Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Darktrace System Status Legacy

Darktrace System Status Legacy

Back
Id2e629769-60eb-4a14-8bfc-bde9be66ebeb
RulenameDarktrace System Status (Legacy)
DescriptionThis rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.
SeverityInformational
TacticsDiscovery
Impact
TechniquesT1082
T1498
Required data connectorsDarktraceRESTConnector
KindScheduled
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml
Version1.1.1
Arm template2e629769-60eb-4a14-8bfc-bde9be66ebeb.json
Deploy To Azure
darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping 
| where dtProduct_s =="System Alert"
| extend EventVendor="Darktrace", EventProduct="Darktrace DETECT"
| project-rename ThreatCategory=dtProduct_s, EventStartTime=time_s, NetworkRuleName=friendlyName_s, SrcIpAddr=deviceIP_s, SrcHostname=hostname_s, ThreatRiskLevel=priority_code_d, ThreatRiskCategory=priority_s, DtSeverity=Severity, DtName=name_s, DtStatus=status_s, DtMessage=Message, DtURL=url_s, DtUUID=uuid_g

entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
tactics:
- Discovery
- Impact
requiredDataConnectors:
- dataTypes:
  - darktrace_model_alerts_CL
  connectorId: DarktraceRESTConnector
alertDetailsOverride:
  alertDescriptionFormat: '{{DtMessage}}'
  alertTacticsColumnName: 
  alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
  alertDynamicProperties:
  - value: DtURL
    alertProperty: AlertLink
  - value: EventVendor
    alertProperty: ProviderName
  - value: EventProduct
    alertProperty: ProductName
  - value: ThreatCategory
    alertProperty: ProductComponentName
  alertSeverityColumnName: 
id: 2e629769-60eb-4a14-8bfc-bde9be66ebeb
severity: Informational
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  DtName: DtName
  ThreatRiskLevel: ThreatRiskLevel
  EventStartTime: EventStartTime
  NetworkRuleName: NetworkRuleName
  DtStatus: DtStatus
  DtMessage: DtMessage
  DtSeverity: DtSeverity
  ThreatRiskCategory: ThreatRiskCategory
query: |
  darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping 
  | where dtProduct_s =="System Alert"
  | extend EventVendor="Darktrace", EventProduct="Darktrace DETECT"
  | project-rename ThreatCategory=dtProduct_s, EventStartTime=time_s, NetworkRuleName=friendlyName_s, SrcIpAddr=deviceIP_s, SrcHostname=hostname_s, ThreatRiskLevel=priority_code_d, ThreatRiskCategory=priority_s, DtSeverity=Severity, DtName=name_s, DtStatus=status_s, DtMessage=Message, DtURL=url_s, DtUUID=uuid_g  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml
kind: Scheduled
queryPeriod: 5m
version: 1.1.1
name: Darktrace System Status (Legacy)
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1082
- T1498
description: |
    'This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.'
triggerOperator: gt