// Darktrace "System Alert" rows only: filter the custom log table on dtProduct_s,
// then stamp two constant columns (EventVendor / EventProduct) onto each row.
darktrace_model_alerts_CL
| where dtProduct_s == "System Alert"
| extend
    EventVendor = "Darktrace",
    EventProduct = "Enterprise Immune System"
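# Microsoft Sentinel analytic rule (kind NRT) that raises one Informational alert
# per Darktrace "System Alert" row; the description frames it as health monitoring.
id: 2e629769-60eb-4a14-8bfc-bde9be66ebeb
name: Darktrace System Status
# Plain single-quoted scalar. The original put a single-quoted line inside a
# literal block (`description: |`), so the quotes themselves and a trailing
# newline became part of the rendered description text.
description: 'This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.'
severity: Informational
requiredDataConnectors:
  - connectorId: DarktraceRESTConnector
    dataTypes:
      - darktrace_model_alerts_CL
# NOTE(review): for kind NRT the platform schedules the query itself; whether
# queryFrequency/queryPeriod are honoured should be confirmed. Kept as authored.
queryFrequency: 5m
queryPeriod: 5m
# Fires on any non-zero result count; combined with AlertPerResult below, every
# matching row becomes its own alert, so alert volume tracks the number of
# "System Alert" rows ingested per run.
triggerOperator: gt
triggerThreshold: 0
# No MITRE tactics/techniques are assigned: the rule reports appliance health
# rather than a detection. Explicit null instead of a bare key for clarity.
tactics: null
relevantTechniques: null
query: |
  darktrace_model_alerts_CL
  | where dtProduct_s == "System Alert"
  | extend EventVendor = "Darktrace"
  | extend EventProduct = "Enterprise Immune System"
# No entity mappings are defined for this rule.
entityMappings: null
eventGroupingSettings:
  aggregationKind: AlertPerResult
# Message and friendlyName_s are not produced by the query above, so they are
# presumably columns of darktrace_model_alerts_CL — confirm against the
# connector's table schema before relying on the alert title/description.
alertDetailsOverride:
  alertDisplayNameFormat: 'Darktrace: {{friendlyName_s}}'
  alertDescriptionFormat: '{{Message}}'
  alertSeverityColumnName: null
  alertTacticsColumnName: null
customDetails:
  EventMessage: Message
  Title: friendlyName_s
# Quoted so no YAML loader can read the version as a number.
version: '1.0.0'
kind: NRT
# Quoted because the path contains a space.
OriginalUri: 'https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml'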
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/2e629769-60eb-4a14-8bfc-bde9be66ebeb')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/2e629769-60eb-4a14-8bfc-bde9be66ebeb')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Nrt",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Darktrace System Status",
"description": "This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.\n",
"severity": "Informational",
"enabled": true,
"query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"System Alert\"\n| extend EventVendor = \"Darktrace\"\n| extend EventProduct = \"Enterprise Immune System\"\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"alertRuleTemplateName": "2e629769-60eb-4a14-8bfc-bde9be66ebeb",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertSeverityColumnName": null,
"alertDisplayNameFormat": "Darktrace: {{friendlyName_s}}",
"alertTacticsColumnName": null,
"alertDescriptionFormat": "{{Message}}"
},
"customDetails": {
"EventMessage": "Message",
"Title": "friendlyName_s"
},
"entityMappings": null,
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml"
}
}
]
}