Darktrace Model Breach
| Id | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 |
| Rulename | Darktrace Model Breach |
| Description | This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes. |
| Severity | Medium |
| Required data connectors | DarktraceRESTConnector |
| Kind | NRT |
| Query frequency | 5m |
| Query period | 5m |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml |
| Version | 1.1.0 |
| Arm template | a3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
DtCategory == "Critical", "High",
"Informational")
relevantTechniques:
name: Darktrace Model Breach
requiredDataConnectors:
- dataTypes:
- darktrace_model_alerts_CL
connectorId: DarktraceRESTConnector
entityMappings:
- fieldMappings:
- identifier: HostName
columnName: SrcHostname
entityType: Host
- fieldMappings:
- identifier: HostName
columnName: DstHostname
entityType: Host
- fieldMappings:
- identifier: Address
columnName: SrcIpAddr
entityType: IP
- fieldMappings:
- identifier: Address
columnName: DstIpAddr
entityType: IP
triggerThreshold: 0
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
tactics:
version: 1.1.0
customDetails:
NetworkRuleNumber: NetworkRuleNumber
DtDescription: DtDescription
SrcPortNumber: SrcPortNumber
ThreatId: ThreatId
EventStartTime: EventStartTime
SrcMacAddr: SrcMacAddr
DtCompliance: DtCompliance
DstPortNumber: DstPortNumber
DtDeviceID: DtDeviceID
EventSeverity: EventSeverity
DstMacAddr: DstMacAddr
DtSentinelCategory: DtSentinelCategory
DtCategory: DtCategory
NetworkRuleName: NetworkRuleName
alertDetailsOverride:
alertDescriptionFormat: '{{DtMessage}}'
alertTacticsColumnName:
alertSeverityColumnName:
alertDynamicProperties:
- alertProperty: AlertLink
value: DtBreachURL
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: ProductComponentName
value: ThreatCategory
- alertProperty: Severity
value: DtSentinelCategory
alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
queryPeriod: 5m
kind: NRT
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
queryFrequency: 5m
severity: Medium
description: |
'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
query: |
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
DtCategory == "Critical", "High",
"Informational")
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"kind": "NRT",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3c7b8ed-56a9-47b7-98e5-2555c16e17c9')]",
"properties": {
"alertDetailsOverride": {
"alertDescriptionFormat": "{{DtMessage}}",
"alertDisplayNameFormat": "Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}",
"alertDynamicProperties": [
{
"alertProperty": "AlertLink",
"value": "DtBreachURL"
},
{
"alertProperty": "ProviderName",
"value": "EventVendor"
},
{
"alertProperty": "ProductName",
"value": "EventProduct"
},
{
"alertProperty": "ProductComponentName",
"value": "ThreatCategory"
},
{
"alertProperty": "Severity",
"value": "DtSentinelCategory"
}
],
"alertSeverityColumnName": null,
"alertTacticsColumnName": null
},
"alertRuleTemplateName": "a3c7b8ed-56a9-47b7-98e5-2555c16e17c9",
"customDetails": {
"DstMacAddr": "DstMacAddr",
"DstPortNumber": "DstPortNumber",
"DtCategory": "DtCategory",
"DtCompliance": "DtCompliance",
"DtDescription": "DtDescription",
"DtDeviceID": "DtDeviceID",
"DtSentinelCategory": "DtSentinelCategory",
"EventSeverity": "EventSeverity",
"EventStartTime": "EventStartTime",
"NetworkRuleName": "NetworkRuleName",
"NetworkRuleNumber": "NetworkRuleNumber",
"SrcMacAddr": "SrcMacAddr",
"SrcPortNumber": "SrcPortNumber",
"ThreatId": "ThreatId"
},
"description": "'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'\n",
"displayName": "Darktrace Model Breach",
"enabled": true,
"entityMappings": [
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "SrcHostname",
"identifier": "HostName"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"columnName": "DstHostname",
"identifier": "HostName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcIpAddr",
"identifier": "Address"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DstIpAddr",
"identifier": "Address"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml",
"query": "darktrace_model_alerts_CL \n| where dtProduct_s ==\"Policy Breach\"\n| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category\n| extend EventCount=1, EventType=\"NetworkSession\", EventSchema=\"NetworkSession\", EventSchemaVersion=\"0.2.2\", EventResult=\"Success\", DvcAction = \"Allow\", EventVendor = \"Darktrace\", EventProduct = \"Darktrace DETECT\", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity\n| extend DtSentinelCategory = case(DtCategory == \"Suspicious\", \"Medium\", \n DtCategory == \"Critical\", \"High\",\n \"Informational\") \n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": null,
"techniques": null,
"templateVersion": "1.1.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}