diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json
new file mode 100644
index 00000000000..9af7333f9eb
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json
@@ -0,0 +1,89 @@
+{
+ "Name": "DarktraceASM_CL",
+ "Properties": [
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "alertTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "alertTitle",
+ "type": "string"
+ },
+ {
+ "name": "alertType",
+ "type": "string"
+ },
+ {
+ "name": "assetId",
+ "type": "int"
+ },
+ {
+ "name": "assetName",
+ "type": "string"
+ },
+ {
+ "name": "assetUri",
+ "type": "string"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "endTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "previousRating",
+ "type": "string"
+ },
+ {
+ "name": "rating",
+ "type": "string"
+ },
+ {
+ "name": "riskId",
+ "type": "int"
+ },
+ {
+ "name": "riskUri",
+ "type": "string"
+ },
+ {
+ "name": "startTime",
+ "type": "datetime"
+ },
+ {
+ "name": "startTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "workbenchUri",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json
new file mode 100644
index 00000000000..3a2d8f1a926
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json
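Review bot: `endTime` is declared `string` while its pair `startTime` (and `alertTime`) is `datetime`, so a query that wants the risk window has to `todatetime(endTime)` itself and cope with the empty value the sample data carries (`"endTime": ""`). If the empty string is the reason for the `string` type, a one-line note in the connector docs would save consumers a guess; otherwise typing it `datetime` should ingest the empty value as null (worth confirming in the DCR) and keeps the two columns comparable. This file is also committed byte-for-byte as `Solutions/Darktrace/CustomTables/DarktraceASM_CL.json` (same blob index 9af7333f9eb), and the other five table schemas are duplicated the same way, so the two copies can drift silently unless one is generated from the other.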
@@ -0,0 +1,81 @@
+{
+ "Name": "DarktraceEMAIL_CL",
+ "Properties": [
+ {
+ "name": "actions",
+ "type": "dynamic"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "anomalyScore",
+ "type": "int"
+ },
+ {
+ "name": "attachmentNames",
+ "type": "dynamic"
+ },
+ {
+ "name": "attachmentSha1s",
+ "type": "dynamic"
+ },
+ {
+ "name": "attachmentSha256s",
+ "type": "dynamic"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "direction",
+ "type": "string"
+ },
+ {
+ "name": "from",
+ "type": "string"
+ },
+ {
+ "name": "linkHosts",
+ "type": "dynamic"
+ },
+ {
+ "name": "messageId",
+ "type": "string"
+ },
+ {
+ "name": "recipientActions",
+ "type": "dynamic"
+ },
+ {
+ "name": "recipients",
+ "type": "dynamic"
+ },
+ {
+ "name": "subject",
+ "type": "string"
+ },
+ {
+ "name": "tags",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json
new file mode 100644
index 00000000000..4ad6ec4dd39
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json
@@ -0,0 +1,121 @@
+{
+ "Name": "DarktraceIncidents_CL",
+ "Properties": [
+ {
+ "name": "activityId",
+ "type": "string"
+ },
+ {
+ "name": "aiaScore",
+ "type": "int"
+ },
+ {
+ "name": "bestAssetName",
+ "type": "string"
+ },
+ {
+ "name": "currentGroup",
+ "type": "string"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "deviceIdentifier",
+ "type": "string"
+ },
+ {
+ "name": "deviceMac",
+ "type": "string"
+ },
+ {
+ "name": "deviceSubnet",
+ "type": "string"
+ },
+ {
+ "name": "devices",
+ "type": "dynamic"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "externalId",
+ "type": "string"
+ },
+ {
+ "name": "groupByActivity",
+ "type": "boolean"
+ },
+ {
+ "name": "groupCategory",
+ "type": "string"
+ },
+ {
+ "name": "groupPreviousGroups",
+ "type": "dynamic"
+ },
+ {
+ "name": "groupScore",
+ "type": "int"
+ },
+ {
+ "name": "groupingId",
+ "type": "string"
+ },
+ {
+ "name": "incidentEventTime",
+ "type": "datetime"
+ },
+ {
+ "name": "incidentEventTitle",
+ "type": "string"
+ },
+ {
+ "name": "latitude",
+ "type": "real"
+ },
+ {
+ "name": "longitude",
+ "type": "real"
+ },
+ {
+ "name": "newEvent",
+ "type": "boolean"
+ },
+ {
+ "name": "severity",
+ "type": "int"
+ },
+ {
+ "name": "startTime",
+ "type": "string"
+ },
+ {
+ "name": "summary",
+ "type": "string"
+ },
+ {
+ "name": "summaryFirstSentence",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json
new file mode 100644
index 00000000000..05f2c759dc6
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json
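Review bot: `startTime` and `endTime` are `string` columns (the sample carries `"Jan 1st 2000 00:00:00 UTC"`, a format `todatetime()` is unlikely to parse) while `incidentEventTime` is `datetime`, so the analytic rule can only surface them as opaque custom details and no time-range filtering or duration arithmetic is possible on them. If the source format is fixed, consider normalising to ISO 8601 in the DCR transform and typing the columns `datetime`; if not, document the format beside the column so consumers do not try `todatetime()` and silently get null. `DarktraceResponseActions_CL` has the same shape in `deviceFirstSeen`, `deviceLastSeen`, `startTime` and `endTime`.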
@@ -0,0 +1,158 @@
+{
+ "Name": "DarktraceModelAlerts_CL",
+ "Properties": [
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "alertUrl",
+ "type": "string"
+ },
+ {
+ "name": "antigena",
+ "type": "boolean"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "cSensor",
+ "type": "boolean"
+ },
+ {
+ "name": "cSensorId",
+ "type": "string"
+ },
+ {
+ "name": "compliance",
+ "type": "boolean"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "destHost",
+ "type": "string"
+ },
+ {
+ "name": "destIp",
+ "type": "string"
+ },
+ {
+ "name": "destMac",
+ "type": "string"
+ },
+ {
+ "name": "destPort",
+ "type": "string"
+ },
+ {
+ "name": "details",
+ "type": "string"
+ },
+ {
+ "name": "deviceCredentials",
+ "type": "dynamic"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceId",
+ "type": "int"
+ },
+ {
+ "name": "deviceLabel",
+ "type": "string"
+ },
+ {
+ "name": "deviceSubnet",
+ "type": "string"
+ },
+ {
+ "name": "deviceType",
+ "type": "string"
+ },
+ {
+ "name": "latitude",
+ "type": "real"
+ },
+ {
+ "name": "longitude",
+ "type": "real"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "mitreTechniques",
+ "type": "dynamic"
+ },
+ {
+ "name": "modelName",
+ "type": "string"
+ },
+ {
+ "name": "modelTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "pid",
+ "type": "int"
+ },
+ {
+ "name": "score",
+ "type": "int"
+ },
+ {
+ "name": "sid",
+ "type": "int"
+ },
+ {
+ "name": "sourceHost",
+ "type": "string"
+ },
+ {
+ "name": "sourceIp",
+ "type": "string"
+ },
+ {
+ "name": "sourceMac",
+ "type": "string"
+ },
+ {
+ "name": "sourcePort",
+ "type": "string"
+ },
+ {
+ "name": "threatId",
+ "type": "int"
+ },
+ {
+ "name": "triggeredComponents",
+ "type": "string"
+ },
+ {
+ "name": "typeLabel",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json
new file mode 100644
index 00000000000..126b04bd7ec
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json
@@ -0,0 +1,106 @@
+{
+ "Name": "DarktraceResponseActions_CL",
+ "Properties": [
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "changedBy",
+ "type": "string"
+ },
+ {
+ "name": "codeId",
+ "type": "int"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceFirstSeen",
+ "type": "string"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "deviceLabel",
+ "type": "string"
+ },
+ {
+ "name": "deviceLastSeen",
+ "type": "string"
+ },
+ {
+ "name": "deviceMac",
+ "type": "string"
+ },
+ {
+ "name": "deviceName",
+ "type": "string"
+ },
+ {
+ "name": "deviceType",
+ "type": "string"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "inhibitor",
+ "type": "string"
+ },
+ {
+ "name": "model",
+ "type": "string"
+ },
+ {
+ "name": "reason",
+ "type": "string"
+ },
+ {
+ "name": "score",
+ "type": "int"
+ },
+ {
+ "name": "startTime",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "subnetId",
+ "type": "int"
+ },
+ {
+ "name": "subnetLabel",
+ "type": "string"
+ },
+ {
+ "name": "subnetNetwork",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ }
+
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json
new file mode 100644
index 00000000000..28c8a2b5179
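Review bot: `sourcePort` and `destPort` are typed `string` although the sample values (`"443"`, `"18000"`) are plain integers, so any port-range filter in a downstream rule needs `toint()` and a stray non-numeric value would turn into null there without notice. If the source can emit non-numeric ports that deserves a note next to the column; otherwise `int` is the more useful type and matches how `deviceId`, `pid` and `sid` are handled. There is also a stray blank `+` line before the closing `]` in this file and in `DarktraceResponseActions_CL.json`, which the other four schemas do not have.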
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json
@@ -0,0 +1,65 @@
+{
+ "Name": "DarktraceSystemStatusAlerts_CL",
+ "Properties": [
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceHostname",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "friendlyModelName",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "modelName",
+ "type": "string"
+ },
+ {
+ "name": "priority",
+ "type": "string"
+ },
+ {
+ "name": "priorityCode",
+ "type": "int"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "int"
+ },
+ {
+ "name": "statusName",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 5fad6a4f737..416b6ced8aa 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -76,6 +76,7 @@
 "DNS",
 "Darktrace",
 "DarktraceRESTConnector",
+ "DarktraceActiveAISecurityPlatform",
 "DataminrPulseAlerts",
 "Dataverse",
 "DigitalGuardianDLP",
diff --git a/Logos/Darktrace.svg b/Logos/Darktrace.svg
index 3a31c96888b..c16b0646d8e 100644
--- a/Logos/Darktrace.svg
+++ b/Logos/Darktrace.svg
@@ -1 +1,3 @@
-
\ No newline at end of file
+
+
+
diff --git a/Sample Data/DarktraceASM_CL.json b/Sample Data/DarktraceASM_CL.json
new file mode 100644
index 00000000000..0d67f427db3
--- /dev/null
+++ b/Sample Data/DarktraceASM_CL.json
@@ -0,0 +1,25 @@
+[
+ {
+ "action": "Update the software listed in this risk, by contacting your provider or hosting party. Also, take note that this information should not be publicly accessible, as this might help the hacker in their attack preparation.",
+ "alertTime": "2024-08-20 15:52:02",
+ "alertTimestamp": 1733410492,
+ "alertTitle": "Risk rating increased",
+ "alertType": "vulnerable-software",
+ "assetId": 177054,
+ "assetName": "SMTP Server london",
+ "assetUri": "https://instance.example.com/app/#/detail/overview/177054",
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace / Attack Surface Management",
+ "description": "The rating for vulnerable software Prototype/1.7.3 has increased from a rating B to a rating E",
+ "endTime": "",
+ "endTimestamp": 1733310492,
+ "previousRating": "B",
+ "rating": "E",
+ "riskId": 134244,
+ "riskUri": "https://instance.example.darktrace.com/app/#/detail/direct-risks/177054?risk_id=134244",
+ "startTime": "1970-01-21 01:28:30",
+ "startTimestamp": 1733310492,
+ "state": "Increased Risk Rating",
+ "workbenchUri": "https://instance.example.darktrace.com/app/#/workbench?id=100&name=allowed&query=id+in+(134244,+256638,+256043)"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceEMAIL_CL.json b/Sample Data/DarktraceEMAIL_CL.json
new file mode 100644
index 00000000000..aa071583f6e
--- /dev/null
+++ b/Sample Data/DarktraceEMAIL_CL.json
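Review bot: The sample's time fields contradict each other: `alertTime` says 2024-08-20 while `alertTimestamp` 1733410492 falls in December 2024, and `startTime` `"1970-01-21 01:28:30"` is exactly what you get when the epoch-seconds value in `startTimestamp` (1733310492) is read as milliseconds. Since this file is what exercises the `datetime` columns of `DarktraceASM_CL`, each pair should agree — e.g. (constructed) `"startTime": "2024-12-04T11:08:12Z"` alongside the existing `startTimestamp` — otherwise the sample cannot catch a seconds-vs-milliseconds mix-up in the real pipeline, and `endTime` being `""` next to a populated `endTimestamp` deserves a comment in the connector docs if that is how the product behaves.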
@@ -0,0 +1,39 @@
+[
+ {
+ "actions": [
+ "notify"
+ ],
+ "alertTime": "2024-08-20 15:52:02",
+ "anomalyScore": 0,
+ "attachmentNames": [
+ "image-1.jpg"
+ ],
+ "attachmentSha1s": [
+ "f0c31baa0193dde73dd3f96147ae99c7af84a025"
+ ],
+ "attachmentSha256s": [
+ "33b5bb0fb2234c39c8dc210d9bf27d6a32cb7c19d2c49cf91af8229f2a53c2ec"
+ ],
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace / EMAIL",
+ "direction": "inbound",
+ "from": "test@darktrace.com",
+ "linkHosts": [
+ "darktrace.com"
+ ],
+ "messageId": "5877f022-108f-4cf7-8ced-dcdf8d25770",
+ "recipientActions": [
+ "sanitized@sanitized.com: notify"
+ ],
+ "recipients": [
+ "sanitized@sanitized.com"
+ ],
+ "subject": "Test Darktrace / EMAIL Alert",
+ "tags": [
+ "Test Email"
+ ],
+ "timestamp": "2020-12-15T04:47:29.936",
+ "url": "https://sample-darktrace.com/emailuuid",
+ "uuid": "79D0DD80-5A5E-44E9-A917-7F8567C21877.1"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceIncidents_CL.json b/Sample Data/DarktraceIncidents_CL.json
new file mode 100644
index 00000000000..95482689b14
--- /dev/null
+++ b/Sample Data/DarktraceIncidents_CL.json
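Review bot: `sanitized@sanitized.com` in `recipients` and `recipientActions`, and `sample-darktrace.com` in `url`, are real-looking registrable domains that are presumably not under the vendor's control; sample data that ships with a solution should use the reserved documentation domains (`example.com`, `example.net`) so that nobody who loads it into a test workspace ends up with entities or links pointing at a third party. `"timestamp": "2020-12-15T04:47:29.936"` has no timezone designator while `alertTime` uses a different, also zone-less, format — if the DCR treats both as UTC, say so in the connector docs, since the two `datetime` columns will otherwise be read differently by different consumers. `messageId` `"5877f022-108f-4cf7-8ced-dcdf8d25770"` is one hex digit short of a UUID, which is harmless for a `string` column but worth fixing if it is meant to look like one.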
@@ -0,0 +1,45 @@
+[
+ {
+ "activityId": "00000000",
+ "aiaScore": 100,
+ "bestAssetName": "Test Device",
+ "currentGroup": "00000000-0000-0000-0000-000000000004",
+ "customLabel": "",
+ "darktraceProduct": "Darktrace Incidents",
+ "deviceHostname": "test-device.example.com",
+ "deviceIp": "0.1.2.3",
+ "deviceIdentifier": "Test Device",
+ "deviceMac": "00:11:22:33:44:55",
+ "deviceSubnet": "example",
+ "devices": [
+ {
+ "deviceDid": 5649,
+ "deviceHostname": "ip-0-0-0-0.eu-west-1.compute.internal",
+ "deviceIp": "0.0.0.0",
+ "deviceIdentifier": "ip-0-0-0-0.eu-west-1.compute.internal",
+ "deviceMac": "00:00:00:00:00:00",
+ "deviceSid": 111,
+ "deviceSubnet": "example"
+ }
+ ],
+ "endTime": "Jan 1st 2000 00:00:00 UTC",
+ "externalId": "00000000-0000-0000-0000-000000000006",
+ "groupByActivity": false,
+ "groupCategory": "compliance",
+ "groupPreviousGroups": [
+ "00000000-0000-0000-0000-000000000005"
+ ],
+ "groupScore": 100,
+ "groupingId": "00000000",
+ "incidentEventTime": "2024-08-20 15:52:02",
+ "incidentEventTitle": "Test AIA Alert",
+ "latitude": 4.598,
+ "longitude": -74.343,
+ "newEvent": false,
+ "severity": 10,
+ "startTime": "Jan 1st 2000 00:00:00 UTC",
+ "summary": "Test AIA alert used for testing alerting configuration.",
+ "summaryFirstSentence": "Test AIA alert used for testing alerting configuration.",
+ "url": ""
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceModelAlerts_CL.json b/Sample Data/DarktraceModelAlerts_CL.json
new file mode 100644
index 00000000000..604a75ee111
--- /dev/null
+++ b/Sample Data/DarktraceModelAlerts_CL.json
@@ -0,0 +1,60 @@
+[
+ {
+ "alertTime": "2024-08-20 15:52:02",
+ "alertUrl": "https://example.com/#modelbreach/18754",
+ "antigena": false,
+ "category": "Critical",
+ "cSensor": true,
+ "cSensorId": "5f016ddb-53c2-28d3-19b1-f434713e6a08",
+ "compliance": false,
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace Model Alerts",
+ "description": "No description is available for this model breach",
+ "destHost": "download.windowsupdate.com",
+ "destIp": "8.7.7.5",
+ "destMac": "00-B0-D0-63-C2-26",
+ "destPort": "443",
+ "details": "https://example.com/#modelbreach/18754",
+ "deviceCredentials": [
+ {
+ "cred": "example_cred",
+ "seen": "2024-08-20 15:52:02"
+ }
+ ],
+ "deviceHostname": "sample_host",
+ "deviceId": 3423,
+ "deviceLabel": "test-device.example.com",
+ "deviceSubnet": "Sample Subnet",
+ "deviceType": "Laptop",
+ "latitude": 4.598,
+ "longitude": -74.076,
+ "message": "FileTransfer::Exe file found with filetype. This is an example.",
+ "mitreTechniques": [
+ {
+ "tactics": [
+ "defense-evasion",
+ "lateral-movement"
+ ],
+ "technique": "Use Alternate Authentication Material",
+ "techniqueId": "T1550"
+ }
+ ],
+ "modelName": "Test Folder/Test Model",
+ "modelTags": [
+ "AP: C2 Comms",
+ "AP: Egress",
+ "OT Engineer"
+ ],
+ "pid": 665,
+ "score": 16,
+ "sid": -9,
+ "sourceHost": "my_host",
+ "sourceIp": "190.137.183.213",
+ "sourceMac": "00-B0-D0-63-C2-25",
+ "sourcePort": "18000",
+ "threatId": 18754,
+ "triggeredComponents": "SaaS Resource Viewed\nRare domain: 0\nRare hostname: 0\nBeaconing score: 0",
+ "typeLabel": "sample_label",
+ "uuid": "539464e9-df49-45e9-a8da-3beece6394e8"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceResponseActions_CL.json b/Sample Data/DarktraceResponseActions_CL.json
new file mode 100644
index 00000000000..65a5ec700bf
--- /dev/null
+++ b/Sample Data/DarktraceResponseActions_CL.json
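Review bot: `"sourceIp": "190.137.183.213"` and `"destIp": "8.7.7.5"` are routable public addresses and `"destHost": "download.windowsupdate.com"` is a real host; because `DarktraceModelAlert.yaml` maps exactly these columns to IP and Host entities, loading this sample creates Sentinel entities that point at infrastructure belonging to somebody else, and anyone who pivots on them from the incident UI will be investigating a third party. Use the RFC 5737 documentation ranges (`192.0.2.0/24`, `198.51.100.0/24`, `203.0.113.0/24`) and an `example.com` host, as the other samples already approximate with `0.1.2.3` and `test-device.example.com`. The `deviceCredentials` entry (`"cred": "example_cred"`) is also the only sample of a column the rule copies into alert custom details, so it is worth keeping it obviously synthetic.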
@@ -0,0 +1,29 @@
+[
+ {
+ "action": "CREATE",
+ "alertTime": "2024-08-20 15:52:02",
+ "changedBy": "darktrace",
+ "codeId": 9896,
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace Autonomous Response",
+ "deviceFirstSeen": "Jan 1st 2000 00:00:00 UTC",
+ "deviceHostname": "test-device.example.com",
+ "deviceIp": "0.1.2.3",
+ "deviceLabel": "testlabel",
+ "deviceLastSeen": "Jan 1st 2000 00:00:00 UTC",
+ "deviceMac": "00:11:22:33:44:55",
+ "deviceName": "testlabel",
+ "deviceType": "Desktop",
+ "endTime": "Jan 1st 2000 00:00:00 UTC",
+ "inhibitor": "Alert for for testing alerting configuration.",
+ "model": "Test Model",
+ "reason": "This is a test alert for testing alerting configuration.",
+ "score": 0,
+ "startTime": "Jan 1st 2000 00:00:00 UTC",
+ "state": "Created",
+ "subnetId": 0,
+ "subnetLabel": "testsubnetlabel",
+ "subnetNetwork": "testnetwork",
+ "url": "https://darktrace.com"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceSystemStatusAlerts.json b/Sample Data/DarktraceSystemStatusAlerts.json
new file mode 100644
index 00000000000..bb7ef6306dd
--- /dev/null
+++ b/Sample Data/DarktraceSystemStatusAlerts.json
@@ -0,0 +1,19 @@
+[
+ {
+ "alertTime": "2024-08-20 15:52:02",
+ "customLabel": "Sample Label",
+ "darktraceHostname": "darktrace.example.com",
+ "darktraceProduct": "Darktrace System Status Alerts",
+ "deviceIp": "0.1.2.3",
+ "friendlyModelName": "Test System Status Alert",
+ "message": "Test System Status alert used for testing alerting configuration.",
+ "modelName": "test-system-status-alert",
+ "priority": "high",
+ "priorityCode": 100,
+ "status": "Resolved",
+ "severity": 10,
+ "statusName": "Resolved: Test System Status Alert",
+ "url": "https://darktrace.com",
+ "uuid": "00000000-0000-0000-0000-000000000008"
+ }
+]
\ No newline at end of file
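Review bot: `"inhibitor": "Alert for for testing alerting configuration."` has a doubled word; this string is what anyone validating the connector sees in the ingested row, so `"Alert for testing alerting configuration."` reads cleanly and matches the wording of `reason` in the same record. The four `"Jan 1st 2000 00:00:00 UTC"` values are the only evidence of the vendor's time format for the `string`-typed time columns, so keeping them here is useful, but that dependency is worth a sentence in the connector docs.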
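Review bot: This sample is named `Sample Data/DarktraceSystemStatusAlerts.json`, while the other five new samples carry the `_CL` suffix of the table they exercise (`DarktraceASM_CL.json`, `DarktraceEMAIL_CL.json`, …) and the matching schema file is `DarktraceSystemStatusAlerts_CL.json`. If any validation or connector tooling pairs samples with tables by file name, this one will be skipped silently; renaming it to `DarktraceSystemStatusAlerts_CL.json` keeps the convention.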
diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
deleted file mode 100644
index 41eca0fb0a1..00000000000
--- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 -name: Darktrace Model Breach -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.' -severity: Medium -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # tactics pulled dynamically -relevantTechniques: -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="Policy Breach" - | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category - | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity - | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", - DtCategory == "Critical", "High", - "Informational") -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: Host - fieldMappings: - - identifier: HostName - 
columnName: DstHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr - - entityType: IP - fieldMappings: - - identifier: Address - columnName: DstIpAddr -customDetails: - SrcMacAddr: SrcMacAddr - EventSeverity: EventSeverity - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - NetworkRuleNumber: NetworkRuleNumber - ThreatId: ThreatId - DtSentinelCategory: DtSentinelCategory - SrcPortNumber: SrcPortNumber - DstPortNumber: DstPortNumber - DstMacAddr: DstMacAddr - DtCompliance: DtCompliance - DtDescription: DtDescription - DtCategory: DtCategory - DtDeviceID: DtDeviceID -# These are described here - this is why we're leaving tactics and techniques above empty -alertDetailsOverride: - # model breach name here - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' # Up to 256 chars and 3 placeholders - alertDescriptionFormat: '{{DtMessage}}' # Up to 5000 chars and 3 placeholders - # MITRE tactic - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtBreachURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT \ No newline at end of file diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml deleted file mode 100644 index 06838e6e76e..00000000000 --- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: 2e629769-60eb-4a14-8bfc-bde9be66ebeb -name: Darktrace System Status -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.' -severity: Informational -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # none -relevantTechniques: # none -query: | - darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping - | where dtProduct_s =="System Alert" - | extend EventVendor="Darktrace", EventProduct="Darktrace DETECT" - | project-rename ThreatCategory=dtProduct_s, EventStartTime=time_s, NetworkRuleName=friendlyName_s, SrcIpAddr=deviceIP_s, SrcHostname=hostname_s, ThreatRiskLevel=priority_code_d, ThreatRiskCategory=priority_s, DtSeverity=Severity, DtName=name_s, DtStatus=status_s, DtMessage=Message, DtURL=url_s, DtUUID=uuid_g -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - ThreatRiskLevel: ThreatRiskLevel - ThreatRiskCategory: ThreatRiskCategory - DtName: DtName - DtStatus: DtStatus - DtMessage: DtMessage - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtMessage}}' - alertTacticsColumnName: # none - alertSeverityColumnName: # none - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory -version: 1.1.0 -kind: Scheduled 
diff --git a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml b/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
deleted file mode 100644
index d449cf51b1f..00000000000
--- a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
+++ /dev/null
@@ -1,67 +0,0 @@ -id: ffa2977f-3077-4bba-b1bf-f3417699cbb0 -name: Darktrace AI Analyst -description: | - 'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.' -severity: High -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: [] # no tactics are ingested for AIA events at the moment -relevantTechniques: [] -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="AI Analyst" - | project-rename EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d - | extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory - | extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low", - DtGroupCategory == "suspicious", "Medium", - "High") //compliance -> low, suspcious -> medium, critical -> high -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - EventEndTime: EventEndTime - NetworkRuleName: NetworkRuleName - DtCurrentGroup: DtCurrentGroup - ThreatRiskLevel: 
ThreatRiskLevel - DtSummary: DtSummary - DtGroupScore: DtGroupScore - DtGroupCategory: DtGroupCategory - DtSentinelCategory: DtSentinelCategory - DtSrcDeviceName: DtSrcDeviceName - DtNewEvent: DtNewEvent - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtSummary}}' - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT - - diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml new file mode 100644 index 00000000000..7172d57f4fa --- /dev/null +++ b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml 
@@ -0,0 +1,56 @@
+id: 05DE0EAF-01BC-4615-99FC-2EC769864B34
+name: Darktrace Incident Event
+kind: NRT
+description: Creates a Sentinel Incident from a Darktrace Incident Event.
+severity: High
+requiredDataConnectors:
+ - connectorId: DarktraceActiveAISecurityPlatform
+ dataTypes:
+ - DarktraceIncidents_CL
+tactics: []
+relevantTechniques: []
+query: |
+ DarktraceIncidents_CL
+ | extend SentinelSeverity = case(groupCategory == "suspicious", "Medium",
+ groupCategory == "critical", "High", "Informational")
+ | extend ProviderName = "Darktrace"
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: deviceIp
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: deviceHostname
+customDetails:
+ Asset: bestAssetName
+ IncidentEventScore: aiaScore
+ IncidentScore: groupScore
+ CurrentGroup: currentGroup
+ PreviousGroups: groupPreviousGroups
+ StartTime: startTime
+ EndTime: endTime
+ CustomLabel: customLabel
+ AssetDetails: devices
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Darktrace Incident Event: {{incidentEventTitle}} '
+ alertDescriptionFormat: '{{summary}}'
+ alertSeverityColumnName: SentinelSeverity
+ alertDynamicProperties:
+ - alertProperty: AlertLink
+ value: url
+ - alertProperty: ProductName
+ value: darktraceProduct
+ - alertProperty: ProviderName
+ value: ProviderName
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: PT5M
+ matchingMethod: AllEntities
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
new file mode 100644
index 00000000000..296f2eada06
--- /dev/null
+++ b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
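Review bot: The severity mapping `case(groupCategory == "suspicious", "Medium", groupCategory == "critical", "High", "Informational")` uses the case-sensitive `==`, and its fallback means every value other than those two literals — `compliance`, a category the product adds later, or the same word in a different casing — is surfaced as Informational, the lowest severity, with nothing to show that the mapping missed. Comparing with `=~`, giving `compliance` its own branch (the rule this replaces mapped it to Low), and choosing a fallback that does not read as "benign" would make an unmapped category visible instead of quietly downgraded. Minor: `alertDisplayNameFormat: 'Darktrace Incident Event: {{incidentEventTitle}} '` carries a trailing space inside the quotes, as does the display name in `DarktraceModelAlert.yaml`.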
@@ -0,0 +1,69 @@ +id: 9392A06F-63A4-4A5D-8CA3-647064B13C28 +name: Darktrace Model Alert +kind: NRT +description: | + Creates a Sentinel Alert from a Darktrace Model Alert. You will need to edit + this Analytic Rule if you would like it to create Sentinel Incidents. +severity: High +requiredDataConnectors: + - connectorId: DarktraceActiveAISecurityPlatform + dataTypes: + - DarktraceModelAlerts_CL +tactics: [] +relevantTechniques: [] +query: | + DarktraceModelAlerts_CL + | extend SentinelSeverity = case(category == "Informational", "Low", + category == "Suspicious", "Medium", "High") + | extend ProviderName = "Darktrace" + | mv-apply item = mitreTechniques on ( + extend techniqueId = tostring(item.techniqueId) + | summarize techniqueIdArray = make_list(techniqueId, 5) + ) +eventGroupingSettings: + aggregationKind: AlertPerResult +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: sourceIp + - entityType: IP + fieldMappings: + - identifier: Address + columnName: destIp + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: destHost + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: sourceHost +customDetails: + DeviceHostname: deviceHostname + DeviceCredentials: deviceCredentials + Compliance: compliance + Score: score + CustomLabel: customLabel + Category: category +alertDetailsOverride: + alertDisplayNameFormat: 'Darktrace Model Alert: {{modelName}} ' + alertDescriptionFormat: '{{message}}' + alertSeverityColumnName: SentinelSeverity + alertDynamicProperties: + - alertProperty: AlertLink + value: alertUrl + - alertProperty: ProductName + value: darktraceProduct + - alertProperty: ProviderName + value: ProviderName + - alertProperty: Techniques + value: techniqueIdArray +incidentConfiguration: + createIncident: false + groupingConfiguration: + enabled: false + reopenClosedIncident: false + lookbackDuration: PT5H + matchingMethod: AllEntities +version: 1.0.0 \ No newline at end of 
file diff --git a/Solutions/Darktrace/CustomTables/DarktraceASM_CL.json b/Solutions/Darktrace/CustomTables/DarktraceASM_CL.json new file mode 100644 index 00000000000..9af7333f9eb --- /dev/null +++ b/Solutions/Darktrace/CustomTables/DarktraceASM_CL.json @@ -0,0 +1,89 @@ +{ + "Name": "DarktraceASM_CL", + "Properties": [ + { + "name": "action", + "type": "string" + }, + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "alertTimestamp", + "type": "int" + }, + { + "name": "alertTitle", + "type": "string" + }, + { + "name": "alertType", + "type": "string" + }, + { + "name": "assetId", + "type": "int" + }, + { + "name": "assetName", + "type": "string" + }, + { + "name": "assetUri", + "type": "string" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "endTime", + "type": "string" + }, + { + "name": "endTimestamp", + "type": "int" + }, + { + "name": "previousRating", + "type": "string" + }, + { + "name": "rating", + "type": "string" + }, + { + "name": "riskId", + "type": "int" + }, + { + "name": "riskUri", + "type": "string" + }, + { + "name": "startTime", + "type": "datetime" + }, + { + "name": "startTimestamp", + "type": "int" + }, + { + "name": "state", + "type": "string" + }, + { + "name": "workbenchUri", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/Solutions/Darktrace/CustomTables/DarktraceEMAIL_CL.json b/Solutions/Darktrace/CustomTables/DarktraceEMAIL_CL.json new file mode 100644 index 00000000000..3a2d8f1a926 --- /dev/null +++ b/Solutions/Darktrace/CustomTables/DarktraceEMAIL_CL.json 
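Review bot: The `mv-apply item = mitreTechniques on (...)` step expands `mitreTechniques` to build `techniqueIdArray`, and for a model alert whose array is empty or null the expansion produces no rows for the subquery; as far as I can tell such records are then dropped from the result, which would mean alerts without a MITRE mapping never reach Sentinel. Verify with a record whose `mitreTechniques` is `[]`, and if it is dropped, handle those rows separately (for example `union` the rows with `array_length(mitreTechniques) == 0` after `| extend techniqueIdArray = dynamic([])`). `make_list(techniqueId, 5)` also silently caps the Techniques alert property at five entries, which deserves a comment in the query. The `case()` default sends every category other than Informational/Suspicious, including empty values and compliance alerts, to `"High"`; spelling out `category == "Critical", "High"` with an explicit fallback would make that choice visible.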
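Review bot: `alertTimestamp`, `startTimestamp` and `endTimestamp` are declared `int`, which in Log Analytics is a 32-bit signed integer; if Darktrace sends epoch milliseconds these values exceed that range and the columns should be `long`. `endTime` is typed `string` while `startTime` and `alertTime` are `datetime`, so time-range queries need a `todatetime()` on one side; the same string/datetime split appears in DarktraceIncidents_CL (`startTime`, `endTime`) and DarktraceResponseActions_CL (`deviceFirstSeen`, `deviceLastSeen`, `startTime`, `endTime`). None of the six table definitions declare `TimeGenerated`, which the connector template's `lastDataReceivedQuery` and the workbook queries rely on; if the KQL validation harness does not inject it, add `{ "name": "TimeGenerated", "type": "datetime" }` to each.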
@@ -0,0 +1,81 @@ +{ + "Name": "DarktraceEMAIL_CL", + "Properties": [ + { + "name": "actions", + "type": "dynamic" + }, + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "anomalyScore", + "type": "int" + }, + { + "name": "attachmentNames", + "type": "dynamic" + }, + { + "name": "attachmentSha1s", + "type": "dynamic" + }, + { + "name": "attachmentSha256s", + "type": "dynamic" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "direction", + "type": "string" + }, + { + "name": "from", + "type": "string" + }, + { + "name": "linkHosts", + "type": "dynamic" + }, + { + "name": "messageId", + "type": "string" + }, + { + "name": "recipientActions", + "type": "dynamic" + }, + { + "name": "recipients", + "type": "dynamic" + }, + { + "name": "subject", + "type": "string" + }, + { + "name": "tags", + "type": "dynamic" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "uuid", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/Solutions/Darktrace/CustomTables/DarktraceIncidents_CL.json b/Solutions/Darktrace/CustomTables/DarktraceIncidents_CL.json new file mode 100644 index 00000000000..4ad6ec4dd39 --- /dev/null +++ b/Solutions/Darktrace/CustomTables/DarktraceIncidents_CL.json 
@@ -0,0 +1,121 @@ +{ + "Name": "DarktraceIncidents_CL", + "Properties": [ + { + "name": "activityId", + "type": "string" + }, + { + "name": "aiaScore", + "type": "int" + }, + { + "name": "bestAssetName", + "type": "string" + }, + { + "name": "currentGroup", + "type": "string" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "deviceHostname", + "type": "string" + }, + { + "name": "deviceIp", + "type": "string" + }, + { + "name": "deviceIdentifier", + "type": "string" + }, + { + "name": "deviceMac", + "type": "string" + }, + { + "name": "deviceSubnet", + "type": "string" + }, + { + "name": "devices", + "type": "dynamic" + }, + { + "name": "endTime", + "type": "string" + }, + { + "name": "externalId", + "type": "string" + }, + { + "name": "groupByActivity", + "type": "boolean" + }, + { + "name": "groupCategory", + "type": "string" + }, + { + "name": "groupPreviousGroups", + "type": "dynamic" + }, + { + "name": "groupScore", + "type": "int" + }, + { + "name": "groupingId", + "type": "string" + }, + { + "name": "incidentEventTime", + "type": "datetime" + }, + { + "name": "incidentEventTitle", + "type": "string" + }, + { + "name": "latitude", + "type": "real" + }, + { + "name": "longitude", + "type": "real" + }, + { + "name": "newEvent", + "type": "boolean" + }, + { + "name": "severity", + "type": "int" + }, + { + "name": "startTime", + "type": "string" + }, + { + "name": "summary", + "type": "string" + }, + { + "name": "summaryFirstSentence", + "type": "string" + }, + { + "name": "url", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/Solutions/Darktrace/CustomTables/DarktraceModelAlerts_CL.json b/Solutions/Darktrace/CustomTables/DarktraceModelAlerts_CL.json new file mode 100644 index 00000000000..05f2c759dc6 --- /dev/null +++ b/Solutions/Darktrace/CustomTables/DarktraceModelAlerts_CL.json 
@@ -0,0 +1,158 @@ +{ + "Name": "DarktraceModelAlerts_CL", + "Properties": [ + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "alertUrl", + "type": "string" + }, + { + "name": "antigena", + "type": "boolean" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cSensor", + "type": "boolean" + }, + { + "name": "cSensorId", + "type": "string" + }, + { + "name": "compliance", + "type": "boolean" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "destHost", + "type": "string" + }, + { + "name": "destIp", + "type": "string" + }, + { + "name": "destMac", + "type": "string" + }, + { + "name": "destPort", + "type": "string" + }, + { + "name": "details", + "type": "string" + }, + { + "name": "deviceCredentials", + "type": "dynamic" + }, + { + "name": "deviceHostname", + "type": "string" + }, + { + "name": "deviceId", + "type": "int" + }, + { + "name": "deviceLabel", + "type": "string" + }, + { + "name": "deviceSubnet", + "type": "string" + }, + { + "name": "deviceType", + "type": "string" + }, + { + "name": "latitude", + "type": "real" + }, + { + "name": "longitude", + "type": "real" + }, + { + "name": "message", + "type": "string" + }, + { + "name": "mitreTechniques", + "type": "dynamic" + }, + { + "name": "modelName", + "type": "string" + }, + { + "name": "modelTags", + "type": "dynamic" + }, + { + "name": "pid", + "type": "int" + }, + { + "name": "score", + "type": "int" + }, + { + "name": "sid", + "type": "int" + }, + { + "name": "sourceHost", + "type": "string" + }, + { + "name": "sourceIp", + "type": "string" + }, + { + "name": "sourceMac", + "type": "string" + }, + { + "name": "sourcePort", + "type": "string" + }, + { + "name": "threatId", + "type": "int" + }, + { + "name": "triggeredComponents", + "type": "string" + }, + { + "name": "typeLabel", + "type": "string" + }, + { + "name": "uuid", + "type": 
"string" + } + + ] +} \ No newline at end of file diff --git a/Solutions/Darktrace/CustomTables/DarktraceResponseActions_CL.json b/Solutions/Darktrace/CustomTables/DarktraceResponseActions_CL.json new file mode 100644 index 00000000000..126b04bd7ec --- /dev/null +++ b/Solutions/Darktrace/CustomTables/DarktraceResponseActions_CL.json @@ -0,0 +1,106 @@ +{ + "Name": "DarktraceResponseActions_CL", + "Properties": [ + { + "name": "action", + "type": "string" + }, + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "changedBy", + "type": "string" + }, + { + "name": "codeId", + "type": "int" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "deviceFirstSeen", + "type": "string" + }, + { + "name": "deviceHostname", + "type": "string" + }, + { + "name": "deviceIp", + "type": "string" + }, + { + "name": "deviceLabel", + "type": "string" + }, + { + "name": "deviceLastSeen", + "type": "string" + }, + { + "name": "deviceMac", + "type": "string" + }, + { + "name": "deviceName", + "type": "string" + }, + { + "name": "deviceType", + "type": "string" + }, + { + "name": "endTime", + "type": "string" + }, + { + "name": "inhibitor", + "type": "string" + }, + { + "name": "model", + "type": "string" + }, + { + "name": "reason", + "type": "string" + }, + { + "name": "score", + "type": "int" + }, + { + "name": "startTime", + "type": "string" + }, + { + "name": "state", + "type": "string" + }, + { + "name": "subnetId", + "type": "int" + }, + { + "name": "subnetLabel", + "type": "string" + }, + { + "name": "subnetNetwork", + "type": "string" + }, + { + "name": "url", + "type": "string" + } + + ] +} \ No newline at end of file diff --git a/Solutions/Darktrace/CustomTables/DarktraceSystemStatusAlerts_CL.json b/Solutions/Darktrace/CustomTables/DarktraceSystemStatusAlerts_CL.json new file mode 100644 index 00000000000..28c8a2b5179 --- /dev/null 
+++ b/Solutions/Darktrace/CustomTables/DarktraceSystemStatusAlerts_CL.json @@ -0,0 +1,65 @@ +{ + "Name": "DarktraceSystemStatusAlerts_CL", + "Properties": [ + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceHostname", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "deviceIp", + "type": "string" + }, + { + "name": "friendlyModelName", + "type": "string" + }, + { + "name": "message", + "type": "string" + }, + { + "name": "modelName", + "type": "string" + }, + { + "name": "priority", + "type": "string" + }, + { + "name": "priorityCode", + "type": "int" + }, + { + "name": "status", + "type": "string" + }, + { + "name": "severity", + "type": "int" + }, + { + "name": "statusName", + "type": "string" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "uuid", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json new file mode 100644 index 00000000000..5c0049cf7d0 --- /dev/null +++ b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json 
@@ -0,0 +1,133 @@ +{ + "id": "DarktraceActiveAISecurityPlatform", + "title": "Darktrace Active AI Security Platform", + "publisher": "Darktrace", + "descriptionMarkdown": "Th Darktrace Active AI Security Platform data connector is used to push real-time events from Darktrace to Microsoft Sentinel. The following data can be sent from Darktrace by using this data connector: Darktrace Incidents, Darktrace Model Alerts, Darktrace / EMAIL logs, Darktrace Response Actions, Darktrace / ASM logs, and Darktrace System Status Alerts.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "All Darktrace Alerts", + "baseQuery": "union DarktraceModelAlerts_CL, DarktraceIncidents_CL, DarktraceASM_CL, DarktraceEMAIL_CL, DarktraceResponseActions_CL, DarktraceSystemStatusAlerts_CL" + } + ], + "sampleQueries": [ + { + "description" : "Last 10 Model Alerts", + "query": "DarktraceModelAlerts_CL\n | take 10" + } + ], + "dataTypes": [ + { + "name": "DarktraceASM_CL", + "lastDataReceivedQuery": "DarktraceASM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "DarktraceEMAIL_CL", + "lastDataReceivedQuery": "DarktraceEMAIL_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "DarktraceIncidents_CL", + "lastDataReceivedQuery": "DarktraceIncidents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "DarktraceModelAlerts_CL", + "lastDataReceivedQuery": "DarktraceModelAlerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "DarktraceResponseActions_CL", + "lastDataReceivedQuery": "DarktraceResponseActions_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + }, + { + "name": "DarktraceSystemStatusAlerts_CL", + "lastDataReceivedQuery": "DarktraceSystemStatusAlerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": 
"IsConnectedQuery", + "value": [ + "union DarktraceModelAlerts_CL, DarktraceIncidents_CL, DarktraceASM_CL, DarktraceEMAIL_CL, DarktraceResponseActions_CL, DarktraceSystemStatusAlerts_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "name": "Darktrace Prerequisites", + "description": "To use this Data Connector a Darktrace master running v7.1+ is required.\n Data is sent to Azure Monitor Logs with [Logs ingesiton API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal) over HTTPs from Darktrace masters, therefore outbound connectivity from the Darktrace master to Microsoft is required." + }, + { + "name": "Filter Darktrace Data", + "description": "During configuration it is possible to set up additional filtering on the Darktrace System Configuration page to constrain the amount or types of data sent." + }, + { + "name": "Entra App", + "description": "An Entra app needs to be registered to authenticate against the Log Ingestion API. 
See [the Log ingestion tutorial to learn more about Entra App creation, registration and credential configuration.](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": "This Data Connector uses the Microsoft Log Ingestion API to push Darktrace alerts into Microsoft Sentinel." + }, + { + "title": "", + "description": "Detailed setup instructions can be found on the Darktrace Customer Portal.\n", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceName" + ], + "label": "Workspace Name" + }, + "type": "CopyableLabel" + } + ] + } + ], + "metadata": { + "id": "E8134523-075A-4269-8D92-3CC0688E7C40", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "Darktrace" + }, + "author": { + "name": "Darktrace" + }, + "support": { + "tier": "developer", + "name": "Darktrace", + "link":"customerportal.darktrace.com" + } + } +} \ No newline at end of file diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json index bd8197527f7..5a9b938ac9b 100644 --- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json +++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json 
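Review bot: The `permissions.resourceProvider` block still requires the `Microsoft.OperationalInsights/workspaces/sharedKeys` action (and `delete: true` on the workspace) even though the `customs` entries say ingestion goes through the Log Ingestion API with an Entra app; a shared-key read right is not needed for that path and declaring it asks operators to hold a broader permission than the connector uses, so drop the `sharedKeys` entry and keep the workspace permissions to what the template actually exercises. The `descriptionMarkdown` has a typo (`Th Darktrace` → `The Darktrace`), the prerequisites text has `ingesiton` → `ingestion` and `HTTPs` → `HTTPS`, and `"link": "customerportal.darktrace.com"` lacks a scheme (`https://customerportal.darktrace.com`). The instruction steps surface only `WorkspaceName`, while the appliance side needs the DCE endpoint, DCR immutable id and the app credentials; if those are documented solely on the customer portal, say so in the step text.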
@@ -4,18 +4,18 @@
 "Logo": "",
 "Description": "The [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/",
 "Workbooks": [
- "Workbooks/DarktraceWorkbook.json"
+ "Workbooks/DarktraceActiveAISecurityPlatform.json"
 ],
 "Analytic Rules": [
- "Analytic Rules/CreateAlertFromModelBreach.yaml",
- "Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml",
- "Analytic Rules/CreateAlertFromSystemStatus.yaml"
+ "Analytic Rules/DarktraceIncidentEvent.yaml",
+ "Analytic Rules/DarktraceModelAlert.yaml"
 ],
 "Data Connectors": [
- "Data Connectors/DarktraceConnectorRESTAPI.json"
+ "Data Connectors/DarktraceConnectorRESTAPI.json",
+ "Data Connectors/DarktraceActiveAISecurityPlatform_Template.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Darktrace",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Darktrace/Package/createUiDefinition.json b/Solutions/Darktrace/Package/createUiDefinition.json
index a72e331d8e3..06524ffa580 100644
--- a/Solutions/Darktrace/Package/createUiDefinition.json
+++ b/Solutions/Darktrace/Package/createUiDefinition.json 
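Review bot: The unchanged `Description` context line still names the `Microsoft Sentinel Data Collector API` (the `connect-rest-api-template` link) as the underlying technology, while the createUiDefinition text in this same commit is moved to the Log Ingestion API; since the package files are regenerated from this data file, the dependency line should be updated here as well, e.g. `a. [Microsoft Sentinel Log Ingestion API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)`. The 3.0.0 package keeps both `DarktraceConnectorRESTAPI.json` and the new `DarktraceActiveAISecurityPlatform_Template.json`, so the legacy shared-key connector remains installable alongside the Entra-app one; if that is deliberate for migration, a note in the description saying which one new deployments should use would help.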
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. 
\n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Log Ingestion API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -60,7 +60,7 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "The Darktrace REST API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Antigena Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Sentinel from Darktrace appliances." + "text": "The Darktrace Log Ingestion API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log tables named accordingly; Model Breaches, AI Analyst Incidents, System Alerts, Response Actions, Attack Surface Management alerts and Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Sentinel from Darktrace appliances." } }, { 
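Review bot: The new `description` still ends with `**Analytic Rules:** 3`, but this commit ships two rules (the Solution data file lists `DarktraceIncidentEvent.yaml` and `DarktraceModelAlert.yaml`, and the `analytic3` section is deleted further down this file), so the count shown in the marketplace UI is wrong; it should read `**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 2` (or `**Data Connectors:** 2` if both connector templates are meant to be listed). This string is normally regenerated by the packaging tool from `Data/Solution_*.json`, so the fix belongs there rather than only here.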
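Review bot: The rewritten `dataconnectors1-text` reads `writes logs to a custom log tables named accordingly`, which is ungrammatical and no longer tells the user what the tables are called, and it still says `Model Breaches` while the rest of this change renames them to Model Alerts. Suggested wording: `The connector writes to one custom log table per data type (for example DarktraceModelAlerts_CL and DarktraceIncidents_CL); Model Alerts, Incidents, System Status Alerts, Response Actions, Attack Surface Management alerts and Email alerts can be ingested`.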
@@ -88,7 +88,7 @@
 "name": "workbooks-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ "text": "This solution installs the workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
 }
 },
 {
@@ -110,7 +110,7 @@
 "name": "workbook1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email."
+ "text": "The Darktrace Workbook visualises alert data received by the Darktrace Log Ingestion API and visualises events across the network, SaaS, IaaS and Email."
 }
 }
 ]
@@ -146,13 +146,13 @@
 {
 "name": "analytic1",
 "type": "Microsoft.Common.Section",
- "label": "Darktrace Model Breach",
+ "label": "Darktrace Model Alert",
 "elements": [
 {
 "name": "analytic1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes."
+ "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Alerts, fetched every 5 minutes."
 }
 }
 ]
@@ -170,20 +170,6 @@
 }
 }
 ]
- },
- {
- "name": "analytic3",
- "type": "Microsoft.Common.Section",
- "label": "Darktrace System Status",
- "elements": [
- {
- "name": "analytic3-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes."
- }
- }
- ]
 }
 ]
 }
diff --git a/Solutions/Darktrace/Package/mainTemplate.json b/Solutions/Darktrace/Package/mainTemplate.json
index 6dd9aea205c..5657c6e75b7 100644 
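Review bot: The `analytic1-text` line in the `@@ -146` hunk still says the rule fetches `every 5 minutes`, but `DarktraceModelAlert.yaml` added in this commit is `kind: NRT`, which runs near-real-time rather than on a five-minute schedule; suggested text: `This rule creates Microsoft Sentinel Alerts in near-real-time from Darktrace Model Alerts.` The same stale phrase presumably sits in the untouched `analytic2` section, which is outside this hunk. In the `@@ -110` hunk, `visualises alert data ... and visualises events` repeats the verb; `The Darktrace Workbook visualises alert data received through the Darktrace Log Ingestion API connector across the network, SaaS, IaaS and Email.` reads cleaner.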
--- a/Solutions/Darktrace/Package/mainTemplate.json
+++ b/Solutions/Darktrace/Package/mainTemplate.json
@@ -1072,7 +1072,63 @@
 }
 },
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "apiVersion": "2021-09-01-preview",
+ "name": "darktrace-log-ingestion-dce",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkAccess": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2021-09-01-preview",
+ "name": "darktrace-log-ingestion-dcr",
+ "location": "[parameters('location')]",
+ "properties": {
+ "dataFlows": [
+ {
+ "streams": [ "Custom-Darktrace" ],
+ "destinations": [ "la-destination" ]
+ }
+ ],
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
+ "name": "la-destination"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2018-11-30",
+ "name": "darktrace-log-ingestion-app",
+ "location": "[parameters('location')]"
+ }
 ],
- "outputs": {}
+ "outputs": {
+ "dceUrl": {
+ "type": "string",
+ "value": "[reference('darktrace-log-ingestion-dce').properties.logsIngestion.endpoint]"
+ },
+ "dcrId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-log-ingestion-dcr')]"
+ },
+ "clientId": {
+ "type": "string",
+ "value": "[reference('darktrace-log-ingestion-app').clientId]"
+ },
+ "clientSecret": {
+ "type": "string",
+ "value": "Generated via Key Vault or manual step"
+ }
+ }
 } 
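Review bot: The `dceUrl` output uses `reference('darktrace-log-ingestion-dce').properties.logsIngestion.endpoint`, but `reference()` without `'Full'` already returns the resource's properties object (which the `clientId` output correctly assumes), so this should be `"value": "[reference('darktrace-log-ingestion-dce').logsIngestion.endpoint]"`; in the same way the DCR's `workspaceResourceId` reads `parameters('workspaceName')` while the context line at the top of the hunk uses `parameters('workspace')`, the parameter Sentinel solution templates define, so one of the two is undefined. The `clientSecret` output is a placeholder literal, and because ARM outputs are persisted in plain text in the deployment history no real secret should ever be emitted there; moreover a user-assigned managed identity has no client secret and cannot authenticate from an appliance outside Azure, whereas the connector template in this commit says an Entra app registration is required, so drop the `clientSecret` output and document the app registration instead. As written the DCR declares no `streamDeclarations` for `Custom-Darktrace` and no `outputStream` routing to the six `_CL` tables, and nothing grants the identity the Monitoring Metrics Publisher role on the DCR, so I doubt these resources alone accept ingestion; verify a deployment end to end. mainTemplate.json is normally regenerated by the solution packaging tool from `Data/Solution_*.json`, so hand-added resources here risk being overwritten on the next package build.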
diff --git a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json b/Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatform.json similarity index 64% rename from Solutions/Darktrace/Workbooks/DarktraceWorkbook.json rename to Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatform.json index 3def177f1ac..5f1dae92031 100644 --- a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json +++ b/Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatform.json @@ -11,7 +11,7 @@ "id": "a4b35478-499a-4fcc-8424-63abbb698bfa", "cellValue": "tab", "linkTarget": "parameter", - "linkLabel": "AI Analyst", + "linkLabel": "Incidents", "subTarget": "ai-analyst", "style": "link" }, @@ -19,31 +19,31 @@ "id": "45805ae8-29d7-4774-a10a-8d60af407bbf", "cellValue": "tab", "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Network ", + "linkLabel": "NETWORK/CLOUD/OT/ENDPOINT ", "subTarget": "overview", "style": "link" }, { - "id": "7a64cd79-3a09-4046-8d6f-ba24fc2bab6c", + "id": "0dc4ab10-226f-422f-a7bb-9e905f96fb6c", "cellValue": "tab", "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Apps", - "subTarget": "cloud", + "linkLabel": "EMAIL", + "subTarget": "email", "style": "link" }, { - "id": "0dc4ab10-226f-422f-a7bb-9e905f96fb6c", + "id": "7a64cd79-3a09-4046-8d6f-ba24fc2bab6c", "cellValue": "tab", "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Email", - "subTarget": "email", + "linkLabel": "IDENTITY", + "subTarget": "cloud", "style": "link" }, { "id": "2eac3f00-5164-4a77-9781-118eb681b729", "cellValue": "tab", "linkTarget": "parameter", - "linkLabel": "RESPOND", + "linkLabel": "Response Actions", "subTarget": "agn", "style": "link" }, @@ -51,7 +51,7 @@ "id": "ff97b7e6-6bbf-401c-aaff-833d5309f00d", "cellValue": "tab", "linkTarget": "parameter", - "linkLabel": "System Status", + "linkLabel": "System Status Alerts", "subTarget": "status", "style": "link" } 
@@ -170,9 +170,9 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n compliance_b == false and Category == \"Critical\", \"Critical\",\r\n compliance_b == true, \"Compliance\",\r\n compliance_b == false and Category == \"Suspicious\", \"Suspicious\",\r\n compliance_b == false and Category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", + "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n DarktraceModelAlerts_CL\r\n | where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n | extend status = case( \r\n compliance == false and category == \"Critical\", \"Critical\",\r\n compliance == true, \"Compliance\",\r\n compliance == false and category == \"Suspicious\", \"Suspicious\",\r\n compliance == false and category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", "size": 3, - "title": "Model Breaches by 
Category", + "title": "Model Alerts by Category", "timeContextFromParameter": "Timeframe", "exportFieldName": "status", "exportParameterName": "_severity", 
@@ -256,9 +256,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == true\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where compliance == true\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "Compliance Model Breaches",
+ "title": "Compliance Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -329,13 +329,25 @@
}
}
],
+ "sortBy": [
+ {
+ "itemKey": "TimeGenerated",
+ "sortOrder": 2
+ }
+ ],
"labelSettings": [
{
"columnId": "TimeGenerated",
"label": "Time"
}
]
- }
+ },
+ "sortBy": [
+ {
+ "itemKey": "TimeGenerated",
+ "sortOrder": 2
+ }
+ ]
},
"conditionalVisibility": {
"parameterName": "_severity",
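Review bot: `| limit 100` runs before `| sort by TimeGenerated desc` in the rewritten query, so the tile shows an arbitrary 100 compliance alerts sorted, not the 100 most recent ones; `| top 100 by TimeGenerated desc` (or sorting before limiting) pins the intended set. The same ordering appears in the rewritten queries of the `@@ -348`, `@@ -441`, `@@ -533`, `@@ -972`, `@@ -1064`, `@@ -1156`, `@@ -1248`, `@@ -1604` and `@@ -1643` hunks. `deviceCredentials` is newly projected into these analyst-facing grids; if that column carries more than account names, confirm a broadly shared workbook is the right place to surface it. The item definition continues past the hunk.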
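Review bot: An identical `sortBy` block is inserted at two nesting levels, once beside `labelSettings` in the inner settings object and once on the object closed just before `conditionalVisibility`; only one of those positions can be the one the workbook renderer reads, and the other is dead configuration that will drift the next time the sort changes. Keep the location the renderer honours and drop the duplicate. `"sortOrder": 2` is a bare magic number, so the resulting row order should be confirmed in the rendered grid. Both enclosing objects open outside the hunk.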
@@ -348,9 +360,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Informational\"\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where compliance == false and category == \"Informational\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "Informational Model Breaches",
+ "title": "Informational Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -441,9 +453,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Suspicious\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where compliance == false and category == \"Suspicious\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "Suspicious Model Breaches",
+ "title": "Suspicious Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -533,9 +545,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Critical\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where compliance == false and category == \"Critical\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "Critical Model Breaches",
+ "title": "Critical Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -634,9 +646,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
"size": 0,
- "title": "Total Model Breaches",
+ "title": "Visualizing Threat Patterns: Model Alerts",
"color": "orange",
"timeContextFromParameter": "Timeframe",
"timeBrushParameterName": "Timeframe",
@@ -647,7 +659,7 @@
"seriesLabelSettings": [
{
"seriesName": "Count",
- "label": "Model Breaches"
+ "label": "Model Alerts"
}
],
"ySettings": {
@@ -667,7 +679,7 @@
{
"type": 1,
"content": {
- "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _",
+ "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries below _",
"style": "info"
},
"name": "text - 11"
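Review bot: The chart retitled `Visualizing Threat Patterns: Model Alerts` keeps `timeBrushParameterName` but, unlike the SaaS and IaaS charts in the `@@ -1365` and `@@ -1403` hunks, does not receive `"timeBrushExportOnlyWhenBrushed": true`; if the omission is not deliberate, add that line after `"timeBrushParameterName": "Timeframe",` so all three brushable charts drive the Timeframe parameter the same way. This hunk ends before the item's `queryType`, so the rest of the definition is outside view.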
@@ -676,9 +688,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| summarize event_count=count() by NetworkRuleName\r\n| top 10 by event_count",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| summarize event_count=count() by modelName\r\n| top 10 by event_count",
"size": 0,
- "title": "Top 10 Most Breached Models",
+ "title": "Top 10 Most Alerted Models",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -714,7 +726,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "\r\ndarktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstHostname=destHost_s\r\n| where isnotempty(DstHostname) \r\n| summarize count(NetworkRuleName) by DstHostname",
+ "query": "\r\nDarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where isnotempty(destHost) \r\n| summarize count(modelName) by destHost",
"size": 3,
"title": "Top External Hostnames",
"timeContextFromParameter": "Timeframe",
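Review bot: The `Top External Hostnames` query in the `@@ -714` hunk summarizes `count(modelName) by destHost` with no `| top` or `| sort`, so the tile returns every destination host in arbitrary order while its sibling `Top 10 External IPs` tile in the `@@ -797` hunk does use `| top 10 by event_count`; appending `| top 10 by count_modelName` would make the two tiles agree with their titles. Nothing in the query restricts `destHost` to external hosts either, so the title presumes a property of the column that the visible KQL does not enforce. The item continues outside the hunk.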
@@ -729,9 +741,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| top 10 by score desc ",
"size": 0,
- "title": "Top 10 Model Breaches with Highest Severity",
+ "title": "Top 10 Model Alerts with Highest Score",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -797,7 +809,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\n| project-rename DstIpAddr=destIP_s\n| where isnotempty(DstIpAddr) \n| where DstIpAddr !startswith \"10\"\n| where DstIpAddr !startswith \"192\"\n| where DstIpAddr !startswith \"172\"\n| summarize event_count=count() by DstIpAddr\n| top 10 by event_count",
+ "query": "DarktraceModelAlerts_CL\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\n| where isnotempty(destIp) \n| where destIp !startswith \"10\" and destIp !startswith \"192\" and destIp !startswith \"172\"\n| summarize event_count=count() by destIp\n| top 10 by event_count",
"size": 0,
"title": "Top 10 External IPs",
"timeContextFromParameter": "Timeframe",
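Review bot: The external-IP filter in the `@@ -797` hunk, `destIp !startswith \"10\" and destIp !startswith \"192\" and destIp !startswith \"172\"`, works on text prefixes, so it also discards public addresses such as 100.x–109.x, 192.x outside 192.168/16 and 172.x outside 172.16/12, while loopback, link-local and other non-routable ranges still pass as "external". `| where isnotempty(destIp) and not(ipv4_is_private(destIp))` states the intent exactly, and folding the three conditions into one `where` in this commit was the natural point to make that change. The item definition continues outside the hunk.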
@@ -812,9 +824,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\") and compliance_b == true\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\") and compliance == true\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\r\n",
"size": 0,
- "title": "Compliance Model Breaches Over Time",
+ "title": "Compliance Model Alerts Over Time",
"color": "orange",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
@@ -824,7 +836,7 @@
"seriesLabelSettings": [
{
"seriesName": "Count",
- "label": "Model Breaches"
+ "label": "Model Alerts"
}
],
"ySettings": {
@@ -886,9 +898,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n ThreatRiskLevel >= 75, \"Critical\",\r\n ThreatRiskLevel < 25, \"Low\",\r\n ThreatRiskLevel >= 50 and ThreatRiskLevel < 75, \"High\",\r\n ThreatRiskLevel >= 25 and ThreatRiskLevel < 50, \"Medium\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc",
+ "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n DarktraceModelAlerts_CL\r\n | where modelName contains (\"SaaS\") or modelName contains (\"IaaS\")\r\n | extend status = case( \r\n compliance == false and category == \"Critical\", \"Critical\",\r\n compliance == true, \"Compliance\",\r\n compliance == false and category == \"Suspicious\", \"Suspicious\",\r\n compliance == false and category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc",
"size": 3,
- "title": "Model Breaches by Severity",
+ "title": "Model Alerts by Category",
"timeContextFromParameter": "Timeframe",
"exportFieldName": "status",
"exportParameterName": "_severity",
@@ -904,26 +916,26 @@
"thresholdsGrid": [
{
"operator": "==",
- "thresholdValue": "Low",
- "representation": "yellow",
+ "thresholdValue": "Compliance",
+ "representation": "turquoise",
"text": "{0}{1}"
},
{
"operator": "==",
- "thresholdValue": "Medium",
- "representation": "orange",
+ "thresholdValue": "Informational",
+ "representation": "yellow",
"text": "{0}{1}"
},
{
"operator": "==",
- "thresholdValue": "High",
- "representation": "redBright",
+ "thresholdValue": "Suspicious",
+ "representation": "orange",
"text": "{0}{1}"
},
{
"operator": "==",
"thresholdValue": "Critical",
- "representation": "red",
+ "representation": "redBright",
"text": "{0}{1}"
},
{
@@ -972,9 +984,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel < 25\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == true\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "Low Severity Model Breaches",
+ "title": "Compliance Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -1056,7 +1068,7 @@
"conditionalVisibility": {
"parameterName": "_severity",
"comparison": "isEqualTo",
- "value": "Low"
+ "value": "Compliance"
},
"name": "Low severity model breaches"
},
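Review bot: The visibility `value` changes to `Compliance` but the item is still named `"Low severity model breaches"`, and the `@@ -1148` and `@@ -1240` hunks leave `Medium`/`High` names beside their new `Informational`/`Suspicious` values; these names are internal identifiers, so nothing breaks, but anyone searching the workbook JSON for the compliance tile will not find it by name. Renaming them to match the new categories, e.g. `"name": "Compliance model alerts"`, keeps the file navigable. The `conditionalVisibility` object's enclosing item starts outside the hunk.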
@@ -1064,9 +1076,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 25 and ThreatRiskLevel < 50\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == false and category == \"Informational\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc",
"size": 0,
- "title": "Medium Severity Model Breaches",
+ "title": "Informational Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -1148,7 +1160,7 @@
"conditionalVisibility": {
"parameterName": "_severity",
"comparison": "isEqualTo",
- "value": "Medium"
+ "value": "Informational"
},
"name": "Medium severity model breaches "
},
@@ -1156,9 +1168,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 50 and ThreatRiskLevel < 75\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == false and category == \"Suspicious\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "High Severity Model Breaches",
+ "title": "Suspicious Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -1240,7 +1252,7 @@
"conditionalVisibility": {
"parameterName": "_severity",
"comparison": "isEqualTo",
- "value": "High"
+ "value": "Suspicious"
},
"name": "High severity model breaches "
},
@@ -1248,9 +1260,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 75\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == false and category == \"Critical\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "Critical Severity Model Breaches",
+ "title": "Critical Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -1365,12 +1377,13 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"SaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
"size": 3,
- "title": "Total SaaS Model Breaches",
+ "title": "Visualizing Threat Patterns: SaaS Model Alerts",
"color": "orange",
"timeContextFromParameter": "Timeframe",
"timeBrushParameterName": "Timeframe",
+ "timeBrushExportOnlyWhenBrushed": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
@@ -1378,7 +1391,7 @@
"seriesLabelSettings": [
{
"seriesName": "count_",
- "label": "Model Breches"
+ "label": "Model Alerts"
}
],
"ySettings": {
@@ -1403,12 +1416,13 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"IaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"IaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
"size": 3,
- "title": "Total IaaS Model Breaches",
+ "title": "Visualizing Threat Patterns: IaaS Model Alerts",
"color": "orange",
"timeContextFromParameter": "Timeframe",
"timeBrushParameterName": "Timeframe",
+ "timeBrushExportOnlyWhenBrushed": true,
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
"visualization": "areachart",
@@ -1416,7 +1430,7 @@
"seriesLabelSettings": [
{
"seriesName": "count_",
- "label": "Model Breaches"
+ "label": "Model Alerts"
}
],
"ySettings": {
@@ -1449,9 +1463,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcHostname=hostname_s\r\n| summarize Count=count() by SrcHostname\r\n| top 10 by Count\r\n| project SrcHostname, Count\r\n\r\n",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"SaaS\")\r\n| summarize Count=count() by deviceLabel\r\n| top 10 by Count\r\n| project deviceLabel, Count\r\n\r\n",
"size": 0,
- "title": "Top 10 SaaS Users With Most Model Breaches",
+ "title": "Top 10 SaaS Users With Most Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -1487,9 +1501,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"SaaS\")\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| top 10 by score desc ",
"size": 0,
- "title": "Top 10 Highest Severity SaaS Model Breaches",
+ "title": "Top 10 Highest Severity SaaS Model Alerts",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
@@ -1555,9 +1569,9 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\")) and compliance_b == true\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
+ "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\")) and compliance == true\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
"size": 0,
- "title": "Total XaaS Compliance Model Breaches",
+ "title": "Total XaaS Compliance Model Alerts",
"color": "orange",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
@@ -1567,7 +1581,7 @@
"seriesLabelSettings": [
{
"seriesName": "count_",
- "label": "Model Breaches"
+ "label": "Model Alerts"
}
],
"ySettings": {
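Review bot: The new title `Top 10 Highest Severity SaaS Model Alerts` still says "Severity" although the rewritten query ranks by `score`, while the equivalent non-XaaS tile in the `@@ -729` hunk was renamed to `Top 10 Model Alerts with Highest Score` in the same commit; `"title": "Top 10 SaaS Model Alerts with Highest Score",` would keep the two tiles' wording aligned with what they sort on. The item definition continues outside the hunk.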
@@ -1604,9 +1618,30 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s contains (\"Network\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename EventStartTime = breachTime_s\r\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename ThreatId=threatID_d\r\n| limit 100\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\r\n| sort by TimeGenerated desc\r\n",
+ "query": "DarktraceResponseActions_CL\n| limit 100\n| project TimeGenerated, deviceHostname, deviceIp, deviceLabel, deviceType, model, reason, score, state, url\n| sort by TimeGenerated desc",
+ "size": 0,
+ "title": "Response Actions",
+ "timeContextFromParameter": "Timeframe",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "query - 5"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "Below are RESPOND (Antigena) Model Alerts",
+ "style": "info"
+ },
+ "name": "text - 4"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"Antigena\") and modelName contains (\"Network\")\r\n| limit 100\r\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\r\n| sort by TimeGenerated desc\r\n",
"size": 0,
- "title": "/Network ",
+ "title": "NETWORK",
"timeContextFromParameter": "Timeframe",
"queryType": 0,
"resourceType": "microsoft.operationalinsights/workspaces",
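Review bot: The new `Response Actions` query uses `\n` line separators while the `NETWORK` query added a few lines below uses `\r\n`, and the three tiles in the `@@ -1643` hunk go back to `\n`; both forms run, but mixing them inside one file makes every future diff of these strings noisier than it needs to be, so pick one for the queries touched here. The `Response Actions` tile also has no `where` at all, so `| limit 100` (before the sort) is the only thing bounding it; if the intent is the latest hundred actions, `| top 100 by TimeGenerated desc` says so. The items array these entries belong to opens and closes outside the hunk.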
@@ -1643,14 +1678,40 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s contains (\"SaaS\")\n| project-rename SrcIpAddr=SourceIP\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=breachUrl_s\n| project-rename ThreatRiskLevel=score_d\n| project-rename NetworkRuleName=modelName_s\n| project-rename DstIpAddr=destIP_s\n| project-rename DstHostname=destHost_s\n| project-rename EventStartTime = breachTime_s\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\n| project-rename ThreatId=threatID_d\n| limit 100\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\n| sort by TimeGenerated desc\n", + "query": "DarktraceModelAlerts_CL\n| where modelName contains (\"Antigena\") and modelName contains (\"SaaS\")\n| limit 100\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\n| sort by TimeGenerated desc\n", "size": 0, - "title": "/Apps", + "title": "IDENTITY", "timeContextFromParameter": "Timeframe", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" }, "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\n| where modelName contains (\"Antigena\") and modelName contains (\"MDR\")\n| limit 100\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\n| sort by TimeGenerated desc\n", + "size": 0, + "title": "MDR", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\n| where 
modelName contains (\"Antigena\") and modelName contains (\"CLOUD\")\n| limit 100\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\n| sort by TimeGenerated desc", + "size": 0, + "title": "CLOUD", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 3" } ] }, @@ -1676,7 +1737,7 @@ "id": "cd64e441-332e-4f47-8602-a25828ebc053", "version": "KqlParameterItem/1.0", "name": "aia_type", - "label": "AI Analyst Incident Types", + "label": "Darktrace Incident Types", "type": 2, "description": "Filter out the types of AI Analyst Incidents available.", "isRequired": true, 
@@ -1684,11 +1745,11 @@ "additionalResourceOptions": [], "showDefault": false }, - "jsonData": "[\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"All\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName !contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"Network\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"SaaS\"}\n]", + "jsonData": "[\n {\"value\": \"DarktraceIncidents_CL | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle\", \"label\": \"All\"},\n {\"value\": \"DarktraceIncidents_CL | where deviceHostname !contains 'SaaS' | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle\", \"label\": \"/ NETWORK\"},\n {\"value\": 
\"DarktraceIncidents_CL | where deviceHostname contains 'SaaS' | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle\", \"label\": \"/ IDENTITY\"}\n]", "timeContext": { "durationMs": 86400000 }, - "value": "darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup" + "value": "DarktraceIncidents_CL | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle" } ], "style": "pills", @@ -1703,19 +1764,33 @@ "version": "KqlItem/1.0", "query": "{aia_type}", "size": 0, - "title": "AI Analyst Incidents", + "title": "All Darktrace Incident Events", "timeContextFromParameter": "Timeframe", - "exportFieldName": "DtCurrentGroup", + "exportFieldName": "currentGroup", "exportParameterName": "SelectedAIAGroup", "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] }, "name": "query - 7" }, { "type": 1, "content": { - "json": "_ Selecting an AI Analyst Incident in the table above will put its corresponding Events in focus below _", + "json": "_ Selecting a Darktrace Incident Event in the table above will group all the related Darktrace Incident Events below within the set timeframe _", "style": "info" }, "name": "text - 6" 
@@ -1724,13 +1799,27 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"AI Analyst\"\n| project-rename EventStartTime=startTime_s\n| project-rename EventEndTime = endTime_s\n| project-rename DtIncidentEventName=title_s\n| project-rename DtCurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace \n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=url_s\n| project-rename DtSummary=summary_s\n| project-rename DtGroupScore=groupScore_d\n| project-rename DtGroupCategory=groupCategory_s\n| project-rename SrcDeviceName=bestDeviceName_s\n| where DtCurrentGroup contains \"{SelectedAIAGroup}\"\n| limit 100\n| project TimeGenerated, DtIncidentEventName, ThreatCategory, ThreatRiskLevel, DtSummary, SrcDeviceName, SrcHostname, DtURL, DtCurrentGroup, DtGroupScore, DtGroupCategory, EventStartTime, EventEndTime\n| sort by TimeGenerated desc\n\n", + "query": "let relatedGroups =\n DarktraceIncidents_CL\n | where groupPreviousGroups has \"{SelectedAIAGroup}\" or \"{SelectedAIAGroup}\" == currentGroup\n | extend allGroups = array_concat(groupPreviousGroups, pack_array(currentGroup))\n | mv-expand group = allGroups\n | project groupStr = tostring(group)\n | summarize by groupStr;\nDarktraceIncidents_CL\n| where currentGroup in (relatedGroups)", "size": 0, - "title": "Selected AI Analyst Incident Events", + "title": "Darktrace Incident", "timeContextFromParameter": "Timeframe", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table" + "visualization": "table", + "gridSettings": { + "sortBy": [ + { + "itemKey": "incidentEventTime", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "incidentEventTime", + "sortOrder": 1 + } + ] }, "name": "query - 5" }, 
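Review bot: The new `relatedGroups` query drops both the `| limit 100` and the explicit `| project` the old query had, so the Darktrace Incident table now returns every column of every matching row, and the grid `sortBy` on `incidentEventTime` only works if that column exists in the table, which nothing in the hunk establishes. The empty-parameter case also needs checking: before a row is selected `{SelectedAIAGroup}` substitutes to an empty string, the filter becomes `groupPreviousGroups has "" or "" == currentGroup`, and what `has` returns for an empty term should be confirmed rather than assumed to match nothing. Appending `| project TimeGenerated, incidentEventTitle, aiaScore, bestAssetName, currentGroup, groupPreviousGroups` and `| top 100 by TimeGenerated desc` would keep the column set explicit and the output bounded, as the old query's did.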
@@ -1738,9 +1827,9 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
+ "query": "DarktraceIncidents_CL\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})",
 "size": 3,
- "title": "Total AI Analyst Incident Events",
+ "title": "Visualizing Threat Patterns: Darktrace Incident Events",
 "color": "lightBlue",
 "timeContextFromParameter": "Timeframe",
 "timeBrushParameterName": "Timeframe",
@@ -1767,7 +1856,7 @@
 {
 "type": 1,
 "content": {
- "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _",
+ "json": "_ Selecting a timeframe on the graph will change the timeframe for queries below _",
 "style": "info"
 },
 "name": "text - 6"
@@ -1776,9 +1865,9 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| extend DtIncidentEventName = title_s\r\n| summarize event_count=count() by DtIncidentEventName\r\n| top 10 by event_count",
+ "query": "DarktraceIncidents_CL\r\n| summarize event_count=count() by incidentEventTitle\r\n| top 10 by event_count",
 "size": 0,
- "title": "Top 10 Most Frequent AI Analyst Incident Events",
+ "title": "Most Frequent Darktrace Incident Events",
 "timeContextFromParameter": "Timeframe",
 "queryType": 0,
 "resourceType": "microsoft.operationalinsights/workspaces",
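Review bot: The renamed title `Most Frequent Darktrace Incident Events` drops the "Top 10" that the query still enforces with `| top 10 by event_count`, so the reader no longer sees that the list is truncated. Keep the count in the title, `"title": "Top 10 Most Frequent Darktrace Incident Events",`, or drop the `top 10` if the intent is to show every title.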
@@ -1822,7 +1911,7 @@ "type": 3, "content": { "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock Link\")\n| extend Lock_All_Links=set_has_element(Actions, \"Lock All Links\")\n| extend Double_Lock_Link=set_has_element(Actions, \"Double Lock Link\")\n| extend Double_Lock_All_Links=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip Attachment\")\n| extend Strip_All_Attachments=set_has_element(Actions, \"Strip All Attachments\")\n| extend Convert_Attachment=set_has_element(Actions, \"Convert Attachment\")\n| extend Convert_All_Attachments=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Lock_All_Links=countif(Lock_All_Links == true), Double_Lock_Link=countif(Double_Lock_Link == true), Double_Lock_All_Links=countif(Double_Lock_All_Links == true), Convert_Attachment=countif(Convert_Attachment == true), Convert_All_Attachments=countif(Convert_All_Attachments == true), Strip_Attachment=countif(Strip_Attachment == true), Strip_All_Attachments=countif(Strip_All_Attachments == true), Unspoof=countif(Unspoof == true)", + "query": "DarktraceEMAIL_CL\n| extend Actions = parse_json(actions)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock Link\")\n| extend Lock_All_Links=set_has_element(Actions, \"Lock All Links\")\n| extend 
Double_Lock_Link=set_has_element(Actions, \"Double Lock Link\")\n| extend Double_Lock_All_Links=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip Attachment\")\n| extend Strip_All_Attachments=set_has_element(Actions, \"Strip All Attachments\")\n| extend Convert_Attachment=set_has_element(Actions, \"Convert Attachment\")\n| extend Convert_All_Attachments=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Lock_All_Links=countif(Lock_All_Links == true), Double_Lock_Link=countif(Double_Lock_Link == true), Double_Lock_All_Links=countif(Double_Lock_All_Links == true), Convert_Attachment=countif(Convert_Attachment == true), Convert_All_Attachments=countif(Convert_All_Attachments == true), Strip_Attachment=countif(Strip_Attachment == true), Strip_All_Attachments=countif(Strip_All_Attachments == true), Unspoof=countif(Unspoof == true)", "size": 0, "title": "Total Actions Taken", "timeContextFromParameter": "Timeframe", @@ -1936,7 +2025,7 @@ "label": "Search Recipient", "type": 1, "description": "Filter for held emails", - "value": "", + "value": "test", "timeContext": { "durationMs": 86400000 } 
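Review bot: `\"Stip Attachment\"` on the `Strip_Attachment` line of the new query is carried over from the old one and looks like a typo for `Strip Attachment` — every other label in the list matches its variable name — so that counter would stay at zero for a correctly spelled action; change it to `set_has_element(Actions, \"Strip Attachment\")`. Separately, `XAxis` tests the same `\"Unspoof\"` element as `Unspoof`, so two summarize columns always carry the same count; if `XAxis` exists only to give the chart an axis, that purpose is worth stating in the item title or a neighbouring text item, since the workbook JSON cannot hold comments. If `actions` is ingested as a dynamic column in the new table, `parse_json(actions)` is redundant, though harmless.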
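Review bot: The Search Recipient parameter's default changed from `""` to `"test"`, which reads like a debugging value left in: the Held Emails query in the next hunk filters with `recipients contains "{SearchRecipient}"`, so on first load the table silently shows only emails whose recipients contain `test`, and an analyst sees a near-empty held-mail list with no indication why. Restore `"value": "",` so the default is unfiltered. Note too that the parameter is substituted textually inside a KQL string literal, so a value containing a double quote breaks the query instead of being searched for; that predates this change, but the parameter `description` is the place to say what input is expected.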
@@ -1952,7 +2041,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| where Hold_Email == true \n| extend Recipients=parse_json(recipients_s)\n| where Recipients contains \"{SearchRecipient}\"\n| project-rename ThreatRiskLevel=anomaly_score_d\n| project-rename AttachmentSHA1s=attachment_sha1s_s\n| project-rename Sender=from_s\n| project-rename Subject=subject_s\n| project-rename Tags=tags_s\n| project-rename TimestampUTC=timestamp_t\n| project-rename UUID=uuid_s\n| project-rename DarktraceLink=url_s\n| project-rename Direction=direction_s\n| project Subject, Sender, Recipients, ThreatRiskLevel, TimestampUTC, Direction, Tags, AttachmentSHA1s, DarktraceLink, UUID",
+ "query": "DarktraceEMAIL_CL\n| extend Actions = parse_json(actions)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| where Hold_Email == true \n| extend recipients=parse_json(recipients)\n| where recipients contains \"{SearchRecipient}\"\n| project subject, from, recipients, anomalyScore, timestamp, direction, tags, attachmentNames, url, uuid",
 "size": 0,
 "title": "Held Emails",
 "timeContextFromParameter": "Timeframe",
@@ -1965,7 +2054,7 @@
 "type": 3,
 "content": {
 "version": "KqlItem/1.0",
- "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| where direction_s == \"inbound\"\n| project-rename Sender=from_s\n| summarize Count=count() by Sender\n| top 10 by Count",
+ "query": "DarktraceEMAIL_CL\n| where direction == \"inbound\"\n| project-rename Sender=from\n| summarize Count=count() by Sender\n| top 10 by Count",
 "size": 0,
 "title": "Top 10 Most Frequent External Senders ",
 "timeContextFromParameter": "Timeframe",
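Review bot: The new Held Emails projection replaces the attachment hash column the old query exposed (`AttachmentSHA1s`) with `attachmentNames`; file names are trivially changed by a sender while hashes are what an analyst pivots on for IoC lookups, so if the new table carries the SHA-1/SHA-256 arrays they belong in the `project` list next to `attachmentNames`. Also, `extend recipients=parse_json(recipients)` shadows the source column, and `recipients contains "{SearchRecipient}"` then does a substring match over the serialized array, so searching for `bob` also returns `bob.smith@…` and `kebob@…`; `has` would give term matching if that is preferred, though the substring behaviour is unchanged from the old query.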
@@ -2007,12 +2096,511 @@ "version": "NotebookGroup/1.0", "groupType": "editable", "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "4727607c-4f65-4373-b0e8-33b0e2accbac", + "version": "KqlParameterItem/1.0", + "name": "_severity", + "label": "severity", + "description": "parameter to drill down on clicked severity tile", + "value": "hidden", + "isHiddenWhenLocked": true, + "type": 1, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\n| union\n (\n DarktraceSystemStatusAlerts_CL\n | extend status = case( \n priority == \"low\", \"Low\",\n priority == \"medium\", \"Medium\",\n priority == \"high\", \"High\",\n priority == \"critical\", \"Critical\", \n \"True\"\n )\n | where status != \"True\"\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\n | summarize Count = count() by status, status_count\n )\n| summarize Count=sum(Count) by status, status_count\n| sort by status_count asc", + "size": 3, + "title": "System Status Alerts by Priority", + "timeContextFromParameter": "Timeframe", + "exportFieldName": "status", + "exportParameterName": "_severity", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": 
"{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ] + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true, + "size": "auto" + } + }, + "name": "query - 2" + }, + { + "type": 1, + "content": { + "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"low\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Low Priority System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + 
"formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "yellow", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Low" + }, + "name": "Low" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"medium\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated desc", + "size": 0, + "title": "Medium Priority System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + 
"formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "orange", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Medium" + }, + "name": "medium" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"high\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated desc", + "size": 0, + "title": "High Priority System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + 
"operator": "Default", + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "High" + }, + "name": "high" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"critical\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated desc", + "size": 0, + "title": "Critical Priority System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">", + "thresholdValue": "0", + "representation": "red", + "text": "{0}{1}" + }, 
+ { + "operator": "Default", + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "LogSeverity", + "formatter": 8, + "formatOptions": { + "min": 1, + "max": 10, + "palette": "greenRed" + } + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Critical" + }, + "name": "critical" + } + ] + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isNotEqualTo", + "value": "hidden" + }, + "name": "Drill down group for different severities" + }, { "type": 3, "content": { "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping \n| where dtProduct_s ==\"System Alert\"\n| extend EventVendor = \"Darktrace\"\n| extend EventProduct = \"Darktrace DETECT\"\n| project-rename NetworkRuleName=friendlyName_s\n| project-rename ThreatRiskLevel=priority_code_d\n| project-rename ThreatRiskCategory=priority_s\n| project-rename EventStartTime = time_s\n| project-rename SrcIpAddr=deviceIP_s\n| project-rename SrcHostname=hostname_s\n| project-rename DtStatus=status_s\n| project-rename DtURL=url_s\n| project-rename DtSeverity=Severity\n| project-rename DtName=name_s\n| project-rename DtMessage=Message\n| project EventVendor, EventProduct, NetworkRuleName, ThreatRiskLevel, ThreatRiskCategory, SrcIpAddr, SrcHostname, DtStatus, DtURL, DtName, DtMessage", + "query": "DarktraceSystemStatusAlerts_CL\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, 
statusName, url, uuid\n| sort by TimeGenerated desc", "size": 0, + "title": "All System Status Alerts", "timeContextFromParameter": "Timeframe", "queryType": 0, "resourceType": "microsoft.operationalinsights/workspaces" @@ -2030,6 +2618,6 @@ } ], "fallbackResourceIds": [], - "fromTemplateId": "sentinel-Darktrace", + "fromTemplateId": "sentinel-DarktraceActiveAISecurityPlatform", "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" } \ No newline at end of file diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index c0e3a874721..0daffd76140 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json @@ -5132,12 +5132,17 @@ { "workbookKey": "DarktraceWorkbook", "logoFileName": "Darktrace.svg", - "description": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.", + "description": "The Darktrace Workbook visualises Model Breaches, AI Analyst incidents, ASM alerts, EMAIL alerts, Response actions and system status alerts data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.", "dataTypesDependencies": [ - "darktrace_model_alerts_CL" + "DarktraceASM_CL", + "DarktraceEMAIL_CL", + "DarktraceIncidents_CL", + "DarktraceModelAlerts_CL", + "DarktraceResponseActions_CL", + "DarktraceSystemStatusAlerts_CL" ], "dataConnectorsDependencies": [ - "DarktraceRESTConnector" + "DarktraceActiveAISecurityPlatform_Template" ], "previewImagesFileNames": [ "DarktraceWorkbookBlack01.png", @@ -5145,7 +5150,7 @@ "DarktraceWorkbookWhite01.png", "DarktraceWorkbookWhite02.png" ], - "version": "1.0.1", + "version": "2.0.0", "title": "Darktrace", "templateRelativePath": "DarktraceWorkbook.json", "subtitle": "",
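Review bot: The `gridSettings.formatters` in the four priority drill-down tables match column names the queries never produce — `Activity`, `DeviceName`, `DeviceAddress`, `LogSeverity`, `DarktraceURL`, `OtherExtensions`/`AdditionalExtensions` — while the `project` lists emit `deviceIp`, `severity`, `url`, `message` and the rest, so the width, colour and link settings never apply, and the four copies have already drifted (only the Critical table has a `Severity` threshold and a `LogSeverity` heatmap). Either point `columnMatch` at the projected names (`deviceIp`, `url`, `severity`) or drop the formatters and keep only the `labelSettings`; whether Workbooks matches `columnMatch` case-insensitively, which would let `Severity` hit `severity`, should be checked rather than relied on. The all-alerts query at the end of the hunk also drops the old `EventVendor`/`EventProduct` extends, so that view no longer carries the vendor/product fields the old comment tied to ASIM naming; presumably intended now that tables are per product, but worth a line in the PR description.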
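Review bot: The new `description` still says "Model Breaches" and "AI Analyst incidents" while the workbook items in this commit were renamed to "Model Alerts" and "Darktrace Incident Events", and it says "visualises" twice in one sentence. Suggested wording: `"description": "The Darktrace Workbook visualises Model Alerts, Darktrace Incident events, ASM alerts, EMAIL alerts, Response actions and System Status alerts received by the Darktrace Data Connector, across network, SaaS, IaaS and Email.",`. The `dataConnectorsDependencies` entry `DarktraceActiveAISecurityPlatform_Template` has to match the connector id defined elsewhere in the repository, which this diff does not show.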