "KqlParameterItem/1.0", - "name": "Timeframe", - "type": 4, - "description": "Set the global time range for all queries below", - "isRequired": true, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 300000 - }, - { - "durationMs": 900000 - }, - { - "durationMs": 1800000 - }, - { - "durationMs": 3600000 - }, - { - "durationMs": 14400000 - }, - { - "durationMs": 43200000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - "durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - 
"durationMs": 1209600000 - }, - { - "durationMs": 2419200000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ] - }, - "timeContext": { - "durationMs": 86400000 - }, - "value": { - "durationMs": 604800000 - } - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "Timescale " - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", - "version": "KqlParameterItem/1.0", - "name": "_severity", - "type": 1, - "description": "parameter to drill down on clicked severity tile", - "value": "", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "label": "severity" - } - ], - "style": "above", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n compliance_b == false and Category == \"Critical\", \"Critical\",\r\n compliance_b == true, \"Compliance\",\r\n compliance_b == false and Category == \"Suspicious\", \"Suspicious\",\r\n compliance_b == false and Category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | 
summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", - "size": 3, - "title": "Model Breaches by Category", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "status", - "exportParameterName": "_severity", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "status", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "Compliance", - "representation": "turquoise", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Informational", - "representation": "yellow", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Suspicious", - "representation": "orange", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Critical", - "representation": "redBright", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "green", - "text": "{0}{1}" - } - ] - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": false, - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "showBorder": true, - "size": "auto" - } - }, - "name": "model breaches by severity" - }, - { - "type": 1, - "content": { - "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", - "style": "info" - }, - "name": "text - 3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 
1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == true\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Compliance Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": 
"DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "yellow", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Compliance" - }, - "name": "Low severity model breaches" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend 
ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Informational\"\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n", - "size": 0, - "title": "Informational Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "orange", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": 
"OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Informational" - }, - "name": "Medium severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Suspicious\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, 
DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Suspicious Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "redBright", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Suspicious" - }, - "name": "High severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = 
\"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Critical\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Critical Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - 
"customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "red", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Critical" - }, - "name": "Critical severity model breaches" - } - ] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isNotEqualTo", - "value": "hidden" - }, - "name": "Drill down group for different severities" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 0, - "title": "Total Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Count", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - 
"maximumFractionDigits": 0 - } - } - } - } - }, - "name": "breaches in group" - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 11" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| summarize event_count=count() by NetworkRuleName\r\n| top 10 by event_count", - "size": 0, - "title": "Top 10 Most Breached Models", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Activity", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "60ch" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - } - ], - "labelSettings": [ - { - "columnId": "event_count", - "label": "Count" - } - ] - } - }, - "customWidth": "55", - "name": "most breached models" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "\r\ndarktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstHostname=destHost_s\r\n| where isnotempty(DstHostname) \r\n| summarize count(NetworkRuleName) by DstHostname", - "size": 3, - "title": "Top External Hostnames", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "45", - "name": "top external hostnames" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where 
dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ", - "size": 0, - "title": "Top 10 Model Breaches with Highest Severity", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "yellowOrangeRed" - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "name": "Top 10 hitting devices" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\n| project-rename DstIpAddr=destIP_s\n| where isnotempty(DstIpAddr) \n| where DstIpAddr !startswith \"10\"\n| where DstIpAddr !startswith \"192\"\n| where DstIpAddr !startswith \"172\"\n| 
summarize event_count=count() by DstIpAddr\n| top 10 by event_count", - "size": 0, - "title": "Top 10 External IPs", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart" - }, - "customWidth": "80", - "name": "top 10 external IPs" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\") and compliance_b == true\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\r\n", - "size": 0, - "title": "Compliance Model Breaches Over Time", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Count", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "compliance breaches over time" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "overview" - }, - "name": "overview" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", - "version": "KqlParameterItem/1.0", - "name": "_severity", - "type": 1, - "description": "parameter to drill down on clicked severity tile", - "value": "hidden", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "label": "severity" - } - ], - "style": "above", - "queryType": 0, - 
"resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n ThreatRiskLevel >= 75, \"Critical\",\r\n ThreatRiskLevel < 25, \"Low\",\r\n ThreatRiskLevel >= 50 and ThreatRiskLevel < 75, \"High\",\r\n ThreatRiskLevel >= 25 and ThreatRiskLevel < 50, \"Medium\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", - "size": 3, - "title": "Model Breaches by Severity", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "status", - "exportParameterName": "_severity", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "status", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "High", - "representation": "redBright", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Critical", - "representation": "red", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "green", - 
"text": "{0}{1}" - } - ] - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": false, - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "showBorder": true, - "size": "auto" - } - }, - "name": "model breaches by severity" - }, - { - "type": 1, - "content": { - "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", - "style": "info" - }, - "name": "text - 3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend 
MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel < 25\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Low Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "yellow", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Low" - }, - "name": "Low severity model breaches" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": 
"darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 25 and ThreatRiskLevel < 50\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Medium Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - 
{ - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "orange", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Medium" - }, - "name": "Medium severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule 
= \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 50 and ThreatRiskLevel < 75\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "High Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "redBright", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - 
"formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "High" - }, - "name": "High severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 75\r\n| limit 100\r\n| project 
TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n", - "size": 0, - "title": "Critical Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": ">", - "thresholdValue": "0", - "representation": "red", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "LogSeverity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "greenRed" - } - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Critical" - }, - "name": 
"Critical severity model breaches" - } - ] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isNotEqualTo", - "value": "hidden" - }, - "name": "Drill down group for different severities" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total SaaS Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "customWidth": "50", - "name": "saas user graph / time ", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"IaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total IaaS Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - 
} - } - }, - "customWidth": "50", - "name": "iaas user graph / time", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 11" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcHostname=hostname_s\r\n| summarize Count=count() by SrcHostname\r\n| top 10 by Count\r\n| project SrcHostname, Count\r\n\r\n", - "size": 0, - "title": "Top 10 SaaS Users With Most Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "Activity", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "60ch" - } - } - ] - } - }, - "name": "most breached SaaS users" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ", - "size": 0, - "title": "Top 10 Highest Severity SaaS Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": 
"microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "yellowOrangeRed" - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "name": "Top 10 hitting SaaS devices" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\")) and compliance_b == true\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 0, - "title": "Total XaaS Compliance Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "compliance breaches over time" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - 
"parameterName": "tab", - "comparison": "isEqualTo", - "value": "cloud" - }, - "name": "Cloud group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s contains (\"Network\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename EventStartTime = breachTime_s\r\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename ThreatId=threatID_d\r\n| limit 100\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "/Network ", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "tileSettings": { - "titleContent": { - "columnMatch": "agnActivity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url" - } - }, - "subtitleContent": { - "columnMatch": "TimeGenerated", - "formatter": 6 - }, - "leftContent": { - "columnMatch": "Device" - }, - "secondaryContent": { - "columnMatch": "msgInfo", - "formatter": 1 - }, - "showBorder": true, - "sortCriteriaField": "TimeGenerated", - "sortOrderField": 2, - "size": "full" - } - }, - "name": "top level query " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s 
contains (\"SaaS\")\n| project-rename SrcIpAddr=SourceIP\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=breachUrl_s\n| project-rename ThreatRiskLevel=score_d\n| project-rename NetworkRuleName=modelName_s\n| project-rename DstIpAddr=destIP_s\n| project-rename DstHostname=destHost_s\n| project-rename EventStartTime = breachTime_s\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\n| project-rename ThreatId=threatID_d\n| limit 100\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\n| sort by TimeGenerated desc\n", - "size": 0, - "title": "/Apps", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 1" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "agn" - }, - "name": "agn group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "cd64e441-332e-4f47-8602-a25828ebc053", - "version": "KqlParameterItem/1.0", - "name": "aia_type", - "label": "AI Analyst Incident Types", - "type": 2, - "description": "Filter out the types of AI Analyst Incidents available.", - "isRequired": true, - "typeSettings": { - "additionalResourceOptions": [], - "showDefault": false - }, - "jsonData": "[\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": 
\"All\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName !contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"Network\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"SaaS\"}\n]", - "timeContext": { - "durationMs": 86400000 - }, - "value": "darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "{aia_type}", - "size": 0, - "title": "AI Analyst Incidents", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "DtCurrentGroup", - "exportParameterName": "SelectedAIAGroup", - "queryType": 0, - "resourceType": 
"microsoft.operationalinsights/workspaces" - }, - "name": "query - 7" - }, - { - "type": 1, - "content": { - "json": "_ Selecting an AI Analyst Incident in the table above will put its corresponding Events in focus below _", - "style": "info" - }, - "name": "text - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"AI Analyst\"\n| project-rename EventStartTime=startTime_s\n| project-rename EventEndTime = endTime_s\n| project-rename DtIncidentEventName=title_s\n| project-rename DtCurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace \n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=url_s\n| project-rename DtSummary=summary_s\n| project-rename DtGroupScore=groupScore_d\n| project-rename DtGroupCategory=groupCategory_s\n| project-rename SrcDeviceName=bestDeviceName_s\n| where DtCurrentGroup contains \"{SelectedAIAGroup}\"\n| limit 100\n| project TimeGenerated, DtIncidentEventName, ThreatCategory, ThreatRiskLevel, DtSummary, SrcDeviceName, SrcHostname, DtURL, DtCurrentGroup, DtGroupScore, DtGroupCategory, EventStartTime, EventEndTime\n| sort by TimeGenerated desc\n\n", - "size": 0, - "title": "Selected AI Analyst Incident Events", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table" - }, - "name": "query - 5" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total AI Analyst Incident Events", - "color": "lightBlue", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": 
"Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "showMetrics": false, - "ySettings": { - "numberFormatSettings": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": true, - "minimumFractionDigits": 0, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "incidents in group" - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| extend DtIncidentEventName = title_s\r\n| summarize event_count=count() by DtIncidentEventName\r\n| top 10 by event_count", - "size": 0, - "title": "Top 10 Most Frequent AI Analyst Incident Events", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "blue" - } - } - ], - "labelSettings": [ - { - "columnId": "event_count", - "label": "Count" - } - ] - } - }, - "name": "Top 10 Most Frequent Incidents" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "ai-analyst" - }, - "name": "ai- analyst group " - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock Link\")\n| 
