Darktrace Model Alert
| Field | Value |
|---|---|
| Id | 9392a06f-63a4-4a5d-8ca3-647064b13c28 |
| Rulename | Darktrace Model Alert |
| Description | This query searches for Darktrace model alerts and creates a Microsoft Sentinel alert from each matching event. Edit this analytic rule if you would like it to create Microsoft Sentinel incidents. |
| Severity | High |
| Tactics | InitialAccess, Execution, LateralMovement, CommandAndControl |
| Techniques | T1190, T1059, T1021, T1071 |
| Required data connectors | DarktraceActiveAISecurityPlatform |
| Kind | NRT |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml |
| Version | 1.0.0 |
| Arm template | 9392a06f-63a4-4a5d-8ca3-647064b13c28.json |
```kusto
DarktraceModelAlerts_CL
| where TimeGenerated >= ago(5m)
| extend SentinelSeverity = case(
    compliance == true, "Informational",
    category == "Informational", "Low",
    category == "Suspicious", "Medium",
    category == "Critical", "High",
    "Informational")
| extend ProviderName = "Darktrace"
| mv-apply item = mitreTechniques on (
    extend techniqueId = tostring(item.techniqueId)
    | summarize techniqueIdArray = make_list(techniqueId, 5)
  )
```
```yaml
description: |
  This query searches for Darktrace model alerts and creates a Microsoft Sentinel alert
  from each matching event. Edit this analytic rule if you would like it to create
  Microsoft Sentinel incidents.
kind: NRT
incidentConfiguration:
  createIncident: false
  groupingConfiguration:
    reopenClosedIncident: false
    lookbackDuration: PT5H
    matchingMethod: AllEntities
    enabled: false
alertDetailsOverride:
  alertSeverityColumnName: SentinelSeverity
  alertDynamicProperties:
    - value: alertUrl
      alertProperty: AlertLink
    - value: darktraceProduct
      alertProperty: ProductName
    - value: ProviderName
      alertProperty: ProviderName
    - value: techniqueIdArray
      alertProperty: Techniques
  alertDisplayNameFormat: 'Darktrace Model Alert: {{modelName}} '
  alertDescriptionFormat: '{{message}}'
query: |
  DarktraceModelAlerts_CL
  | where TimeGenerated >= ago(5m)
  | extend SentinelSeverity = case(
      compliance == true, "Informational",
      category == "Informational", "Low",
      category == "Suspicious", "Medium",
      category == "Critical", "High",
      "Informational")
  | extend ProviderName = "Darktrace"
  | mv-apply item = mitreTechniques on (
      extend techniqueId = tostring(item.techniqueId)
      | summarize techniqueIdArray = make_list(techniqueId, 5)
    )
requiredDataConnectors:
  - connectorId: DarktraceActiveAISecurityPlatform
    dataTypes:
      - DarktraceModelAlerts_CL
entityMappings:
  - fieldMappings:
      - identifier: Address
        columnName: sourceIp
    entityType: IP
  - fieldMappings:
      - identifier: Address
        columnName: destIp
    entityType: IP
  - fieldMappings:
      - identifier: HostName
        columnName: destHost
    entityType: Host
  - fieldMappings:
      - identifier: HostName
        columnName: sourceHost
    entityType: Host
id: 9392a06f-63a4-4a5d-8ca3-647064b13c28
version: 1.0.0
customDetails:
  DeviceHostname: deviceHostname
  DeviceCredentials: deviceCredentials
  CustomLabel: customLabel
  Score: score
  Category: category
  Compliance: compliance
tactics:
  - InitialAccess
  - Execution
  - LateralMovement
  - CommandAndControl
name: Darktrace Model Alert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
relevantTechniques:
  - T1190
  - T1059
  - T1021
  - T1071
eventGroupingSettings:
  aggregationKind: AlertPerResult
severity: High
```