From b78874be7ddebbb1407101f42f54475229905893 Mon Sep 17 00:00:00 2001 From: Sean MacDonald Date: Tue, 14 Oct 2025 21:27:28 -0700 Subject: [PATCH 01/19] Adding new workbook, custom tables, data connector and analytic rules for the new log ingestion api-based integration --- .../DarktraceIncidentEvent.yaml | 56 + .../Analytic Rules/DarktraceModelAlert.yaml | 69 + .../CustomTables/DarktraceASM_CL.json | 89 + .../CustomTables/DarktraceEMAIL_CL.json | 81 + .../CustomTables/DarktraceIncidents_CL.json | 121 + .../CustomTables/DarktraceModelAlerts_CL.json | 158 + .../DarktraceResponseActions_CL.json | 106 + .../DarktraceSystemStatusAlerts_CL.json | 65 + ...raceActiveAISecurityPlatform_Template.json | 133 + .../DarktraceActiveAISecurityPlatform.json | 2623 +++++++++++++++++ 10 files changed, 3501 insertions(+) create mode 100644 Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml create mode 100644 Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml create mode 100644 Solutions/Darktrace/CustomTables/DarktraceASM_CL.json create mode 100644 Solutions/Darktrace/CustomTables/DarktraceEMAIL_CL.json create mode 100644 Solutions/Darktrace/CustomTables/DarktraceIncidents_CL.json create mode 100644 Solutions/Darktrace/CustomTables/DarktraceModelAlerts_CL.json create mode 100644 Solutions/Darktrace/CustomTables/DarktraceResponseActions_CL.json create mode 100644 Solutions/Darktrace/CustomTables/DarktraceSystemStatusAlerts_CL.json create mode 100644 Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json create mode 100644 Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatform.json diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml new file mode 100644 index 00000000000..64f2fd92bba --- /dev/null +++ b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml 
@@ -0,0 +1,56 @@
+id: 05DE0EAF-01BC-4615-99FC-2EC769864B34
+name: Darktrace Incident Event
+kind: NRT
+description: Creates a Sentinel Incident from a Darktrace Incident Event.
+severity: High
+requiredDataConnectors:
+ - connectorId: DarktraceLogIngestionAPIConnector
+ dataTypes:
+ - DarktraceIncidents_CL
+tactics: []
+relevantTechniques: []
+query: |
+ DarktraceIncidents_CL
+ | extend SentinelSeverity = case(groupCategory == "suspicious", "Medium",
+ groupCategory == "critical", "High", "Informational")
+ | extend ProviderName = "Darktrace"
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: deviceIp
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: deviceHostname
+customDetails:
+ Asset: bestAssetName
+ IncidentEventScore: aiaScore
+ IncidentScore: groupScore
+ CurrentGroup: currentGroup
+ PreviousGroups: groupPreviousGroups
+ StartTime: startTime
+ EndTime: endTime
+ CustomLabel: customLabel
+ AssetDetails: devices
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Darktrace Incident Event: {{incidentEventTitle}} '
+ alertDescriptionFormat: '{{summary}}'
+ alertSeverityColumnName: SentinelSeverity
+ alertDynamicProperties:
+ - alertProperty: AlertLink
+ value: url
+ - alertProperty: ProductName
+ value: darktraceProduct
+ - alertProperty: ProviderName
+ value: ProviderName
+incidentConfiguration:
+ createIncident: true
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: PT5M
+ matchingMethod: AllEntities
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
new file mode 100644
index 00000000000..95178fab0b9
--- /dev/null
+++ b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
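Review bot: `requiredDataConnectors` names `connectorId: DarktraceLogIngestionAPIConnector`, but the connector template added in this same patch declares `"id": "DarktraceActiveAISecurityPlatform"`, so the rule's connector dependency does not point at the connector it ships with; DarktraceModelAlert.yaml has the same mismatch. One of the two identifiers should be changed so they agree. Separately, the `case()` on `groupCategory` compares with case-sensitive `==` and falls through to `Informational` for any unmatched value, so a capitalisation difference in the incoming `groupCategory` would silently downgrade every incident event; `case(groupCategory =~ "suspicious", "Medium", groupCategory =~ "critical", "High", "Informational")` would make the mapping robust to that.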
@@ -0,0 +1,69 @@
+id: 9392A06F-63A4-4A5D-8CA3-647064B13C28
+name: Darktrace Model Alert
+kind: NRT
+description: |
+ Creates a Sentinel Alert from a Darktrace Model Alert. You will need to edit
+ this Analytic Rule if you would like it to create Sentinel Incidents.
+severity: High
+requiredDataConnectors:
+ - connectorId: DarktraceLogIngestionAPIConnector
+ dataTypes:
+ - DarktraceModelAlerts_CL
+tactics: []
+relevantTechniques: []
+query: |
+ DarktraceModelAlerts_CL
+ | extend SentinelSeverity = case(category == "Informational", "Low",
+ category == "Suspicious", "Medium", "High")
+ | extend ProviderName = "Darktrace"
+ | mv-apply item = mitreTechniques on (
+ extend techniqueId = tostring(item.techniqueId)
+ | summarize techniqueIdArray = make_list(techniqueId, 5)
+ )
+eventGroupingSettings:
+ aggregationKind: AlertPerResult
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: sourceIp
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: destIp
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: destHost
+ - entityType: Host
+ fieldMappings:
+ - identifier: HostName
+ columnName: sourceHost
+customDetails:
+ DeviceHostname: deviceHostname
+ DeviceCredentials: deviceCredentials
+ Compliance: compliance
+ Score: score
+ CustomLabel: customLabel
+ Category: category
+alertDetailsOverride:
+ alertDisplayNameFormat: 'Darktrace Model Alert: {{modelName}} '
+ alertDescriptionFormat: '{{message}}'
+ alertSeverityColumnName: SentinelSeverity
+ alertDynamicProperties:
+ - alertProperty: AlertLink
+ value: alertUrl
+ - alertProperty: ProductName
+ value: darktraceProduct
+ - alertProperty: ProviderName
+ value: ProviderName
+ - alertProperty: Techniques
+ value: techniqueIdArray
+incidentConfiguration:
+ createIncident: false
+ groupingConfiguration:
+ enabled: false
+ reopenClosedIncident: false
+ lookbackDuration: PT5H
+ matchingMethod: AllEntities
+version: 1.0.0
\ No newline at end of file
diff --git a/Solutions/Darktrace/CustomTables/DarktraceASM_CL.json b/Solutions/Darktrace/CustomTables/DarktraceASM_CL.json
new file mode 100644
index 00000000000..9af7333f9eb
--- /dev/null
+++ b/Solutions/Darktrace/CustomTables/DarktraceASM_CL.json
@@ -0,0 +1,89 @@
+{
+ "Name": "DarktraceASM_CL",
+ "Properties": [
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "alertTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "alertTitle",
+ "type": "string"
+ },
+ {
+ "name": "alertType",
+ "type": "string"
+ },
+ {
+ "name": "assetId",
+ "type": "int"
+ },
+ {
+ "name": "assetName",
+ "type": "string"
+ },
+ {
+ "name": "assetUri",
+ "type": "string"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "endTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "previousRating",
+ "type": "string"
+ },
+ {
+ "name": "rating",
+ "type": "string"
+ },
+ {
+ "name": "riskId",
+ "type": "int"
+ },
+ {
+ "name": "riskUri",
+ "type": "string"
+ },
+ {
+ "name": "startTime",
+ "type": "datetime"
+ },
+ {
+ "name": "startTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "workbenchUri",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Darktrace/CustomTables/DarktraceEMAIL_CL.json b/Solutions/Darktrace/CustomTables/DarktraceEMAIL_CL.json
new file mode 100644
index 00000000000..3a2d8f1a926
--- /dev/null
+++ b/Solutions/Darktrace/CustomTables/DarktraceEMAIL_CL.json
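Review bot: The `mv-apply item = mitreTechniques on (...)` stage in `query` may discard model alerts whose `mitreTechniques` is null or an empty array, because the expansion yields no row when there is nothing to expand; if so, alerts without a MITRE mapping would never reach Sentinel even though the severity mapping above treats them like any other. Guarding the column first, e.g. `| extend mitreTechniques = iff(array_length(mitreTechniques) == 0, dynamic([null]), mitreTechniques)`, keeps those rows (with an empty `techniqueIdArray`). Confirm against a model alert that carries no techniques before relying on the current form.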
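Review bot: `startTime` is declared `"datetime"` while `endTime` is declared `"string"`, although both sit next to an `int` `*Timestamp` twin, so time arithmetic on `endTime` needs a `todatetime()` that silently returns null on a malformed value; unless the source genuinely emits `endTime` in a non-timestamp form, `"type": "datetime"` would be consistent. No `TimeGenerated` column is declared in this table or in the other `*_CL` tables in this patch; tables fed through the Logs Ingestion API need it, so if the solution packaging does not add it automatically it should be listed here.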
@@ -0,0 +1,81 @@
+{
+ "Name": "DarktraceEMAIL_CL",
+ "Properties": [
+ {
+ "name": "actions",
+ "type": "dynamic"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "anomalyScore",
+ "type": "int"
+ },
+ {
+ "name": "attachmentNames",
+ "type": "dynamic"
+ },
+ {
+ "name": "attachmentSha1s",
+ "type": "dynamic"
+ },
+ {
+ "name": "attachmentSha256s",
+ "type": "dynamic"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "direction",
+ "type": "string"
+ },
+ {
+ "name": "from",
+ "type": "string"
+ },
+ {
+ "name": "linkHosts",
+ "type": "dynamic"
+ },
+ {
+ "name": "messageId",
+ "type": "string"
+ },
+ {
+ "name": "recipientActions",
+ "type": "dynamic"
+ },
+ {
+ "name": "recipients",
+ "type": "dynamic"
+ },
+ {
+ "name": "subject",
+ "type": "string"
+ },
+ {
+ "name": "tags",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Darktrace/CustomTables/DarktraceIncidents_CL.json b/Solutions/Darktrace/CustomTables/DarktraceIncidents_CL.json
new file mode 100644
index 00000000000..4ad6ec4dd39
--- /dev/null
+++ b/Solutions/Darktrace/CustomTables/DarktraceIncidents_CL.json
@@ -0,0 +1,121 @@
+{
+ "Name": "DarktraceIncidents_CL",
+ "Properties": [
+ {
+ "name": "activityId",
+ "type": "string"
+ },
+ {
+ "name": "aiaScore",
+ "type": "int"
+ },
+ {
+ "name": "bestAssetName",
+ "type": "string"
+ },
+ {
+ "name": "currentGroup",
+ "type": "string"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "deviceIdentifier",
+ "type": "string"
+ },
+ {
+ "name": "deviceMac",
+ "type": "string"
+ },
+ {
+ "name": "deviceSubnet",
+ "type": "string"
+ },
+ {
+ "name": "devices",
+ "type": "dynamic"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "externalId",
+ "type": "string"
+ },
+ {
+ "name": "groupByActivity",
+ "type": "boolean"
+ },
+ {
+ "name": "groupCategory",
+ "type": "string"
+ },
+ {
+ "name": "groupPreviousGroups",
+ "type": "dynamic"
+ },
+ {
+ "name": "groupScore",
+ "type": "int"
+ },
+ {
+ "name": "groupingId",
+ "type": "string"
+ },
+ {
+ "name": "incidentEventTime",
+ "type": "datetime"
+ },
+ {
+ "name": "incidentEventTitle",
+ "type": "string"
+ },
+ {
+ "name": "latitude",
+ "type": "real"
+ },
+ {
+ "name": "longitude",
+ "type": "real"
+ },
+ {
+ "name": "newEvent",
+ "type": "boolean"
+ },
+ {
+ "name": "severity",
+ "type": "int"
+ },
+ {
+ "name": "startTime",
+ "type": "string"
+ },
+ {
+ "name": "summary",
+ "type": "string"
+ },
+ {
+ "name": "summaryFirstSentence",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Darktrace/CustomTables/DarktraceModelAlerts_CL.json b/Solutions/Darktrace/CustomTables/DarktraceModelAlerts_CL.json
new file mode 100644
index 00000000000..05f2c759dc6
--- /dev/null
+++ b/Solutions/Darktrace/CustomTables/DarktraceModelAlerts_CL.json
@@ -0,0 +1,158 @@
+{
+ "Name": "DarktraceModelAlerts_CL",
+ "Properties": [
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "alertUrl",
+ "type": "string"
+ },
+ {
+ "name": "antigena",
+ "type": "boolean"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "cSensor",
+ "type": "boolean"
+ },
+ {
+ "name": "cSensorId",
+ "type": "string"
+ },
+ {
+ "name": "compliance",
+ "type": "boolean"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "destHost",
+ "type": "string"
+ },
+ {
+ "name": "destIp",
+ "type": "string"
+ },
+ {
+ "name": "destMac",
+ "type": "string"
+ },
+ {
+ "name": "destPort",
+ "type": "string"
+ },
+ {
+ "name": "details",
+ "type": "string"
+ },
+ {
+ "name": "deviceCredentials",
+ "type": "dynamic"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceId",
+ "type": "int"
+ },
+ {
+ "name": "deviceLabel",
+ "type": "string"
+ },
+ {
+ "name": "deviceSubnet",
+ "type": "string"
+ },
+ {
+ "name": "deviceType",
+ "type": "string"
+ },
+ {
+ "name": "latitude",
+ "type": "real"
+ },
+ {
+ "name": "longitude",
+ "type": "real"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "mitreTechniques",
+ "type": "dynamic"
+ },
+ {
+ "name": "modelName",
+ "type": "string"
+ },
+ {
+ "name": "modelTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "pid",
+ "type": "int"
+ },
+ {
+ "name": "score",
+ "type": "int"
+ },
+ {
+ "name": "sid",
+ "type": "int"
+ },
+ {
+ "name": "sourceHost",
+ "type": "string"
+ },
+ {
+ "name": "sourceIp",
+ "type": "string"
+ },
+ {
+ "name": "sourceMac",
+ "type": "string"
+ },
+ {
+ "name": "sourcePort",
+ "type": "string"
+ },
+ {
+ "name": "threatId",
+ "type": "int"
+ },
+ {
+ "name": "triggeredComponents",
+ "type": "string"
+ },
+ {
+ "name": "typeLabel",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Darktrace/CustomTables/DarktraceResponseActions_CL.json b/Solutions/Darktrace/CustomTables/DarktraceResponseActions_CL.json
new file mode 100644
index 00000000000..126b04bd7ec
--- /dev/null
+++ b/Solutions/Darktrace/CustomTables/DarktraceResponseActions_CL.json
@@ -0,0 +1,106 @@
+{
+ "Name": "DarktraceResponseActions_CL",
+ "Properties": [
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "changedBy",
+ "type": "string"
+ },
+ {
+ "name": "codeId",
+ "type": "int"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceFirstSeen",
+ "type": "string"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "deviceLabel",
+ "type": "string"
+ },
+ {
+ "name": "deviceLastSeen",
+ "type": "string"
+ },
+ {
+ "name": "deviceMac",
+ "type": "string"
+ },
+ {
+ "name": "deviceName",
+ "type": "string"
+ },
+ {
+ "name": "deviceType",
+ "type": "string"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "inhibitor",
+ "type": "string"
+ },
+ {
+ "name": "model",
+ "type": "string"
+ },
+ {
+ "name": "reason",
+ "type": "string"
+ },
+ {
+ "name": "score",
+ "type": "int"
+ },
+ {
+ "name": "startTime",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "subnetId",
+ "type": "int"
+ },
+ {
+ "name": "subnetLabel",
+ "type": "string"
+ },
+ {
+ "name": "subnetNetwork",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ }
+
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Darktrace/CustomTables/DarktraceSystemStatusAlerts_CL.json b/Solutions/Darktrace/CustomTables/DarktraceSystemStatusAlerts_CL.json
new file mode 100644
index 00000000000..28c8a2b5179
--- /dev/null
+++ b/Solutions/Darktrace/CustomTables/DarktraceSystemStatusAlerts_CL.json
@@ -0,0 +1,65 @@
+{
+ "Name": "DarktraceSystemStatusAlerts_CL",
+ "Properties": [
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceHostname",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "friendlyModelName",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "modelName",
+ "type": "string"
+ },
+ {
+ "name": "priority",
+ "type": "string"
+ },
+ {
+ "name": "priorityCode",
+ "type": "int"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "int"
+ },
+ {
+ "name": "statusName",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
new file mode 100644
index 00000000000..c52f3e27ca7
--- /dev/null
+++ b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
@@ -0,0 +1,133 @@
+{
+ "id": "DarktraceActiveAISecurityPlatform",
+ "title": "Darktrace Active AI Security Platform",
+ "publisher": "Darktrace",
+ "descriptionMarkdown": "Th Darktrace Active AI Security Platform data connector is used to push real-time events from Darktrace to Microsoft Sentinel. The following data can be sent from Darktrace by using this data connector: Darktrace Incidents, Darktrace Model Alerts, Darktrace / EMAIL logs, Darktrace Response Actions, Darktrace / ASM logs, and Darktrace System Status Alerts.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "All Darktrace Alerts",
+ "baseQuery": "union DarktraceModelAlerts_CL, DarktraceIncidents_CL, DarktraceASM_CL, DarktraceEMAIL_CL, DarktraceResponseActions_CL, DarktraceSystemStatusAlerts_CL"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description" : "One-line title for your sample query 1",
+ "query": "DarktraceModelAlerts_CL\n | take 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "DarktraceASM_CL",
+ "lastDataReceivedQuery": "DarktraceASM_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "DarktraceEMAIL_CL",
+ "lastDataReceivedQuery": "DarktraceEMAIL_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "DarktraceIncidents_CL",
+ "lastDataReceivedQuery": "DarktraceIncidents_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "DarktraceModelAlerts_CL",
+ "lastDataReceivedQuery": "DarktraceModelAlerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "DarktraceResponseActions_CL",
+ "lastDataReceivedQuery": "DarktraceResponseActions_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ },
+ {
+ "name": "DarktraceSystemStatusAlerts_CL",
+ "lastDataReceivedQuery": "DarktraceSystemStatusAlerts_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "union DarktraceModelAlerts_CL, DarktraceIncidents_CL, DarktraceASM_CL, DarktraceEMAIL_CL, DarktraceResponseActions_CL, DarktraceSystemStatusAlerts_CL | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": true
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "write": true,
+ "read": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "name": "Darktrace Prerequisites",
+ "description": "To use this Data Connector a Darktrace master running v7.1+ is required.\n Data is sent to Azure Monitor Logs with [Logs ingesiton API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal) over HTTPs from Darktrace masters, therefore outbound connectivity from the Darktrace master to Microsoft is required."
+ },
+ {
+ "name": "Filter Darktrace Data",
+ "description": "During configuration it is possible to set up additional filtering on the Darktrace System Configuration page to constrain the amount or types of data sent."
+ },
+ {
+ "name": "Entra App",
+ "description": "An Entra app needs to be registered to authenticate against the Log Ingestion API. See [the Log ingestion tutorial to learn more about Entra App creation, registration and credential configuration.](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-logs-ingestion-portal)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "title": "",
+ "description": "This Data Connector uses the Microsoft Log Ingestion API to push Darktrace alerts into Microsoft Sentinel."
+ },
+ {
+ "title": "",
+ "description": "Detailed setup instructions can be found on the Darktrace Customer Portal.\n",
+ "instructions": [
+ {
+ "parameters": {
+ "fillWith": [
+ "WorkspaceName"
+ ],
+ "label": "Workspace Name"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ],
+ "metadata": {
+ "id": "E8134523-075A-4269-8D92-3CC0688E7C40",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "Darktrace"
+ },
+ "author": {
+ "name": "Darktrace"
+ },
+ "support": {
+ "tier": "developer",
+ "name": "Darktrace",
+ "link":"customerportal.darktrace.com"
+ }
+ }
+}
\ No newline at end of file
diff --git a/Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatform.json b/Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatform.json
new file mode 100644
index 00000000000..5f1dae92031
--- /dev/null
+++ b/Solutions/Darktrace/Workbooks/DarktraceActiveAISecurityPlatform.json
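Review bot: The `permissions.resourceProvider` block requires `"delete": true` on the workspace and the `Microsoft.OperationalInsights/workspaces/sharedKeys` action, yet the `customs` text says the connector authenticates to the Logs Ingestion API with a registered Entra app and nothing here uses the workspace shared key; the sharedKeys entry looks carried over from a legacy HTTP Data Collector template, over-states what an operator must be granted, and nudges them to expose a long-lived workspace key that this integration does not need. Dropping the sharedKeys provider and the `delete` requirement, and stating instead that the Entra app needs the Monitoring Metrics Publisher role on the target DCR/DCE, would match the actual authentication path. The `sampleQueries` entry still carries the scaffold text `One-line title for your sample query 1`, `descriptionMarkdown` starts with `Th Darktrace`, the prerequisites text says `Logs ingesiton API`, and `support.link` lacks a scheme (`https://customerportal.darktrace.com`).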
@@ -0,0 +1,2623 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "a4b35478-499a-4fcc-8424-63abbb698bfa", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Incidents", + "subTarget": "ai-analyst", + "style": "link" + }, + { + "id": "45805ae8-29d7-4774-a10a-8d60af407bbf", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "NETWORK/CLOUD/OT/ENDPOINT ", + "subTarget": "overview", + "style": "link" + }, + { + "id": "0dc4ab10-226f-422f-a7bb-9e905f96fb6c", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "EMAIL", + "subTarget": "email", + "style": "link" + }, + { + "id": "7a64cd79-3a09-4046-8d6f-ba24fc2bab6c", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "IDENTITY", + "subTarget": "cloud", + "style": "link" + }, + { + "id": "2eac3f00-5164-4a77-9781-118eb681b729", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "Response Actions", + "subTarget": "agn", + "style": "link" + }, + { + "id": "ff97b7e6-6bbf-401c-aaff-833d5309f00d", + "cellValue": "tab", + "linkTarget": "parameter", + "linkLabel": "System Status Alerts", + "subTarget": "status", + "style": "link" + } + ] + }, + "name": "tabs" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "96e10804-35d4-4d5c-b2d8-1af544471721", + "version": "KqlParameterItem/1.0", + "name": "Timeframe", + "type": 4, + "description": "Set the global time range for all queries below", + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 
1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 604800000 + } + } + ], + "style": "pills", + "doNotRunWhenHidden": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Timescale " + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", + "version": "KqlParameterItem/1.0", + "name": "_severity", + "type": 1, + "description": "parameter to drill down on clicked severity tile", + "value": "", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "label": "severity" + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n DarktraceModelAlerts_CL\r\n | where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n | extend status = case( \r\n compliance == false and category == \"Critical\", \"Critical\",\r\n compliance == true, \"Compliance\",\r\n compliance == false and category == \"Suspicious\", \"Suspicious\",\r\n compliance == false and category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, 
status_count\r\n| sort by status_count asc", + "size": 3, + "title": "Model Alerts by Category", + "timeContextFromParameter": "Timeframe", + "exportFieldName": "status", + "exportParameterName": "_severity", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Compliance", + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Informational", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Suspicious", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "green", + "text": "{0}{1}" + } + ] + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "useGrouping": false, + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true, + "size": "auto" + } + }, + "name": "model breaches by severity" + }, + { + "type": 1, + "content": { + "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where compliance == true\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl 
\r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Compliance Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "yellow", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Compliance" + }, + "name": "Low severity model breaches" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where compliance == false and category == 
\"Informational\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Informational Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "orange", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + }, + "sortBy": [] + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Informational" + }, + "name": "Medium severity model breaches " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where 
compliance == false and category == \"Suspicious\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Suspicious Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Suspicious" + }, + "name": "High severity model breaches " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains 
(\"IaaS\")\r\n| where compliance == false and category == \"Critical\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Critical Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "red", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Critical" + }, + "name": "Critical severity model breaches" + } + ] + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isNotEqualTo", + "value": "hidden" + }, + "name": "Drill down group for 
different severities" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", + "size": 0, + "title": "Visualizing Threat Patterns: Model Alerts", + "color": "orange", + "timeContextFromParameter": "Timeframe", + "timeBrushParameterName": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Count", + "label": "Model Alerts" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true, + "maximumFractionDigits": 0 + } + } + } + } + }, + "name": "breaches in group" + }, + { + "type": 1, + "content": { + "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries below _", + "style": "info" + }, + "name": "text - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| summarize event_count=count() by modelName\r\n| top 10 by event_count", + "size": 0, + "title": "Top 10 Most Alerted Models", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Activity", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "60ch" + } + }, + { + "columnMatch": "event_count", + "formatter": 3, + "formatOptions": { + "palette": "orange" + } + } + ], + "labelSettings": [ + { + "columnId": "event_count", + "label": "Count" + } + ] + } + }, + "customWidth": "55", + "name": "most breached models" + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "\r\nDarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| where isnotempty(destHost) \r\n| summarize count(modelName) by destHost", + "size": 3, + "title": "Top External Hostnames", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "45", + "name": "top external hostnames" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\r\n| project TimeGenerated, score, modelName, description, deviceLabel, deviceCredentials, sourceIp, destIp, threatId, alertUrl \r\n| top 10 by score desc ", + "size": 0, + "title": "Top 10 Model Alerts with Highest Score", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "Severity", + "formatter": 8, + "formatOptions": { + "min": 1, + "max": 10, + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + }, + "sortBy": [] + }, + "name": "Top 10 hitting devices" + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\")\n| where isnotempty(destIp) \n| where destIp !startswith \"10\" and destIp !startswith \"192\" and destIp !startswith \"172\"\n| summarize event_count=count() by destIp\n| top 10 by event_count", + "size": 0, + "title": "Top 10 External IPs", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "barchart" + }, + "customWidth": "80", + "name": "top 10 external IPs" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName !contains (\"SaaS\") and modelName !contains (\"IaaS\") and compliance == true\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\r\n", + "size": 0, + "title": "Compliance Model Alerts Over Time", + "color": "orange", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Count", + "label": "Model Alerts" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true, + "maximumFractionDigits": 0 + } + } + } + } + }, + "name": "compliance breaches over time" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "overview" + }, + "name": "overview" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", + "version": "KqlParameterItem/1.0", + "name": "_severity", + "type": 1, + "description": "parameter to drill 
down on clicked severity tile", + "value": "hidden", + "isHiddenWhenLocked": true, + "timeContext": { + "durationMs": 86400000 + }, + "label": "severity" + } + ], + "style": "above", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n DarktraceModelAlerts_CL\r\n | where modelName contains (\"SaaS\") or modelName contains (\"IaaS\")\r\n | extend status = case( \r\n compliance == false and category == \"Critical\", \"Critical\",\r\n compliance == true, \"Compliance\",\r\n compliance == false and category == \"Suspicious\", \"Suspicious\",\r\n compliance == false and category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", + "size": 3, + "title": "Model Alerts by Category", + "timeContextFromParameter": "Timeframe", + "exportFieldName": "status", + "exportParameterName": "_severity", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Compliance", + "representation": "turquoise", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Informational", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Suspicious", + "representation": 
"orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "green", + "text": "{0}{1}" + } + ] + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "useGrouping": false, + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true, + "size": "auto" + } + }, + "name": "model breaches by severity" + }, + { + "type": 1, + "content": { + "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == true\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Compliance Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + 
}, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "yellow", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Compliance" + }, + "name": "Low severity model breaches" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == false and category == \"Informational\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc", + "size": 0, + "title": "Informational Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": 
"LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "orange", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Informational" + }, + "name": "Medium severity model breaches " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == false and category == \"Suspicious\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Suspicious Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + 
"formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": null, + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Suspicious" + }, + "name": "High severity model breaches " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\"))\r\n| where compliance == false and category == \"Critical\"\r\n| limit 100\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "Critical Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + 
"formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">", + "thresholdValue": "0", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "LogSeverity", + "formatter": 8, + "formatOptions": { + "min": 1, + "max": 10, + "palette": "greenRed" + } + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + }, + "sortBy": [] + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Critical" + }, + "name": "Critical severity model breaches" + } + ] + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isNotEqualTo", + "value": "hidden" + }, + "name": "Drill down group for different severities" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"SaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", + "size": 3, + "title": "Visualizing Threat Patterns: SaaS Model Alerts", + "color": "orange", + "timeContextFromParameter": "Timeframe", + "timeBrushParameterName": "Timeframe", + "timeBrushExportOnlyWhenBrushed": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "count_", + "label": "Model Alerts" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true, + 
"maximumFractionDigits": 0 + } + } + } + } + }, + "customWidth": "50", + "name": "saas user graph / time ", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"IaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", + "size": 3, + "title": "Visualizing Threat Patterns: IaaS Model Alerts", + "color": "orange", + "timeContextFromParameter": "Timeframe", + "timeBrushParameterName": "Timeframe", + "timeBrushExportOnlyWhenBrushed": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "count_", + "label": "Model Alerts" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true, + "maximumFractionDigits": 0 + } + } + } + } + }, + "customWidth": "50", + "name": "iaas user graph / time", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 1, + "content": { + "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", + "style": "info" + }, + "name": "text - 11" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"SaaS\")\r\n| summarize Count=count() by deviceLabel\r\n| top 10 by Count\r\n| project deviceLabel, Count\r\n\r\n", + "size": 0, + "title": "Top 10 SaaS Users With Most Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 3, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "event_count", + "formatter": 3, + "formatOptions": { + "palette": "orange" + } + }, + { 
+ "columnMatch": "Activity", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "60ch" + } + } + ] + } + }, + "name": "most breached SaaS users" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"SaaS\")\r\n| project TimeGenerated, score, modelName, description, deviceLabel, sourceIp, threatId, alertUrl \r\n| top 10 by score desc ", + "size": 0, + "title": "Top 10 Highest Severity SaaS Model Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "Severity", + "formatter": 8, + "formatOptions": { + "min": 1, + "max": 10, + "palette": "yellowOrangeRed" + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + }, + "sortBy": [] + }, + "name": "Top 10 hitting SaaS devices" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where (modelName contains (\"SaaS\") or modelName contains (\"IaaS\")) and compliance == true\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", + "size": 0, + "title": "Total XaaS Compliance Model Alerts", + "color": "orange", + 
"timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "count_", + "label": "Model Alerts" + } + ], + "ySettings": { + "numberFormatSettings": { + "unit": 0, + "options": { + "style": "decimal", + "useGrouping": true, + "maximumFractionDigits": 0 + } + } + } + } + }, + "name": "compliance breaches over time" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "cloud" + }, + "name": "Cloud group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceResponseActions_CL\n| limit 100\n| project TimeGenerated, deviceHostname, deviceIp, deviceLabel, deviceType, model, reason, score, state, url\n| sort by TimeGenerated desc", + "size": 0, + "title": "Response Actions", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 5" + }, + { + "type": 1, + "content": { + "json": "Below are RESPOND (Antigena) Model Alerts", + "style": "info" + }, + "name": "text - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\r\n| where modelName contains (\"Antigena\") and modelName contains (\"Network\")\r\n| limit 100\r\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\r\n| sort by TimeGenerated desc\r\n", + "size": 0, + "title": "NETWORK", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "tileSettings": { + "titleContent": { + "columnMatch": "agnActivity", + "formatter": 1, + 
"formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url" + } + }, + "subtitleContent": { + "columnMatch": "TimeGenerated", + "formatter": 6 + }, + "leftContent": { + "columnMatch": "Device" + }, + "secondaryContent": { + "columnMatch": "msgInfo", + "formatter": 1 + }, + "showBorder": true, + "sortCriteriaField": "TimeGenerated", + "sortOrderField": 2, + "size": "full" + } + }, + "name": "top level query " + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\n| where modelName contains (\"Antigena\") and modelName contains (\"SaaS\")\n| limit 100\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\n| sort by TimeGenerated desc\n", + "size": 0, + "title": "IDENTITY", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\n| where modelName contains (\"Antigena\") and modelName contains (\"MDR\")\n| limit 100\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\n| sort by TimeGenerated desc\n", + "size": 0, + "title": "MDR", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceModelAlerts_CL\n| where modelName contains (\"Antigena\") and modelName contains (\"CLOUD\")\n| limit 100\n| project TimeGenerated, score, modelName, threatId, deviceLabel, sourceHost, sourceIp, destHost, destIp, alertUrl, mitreTechniques\n| sort by TimeGenerated desc", + "size": 0, + "title": "CLOUD", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": 
"microsoft.operationalinsights/workspaces" + }, + "name": "query - 3" + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "agn" + }, + "name": "agn group" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "cd64e441-332e-4f47-8602-a25828ebc053", + "version": "KqlParameterItem/1.0", + "name": "aia_type", + "label": "Darktrace Incident Types", + "type": 2, + "description": "Filter out the types of AI Analyst Incidents available.", + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\n {\"value\": \"DarktraceIncidents_CL | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle\", \"label\": \"All\"},\n {\"value\": \"DarktraceIncidents_CL | where deviceHostname !contains 'SaaS' | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle\", \"label\": \"/ NETWORK\"},\n {\"value\": \"DarktraceIncidents_CL | where deviceHostname contains 'SaaS' | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle\", \"label\": \"/ IDENTITY\"}\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "DarktraceIncidents_CL | project TimeGenerated, aiaScore, bestAssetName, currentGroup, groupPreviousGroups, incidentEventTitle" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{aia_type}", + "size": 0, + "title": "All Darktrace Incident Events", + "timeContextFromParameter": "Timeframe", + "exportFieldName": "currentGroup", + "exportParameterName": "SelectedAIAGroup", + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "TimeGenerated", + "sortOrder": 2 + } + ] + }, + "name": "query - 7" + }, + { + "type": 1, + "content": { + "json": "_ Selecting a Darktrace Incident Event in the table above will group all the related Darktrace Incident Events below within the set timeframe _", + "style": "info" + }, + "name": "text - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let relatedGroups =\n DarktraceIncidents_CL\n | where groupPreviousGroups has \"{SelectedAIAGroup}\" or \"{SelectedAIAGroup}\" == currentGroup\n | extend allGroups = array_concat(groupPreviousGroups, pack_array(currentGroup))\n | mv-expand group = allGroups\n | project groupStr = tostring(group)\n | summarize by groupStr;\nDarktraceIncidents_CL\n| where currentGroup in (relatedGroups)", + "size": 0, + "title": "Darktrace Incident", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "sortBy": [ + { + "itemKey": "incidentEventTime", + "sortOrder": 1 + } + ] + }, + "sortBy": [ + { + "itemKey": "incidentEventTime", + "sortOrder": 1 + } + ] + }, + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceIncidents_CL\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", + "size": 3, + "title": "Visualizing Threat Patterns: Darktrace Incident Events", + "color": "lightBlue", + "timeContextFromParameter": "Timeframe", + "timeBrushParameterName": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "areachart", + "chartSettings": { + "showMetrics": false, + "ySettings": { + "numberFormatSettings": { + "unit": 17, + "options": { + 
"style": "decimal", + "useGrouping": true, + "minimumFractionDigits": 0, + "maximumFractionDigits": 0 + } + } + } + } + }, + "name": "incidents in group" + }, + { + "type": 1, + "content": { + "json": "_ Selecting a timeframe on the graph will change the timeframe for queries below _", + "style": "info" + }, + "name": "text - 6" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceIncidents_CL\r\n| summarize event_count=count() by incidentEventTitle\r\n| top 10 by event_count", + "size": 0, + "title": "Most Frequent Darktrace Incident Events", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "event_count", + "formatter": 3, + "formatOptions": { + "palette": "blue" + } + } + ], + "labelSettings": [ + { + "columnId": "event_count", + "label": "Count" + } + ] + } + }, + "name": "Top 10 Most Frequent Incidents" + } + ], + "exportParameters": true + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "ai-analyst" + }, + "name": "ai- analyst group " + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceEMAIL_CL\n| extend Actions = parse_json(actions)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock Link\")\n| extend Lock_All_Links=set_has_element(Actions, \"Lock All Links\")\n| extend Double_Lock_Link=set_has_element(Actions, \"Double Lock Link\")\n| extend Double_Lock_All_Links=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip Attachment\")\n| extend Strip_All_Attachments=set_has_element(Actions, \"Strip All Attachments\")\n| extend 
Convert_Attachment=set_has_element(Actions, \"Convert Attachment\")\n| extend Convert_All_Attachments=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Lock_All_Links=countif(Lock_All_Links == true), Double_Lock_Link=countif(Double_Lock_Link == true), Double_Lock_All_Links=countif(Double_Lock_All_Links == true), Convert_Attachment=countif(Convert_Attachment == true), Convert_All_Attachments=countif(Convert_All_Attachments == true), Strip_Attachment=countif(Strip_Attachment == true), Strip_All_Attachments=countif(Strip_All_Attachments == true), Unspoof=countif(Unspoof == true)", + "size": 0, + "title": "Total Actions Taken", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar", + "gridSettings": { + "sortBy": [ + { + "itemKey": "Hold_Email", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "Hold_Email", + "sortOrder": 2 + } + ], + "tileSettings": { + "showBorder": false + }, + "graphSettings": { + "type": 0 + }, + "chartSettings": { + "seriesLabelSettings": [ + { + "seriesName": "Junk_Email", + "label": "Junk Email", + "color": "redBright" + }, + { + "seriesName": "Lock_Link", + "label": "Lock Link", + "color": "lightBlue" + }, + { + "seriesName": "Double_Lock_Link", + "label": "Double Lock Link", + "color": "green" + }, + { + "seriesName": "Strip_Attachment", + "label": "Strip Attachment", + "color": "purple" + }, + { + "seriesName": "Convert_Attachment", + "label": "Convert Attachment", + "color": "orange" + }, + { + "seriesName": "Unspoof", + "label": "Unspoof", + "color": "pink" + }, + { + "seriesName": "Hold_Email", + "label": "Hold Email", + "color": "redDark" + }, + { + 
"seriesName": "Lock_All_Links", + "label": "Lock All Links", + "color": "blueDark" + }, + { + "seriesName": "Double_Lock_All_Links", + "label": "Double Lock All Links", + "color": "greenDark" + }, + { + "seriesName": "Convert_All_Attachments", + "label": "Convert All Attachments", + "color": "orangeDark" + }, + { + "seriesName": "Strip_All_Attachments", + "label": "Strip All Attachments", + "color": "purpleDark" + } + ] + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "Hold_Email", + "sizeAggregation": "Sum", + "legendMetric": "Hold_Email", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "Hold_Email", + "heatmapPalette": "greenRed" + } + } + }, + "name": "query - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ac642d55-be90-4144-8bc3-ce0cb7fcc161", + "version": "KqlParameterItem/1.0", + "name": "SearchRecipient", + "label": "Search Recipient", + "type": 1, + "description": "Filter for held emails", + "value": "test", + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceEMAIL_CL\n| extend Actions = parse_json(actions)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| where Hold_Email == true \n| extend recipients=parse_json(recipients)\n| where recipients contains \"{SearchRecipient}\"\n| project subject, from, recipients, anomalyScore, timestamp, direction, tags, attachmentNames, url, uuid", + "size": 0, + "title": "Held Emails", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceEMAIL_CL\n| where direction 
== \"inbound\"\n| project-rename Sender=from\n| summarize Count=count() by Sender\n| top 10 by Count", + "size": 0, + "title": "Top 10 Most Frequent External Senders ", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Count", + "formatter": 3, + "formatOptions": { + "palette": "orange" + } + }, + { + "columnMatch": "event_count", + "formatter": 3, + "formatOptions": { + "palette": "orange" + } + } + ] + } + }, + "name": "query - 1" + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "email" + }, + "name": "group - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "4727607c-4f65-4373-b0e8-33b0e2accbac", + "version": "KqlParameterItem/1.0", + "name": "_severity", + "label": "severity", + "description": "parameter to drill down on clicked severity tile", + "value": "hidden", + "isHiddenWhenLocked": true, + "type": 1, + "timeContext": { + "durationMs": 86400000 + } + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\n| union\n (\n DarktraceSystemStatusAlerts_CL\n | extend status = case( \n priority == \"low\", \"Low\",\n priority == \"medium\", \"Medium\",\n priority == \"high\", \"High\",\n priority == \"critical\", \"Critical\", \n \"True\"\n )\n | where status != \"True\"\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\n | summarize Count = count() by status, 
status_count\n )\n| summarize Count=sum(Count) by status, status_count\n| sort by status_count asc", + "size": 3, + "title": "System Status Alerts by Priority", + "timeContextFromParameter": "Timeframe", + "exportFieldName": "status", + "exportParameterName": "_severity", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "tiles", + "tileSettings": { + "titleContent": { + "columnMatch": "status", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Low", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Medium", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "High", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Critical", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": null, + "representation": null, + "text": "{0}{1}" + } + ] + } + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "style": "decimal", + "maximumFractionDigits": 2, + "maximumSignificantDigits": 3 + } + } + }, + "showBorder": true, + "size": "auto" + } + }, + "name": "query - 2" + }, + { + "type": 1, + "content": { + "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", + "style": "info" + }, + "name": "text - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"low\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated 
desc\r\n", + "size": 0, + "title": "Low Priority System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "yellow", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Low" + }, + "name": "Low" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"medium\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated desc", + "size": 0, + "title": "Medium Priority System Status Alerts", + "timeContextFromParameter": 
"Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "orange", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "OtherExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "50%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Medium" + }, + "name": "medium" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"high\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated desc", + "size": 0, + "title": "High Priority System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + 
"visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": "TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "LogSeverity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": "Default", + "representation": "redBright", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "High" + }, + "name": "high" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\r\n| where priority == \"critical\"\r\n| limit 100\r\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\r\n| sort by TimeGenerated desc", + "size": 0, + "title": "Critical Priority System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "table", + "gridSettings": { + "formatters": [ + { + "columnMatch": 
"TimeGenerated", + "formatter": 6, + "formatOptions": { + "customColumnWidthSetting": "20%" + } + }, + { + "columnMatch": "Activity", + "formatter": 1, + "formatOptions": { + "linkColumn": "DarktraceURL", + "linkTarget": "Url", + "customColumnWidthSetting": "40%" + } + }, + { + "columnMatch": "DeviceName", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "DeviceAddress", + "formatter": 1, + "formatOptions": { + "customColumnWidthSetting": "17.5%" + } + }, + { + "columnMatch": "Severity", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">", + "thresholdValue": "0", + "representation": "red", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "DarktraceURL", + "formatter": 5 + }, + { + "columnMatch": "LogSeverity", + "formatter": 8, + "formatOptions": { + "min": 1, + "max": 10, + "palette": "greenRed" + } + }, + { + "columnMatch": "DarktraceUrl", + "formatter": 5, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "AdditionalExtensions", + "formatter": 5, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ], + "labelSettings": [ + { + "columnId": "TimeGenerated", + "label": "Time" + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isEqualTo", + "value": "Critical" + }, + "name": "critical" + } + ] + }, + "conditionalVisibility": { + "parameterName": "_severity", + "comparison": "isNotEqualTo", + "value": "hidden" + }, + "name": "Drill down group for different severities" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "DarktraceSystemStatusAlerts_CL\n| project TimeGenerated, customLabel, darktraceHostname, deviceIp, friendlyModelName, message, modelName, priority, priorityCode, severity, status, statusName, url, uuid\n| sort by TimeGenerated desc", + 
"size": 0, + "title": "All System Status Alerts", + "timeContextFromParameter": "Timeframe", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 0" + } + ] + }, + "conditionalVisibility": { + "parameterName": "tab", + "comparison": "isEqualTo", + "value": "status" + }, + "name": "group - 8" + } + ], + "fallbackResourceIds": [], + "fromTemplateId": "sentinel-DarktraceActiveAISecurityPlatform", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file From 51ca3fd17ac1794d87c9b33917911fbf8345fe59 Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Thu, 23 Oct 2025 11:08:18 +0100 Subject: [PATCH 02/19] added to solution file --- .../Data/Solution_DarktraceEnterpriseImmuneSystem.json | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json index bd8197527f7..d53703ffa0e 100644 --- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json +++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json 
@@ -4,15 +4,19 @@
 "Logo": "",
 "Description": "The [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/",
 "Workbooks": [
- "Workbooks/DarktraceWorkbook.json"
+ "Workbooks/DarktraceWorkbook.json",
+ "Workbooks/DarktraceActiveAISecurityPlatform.json"
 ],
 "Analytic Rules": [
 "Analytic Rules/CreateAlertFromModelBreach.yaml",
 "Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml",
- "Analytic Rules/CreateAlertFromSystemStatus.yaml"
+ "Analytic Rules/CreateAlertFromSystemStatus.yaml",
+ "Analytic Rules/DarktraceIncidentEvent.yaml",
+ "Analytic Rules/DarktraceModelAlert.yaml"
 ],
 "Data Connectors": [
- "Data Connectors/DarktraceConnectorRESTAPI.json"
+ "Data Connectors/DarktraceConnectorRESTAPI.json",
+ "Data Connectors/DarktraceActiveAISecurityPlatform_Template.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Darktrace",
 "Version": "2.0.1",
From f27524ff5db57a8f94c74e5df2470226b8c3c5da Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Thu, 23 Oct 2025 11:43:35 +0100 Subject: [PATCH 03/19] updated version to 3.0.0
---
.../Data/Solution_DarktraceEnterpriseImmuneSystem.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
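Review bot: The `Description` context line in this hunk still lists only `[Microsoft Sentinel Data Collector API]` under "Underlying Microsoft Technologies used", while the hunk itself adds `Data Connectors/DarktraceActiveAISecurityPlatform_Template.json` next to the existing REST connector. If the new connector ingests through a different path than the Data Collector API (its separate template suggests it may, for example the Azure Monitor Logs Ingestion API with a data collection rule), that dependency belongs in the same list, because this text is what tells customers which preview-state or cost-bearing services the solution relies on. A `b.` entry naming the additional ingestion API after item `a.` would close the gap; confirm the exact dependency against the connector template before wording it.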
diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
index d53703ffa0e..800ff5153cc 100644
--- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
+++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
@@ -19,7 +19,7 @@
 "Data Connectors/DarktraceActiveAISecurityPlatform_Template.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Darktrace",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
From fa3cfc0bfba10a9a6471d45303ef24e494e7bd40 Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Thu, 23 Oct 2025 12:33:23 +0100 Subject: [PATCH 04/19] updated sample desc
---
.../DarktraceActiveAISecurityPlatform_Template.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
index c52f3e27ca7..5c0049cf7d0 100644
--- a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
+++ b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
@@ -12,7 +12,7 @@
 ],
 "sampleQueries": [
 {
- "description" : "One-line title for your sample query 1",
+ "description" : "Last 10 Model Alerts",
 "query": "DarktraceModelAlerts_CL\n | take 10"
 }
 ],
From aaf5651c771dc0dfce80b3f3d4aa1ee28904d3e9 Mon Sep 17 00:00:00 2001
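Review bot: The new sample description `Last 10 Model Alerts` promises the most recent rows, but the query it labels, `DarktraceModelAlerts_CL\n | take 10`, returns ten arbitrary rows because KQL `take` carries no ordering guarantee, so the sample will look wrong to anyone who runs it against a busy table. Either make the query match the label, `"query": "DarktraceModelAlerts_CL\n | top 10 by TimeGenerated desc"`, or soften the description to `Sample of 10 Model Alerts`. The version bump in the first hunk of this line needs no change.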
From: Dylan O'Sullivan Date: Tue, 28 Oct 2025 08:55:26 +0000 Subject: [PATCH 05/19] removed references
---
.../ValidConnectorIds.json | 1 + .../CreateAlertFromModelBreach.yaml | 78 - .../CreateAlertFromSystemStatus.yaml | 56 - .../CreateIncidentFromAIAnalystIncident.yaml | 67 - ...ution_DarktraceEnterpriseImmuneSystem.json | 4 - .../Workbooks/DarktraceWorkbook.json | 2035 ----------------- 6 files changed, 1 insertion(+), 2240 deletions(-) delete mode 100644 Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml delete mode 100644 Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml delete mode 100644 Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml delete mode 100644 Solutions/Darktrace/Workbooks/DarktraceWorkbook.json
diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 5fad6a4f737..416b6ced8aa 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -76,6 +76,7 @@
 "DNS",
 "Darktrace",
 "DarktraceRESTConnector",
+ "DarktraceActiveAISecurityPlatform",
 "DataminrPulseAlerts",
 "Dataverse",
 "DigitalGuardianDLP",
diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml deleted file mode 100644
index 41eca0fb0a1..00000000000
--- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
+++ /dev/null
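Review bot: `DarktraceActiveAISecurityPlatform` is added as an allowed connector id, but the entry only takes effect if it is byte-identical to the `connectorId` the two new analytic rules declare under `requiredDataConnectors`; that value is not in this hunk, so it should be diffed against this line before merge, since the validation this file appears to feed (judging by its `detectionTemplateSchemaValidation` path) would reject rules whose id is missing from the list. Keeping `Darktrace` and `DarktraceRESTConnector` is consistent with the legacy REST connector staying in the solution's `Data Connectors` list, even though the same patch deletes every rule that declared `connectorId: DarktraceRESTConnector`; if that connector is meant to be retired next, a short comment in the PR description saying so would help reviewers of the later patches.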
@@ -1,78 +0,0 @@ -id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 -name: Darktrace Model Breach -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.' -severity: Medium -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # tactics pulled dynamically -relevantTechniques: -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="Policy Breach" - | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category - | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity - | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", - DtCategory == "Critical", "High", - "Informational") -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: Host - fieldMappings: - - identifier: HostName - 
columnName: DstHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr - - entityType: IP - fieldMappings: - - identifier: Address - columnName: DstIpAddr -customDetails: - SrcMacAddr: SrcMacAddr - EventSeverity: EventSeverity - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - NetworkRuleNumber: NetworkRuleNumber - ThreatId: ThreatId - DtSentinelCategory: DtSentinelCategory - SrcPortNumber: SrcPortNumber - DstPortNumber: DstPortNumber - DstMacAddr: DstMacAddr - DtCompliance: DtCompliance - DtDescription: DtDescription - DtCategory: DtCategory - DtDeviceID: DtDeviceID -# These are described here - this is why we're leaving tactics and techniques above empty -alertDetailsOverride: - # model breach name here - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' # Up to 256 chars and 3 placeholders - alertDescriptionFormat: '{{DtMessage}}' # Up to 5000 chars and 3 placeholders - # MITRE tactic - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtBreachURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT \ No newline at end of file diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml deleted file mode 100644 index 06838e6e76e..00000000000 --- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: 2e629769-60eb-4a14-8bfc-bde9be66ebeb -name: Darktrace System Status -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.' -severity: Informational -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # none -relevantTechniques: # none -query: | - darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping - | where dtProduct_s =="System Alert" - | extend EventVendor="Darktrace", EventProduct="Darktrace DETECT" - | project-rename ThreatCategory=dtProduct_s, EventStartTime=time_s, NetworkRuleName=friendlyName_s, SrcIpAddr=deviceIP_s, SrcHostname=hostname_s, ThreatRiskLevel=priority_code_d, ThreatRiskCategory=priority_s, DtSeverity=Severity, DtName=name_s, DtStatus=status_s, DtMessage=Message, DtURL=url_s, DtUUID=uuid_g -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - ThreatRiskLevel: ThreatRiskLevel - ThreatRiskCategory: ThreatRiskCategory - DtName: DtName - DtStatus: DtStatus - DtMessage: DtMessage - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtMessage}}' - alertTacticsColumnName: # none - alertSeverityColumnName: # none - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory -version: 1.1.0 -kind: Scheduled 
diff --git a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml b/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml deleted file mode 100644 index d449cf51b1f..00000000000 --- a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -id: ffa2977f-3077-4bba-b1bf-f3417699cbb0 -name: Darktrace AI Analyst -description: | - 'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.' -severity: High -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: [] # no tactics are ingested for AIA events at the moment -relevantTechniques: [] -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="AI Analyst" - | project-rename EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d - | extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory - | extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low", - DtGroupCategory == "suspicious", "Medium", - "High") //compliance -> low, suspcious -> medium, critical -> high -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - EventEndTime: EventEndTime - NetworkRuleName: NetworkRuleName - DtCurrentGroup: DtCurrentGroup - ThreatRiskLevel: 
ThreatRiskLevel - DtSummary: DtSummary - DtGroupScore: DtGroupScore - DtGroupCategory: DtGroupCategory - DtSentinelCategory: DtSentinelCategory - DtSrcDeviceName: DtSrcDeviceName - DtNewEvent: DtNewEvent - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtSummary}}' - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT - - diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json index 800ff5153cc..5a9b938ac9b 100644 --- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json +++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json 
@@ -4,13 +4,9 @@ "Logo": "", "Description": "The [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/", "Workbooks": [ - "Workbooks/DarktraceWorkbook.json", "Workbooks/DarktraceActiveAISecurityPlatform.json" ], "Analytic Rules": [ - "Analytic Rules/CreateAlertFromModelBreach.yaml", - "Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml", - "Analytic Rules/CreateAlertFromSystemStatus.yaml", "Analytic Rules/DarktraceIncidentEvent.yaml", "Analytic Rules/DarktraceModelAlert.yaml" ], diff --git a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json b/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json deleted file mode 100644 index 3def177f1ac..00000000000 --- a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json +++ /dev/null 
@@ -1,2035 +0,0 @@ -{ - "version": "Notebook/1.0", - "items": [ - { - "type": 11, - "content": { - "version": "LinkItem/1.0", - "style": "tabs", - "links": [ - { - "id": "a4b35478-499a-4fcc-8424-63abbb698bfa", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "AI Analyst", - "subTarget": "ai-analyst", - "style": "link" - }, - { - "id": "45805ae8-29d7-4774-a10a-8d60af407bbf", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Network ", - "subTarget": "overview", - "style": "link" - }, - { - "id": "7a64cd79-3a09-4046-8d6f-ba24fc2bab6c", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Apps", - "subTarget": "cloud", - "style": "link" - }, - { - "id": "0dc4ab10-226f-422f-a7bb-9e905f96fb6c", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Email", - "subTarget": "email", - "style": "link" - }, - { - "id": "2eac3f00-5164-4a77-9781-118eb681b729", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "RESPOND", - "subTarget": "agn", - "style": "link" - }, - { - "id": "ff97b7e6-6bbf-401c-aaff-833d5309f00d", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "System Status", - "subTarget": "status", - "style": "link" - } - ] - }, - "name": "tabs" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "96e10804-35d4-4d5c-b2d8-1af544471721", - "version": "KqlParameterItem/1.0", - "name": "Timeframe", - "type": 4, - "description": "Set the global time range for all queries below", - "isRequired": true, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 300000 - }, - { - "durationMs": 900000 - }, - { - "durationMs": 1800000 - }, - { - "durationMs": 3600000 - }, - { - "durationMs": 14400000 - }, - { - "durationMs": 43200000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - "durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - 
"durationMs": 1209600000 - }, - { - "durationMs": 2419200000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ] - }, - "timeContext": { - "durationMs": 86400000 - }, - "value": { - "durationMs": 604800000 - } - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "Timescale " - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", - "version": "KqlParameterItem/1.0", - "name": "_severity", - "type": 1, - "description": "parameter to drill down on clicked severity tile", - "value": "", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "label": "severity" - } - ], - "style": "above", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n compliance_b == false and Category == \"Critical\", \"Critical\",\r\n compliance_b == true, \"Compliance\",\r\n compliance_b == false and Category == \"Suspicious\", \"Suspicious\",\r\n compliance_b == false and Category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | 
summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", - "size": 3, - "title": "Model Breaches by Category", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "status", - "exportParameterName": "_severity", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "status", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "Compliance", - "representation": "turquoise", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Informational", - "representation": "yellow", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Suspicious", - "representation": "orange", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Critical", - "representation": "redBright", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "green", - "text": "{0}{1}" - } - ] - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": false, - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "showBorder": true, - "size": "auto" - } - }, - "name": "model breaches by severity" - }, - { - "type": 1, - "content": { - "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", - "style": "info" - }, - "name": "text - 3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 
1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == true\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Compliance Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": 
"DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "yellow", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Compliance" - }, - "name": "Low severity model breaches" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend 
ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Informational\"\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n", - "size": 0, - "title": "Informational Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "orange", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": 
"OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Informational" - }, - "name": "Medium severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Suspicious\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, 
DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Suspicious Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "redBright", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Suspicious" - }, - "name": "High severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = 
\"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Critical\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Critical Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - 
"customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "red", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Critical" - }, - "name": "Critical severity model breaches" - } - ] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isNotEqualTo", - "value": "hidden" - }, - "name": "Drill down group for different severities" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 0, - "title": "Total Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Count", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - 
"maximumFractionDigits": 0 - } - } - } - } - }, - "name": "breaches in group" - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 11" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| summarize event_count=count() by NetworkRuleName\r\n| top 10 by event_count", - "size": 0, - "title": "Top 10 Most Breached Models", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Activity", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "60ch" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - } - ], - "labelSettings": [ - { - "columnId": "event_count", - "label": "Count" - } - ] - } - }, - "customWidth": "55", - "name": "most breached models" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "\r\ndarktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstHostname=destHost_s\r\n| where isnotempty(DstHostname) \r\n| summarize count(NetworkRuleName) by DstHostname", - "size": 3, - "title": "Top External Hostnames", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "45", - "name": "top external hostnames" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where 
dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ", - "size": 0, - "title": "Top 10 Model Breaches with Highest Severity", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "yellowOrangeRed" - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "name": "Top 10 hitting devices" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\n| project-rename DstIpAddr=destIP_s\n| where isnotempty(DstIpAddr) \n| where DstIpAddr !startswith \"10\"\n| where DstIpAddr !startswith \"192\"\n| where DstIpAddr !startswith \"172\"\n| 
summarize event_count=count() by DstIpAddr\n| top 10 by event_count", - "size": 0, - "title": "Top 10 External IPs", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart" - }, - "customWidth": "80", - "name": "top 10 external IPs" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\") and compliance_b == true\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\r\n", - "size": 0, - "title": "Compliance Model Breaches Over Time", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Count", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "compliance breaches over time" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "overview" - }, - "name": "overview" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", - "version": "KqlParameterItem/1.0", - "name": "_severity", - "type": 1, - "description": "parameter to drill down on clicked severity tile", - "value": "hidden", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "label": "severity" - } - ], - "style": "above", - "queryType": 0, - 
"resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n ThreatRiskLevel >= 75, \"Critical\",\r\n ThreatRiskLevel < 25, \"Low\",\r\n ThreatRiskLevel >= 50 and ThreatRiskLevel < 75, \"High\",\r\n ThreatRiskLevel >= 25 and ThreatRiskLevel < 50, \"Medium\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", - "size": 3, - "title": "Model Breaches by Severity", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "status", - "exportParameterName": "_severity", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "status", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "High", - "representation": "redBright", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Critical", - "representation": "red", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "green", - 
"text": "{0}{1}" - } - ] - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": false, - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "showBorder": true, - "size": "auto" - } - }, - "name": "model breaches by severity" - }, - { - "type": 1, - "content": { - "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", - "style": "info" - }, - "name": "text - 3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend 
MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel < 25\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Low Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "yellow", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Low" - }, - "name": "Low severity model breaches" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": 
"darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 25 and ThreatRiskLevel < 50\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Medium Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - 
{ - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "orange", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Medium" - }, - "name": "Medium severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule 
= \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 50 and ThreatRiskLevel < 75\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "High Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "redBright", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - 
"formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "High" - }, - "name": "High severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 75\r\n| limit 100\r\n| project 
TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n", - "size": 0, - "title": "Critical Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": ">", - "thresholdValue": "0", - "representation": "red", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "LogSeverity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "greenRed" - } - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Critical" - }, - "name": 
"Critical severity model breaches" - } - ] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isNotEqualTo", - "value": "hidden" - }, - "name": "Drill down group for different severities" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total SaaS Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "customWidth": "50", - "name": "saas user graph / time ", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"IaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total IaaS Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - 
} - } - }, - "customWidth": "50", - "name": "iaas user graph / time", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 11" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcHostname=hostname_s\r\n| summarize Count=count() by SrcHostname\r\n| top 10 by Count\r\n| project SrcHostname, Count\r\n\r\n", - "size": 0, - "title": "Top 10 SaaS Users With Most Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "Activity", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "60ch" - } - } - ] - } - }, - "name": "most breached SaaS users" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ", - "size": 0, - "title": "Top 10 Highest Severity SaaS Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": 
"microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "yellowOrangeRed" - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "name": "Top 10 hitting SaaS devices" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\")) and compliance_b == true\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 0, - "title": "Total XaaS Compliance Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "compliance breaches over time" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - 
"parameterName": "tab", - "comparison": "isEqualTo", - "value": "cloud" - }, - "name": "Cloud group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s contains (\"Network\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename EventStartTime = breachTime_s\r\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename ThreatId=threatID_d\r\n| limit 100\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "/Network ", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "tileSettings": { - "titleContent": { - "columnMatch": "agnActivity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url" - } - }, - "subtitleContent": { - "columnMatch": "TimeGenerated", - "formatter": 6 - }, - "leftContent": { - "columnMatch": "Device" - }, - "secondaryContent": { - "columnMatch": "msgInfo", - "formatter": 1 - }, - "showBorder": true, - "sortCriteriaField": "TimeGenerated", - "sortOrderField": 2, - "size": "full" - } - }, - "name": "top level query " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s 
contains (\"SaaS\")\n| project-rename SrcIpAddr=SourceIP\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=breachUrl_s\n| project-rename ThreatRiskLevel=score_d\n| project-rename NetworkRuleName=modelName_s\n| project-rename DstIpAddr=destIP_s\n| project-rename DstHostname=destHost_s\n| project-rename EventStartTime = breachTime_s\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\n| project-rename ThreatId=threatID_d\n| limit 100\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\n| sort by TimeGenerated desc\n", - "size": 0, - "title": "/Apps", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 1" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "agn" - }, - "name": "agn group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "cd64e441-332e-4f47-8602-a25828ebc053", - "version": "KqlParameterItem/1.0", - "name": "aia_type", - "label": "AI Analyst Incident Types", - "type": 2, - "description": "Filter out the types of AI Analyst Incidents available.", - "isRequired": true, - "typeSettings": { - "additionalResourceOptions": [], - "showDefault": false - }, - "jsonData": "[\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": 
\"All\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName !contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"Network\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"SaaS\"}\n]", - "timeContext": { - "durationMs": 86400000 - }, - "value": "darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "{aia_type}", - "size": 0, - "title": "AI Analyst Incidents", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "DtCurrentGroup", - "exportParameterName": "SelectedAIAGroup", - "queryType": 0, - "resourceType": 
"microsoft.operationalinsights/workspaces" - }, - "name": "query - 7" - }, - { - "type": 1, - "content": { - "json": "_ Selecting an AI Analyst Incident in the table above will put its corresponding Events in focus below _", - "style": "info" - }, - "name": "text - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"AI Analyst\"\n| project-rename EventStartTime=startTime_s\n| project-rename EventEndTime = endTime_s\n| project-rename DtIncidentEventName=title_s\n| project-rename DtCurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace \n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=url_s\n| project-rename DtSummary=summary_s\n| project-rename DtGroupScore=groupScore_d\n| project-rename DtGroupCategory=groupCategory_s\n| project-rename SrcDeviceName=bestDeviceName_s\n| where DtCurrentGroup contains \"{SelectedAIAGroup}\"\n| limit 100\n| project TimeGenerated, DtIncidentEventName, ThreatCategory, ThreatRiskLevel, DtSummary, SrcDeviceName, SrcHostname, DtURL, DtCurrentGroup, DtGroupScore, DtGroupCategory, EventStartTime, EventEndTime\n| sort by TimeGenerated desc\n\n", - "size": 0, - "title": "Selected AI Analyst Incident Events", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table" - }, - "name": "query - 5" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total AI Analyst Incident Events", - "color": "lightBlue", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": 
"Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "showMetrics": false, - "ySettings": { - "numberFormatSettings": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": true, - "minimumFractionDigits": 0, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "incidents in group" - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| extend DtIncidentEventName = title_s\r\n| summarize event_count=count() by DtIncidentEventName\r\n| top 10 by event_count", - "size": 0, - "title": "Top 10 Most Frequent AI Analyst Incident Events", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "blue" - } - } - ], - "labelSettings": [ - { - "columnId": "event_count", - "label": "Count" - } - ] - } - }, - "name": "Top 10 Most Frequent Incidents" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "ai-analyst" - }, - "name": "ai- analyst group " - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock Link\")\n| 
extend Lock_All_Links=set_has_element(Actions, \"Lock All Links\")\n| extend Double_Lock_Link=set_has_element(Actions, \"Double Lock Link\")\n| extend Double_Lock_All_Links=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip Attachment\")\n| extend Strip_All_Attachments=set_has_element(Actions, \"Strip All Attachments\")\n| extend Convert_Attachment=set_has_element(Actions, \"Convert Attachment\")\n| extend Convert_All_Attachments=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Lock_All_Links=countif(Lock_All_Links == true), Double_Lock_Link=countif(Double_Lock_Link == true), Double_Lock_All_Links=countif(Double_Lock_All_Links == true), Convert_Attachment=countif(Convert_Attachment == true), Convert_All_Attachments=countif(Convert_All_Attachments == true), Strip_Attachment=countif(Strip_Attachment == true), Strip_All_Attachments=countif(Strip_All_Attachments == true), Unspoof=countif(Unspoof == true)", - "size": 0, - "title": "Total Actions Taken", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "categoricalbar", - "gridSettings": { - "sortBy": [ - { - "itemKey": "Hold_Email", - "sortOrder": 2 - } - ] - }, - "sortBy": [ - { - "itemKey": "Hold_Email", - "sortOrder": 2 - } - ], - "tileSettings": { - "showBorder": false - }, - "graphSettings": { - "type": 0 - }, - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Junk_Email", - "label": "Junk Email", - "color": "redBright" - }, - { - "seriesName": "Lock_Link", - "label": "Lock Link", - "color": "lightBlue" - }, - { - "seriesName": "Double_Lock_Link", - "label": "Double Lock 
Link", - "color": "green" - }, - { - "seriesName": "Strip_Attachment", - "label": "Strip Attachment", - "color": "purple" - }, - { - "seriesName": "Convert_Attachment", - "label": "Convert Attachment", - "color": "orange" - }, - { - "seriesName": "Unspoof", - "label": "Unspoof", - "color": "pink" - }, - { - "seriesName": "Hold_Email", - "label": "Hold Email", - "color": "redDark" - }, - { - "seriesName": "Lock_All_Links", - "label": "Lock All Links", - "color": "blueDark" - }, - { - "seriesName": "Double_Lock_All_Links", - "label": "Double Lock All Links", - "color": "greenDark" - }, - { - "seriesName": "Convert_All_Attachments", - "label": "Convert All Attachments", - "color": "orangeDark" - }, - { - "seriesName": "Strip_All_Attachments", - "label": "Strip All Attachments", - "color": "purpleDark" - } - ] - }, - "mapSettings": { - "locInfo": "LatLong", - "sizeSettings": "Hold_Email", - "sizeAggregation": "Sum", - "legendMetric": "Hold_Email", - "legendAggregation": "Sum", - "itemColorSettings": { - "type": "heatmap", - "colorAggregation": "Sum", - "nodeColorField": "Hold_Email", - "heatmapPalette": "greenRed" - } - } - }, - "name": "query - 0" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "ac642d55-be90-4144-8bc3-ce0cb7fcc161", - "version": "KqlParameterItem/1.0", - "name": "SearchRecipient", - "label": "Search Recipient", - "type": 1, - "description": "Filter for held emails", - "value": "", - "timeContext": { - "durationMs": 86400000 - } - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 3" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| where Hold_Email == true \n| extend Recipients=parse_json(recipients_s)\n| where 
Recipients contains \"{SearchRecipient}\"\n| project-rename ThreatRiskLevel=anomaly_score_d\n| project-rename AttachmentSHA1s=attachment_sha1s_s\n| project-rename Sender=from_s\n| project-rename Subject=subject_s\n| project-rename Tags=tags_s\n| project-rename TimestampUTC=timestamp_t\n| project-rename UUID=uuid_s\n| project-rename DarktraceLink=url_s\n| project-rename Direction=direction_s\n| project Subject, Sender, Recipients, ThreatRiskLevel, TimestampUTC, Direction, Tags, AttachmentSHA1s, DarktraceLink, UUID", - "size": 0, - "title": "Held Emails", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| where direction_s == \"inbound\"\n| project-rename Sender=from_s\n| summarize Count=count() by Sender\n| top 10 by Count", - "size": 0, - "title": "Top 10 Most Frequent External Senders ", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - } - ] - } - }, - "name": "query - 1" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "email" - }, - "name": "group - 7" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping \n| where dtProduct_s ==\"System Alert\"\n| extend EventVendor = \"Darktrace\"\n| extend EventProduct = \"Darktrace DETECT\"\n| project-rename 
NetworkRuleName=friendlyName_s\n| project-rename ThreatRiskLevel=priority_code_d\n| project-rename ThreatRiskCategory=priority_s\n| project-rename EventStartTime = time_s\n| project-rename SrcIpAddr=deviceIP_s\n| project-rename SrcHostname=hostname_s\n| project-rename DtStatus=status_s\n| project-rename DtURL=url_s\n| project-rename DtSeverity=Severity\n| project-rename DtName=name_s\n| project-rename DtMessage=Message\n| project EventVendor, EventProduct, NetworkRuleName, ThreatRiskLevel, ThreatRiskCategory, SrcIpAddr, SrcHostname, DtStatus, DtURL, DtName, DtMessage", - "size": 0, - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 0" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "status" - }, - "name": "group - 8" - } - ], - "fallbackResourceIds": [], - "fromTemplateId": "sentinel-Darktrace", - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file From 8497d4e1d5fdf08d5a1160d1d0381918f359abe8 Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Tue, 28 Oct 2025 10:18:04 +0000 Subject: [PATCH 06/19] replaced logo --- Logos/Darktrace.svg | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Logos/Darktrace.svg b/Logos/Darktrace.svg index 3a31c96888b..c16b0646d8e 100644 --- a/Logos/Darktrace.svg +++ b/Logos/Darktrace.svg @@ -1 +1,3 @@ - \ No newline at end of file + + + From f82b26d5e9da501ba44ba3ab4a3ce96bd2842f92 Mon Sep 17 00:00:00 2001 
From: Dylan O'Sullivan Date: Fri, 7 Nov 2025 16:10:41 +0000 Subject: [PATCH 07/19] added sanitized sample data --- Sample Data/DarktraceASM_CL.json | 23 ++++++++ Sample Data/DarktraceEMAIL_CL.json | 37 +++++++++++++ Sample Data/DarktraceIncidents_CL.json | 43 +++++++++++++++ Sample Data/DarktraceModelAlerts_CL.json | 58 ++++++++++++++++++++ Sample Data/DarktraceResponseActions_CL.json | 27 +++++++++ Sample Data/DarktraceSystemStatusAlerts.json | 17 ++++++ 6 files changed, 205 insertions(+) create mode 100644 Sample Data/DarktraceASM_CL.json create mode 100644 Sample Data/DarktraceEMAIL_CL.json create mode 100644 Sample Data/DarktraceIncidents_CL.json create mode 100644 Sample Data/DarktraceModelAlerts_CL.json create mode 100644 Sample Data/DarktraceResponseActions_CL.json create mode 100644 Sample Data/DarktraceSystemStatusAlerts.json
diff --git a/Sample Data/DarktraceASM_CL.json b/Sample Data/DarktraceASM_CL.json
new file mode 100644
index 00000000000..38049bf8ab6
--- /dev/null
+++ b/Sample Data/DarktraceASM_CL.json
@@ -0,0 +1,23 @@ +{ + "action": "Update the software listed in this risk, by contacting your provider or hosting party. Also, take note that this information should not be publicly accessible, as this might help the hacker in their attack preparation.", + "alertTime": "2024-08-20 15:52:02", + "alertTimestamp": 1733410492, + "alertTitle": "Risk rating increased", + "alertType": "vulnerable-software", + "assetId": 177054, + "assetName": "SMTP Server london", + "assetUri": "https://instance.example.com/app/#/detail/overview/177054", + "customLabel": "Sample Label", + "darktraceProduct": "Darktrace / Attack Surface Management", + "description": "The rating for vulnerable software Prototype/1.7.3 has increased from a rating B to a rating E", + "endTime": "", + "endTimestamp": 1733310492, + "previousRating": "B", + "rating": "E", + "riskId": 134244, + "riskUri": "https://instance.example.darktrace.com/app/#/detail/direct-risks/177054?risk_id=134244", + "startTime": "1970-01-21 01:28:30", + "startTimestamp": 1733310492, + "state": "Increased Risk Rating", + "workbenchUri": "https://instance.example.darktrace.com/app/#/workbench?id=100&name=allowed&query=id+in+(134244,+256638,+256043)" + } \ No newline at end of file diff --git a/Sample Data/DarktraceEMAIL_CL.json b/Sample Data/DarktraceEMAIL_CL.json new file mode 100644 index 00000000000..2477cf89a78 --- /dev/null +++ b/Sample Data/DarktraceEMAIL_CL.json 
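Review bot: The fixture's time fields contradict each other: `alertTime` is `2024-08-20 15:52:02` while `alertTimestamp` 1733410492 falls in early December 2024, and `startTime` is `1970-01-21 01:28:30`, which is exactly what `startTimestamp` 1733310492 yields when epoch seconds are treated as milliseconds. Because the matching custom table types `startTime` as `datetime`, this ingests cleanly and silently places the risk decades in the past for any workbook or rule that sorts or filters on it. If the sample came out of the connector's own formatting code rather than hand editing, the same seconds/milliseconds mix-up is worth checking in the producer. Suggest making the fixture internally consistent, e.g. `"startTime": "2024-12-04 11:08:12",` (roughly the UTC value of its timestamp), and likewise aligning `alertTime` with `alertTimestamp`.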
@@ -0,0 +1,37 @@ +{ + "actions": [ + "notify" + ], + "alertTime": "2024-08-20 15:52:02", + "anomalyScore": 0, + "attachmentNames": [ + "image-1.jpg" + ], + "attachmentSha1s": [ + "f0c31baa0193dde73dd3f96147ae99c7af84a025" + ], + "attachmentSha256s": [ + "33b5bb0fb2234c39c8dc210d9bf27d6a32cb7c19d2c49cf91af8229f2a53c2ec" + ], + "customLabel": "Sample Label", + "darktraceProduct": "Darktrace / EMAIL", + "direction": "inbound", + "from": "test@darktrace.com", + "linkHosts": [ + "darktrace.com" + ], + "messageId": "5877f022-108f-4cf7-8ced-dcdf8d25770", + "recipientActions": [ + "test@example.com: notify" + ], + "recipients": [ + "test@example.com" + ], + "subject": "Test Darktrace / EMAIL Alert", + "tags": [ + "Test Email" + ], + "timestamp": "2020-12-15T04:47:29.936", + "url": "https://sample-darktrace.com/emailuuid", + "uuid": "79D0DD80-5A5E-44E9-A917-7F8567C21877.1" + } \ No newline at end of file diff --git a/Sample Data/DarktraceIncidents_CL.json b/Sample Data/DarktraceIncidents_CL.json new file mode 100644 index 00000000000..dc95f7a5750 --- /dev/null +++ b/Sample Data/DarktraceIncidents_CL.json 
@@ -0,0 +1,43 @@ +{ + "activityId": "00000000", + "aiaScore": 100, + "bestAssetName": "Test Device", + "currentGroup": "00000000-0000-0000-0000-000000000004", + "customLabel": "", + "darktraceProduct": "Darktrace Incidents", + "deviceHostname": "test-device.example.com", + "deviceIp": "0.1.2.3", + "deviceIdentifier": "Test Device", + "deviceMac": "00:11:22:33:44:55", + "deviceSubnet": "example", + "devices": [ + { + "deviceDid": 5649, + "deviceHostname": "ip-0-0-0-0.eu-west-1.compute.internal", + "deviceIp": "0.0.0.0", + "deviceIdentifier": "ip-0-0-0-0.eu-west-1.compute.internal", + "deviceMac": "00:00:00:00:00:00", + "deviceSid": 111, + "deviceSubnet": "example" + } + ], + "endTime": "Jan 1st 2000 00:00:00 UTC", + "externalId": "00000000-0000-0000-0000-000000000006", + "groupByActivity": false, + "groupCategory": "compliance", + "groupPreviousGroups": [ + "00000000-0000-0000-0000-000000000005" + ], + "groupScore": 100, + "groupingId": "00000000", + "incidentEventTime": "2024-08-20 15:52:02", + "incidentEventTitle": "Test AIA Alert", + "latitude": 4.598, + "longitude": -74.343, + "newEvent": false, + "severity": 10, + "startTime": "Jan 1st 2000 00:00:00 UTC", + "summary": "Test AIA alert used for testing alerting configuration.", + "summaryFirstSentence": "Test AIA alert used for testing alerting configuration.", + "url": "" + } \ No newline at end of file diff --git a/Sample Data/DarktraceModelAlerts_CL.json b/Sample Data/DarktraceModelAlerts_CL.json new file mode 100644 index 00000000000..ca8f7af6c57 --- /dev/null +++ b/Sample Data/DarktraceModelAlerts_CL.json 
@@ -0,0 +1,58 @@ +{ + "alertTime": "2024-08-20 15:52:02", + "alertUrl": "https://example.com/#modelbreach/18754", + "antigena": false, + "category": "Critical", + "cSensor": true, + "cSensorId": "5f016ddb-53c2-28d3-19b1-f434713e6a08", + "compliance": false, + "customLabel": "Sample Label", + "darktraceProduct": "Darktrace Model Alerts", + "description": "No description is available for this model breach", + "destHost": "download.windowsupdate.com", + "destIp": "8.7.7.5", + "destMac": "00-B0-D0-63-C2-26", + "destPort": "443", + "details": "https://example.com/#modelbreach/18754", + "deviceCredentials": [ + { + "cred": "example_cred", + "seen": "2024-08-20 15:52:02" + } + ], + "deviceHostname": "sample_host", + "deviceId": 3423, + "deviceLabel": "test-device.example.com", + "deviceSubnet": "Sample Subnet", + "deviceType": "Laptop", + "latitude": 4.598, + "longitude": -74.076, + "message": "FileTransfer::Exe file found with filetype. This is an example.", + "mitreTechniques": [ + { + "tactics": [ + "defense-evasion", + "lateral-movement" + ], + "technique": "Use Alternate Authentication Material", + "techniqueId": "T1550" + } + ], + "modelName": "Test Folder/Test Model", + "modelTags": [ + "AP: C2 Comms", + "AP: Egress", + "OT Engineer" + ], + "pid": 665, + "score": 16, + "sid": -9, + "sourceHost": "my_host", + "sourceIp": "190.137.183.213", + "sourceMac": "00-B0-D0-63-C2-25", + "sourcePort": "18000", + "threatId": 18754, + "triggeredComponents": "SaaS Resource Viewed\nRare domain: 0\nRare hostname: 0\nBeaconing score: 0", + "typeLabel": "sample_label", + "uuid": "539464e9-df49-45e9-a8da-3beece6394e8" +} \ No newline at end of file diff --git a/Sample Data/DarktraceResponseActions_CL.json b/Sample Data/DarktraceResponseActions_CL.json new file mode 100644 index 00000000000..df45ca9effd --- /dev/null +++ b/Sample Data/DarktraceResponseActions_CL.json 
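Review bot: `sourceIp` `190.137.183.213` and `destIp` `8.7.7.5` are routable public addresses, so this "sanitized" sample points at real third-party hosts and will be copied into customer workspaces and test runs by anyone who imports it. RFC 5737 reserves `192.0.2.0/24`, `198.51.100.0/24` and `203.0.113.0/24` for documentation, and RFC 7042 sets aside `00-00-5E-00-53-xx` for example MAC addresses in place of `00-B0-D0-63-C2-25`/`-26`. `destHost` `download.windowsupdate.com` is a live Microsoft domain and `cSensorId`/`uuid` look like genuine identifiers; if they were lifted from a real deployment, replace them with obviously synthetic values, as the Incidents sample already does with its `00000000-0000-…` ids.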
@@ -0,0 +1,27 @@ +{ + "action": "CREATE", + "alertTime": "2024-08-20 15:52:02", + "changedBy": "darktrace", + "codeId": 9896, + "customLabel": "Sample Label", + "darktraceProduct": "Darktrace Autonomous Response", + "deviceFirstSeen": "Jan 1st 2000 00:00:00 UTC", + "deviceHostname": "test-device.example.com", + "deviceIp": "0.1.2.3", + "deviceLabel": "testlabel", + "deviceLastSeen": "Jan 1st 2000 00:00:00 UTC", + "deviceMac": "00:11:22:33:44:55", + "deviceName": "testlabel", + "deviceType": "Desktop", + "endTime": "Jan 1st 2000 00:00:00 UTC", + "inhibitor": "Alert for for testing alerting configuration.", + "model": "Test Model", + "reason": "This is a test alert for testing alerting configuration.", + "score": 0, + "startTime": "Jan 1st 2000 00:00:00 UTC", + "state": "Created", + "subnetId": 0, + "subnetLabel": "testsubnetlabel", + "subnetNetwork": "testnetwork", + "url": "https://darktrace.com" + } \ No newline at end of file diff --git a/Sample Data/DarktraceSystemStatusAlerts.json b/Sample Data/DarktraceSystemStatusAlerts.json new file mode 100644 index 00000000000..71bac99d8d2 --- /dev/null +++ b/Sample Data/DarktraceSystemStatusAlerts.json @@ -0,0 +1,17 @@ +{ + "alertTime": "2024-08-20 15:52:02", + "customLabel": "Sample Label", + "darktraceHostname": "darktrace.example.com", + "darktraceProduct": "Darktrace System Status Alerts", + "deviceIp": "0.1.2.3", + "friendlyModelName": "Test System Status Alert", + "message": "Test System Status alert used for testing alerting configuration.", + "modelName": "test-system-status-alert", + "priority": "high", + "priorityCode": 100, + "status": "Resolved", + "severity": 10, + "statusName": "Resolved: Test System Status Alert", + "url": "https://darktrace.com", + "uuid": "00000000-0000-0000-0000-000000000008" + } \ No newline at end of file From 24be68b6ecbbea5606aa067f848a100434a1ab51 Mon Sep 17 00:00:00 2001 
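Review bot: The last file is named `Sample Data/DarktraceSystemStatusAlerts.json` while its five siblings carry the `_CL` suffix and the table added later in this series is `DarktraceSystemStatusAlerts_CL`. If the repository's sample-data checks pair fixtures with tables by file name, this one will be skipped silently; renaming it to `DarktraceSystemStatusAlerts_CL.json` keeps the convention. Separately, `url` is the live site `https://darktrace.com` in both this and the Response Actions fixture; a placeholder in the style of the ASM sample, e.g. `"url": "https://instance.example.com/status/00000000"`, is more clearly synthetic and cannot be mistaken for a real console link.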
From: Dylan O'Sullivan Date: Mon, 10 Nov 2025 08:21:44 +0000 Subject: [PATCH 08/19] added custom tables --- .../CustomTables/DarktraceASM_CL.json | 89 ++++++++++ .../CustomTables/DarktraceEMAIL_CL.json | 81 +++++++++ .../CustomTables/DarktraceIncidents_CL.json | 121 ++++++++++++++ .../CustomTables/DarktraceModelAlerts_CL.json | 158 ++++++++++++++++++ .../DarktraceResponseActions_CL.json | 106 ++++++++++++ .../DarktraceSystemStatusAlerts_CL.json | 65 +++++++ 6 files changed, 620 insertions(+) create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json create mode 100644 .script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json new file mode 100644 index 00000000000..9af7333f9eb --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json 
@@ -0,0 +1,89 @@ +{ + "Name": "DarktraceASM_CL", + "Properties": [ + { + "name": "action", + "type": "string" + }, + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "alertTimestamp", + "type": "int" + }, + { + "name": "alertTitle", + "type": "string" + }, + { + "name": "alertType", + "type": "string" + }, + { + "name": "assetId", + "type": "int" + }, + { + "name": "assetName", + "type": "string" + }, + { + "name": "assetUri", + "type": "string" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "endTime", + "type": "string" + }, + { + "name": "endTimestamp", + "type": "int" + }, + { + "name": "previousRating", + "type": "string" + }, + { + "name": "rating", + "type": "string" + }, + { + "name": "riskId", + "type": "int" + }, + { + "name": "riskUri", + "type": "string" + }, + { + "name": "startTime", + "type": "datetime" + }, + { + "name": "startTimestamp", + "type": "int" + }, + { + "name": "state", + "type": "string" + }, + { + "name": "workbenchUri", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json new file mode 100644 index 00000000000..3a2d8f1a926 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json 
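Review bot: `alertTimestamp`, `startTimestamp` and `endTimestamp` are declared `int`, which in Log Analytics is a 32-bit signed integer; epoch seconds exceed 2147483647 on 19 January 2038, and any millisecond-precision value (the ASM sample's `startTime` hints that confusion may already exist upstream) overflows today. Declaring them `long`, e.g. `{ "name": "alertTimestamp", "type": "long" }`, costs nothing and avoids silent truncation or ingestion failures. `endTime` is also typed `string` while `alertTime` and `startTime` are `datetime`, so a populated end time cannot be compared with the others without a cast in every query; if the producer sends `""` when unset, a DCR transform mapping the empty string to null lets this column be `datetime` as well.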
@@ -0,0 +1,81 @@ +{ + "Name": "DarktraceEMAIL_CL", + "Properties": [ + { + "name": "actions", + "type": "dynamic" + }, + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "anomalyScore", + "type": "int" + }, + { + "name": "attachmentNames", + "type": "dynamic" + }, + { + "name": "attachmentSha1s", + "type": "dynamic" + }, + { + "name": "attachmentSha256s", + "type": "dynamic" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "direction", + "type": "string" + }, + { + "name": "from", + "type": "string" + }, + { + "name": "linkHosts", + "type": "dynamic" + }, + { + "name": "messageId", + "type": "string" + }, + { + "name": "recipientActions", + "type": "dynamic" + }, + { + "name": "recipients", + "type": "dynamic" + }, + { + "name": "subject", + "type": "string" + }, + { + "name": "tags", + "type": "dynamic" + }, + { + "name": "timestamp", + "type": "datetime" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "uuid", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json new file mode 100644 index 00000000000..4ad6ec4dd39 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json 
@@ -0,0 +1,121 @@ +{ + "Name": "DarktraceIncidents_CL", + "Properties": [ + { + "name": "activityId", + "type": "string" + }, + { + "name": "aiaScore", + "type": "int" + }, + { + "name": "bestAssetName", + "type": "string" + }, + { + "name": "currentGroup", + "type": "string" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "deviceHostname", + "type": "string" + }, + { + "name": "deviceIp", + "type": "string" + }, + { + "name": "deviceIdentifier", + "type": "string" + }, + { + "name": "deviceMac", + "type": "string" + }, + { + "name": "deviceSubnet", + "type": "string" + }, + { + "name": "devices", + "type": "dynamic" + }, + { + "name": "endTime", + "type": "string" + }, + { + "name": "externalId", + "type": "string" + }, + { + "name": "groupByActivity", + "type": "boolean" + }, + { + "name": "groupCategory", + "type": "string" + }, + { + "name": "groupPreviousGroups", + "type": "dynamic" + }, + { + "name": "groupScore", + "type": "int" + }, + { + "name": "groupingId", + "type": "string" + }, + { + "name": "incidentEventTime", + "type": "datetime" + }, + { + "name": "incidentEventTitle", + "type": "string" + }, + { + "name": "latitude", + "type": "real" + }, + { + "name": "longitude", + "type": "real" + }, + { + "name": "newEvent", + "type": "boolean" + }, + { + "name": "severity", + "type": "int" + }, + { + "name": "startTime", + "type": "string" + }, + { + "name": "summary", + "type": "string" + }, + { + "name": "summaryFirstSentence", + "type": "string" + }, + { + "name": "url", + "type": "string" + } + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json new file mode 100644 index 00000000000..05f2c759dc6 --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json 
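Review bot: `startTime` and `endTime` are typed `string` here while `incidentEventTime` is `datetime`, presumably because the producer emits the ordinal form `Jan 1st 2000 00:00:00 UTC` seen in the sample; KQL `todatetime()` does not parse that format, so these columns are unusable for time-range filters or `datetime_diff` without custom parsing in every rule and workbook. Normalising to ISO 8601 in the producer or in the DCR transform, then declaring both columns `datetime`, fixes this once; if the raw display strings must be kept, add typed `startTimeUtc`/`endTimeUtc` alongside them rather than leaving the only incident timeline fields opaque to the SIEM.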
@@ -0,0 +1,158 @@ +{ + "Name": "DarktraceModelAlerts_CL", + "Properties": [ + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "alertUrl", + "type": "string" + }, + { + "name": "antigena", + "type": "boolean" + }, + { + "name": "category", + "type": "string" + }, + { + "name": "cSensor", + "type": "boolean" + }, + { + "name": "cSensorId", + "type": "string" + }, + { + "name": "compliance", + "type": "boolean" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "description", + "type": "string" + }, + { + "name": "destHost", + "type": "string" + }, + { + "name": "destIp", + "type": "string" + }, + { + "name": "destMac", + "type": "string" + }, + { + "name": "destPort", + "type": "string" + }, + { + "name": "details", + "type": "string" + }, + { + "name": "deviceCredentials", + "type": "dynamic" + }, + { + "name": "deviceHostname", + "type": "string" + }, + { + "name": "deviceId", + "type": "int" + }, + { + "name": "deviceLabel", + "type": "string" + }, + { + "name": "deviceSubnet", + "type": "string" + }, + { + "name": "deviceType", + "type": "string" + }, + { + "name": "latitude", + "type": "real" + }, + { + "name": "longitude", + "type": "real" + }, + { + "name": "message", + "type": "string" + }, + { + "name": "mitreTechniques", + "type": "dynamic" + }, + { + "name": "modelName", + "type": "string" + }, + { + "name": "modelTags", + "type": "dynamic" + }, + { + "name": "pid", + "type": "int" + }, + { + "name": "score", + "type": "int" + }, + { + "name": "sid", + "type": "int" + }, + { + "name": "sourceHost", + "type": "string" + }, + { + "name": "sourceIp", + "type": "string" + }, + { + "name": "sourceMac", + "type": "string" + }, + { + "name": "sourcePort", + "type": "string" + }, + { + "name": "threatId", + "type": "int" + }, + { + "name": "triggeredComponents", + "type": "string" + }, + { + "name": "typeLabel", + "type": "string" + }, + { + "name": "uuid", + "type": 
"string" + } + + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json new file mode 100644 index 00000000000..126b04bd7ec --- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json @@ -0,0 +1,106 @@ +{ + "Name": "DarktraceResponseActions_CL", + "Properties": [ + { + "name": "action", + "type": "string" + }, + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "changedBy", + "type": "string" + }, + { + "name": "codeId", + "type": "int" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "deviceFirstSeen", + "type": "string" + }, + { + "name": "deviceHostname", + "type": "string" + }, + { + "name": "deviceIp", + "type": "string" + }, + { + "name": "deviceLabel", + "type": "string" + }, + { + "name": "deviceLastSeen", + "type": "string" + }, + { + "name": "deviceMac", + "type": "string" + }, + { + "name": "deviceName", + "type": "string" + }, + { + "name": "deviceType", + "type": "string" + }, + { + "name": "endTime", + "type": "string" + }, + { + "name": "inhibitor", + "type": "string" + }, + { + "name": "model", + "type": "string" + }, + { + "name": "reason", + "type": "string" + }, + { + "name": "score", + "type": "int" + }, + { + "name": "startTime", + "type": "string" + }, + { + "name": "state", + "type": "string" + }, + { + "name": "subnetId", + "type": "int" + }, + { + "name": "subnetLabel", + "type": "string" + }, + { + "name": "subnetNetwork", + "type": "string" + }, + { + "name": "url", + "type": "string" + } + + ] +} \ No newline at end of file diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json new file mode 100644 index 00000000000..28c8a2b5179 
--- /dev/null +++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json @@ -0,0 +1,65 @@ +{ + "Name": "DarktraceSystemStatusAlerts_CL", + "Properties": [ + { + "name": "alertTime", + "type": "datetime" + }, + { + "name": "customLabel", + "type": "string" + }, + { + "name": "darktraceHostname", + "type": "string" + }, + { + "name": "darktraceProduct", + "type": "string" + }, + { + "name": "deviceIp", + "type": "string" + }, + { + "name": "friendlyModelName", + "type": "string" + }, + { + "name": "message", + "type": "string" + }, + { + "name": "modelName", + "type": "string" + }, + { + "name": "priority", + "type": "string" + }, + { + "name": "priorityCode", + "type": "int" + }, + { + "name": "status", + "type": "string" + }, + { + "name": "severity", + "type": "int" + }, + { + "name": "statusName", + "type": "string" + }, + { + "name": "url", + "type": "string" + }, + { + "name": "uuid", + "type": "string" + } + ] +} \ No newline at end of file From f5eff17af8d5b6a52e8258a663c9cbf5fe3b4196 Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Mon, 10 Nov 2025 08:28:09 +0000 Subject: [PATCH 09/19] updated metadata --- Workbooks/WorkbooksMetadata.json | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json index c0e3a874721..0daffd76140 100644 --- a/Workbooks/WorkbooksMetadata.json +++ b/Workbooks/WorkbooksMetadata.json 
@@ -5132,12 +5132,17 @@ { "workbookKey": "DarktraceWorkbook", "logoFileName": "Darktrace.svg", - "description": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.", + "description": "The Darktrace Workbook visualises Model Breaches, AI Analyst incidents, ASM alerts, EMAIL alerts, Response actions and system status alerts data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.", "dataTypesDependencies": [ - "darktrace_model_alerts_CL" + "DarktraceASM_CL", + "DarktraceEMAIL_CL", + "DarktraceIncidents_CL", + "DarktraceModelAlerts_CL", + "DarktraceResponseActions_CL", + "DarktraceSystemStatusAlerts_CL" ], "dataConnectorsDependencies": [ - "DarktraceRESTConnector" + "DarktraceActiveAISecurityPlatform_Template" ], "previewImagesFileNames": [ "DarktraceWorkbookBlack01.png", @@ -5145,7 +5150,7 @@ "DarktraceWorkbookWhite01.png", "DarktraceWorkbookWhite02.png" ], - "version": "1.0.1", + "version": "2.0.0", "title": "Darktrace", "templateRelativePath": "DarktraceWorkbook.json", "subtitle": "", From 0ffe216648ef24d4a132671ff3126b6fb0f2722e Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Mon, 10 Nov 2025 09:57:40 +0000 Subject: [PATCH 10/19] wrap in array --- Sample Data/DarktraceASM_CL.json | 6 ++++-- Sample Data/DarktraceEMAIL_CL.json | 6 ++++-- Sample Data/DarktraceIncidents_CL.json | 6 ++++-- Sample Data/DarktraceModelAlerts_CL.json | 6 ++++-- Sample Data/DarktraceResponseActions_CL.json | 6 ++++-- Sample Data/DarktraceSystemStatusAlerts.json | 6 ++++-- 6 files changed, 24 insertions(+), 12 deletions(-) diff --git a/Sample Data/DarktraceASM_CL.json b/Sample Data/DarktraceASM_CL.json index 38049bf8ab6..0d67f427db3 100644 --- a/Sample Data/DarktraceASM_CL.json +++ b/Sample Data/DarktraceASM_CL.json 
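Review bot: `dataConnectorsDependencies` is set to `DarktraceActiveAISecurityPlatform_Template`, which matches the connector's file name, but a later commit in this same series points both analytic rules at connector id `DarktraceActiveAISecurityPlatform`; only one of these can equal the connector's actual `id`, and the solution packager will report the other as a missing dependency. Suggest `"DarktraceActiveAISecurityPlatform"` here unless the connector JSON really declares the `_Template` id. `templateRelativePath` also still reads `DarktraceWorkbook.json` while the series adds `Workbooks/DarktraceActiveAISecurityPlatform.json`; if the old workbook file is being retired this path dangles, and the unchanged `previewImagesFileNames` would then show v1 screenshots for a 2.0.0 workbook that covers six new tables.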
@@ -1,4 +1,5 @@ -{ +[ + { "action": "Update the software listed in this risk, by contacting your provider or hosting party. Also, take note that this information should not be publicly accessible, as this might help the hacker in their attack preparation.", "alertTime": "2024-08-20 15:52:02", "alertTimestamp": 1733410492, @@ -20,4 +21,5 @@ "startTimestamp": 1733310492, "state": "Increased Risk Rating", "workbenchUri": "https://instance.example.darktrace.com/app/#/workbench?id=100&name=allowed&query=id+in+(134244,+256638,+256043)" - } \ No newline at end of file + } +] \ No newline at end of file diff --git a/Sample Data/DarktraceEMAIL_CL.json b/Sample Data/DarktraceEMAIL_CL.json index 2477cf89a78..79c41af76ba 100644 --- a/Sample Data/DarktraceEMAIL_CL.json +++ b/Sample Data/DarktraceEMAIL_CL.json @@ -1,4 +1,5 @@ -{ +[ + { "actions": [ "notify" ], @@ -34,4 +35,5 @@ "timestamp": "2020-12-15T04:47:29.936", "url": "https://sample-darktrace.com/emailuuid", "uuid": "79D0DD80-5A5E-44E9-A917-7F8567C21877.1" - } \ No newline at end of file + } +] \ No newline at end of file diff --git a/Sample Data/DarktraceIncidents_CL.json b/Sample Data/DarktraceIncidents_CL.json index dc95f7a5750..95482689b14 100644 --- a/Sample Data/DarktraceIncidents_CL.json +++ b/Sample Data/DarktraceIncidents_CL.json @@ -1,4 +1,5 @@ -{ +[ + { "activityId": "00000000", "aiaScore": 100, "bestAssetName": "Test Device", @@ -40,4 +41,5 @@ "summary": "Test AIA alert used for testing alerting configuration.", "summaryFirstSentence": "Test AIA alert used for testing alerting configuration.", "url": "" - } \ No newline at end of file + } +] \ No newline at end of file diff --git a/Sample Data/DarktraceModelAlerts_CL.json b/Sample Data/DarktraceModelAlerts_CL.json index ca8f7af6c57..604a75ee111 100644 --- a/Sample Data/DarktraceModelAlerts_CL.json +++ b/Sample Data/DarktraceModelAlerts_CL.json 
@@ -1,4 +1,5 @@ -{ +[ + { "alertTime": "2024-08-20 15:52:02", "alertUrl": "https://example.com/#modelbreach/18754", "antigena": false, @@ -55,4 +56,5 @@ "triggeredComponents": "SaaS Resource Viewed\nRare domain: 0\nRare hostname: 0\nBeaconing score: 0", "typeLabel": "sample_label", "uuid": "539464e9-df49-45e9-a8da-3beece6394e8" -} \ No newline at end of file + } +] \ No newline at end of file diff --git a/Sample Data/DarktraceResponseActions_CL.json b/Sample Data/DarktraceResponseActions_CL.json index df45ca9effd..65a5ec700bf 100644 --- a/Sample Data/DarktraceResponseActions_CL.json +++ b/Sample Data/DarktraceResponseActions_CL.json @@ -1,4 +1,5 @@ -{ +[ + { "action": "CREATE", "alertTime": "2024-08-20 15:52:02", "changedBy": "darktrace", @@ -24,4 +25,5 @@ "subnetLabel": "testsubnetlabel", "subnetNetwork": "testnetwork", "url": "https://darktrace.com" - } \ No newline at end of file + } +] \ No newline at end of file diff --git a/Sample Data/DarktraceSystemStatusAlerts.json b/Sample Data/DarktraceSystemStatusAlerts.json index 71bac99d8d2..bb7ef6306dd 100644 --- a/Sample Data/DarktraceSystemStatusAlerts.json +++ b/Sample Data/DarktraceSystemStatusAlerts.json @@ -1,4 +1,5 @@ -{ +[ + { "alertTime": "2024-08-20 15:52:02", "customLabel": "Sample Label", "darktraceHostname": "darktrace.example.com", @@ -14,4 +15,5 @@ "statusName": "Resolved: Test System Status Alert", "url": "https://darktrace.com", "uuid": "00000000-0000-0000-0000-000000000008" - } \ No newline at end of file + } +] \ No newline at end of file From 3b1aa61e5570904d83a45334c447c93a585991b9 Mon Sep 17 00:00:00 2001 From: Dylan O'Sullivan Date: Thu, 13 Nov 2025 16:02:11 +0000 Subject: [PATCH 11/19] changed connector id --- Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml | 2 +- Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
index 64f2fd92bba..7172d57f4fa 100644
--- a/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
+++ b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
@@ -4,7 +4,7 @@ kind: NRT
 description: Creates a Sentinel Incident from a Darktrace Incident Event.
 severity: High
 requiredDataConnectors:
- - connectorId: DarktraceLogIngestionAPIConnector
+ - connectorId: DarktraceActiveAISecurityPlatform
 dataTypes:
 - DarktraceIncidents_CL
 tactics: []
diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
index 95178fab0b9..296f2eada06 100644
--- a/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
+++ b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
@@ -6,7 +6,7 @@ description: |
 this Analytic Rule if you would like it to create Sentinel Incidents.
 severity: High
 requiredDataConnectors:
- - connectorId: DarktraceLogIngestionAPIConnector
+ - connectorId: DarktraceActiveAISecurityPlatform
 dataTypes:
 - DarktraceModelAlerts_CL
 tactics: []
From 6658236a85c71f79ca1d7e5c983220f328ac1191 Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Thu, 13 Nov 2025 16:04:57 +0000
Subject: [PATCH 12/19] sanitize email
---
 Sample Data/DarktraceEMAIL_CL.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Sample Data/DarktraceEMAIL_CL.json b/Sample Data/DarktraceEMAIL_CL.json
index 79c41af76ba..aa071583f6e 100644
--- a/Sample Data/DarktraceEMAIL_CL.json
+++ b/Sample Data/DarktraceEMAIL_CL.json
@@ -23,10 +23,10 @@
 ],
 "messageId": "5877f022-108f-4cf7-8ced-dcdf8d25770",
 "recipientActions": [
- "test@example.com: notify"
+ "sanitized@sanitized.com: notify"
 ],
 "recipients": [
- "test@example.com"
+ "sanitized@sanitized.com"
 ],
 "subject": "Test Darktrace / EMAIL Alert",
 "tags": [
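Review bot: Replacing `test@example.com` with `sanitized@sanitized.com` makes the fixture less safe, not more: `example.com` is reserved by RFC 2606 precisely so that sample data can never reach a real mailbox, whereas `sanitized.com` is an ordinary registrable domain controlled by a third party. Anyone who replays this sample through a notification playbook or tooling that acts on `recipients` would be addressing that domain. Revert to `"test@example.com: notify"` and `"test@example.com"`, or use another RFC 2606 name (`example.net`, `example.org`) if a visibly distinct address is wanted; the sender `test@darktrace.com` is the vendor's own domain and can stay.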
From 662596f96fa1197689758d2d65653d04478cbf65 Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Mon, 12 Jan 2026 15:31:19 +0000
Subject: [PATCH 13/19] refer to new api
---
 Solutions/Darktrace/Package/createUiDefinition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Darktrace/Package/createUiDefinition.json b/Solutions/Darktrace/Package/createUiDefinition.json
index a72e331d8e3..a79a8826609 100644
--- a/Solutions/Darktrace/Package/createUiDefinition.json
+++ b/Solutions/Darktrace/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
 "config": {
 "isWizard": false,
 "basics": {
- "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+ "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. 
\n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Log Ingestion API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
From af7d11bb0e6582496541fc54391418fc2fcdf9ea Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Tue, 13 Jan 2026 16:04:26 +0000
Subject: [PATCH 14/19] added outputs [NEED TO SET VARIABLES]
---
 Solutions/Darktrace/Package/mainTemplate.json | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/Solutions/Darktrace/Package/mainTemplate.json b/Solutions/Darktrace/Package/mainTemplate.json
index 6dd9aea205c..4afaa04e214 100644
--- a/Solutions/Darktrace/Package/mainTemplate.json
+++ b/Solutions/Darktrace/Package/mainTemplate.json
@@ -1074,5 +1074,22 @@
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
 }
 ],
- "outputs": {}
+ "outputs": {
+ "dceUrl": {
+ "type": "string",
+ "value": "[reference('darktrace-dce').properties.logsIngestion.endpoint]"
+ },
+ "dcrId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-dcr')]"
+ },
+ "clientId": {
+ "type": "string",
+ "value": "[reference('darktrace-app').clientId]"
+ },
+ "clientSecret": {
+ "type": "string",
+ "value": "Generated via Key Vault or manual step"
+ }
+ }
 }
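Review bot: `clientSecret` must not be a template output: ARM deployment outputs are stored in clear text in the deployment history and are readable by anyone with read permission on the resource group's deployments, so the placeholder `"Generated via Key Vault or manual step"` becomes a real exposure the moment someone substitutes an actual value (and `reference('darktrace-app').clientId` is only the non-secret identifier of a user-assigned identity, which has no client secret at all). Remove the `clientSecret` output and document the credential step outside the template; if a secret is ever genuinely required, keep it in Key Vault and output only that secret's resource ID, never its value. Note also that `reference('darktrace-dce')` and `reference('darktrace-app')` name resources that do not exist in the template at this commit (they are introduced in the next patch of this series), so the template cannot deploy in this state. The enclosing template object starts outside the hunk.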
From 21d21cce77b06ac6f0b942d8acae67a5579477a6 Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Tue, 13 Jan 2026 16:07:23 +0000
Subject: [PATCH 15/19] added resources
---
 Solutions/Darktrace/Package/mainTemplate.json | 41 ++++++++++++++++++-
 1 file changed, 40 insertions(+), 1 deletion(-)
diff --git a/Solutions/Darktrace/Package/mainTemplate.json b/Solutions/Darktrace/Package/mainTemplate.json
index 4afaa04e214..f0bfcdc75c3 100644
--- a/Solutions/Darktrace/Package/mainTemplate.json
+++ b/Solutions/Darktrace/Package/mainTemplate.json
@@ -1072,9 +1072,48 @@
 }
 },
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "apiVersion": "2021-09-01-preview",
+ "name": "darktrace-dce",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkAccess": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2021-09-01-preview",
+ "name": "darktrace-dcr",
+ "location": "[parameters('location')]",
+ "properties": {
+ "dataFlows": [
+ {
+ "streams": [ "Custom-Darktrace" ],
+ "destinations": [ "la-destination" ]
+ }
+ ],
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
+ "name": "la-destination"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2018-11-30",
+ "name": "darktrace-app", // Need to think of better name or label
+ "location": "[parameters('location')]"
+ }
 ],
- "outputs": {
+ "outputs": { // used for setting up in alert translator
 "dceUrl": {
 "type": "string",
 "value": "[reference('darktrace-dce').properties.logsIngestion.endpoint]"
From b9c7e25de48ab71511ba1c6197fe52095d0cff44 Mon Sep 17 00:00:00 2001
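Review bot: The DCR's `workspaceResourceId` uses `parameters('workspaceName')`, while the existing resource at the top of this hunk addresses the workspace as `parameters('workspace')`, so unless a `workspaceName` parameter is declared outside this hunk the template fails validation; the same question applies to `parameters('location')`, which the visible part of the template does not declare either. The DCR also carries no `dataCollectionEndpointId` linking it to `darktrace-dce` and no `streamDeclarations`/`outputStream` for `Custom-Darktrace`, so the Logs Ingestion API has no schema for the stream and no custom `_CL` table to route it to (one stream and data flow per target table is needed). Nothing grants `darktrace-app` the Monitoring Metrics Publisher role on the DCR, so ingestion from that identity would be rejected; add a `Microsoft.Authorization/roleAssignments` scoped to the DCR itself rather than granting at resource-group or subscription scope. `publicNetworkAccess: Enabled` on the DCE is presumably required because the Darktrace appliance posts from outside Azure, but that deserves a comment beside it, and since a user-assigned managed identity can only obtain tokens from inside Azure, how an external appliance would authenticate as `darktrace-app` should be confirmed before this ships. The enclosing `resources` array and template object begin outside the hunk.
```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2021-09-01-preview",
  "name": "darktrace-dcr",
  "location": "[parameters('location')]",
  "dependsOn": [
    "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'darktrace-dce')]"
  ],
  "properties": {
    "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'darktrace-dce')]",
    "streamDeclarations": {
      "Custom-Darktrace": {
        "columns": [ // TODO: one {name,type} entry per column of the target table, copied from its custom-table definition
        ]
      }
    },
    "dataFlows": [
      {
        "streams": [ "Custom-Darktrace" ],
        "destinations": [ "la-destination" ],
        "outputStream": "Custom-<TARGET_TABLE_NAME>_CL" // placeholder; repeat stream + dataFlow per target table
      }
    ],
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]",
          "name": "la-destination"
        }
      ]
    }
  }
},
// … unchanged: userAssignedIdentities resource …
{
  "type": "Microsoft.Authorization/roleAssignments",
  "apiVersion": "2022-04-01",
  "scope": "[format('Microsoft.Insights/dataCollectionRules/{0}', 'darktrace-dcr')]",
  "name": "[guid(resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-dcr'), 'darktrace-app')]",
  "dependsOn": [
    "[resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-dcr')]",
    "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'darktrace-app')]"
  ],
  "properties": {
    "roleDefinitionId": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<MONITORING_METRICS_PUBLISHER_ROLE_ID>')]",
    "principalId": "[reference('darktrace-app').principalId]",
    "principalType": "ServicePrincipal"
  }
}
```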
From: Dylan O'Sullivan
Date: Tue, 13 Jan 2026 16:17:43 +0000
Subject: [PATCH 16/19] changed naming
---
 Solutions/Darktrace/Package/mainTemplate.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/Solutions/Darktrace/Package/mainTemplate.json b/Solutions/Darktrace/Package/mainTemplate.json
index f0bfcdc75c3..5657c6e75b7 100644
--- a/Solutions/Darktrace/Package/mainTemplate.json
+++ b/Solutions/Darktrace/Package/mainTemplate.json
@@ -1076,7 +1076,7 @@
 {
 "type": "Microsoft.Insights/dataCollectionEndpoints",
 "apiVersion": "2021-09-01-preview",
- "name": "darktrace-dce",
+ "name": "darktrace-log-ingestion-dce",
 "location": "[parameters('location')]",
 "properties": {
 "networkAccess": {
@@ -1087,7 +1087,7 @@
 {
 "type": "Microsoft.Insights/dataCollectionRules",
 "apiVersion": "2021-09-01-preview",
- "name": "darktrace-dcr",
+ "name": "darktrace-log-ingestion-dcr",
 "location": "[parameters('location')]",
 "properties": {
 "dataFlows": [
@@ -1109,22 +1109,22 @@
 {
 "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
 "apiVersion": "2018-11-30",
- "name": "darktrace-app", // Need to think of better name or label
+ "name": "darktrace-log-ingestion-app",
 "location": "[parameters('location')]"
 }
 ],
- "outputs": { // used for setting up in alert translator
+ "outputs": {
 "dceUrl": {
 "type": "string",
- "value": "[reference('darktrace-dce').properties.logsIngestion.endpoint]"
+ "value": "[reference('darktrace-log-ingestion-dce').properties.logsIngestion.endpoint]"
 },
 "dcrId": {
 "type": "string",
- "value": "[resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-dcr')]"
+ "value": "[resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-log-ingestion-dcr')]"
 },
 "clientId": {
 "type": "string",
- "value": "[reference('darktrace-app').clientId]"
+ "value": "[reference('darktrace-log-ingestion-app').clientId]"
 },
 "clientSecret": {
 "type": "string",
From 4f3cd36055087c96fb0f4abd7aa97231c0909744 Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Tue, 13 Jan 2026 16:20:40 +0000
Subject: [PATCH 17/19] update step
---
 Solutions/Darktrace/Package/createUiDefinition.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Solutions/Darktrace/Package/createUiDefinition.json b/Solutions/Darktrace/Package/createUiDefinition.json
index a79a8826609..6aea82b9811 100644
--- a/Solutions/Darktrace/Package/createUiDefinition.json
+++ b/Solutions/Darktrace/Package/createUiDefinition.json
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Darktrace REST API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Antigena Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Sentinel from Darktrace appliances."
+ "text": "The Darktrace Log Ingestion API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log tables named accordingly; Model Breaches, AI Analyst Incidents, System Alerts, Response Actions, Attack Surface Management alerts and Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Sentinel from Darktrace appliances."
 }
 },
 {
From 7040597520d34ec4e7fd569c24a6106d9e398f28 Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Tue, 13 Jan 2026 16:21:53 +0000
Subject: [PATCH 18/19] more steps
---
 Solutions/Darktrace/Package/createUiDefinition.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
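Review bot: The new `dataconnectors1-text` string reads `writes logs to a custom log tables named accordingly`, which is ungrammatical and no longer tells the installer which tables to expect; suggest `writes each alert type to its own custom log table (for example DarktraceModelAlerts_CL and DarktraceIncidents_CL)`. The closing sentence `Data is pushed to Sentinel from Darktrace appliances` still describes the Log Ingestion API path accurately and can stay as written.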
diff --git a/Solutions/Darktrace/Package/createUiDefinition.json b/Solutions/Darktrace/Package/createUiDefinition.json
index 6aea82b9811..5364ced8af4 100644
--- a/Solutions/Darktrace/Package/createUiDefinition.json
+++ b/Solutions/Darktrace/Package/createUiDefinition.json
@@ -88,7 +88,7 @@
 "name": "workbooks-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ "text": "This solution installs the workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
 }
 },
 {
@@ -110,7 +110,7 @@
 "name": "workbook1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email."
+ "text": "The Darktrace Workbook visualises alert data received by the Darktrace Log Ingestion API and visualises events across the network, SaaS, IaaS and Email."
 }
 }
 ]
From 77bd4b53cf3536e740de72f3193caad0649c371f Mon Sep 17 00:00:00 2001
From: Dylan O'Sullivan
Date: Tue, 13 Jan 2026 16:29:06 +0000
Subject: [PATCH 19/19] removed stapi as no rule yet
---
 .../Darktrace/Package/createUiDefinition.json | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/Solutions/Darktrace/Package/createUiDefinition.json b/Solutions/Darktrace/Package/createUiDefinition.json
index 5364ced8af4..06524ffa580 100644
--- a/Solutions/Darktrace/Package/createUiDefinition.json
+++ b/Solutions/Darktrace/Package/createUiDefinition.json
@@ -146,13 +146,13 @@
 {
 "name": "analytic1",
 "type": "Microsoft.Common.Section",
- "label": "Darktrace Model Breach",
+ "label": "Darktrace Model Alert",
 "elements": [
 {
 "name": "analytic1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes."
+ "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Alerts, fetched every 5 minutes."
 }
 }
 ]
@@ -170,20 +170,6 @@
 }
 }
 ]
- },
- {
- "name": "analytic3",
- "type": "Microsoft.Common.Section",
- "label": "Darktrace System Status",
- "elements": [
- {
- "name": "analytic3-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes."
- }
- }
- ]
 }
 ]
 }
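Review bot: Removing the `analytic3` section leaves the `basics.description` string earlier in this same file (the one patch 13 rewrote) still advertising `**Analytic Rules:** 3`, so the wizard now contradicts itself; change that count to match the rules actually packaged, in this commit rather than later. The surviving `analytic1-text` says Model Alerts are `fetched every 5 minutes`, whereas `DarktraceIncidentEvent.yaml` in this series is `kind: NRT`; if `DarktraceModelAlert.yaml` is also NRT, the wording should describe near-real-time evaluation rather than a 5-minute poll, which is worth confirming against the rule file. The enclosing `elements` array and section objects begin outside the hunk.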