extend Lock_All_Links=set_has_element(Actions, \"Lock All Links\")\n| extend Double_Lock_Link=set_has_element(Actions, \"Double Lock Link\")\n| extend Double_Lock_All_Links=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip Attachment\")\n| extend Strip_All_Attachments=set_has_element(Actions, \"Strip All Attachments\")\n| extend Convert_Attachment=set_has_element(Actions, \"Convert Attachment\")\n| extend Convert_All_Attachments=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Lock_All_Links=countif(Lock_All_Links == true), Double_Lock_Link=countif(Double_Lock_Link == true), Double_Lock_All_Links=countif(Double_Lock_All_Links == true), Convert_Attachment=countif(Convert_Attachment == true), Convert_All_Attachments=countif(Convert_All_Attachments == true), Strip_Attachment=countif(Strip_Attachment == true), Strip_All_Attachments=countif(Strip_All_Attachments == true), Unspoof=countif(Unspoof == true)", - "size": 0, - "title": "Total Actions Taken", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "categoricalbar", - "gridSettings": { - "sortBy": [ - { - "itemKey": "Hold_Email", - "sortOrder": 2 - } - ] - }, - "sortBy": [ - { - "itemKey": "Hold_Email", - "sortOrder": 2 - } - ], - "tileSettings": { - "showBorder": false - }, - "graphSettings": { - "type": 0 - }, - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Junk_Email", - "label": "Junk Email", - "color": "redBright" - }, - { - "seriesName": "Lock_Link", - "label": "Lock Link", - "color": "lightBlue" - }, - { - "seriesName": "Double_Lock_Link", - "label": "Double Lock 
Link", - "color": "green" - }, - { - "seriesName": "Strip_Attachment", - "label": "Strip Attachment", - "color": "purple" - }, - { - "seriesName": "Convert_Attachment", - "label": "Convert Attachment", - "color": "orange" - }, - { - "seriesName": "Unspoof", - "label": "Unspoof", - "color": "pink" - }, - { - "seriesName": "Hold_Email", - "label": "Hold Email", - "color": "redDark" - }, - { - "seriesName": "Lock_All_Links", - "label": "Lock All Links", - "color": "blueDark" - }, - { - "seriesName": "Double_Lock_All_Links", - "label": "Double Lock All Links", - "color": "greenDark" - }, - { - "seriesName": "Convert_All_Attachments", - "label": "Convert All Attachments", - "color": "orangeDark" - }, - { - "seriesName": "Strip_All_Attachments", - "label": "Strip All Attachments", - "color": "purpleDark" - } - ] - }, - "mapSettings": { - "locInfo": "LatLong", - "sizeSettings": "Hold_Email", - "sizeAggregation": "Sum", - "legendMetric": "Hold_Email", - "legendAggregation": "Sum", - "itemColorSettings": { - "type": "heatmap", - "colorAggregation": "Sum", - "nodeColorField": "Hold_Email", - "heatmapPalette": "greenRed" - } - } - }, - "name": "query - 0" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "ac642d55-be90-4144-8bc3-ce0cb7fcc161", - "version": "KqlParameterItem/1.0", - "name": "SearchRecipient", - "label": "Search Recipient", - "type": 1, - "description": "Filter for held emails", - "value": "", - "timeContext": { - "durationMs": 86400000 - } - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 3" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| where Hold_Email == true \n| extend Recipients=parse_json(recipients_s)\n| where 
Recipients contains \"{SearchRecipient}\"\n| project-rename ThreatRiskLevel=anomaly_score_d\n| project-rename AttachmentSHA1s=attachment_sha1s_s\n| project-rename Sender=from_s\n| project-rename Subject=subject_s\n| project-rename Tags=tags_s\n| project-rename TimestampUTC=timestamp_t\n| project-rename UUID=uuid_s\n| project-rename DarktraceLink=url_s\n| project-rename Direction=direction_s\n| project Subject, Sender, Recipients, ThreatRiskLevel, TimestampUTC, Direction, Tags, AttachmentSHA1s, DarktraceLink, UUID", - "size": 0, - "title": "Held Emails", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| where direction_s == \"inbound\"\n| project-rename Sender=from_s\n| summarize Count=count() by Sender\n| top 10 by Count", - "size": 0, - "title": "Top 10 Most Frequent External Senders ", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - } - ] - } - }, - "name": "query - 1" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "email" - }, - "name": "group - 7" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping \n| where dtProduct_s ==\"System Alert\"\n| extend EventVendor = \"Darktrace\"\n| extend EventProduct = \"Darktrace DETECT\"\n| project-rename 
NetworkRuleName=friendlyName_s\n| project-rename ThreatRiskLevel=priority_code_d\n| project-rename ThreatRiskCategory=priority_s\n| project-rename EventStartTime = time_s\n| project-rename SrcIpAddr=deviceIP_s\n| project-rename SrcHostname=hostname_s\n| project-rename DtStatus=status_s\n| project-rename DtURL=url_s\n| project-rename DtSeverity=Severity\n| project-rename DtName=name_s\n| project-rename DtMessage=Message\n| project EventVendor, EventProduct, NetworkRuleName, ThreatRiskLevel, ThreatRiskCategory, SrcIpAddr, SrcHostname, DtStatus, DtURL, DtName, DtMessage", - "size": 0, - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 0" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "status" - }, - "name": "group - 8" - } - ], - "fallbackResourceIds": [], - "fromTemplateId": "sentinel-Darktrace", - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file From 8497d4e1d5fdf08d5a1160d1d0381918f359abe8 Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Tue, 28 Oct 2025 10:18:04 +0000 Subject: [PATCH 5/5] replaced logo --- Logos/Darktrace.svg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Logos/Darktrace.svg b/Logos/Darktrace.svg index 3a31c96888b..c16b0646d8e 100644 --- a/Logos/Darktrace.svg +++ b/Logos/Darktrace.svg @@ -1 +1,3 @@ - \ No newline at end of file + + +