darktrace_model_alerts_CL
| where dtProduct_s =="AI Analyst"
| project-rename EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d
| extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory
| extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low",
DtGroupCategory == "suspicious", "Medium",
"High") //compliance -> low, suspcious -> medium, critical -> high
entityMappings:
- fieldMappings:
- columnName: SrcHostname
identifier: HostName
entityType: Host
- fieldMappings:
- columnName: SrcIpAddr
identifier: Address
entityType: IP
triggerOperator: gt
tactics: []
eventGroupingSettings:
aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
alertDetailsOverride:
alertDescriptionFormat: '{{DtSummary}}'
alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
alertTacticsColumnName:
alertSeverityColumnName:
alertDynamicProperties:
- alertProperty: AlertLink
value: DtURL
- alertProperty: ProviderName
value: EventVendor
- alertProperty: ProductName
value: EventProduct
- alertProperty: ProductComponentName
value: ThreatCategory
- alertProperty: Severity
value: DtSentinelCategory
version: 1.1.0
customDetails:
DtSrcDeviceName: DtSrcDeviceName
DtSummary: DtSummary
DtGroupCategory: DtGroupCategory
DtGroupScore: DtGroupScore
DtNewEvent: DtNewEvent
ThreatRiskLevel: ThreatRiskLevel
DtSeverity: DtSeverity
DtSentinelCategory: DtSentinelCategory
NetworkRuleName: NetworkRuleName
DtCurrentGroup: DtCurrentGroup
EventStartTime: EventStartTime
EventEndTime: EventEndTime
triggerThreshold: 0
relevantTechniques: []
queryPeriod: 5m
query: |
darktrace_model_alerts_CL
| where dtProduct_s =="AI Analyst"
| project-rename EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d
| extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory
| extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low",
DtGroupCategory == "suspicious", "Medium",
"High") //compliance -> low, suspcious -> medium, critical -> high
severity: High
kind: NRT
name: Darktrace AI Analyst
queryFrequency: 5m
id: ffa2977f-3077-4bba-b1bf-f3417699cbb0
description: |
'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.'
requiredDataConnectors:
- dataTypes:
- darktrace_model_alerts_CL
connectorId: DarktraceRESTConnector
