
Darktrace Model Breach

Id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
Rulename: Darktrace Model Breach
Description: This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.
Severity: Medium
Required data connectors: DarktraceRESTConnector
Kind: NRT
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
Version: 1.1.0
Arm template: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9.json
// Darktrace model breaches as ingested into the custom log table by the Darktrace REST connector.
darktrace_model_alerts_CL 
// Keep only model ("Policy") breaches; records with any other dtProduct_s value are dropped here.
| where dtProduct_s =="Policy Breach"
// Rename the custom-log columns to ASIM NetworkSession-style names (Src*/Dst*/Threat*/NetworkRule*)
// plus Dt*-prefixed vendor-specific fields. project-rename keeps no copy of the original names.
| project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
// Constant schema fields. EventEndTime is set equal to EventStartTime (breach time), and the model
// score is reused as ThreatRiskLevel.
// NOTE(review): EventResult/DvcAction are fixed to "Success"/"Allow" for every row, regardless of
// antigena_b (DtAntigena) — confirm whether an Antigena response should map to a different DvcAction.
| extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
// Derive the Sentinel alert severity from Darktrace's Category. Only "Suspicious" and "Critical"
// are mapped; any other value (including an empty Category) falls through to "Informational",
// so breaches from unmapped categories are de-prioritised rather than dropped.
| extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", 
                                  DtCategory == "Critical", "High",
                                  "Informational") 
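# Microsoft Sentinel analytic rule: raise one alert per Darktrace model breach
# delivered through the Darktrace REST data connector.
# Upstream source (keys here are reordered into the usual Sentinel template
# order; values are unchanged apart from stripped trailing whitespace):
#   https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9
name: Darktrace Model Breach
# The single quotes inside this literal block scalar are part of the value
# (upstream Sentinel template convention); left as-is on purpose.
description: |
    'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.'
# Rule-level default severity. Each alert's severity is overridden by the
# DtSentinelCategory dynamic property under alertDetailsOverride below.
severity: Medium
requiredDataConnectors:
- connectorId: DarktraceRESTConnector
  dataTypes:
  - darktrace_model_alerts_CL
# NOTE(review): kind is NRT while a 5m frequency/period is declared and the
# description says "every 5 minutes" — confirm which cadence the NRT engine
# actually applies, so the lookback window matches the connector's interval.
queryFrequency: 5m
queryPeriod: 5m
# Fire on any result: "greater than 0" rows.
triggerOperator: gt
triggerThreshold: 0
# Both left empty upstream (parsed as null). The query does carry Darktrace's
# own technique list in DtMitreTechniques, but it is not surfaced here, and
# alertTacticsColumnName below is empty as well.
tactics:
relevantTechniques:
# Detection logic: keep only "Policy Breach" rows, rename custom-log columns
# to ASIM NetworkSession-style names, add constant schema fields, and derive a
# Sentinel severity from Darktrace's Category.
# Caveats for reviewers:
#   - EventResult/DvcAction are hard-coded to Success/Allow for every row,
#     regardless of antigena_b (DtAntigena) — confirm whether an Antigena
#     response should map to a different DvcAction.
#   - DtSentinelCategory maps only "Suspicious" and "Critical"; every other
#     Category value (including empty) becomes "Informational", i.e. alerts
#     from unmapped categories are de-prioritised rather than dropped.
query: |
  darktrace_model_alerts_CL
  | where dtProduct_s =="Policy Breach"
  | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category
  | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity
  | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium",
                                    DtCategory == "Critical", "High",
                                    "Informational")
# Hosts and IPs on both sides of the session become entities. MAC addresses
# and ports are only carried in customDetails and are not entity-mapped.
entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: DstHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: DstIpAddr
# Extra query columns attached to each alert for triage.
customDetails:
  DstMacAddr: DstMacAddr
  DstPortNumber: DstPortNumber
  DtDescription: DtDescription
  EventStartTime: EventStartTime
  DtCategory: DtCategory
  DtCompliance: DtCompliance
  DtSentinelCategory: DtSentinelCategory
  NetworkRuleNumber: NetworkRuleNumber
  NetworkRuleName: NetworkRuleName
  EventSeverity: EventSeverity
  ThreatId: ThreatId
  SrcPortNumber: SrcPortNumber
  DtDeviceID: DtDeviceID
  SrcMacAddr: SrcMacAddr
alertDetailsOverride:
  alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
  # The alert text is the vendor-supplied Message column verbatim.
  alertDescriptionFormat: '{{DtMessage}}'
  alertTacticsColumnName:
  alertSeverityColumnName:
  # Per-alert overrides read from the query's columns.
  alertDynamicProperties:
  # AlertLink is breachUrl_s, i.e. a link back into the Darktrace UI supplied
  # by the connector; analysts will follow it straight from the alert.
  - alertProperty: AlertLink
    value: DtBreachURL
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: ProductComponentName
    value: ThreatCategory
  # Overrides the rule-level "Medium" with the Category-derived value.
  - alertProperty: Severity
    value: DtSentinelCategory
# One Sentinel alert per returned row (per model breach).
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.1.0
kind: NRT
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml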