Microsoft Sentinel Analytic Rules

Darktrace AI Analyst

Id: ffa2977f-3077-4bba-b1bf-f3417699cbb0
Rulename: Darktrace AI Analyst
Description: This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.
Severity: High
Required data connectors: DarktraceRESTConnector
Kind: NRT
Query frequency: 5m
Query period: 5m
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
Version: 1.0.0
Arm template: ffa2977f-3077-4bba-b1bf-f3417699cbb0.json
darktrace_model_alerts_CL
// Keep only rows flagged as AI Analyst output; other dtProduct_s values are dropped.
| where dtProduct_s == "AI Analyst"
// One rename pass: vendor column names -> the names used by the rule's entity
// mapping and custom details (SrcDeviceName, Summary, NetworkRuleName, ...).
| project-rename
    EventStartTime = startTime_s,
    EventEndTime = endTime_s,
    NetworkRuleName = title_s,
    CurrentGroup = externalId_g,       // externalId is the Current Group ID from Darktrace
    ThreatCategory = dtProduct_s,
    SrcHostname = hostname_s,
    DarktraceLink = url_s,
    Summary = summary_s,
    GroupScore = groupScore_d,
    GroupCategory = groupCategory_s,
    SrcDeviceName = bestDeviceName_s
// Copy (not rename) the per-event score; it is distinct from GroupScore, and
// score_d stays available under its original name.
| extend ThreatRiskLevel = score_d
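# Microsoft Sentinel NRT analytic rule: one alert per Darktrace AI Analyst row
# returned from darktrace_model_alerts_CL (aggregationKind: AlertPerResult).
id: ffa2977f-3077-4bba-b1bf-f3417699cbb0
name: Darktrace AI Analyst
# Plain quoted scalar: the earlier block scalar carried its literal single quotes
# (and a trailing newline) into the rendered rule description.
description: 'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.'
severity: High
kind: NRT
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
requiredDataConnectors:
  - connectorId: DarktraceRESTConnector
    dataTypes:
      - darktrace_model_alerts_CL
queryFrequency: 5m
queryPeriod: 5m
# Fires on any result row (row count > 0).
triggerOperator: gt
triggerThreshold: 0
tactics: []
relevantTechniques: []
# Renames the vendor columns to the names referenced by entityMappings,
# customDetails and alertDetailsOverride below. score_d is copied via extend,
# so ThreatRiskLevel is the per-event score, distinct from GroupScore.
query: |
  darktrace_model_alerts_CL
  | where dtProduct_s == "AI Analyst"
  | project-rename  EventStartTime=startTime_s
  | project-rename EventEndTime = endTime_s
  | project-rename NetworkRuleName=title_s
  | project-rename CurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace
  | project-rename ThreatCategory=dtProduct_s
  | extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore
  | project-rename SrcHostname=hostname_s
  | project-rename DarktraceLink=url_s
  | project-rename Summary=summary_s
  | project-rename GroupScore=groupScore_d
  | project-rename GroupCategory=groupCategory_s
  | project-rename SrcDeviceName=bestDeviceName_s
entityMappings:
  # Host entity built from bestDeviceName_s (renamed SrcDeviceName in the query).
  # SrcHostname (hostname_s) is renamed by the query but not mapped to any entity.
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SrcDeviceName
# Query columns exposed as alert custom details (detail name: query column).
customDetails:
  Title: NetworkRuleName
  IncidentSummary: Summary
  EventStartTime: EventStartTime
  EventEndTime: EventEndTime
  EventScore: ThreatRiskLevel
  GroupScore: GroupScore
  GroupCategory: GroupCategory
  CurrentGroupID: CurrentGroup
  DarktraceLink: DarktraceLink
  SrcDeviceName: SrcDeviceName
# Alert title and description are filled per row from the Darktrace-supplied
# title_s / summary_s columns; severity and tactics are not column-driven, so
# those keys are an explicit null rather than a bare (empty) value.
alertDetailsOverride:
  alertDisplayNameFormat: '{{NetworkRuleName}}'
  alertDescriptionFormat: '{{Summary}}'
  alertSeverityColumnName: null
  alertTacticsColumnName: null
eventGroupingSettings:
  aggregationKind: AlertPerResult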
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ffa2977f-3077-4bba-b1bf-f3417699cbb0')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ffa2977f-3077-4bba-b1bf-f3417699cbb0')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Nrt",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Darktrace AI Analyst",
        "description": "'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.'\n",
        "severity": "High",
        "enabled": true,
        "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"AI Analyst\"\n| project-rename  EventStartTime=startTime_s\n| project-rename EventEndTime = endTime_s\n| project-rename NetworkRuleName=title_s\n| project-rename CurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace \n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore\n| project-rename SrcHostname=hostname_s\n| project-rename DarktraceLink=url_s\n| project-rename Summary=summary_s\n| project-rename GroupScore=groupScore_d\n| project-rename GroupCategory=groupCategory_s\n| project-rename SrcDeviceName=bestDeviceName_s\n",
        "queryFrequency": "PT5M",
        "queryPeriod": "PT5M",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [],
        "techniques": [],
        "alertRuleTemplateName": "ffa2977f-3077-4bba-b1bf-f3417699cbb0",
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "alertDetailsOverride": {
          "alertSeverityColumnName": null,
          "alertDescriptionFormat": "{{Summary}}",
          "alertDisplayNameFormat": "{{NetworkRuleName}}",
          "alertTacticsColumnName": null
        },
        "customDetails": {
          "Title": "NetworkRuleName",
          "GroupScore": "GroupScore",
          "DarktraceLink": "DarktraceLink",
          "IncidentSummary": "Summary",
          "EventEndTime": "EventEndTime",
          "SrcDeviceName": "SrcDeviceName",
          "EventStartTime": "EventStartTime",
          "GroupCategory": "GroupCategory",
          "CurrentGroupID": "CurrentGroup",
          "EventScore": "ThreatRiskLevel"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "SrcDeviceName"
              }
            ],
            "entityType": "Host"
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml"
      }
    }
  ]
}