Darktrace Incident Event
| Field | Value |
|---|---|
| Id | 05de0eaf-01bc-4615-99fc-2ec769864b34 |
| Rulename | Darktrace Incident Event |
| Description | This query searches for Darktrace incident events and creates a Microsoft Sentinel incident for each matching result. |
| Severity | High |
| Tactics | InitialAccess, Execution, LateralMovement, CommandAndControl |
| Techniques | T1190, T1059, T1021, T1071 |
| Required data connectors | DarktraceActiveAISecurityPlatform |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml |
| Version | 1.0.0 |
| Arm template | 05de0eaf-01bc-4615-99fc-2ec769864b34.json |
```kusto
DarktraceIncidents_CL
| where TimeGenerated >= ago(5m)
| extend SentinelSeverity = case(groupCategory == "suspicious", "Medium",
    groupCategory == "critical", "High", "Informational")
| extend ProviderName = "Darktrace"
```
```yaml
description: This query searches for Darktrace incident events and creates a Microsoft Sentinel incident for each matching result.
kind: NRT
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5M
    matchingMethod: AllEntities
    enabled: false
alertDetailsOverride:
  alertSeverityColumnName: SentinelSeverity
  alertDynamicProperties:
    - value: url
      alertProperty: AlertLink
    - value: darktraceProduct
      alertProperty: ProductName
    - value: ProviderName
      alertProperty: ProviderName
  alertDisplayNameFormat: 'Darktrace Incident Event: {{incidentEventTitle}} '
  alertDescriptionFormat: '{{summary}}'
query: |
  DarktraceIncidents_CL
  | where TimeGenerated >= ago(5m)
  | extend SentinelSeverity = case(groupCategory == "suspicious", "Medium",
      groupCategory == "critical", "High", "Informational")
  | extend ProviderName = "Darktrace"
requiredDataConnectors:
  - connectorId: DarktraceActiveAISecurityPlatform
    dataTypes:
      - DarktraceIncidents_CL
entityMappings:
  - fieldMappings:
      - identifier: Address
        columnName: deviceIp
    entityType: IP
  - fieldMappings:
      - identifier: HostName
        columnName: deviceHostname
    entityType: Host
id: 05de0eaf-01bc-4615-99fc-2ec769864b34
version: 1.0.0
customDetails:
  PreviousGroups: groupPreviousGroups
  IncidentEventScore: aiaScore
  Asset: bestAssetName
  CustomLabel: customLabel
  AssetDetails: devices
  StartTime: startTime
  EndTime: endTime
  CurrentGroup: currentGroup
  IncidentScore: groupScore
tactics:
  - InitialAccess
  - Execution
  - LateralMovement
  - CommandAndControl
name: Darktrace Incident Event
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
relevantTechniques:
  - T1190
  - T1059
  - T1021
  - T1071
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: High
```