Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Darktrace AI Analyst Legacy

Darktrace AI Analyst Legacy

Back
Idffa2977f-3077-4bba-b1bf-f3417699cbb0
RulenameDarktrace AI Analyst (Legacy)
DescriptionThis rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.
SeverityHigh
TacticsInitialAccess
Execution
LateralMovement
CommandAndControl
TechniquesT1190
T1059
T1021
T1071
Required data connectorsDarktraceRESTConnector
KindNRT
Query frequency5m
Query period5m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
Version1.1.1
Arm templateffa2977f-3077-4bba-b1bf-f3417699cbb0.json
Deploy To Azure
darktrace_model_alerts_CL 
| where dtProduct_s =="AI Analyst"
| project-rename  EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d  
| extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory
| extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low", 
                                    DtGroupCategory == "suspicious", "Medium",
                                    "High") //compliance -> low, suspcious -> medium, critical -> high

entityMappings:
- entityType: Host
  fieldMappings:
  - identifier: HostName
    columnName: SrcHostname
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIpAddr
tactics:
- InitialAccess
- Execution
- LateralMovement
- CommandAndControl
requiredDataConnectors:
- dataTypes:
  - darktrace_model_alerts_CL
  connectorId: DarktraceRESTConnector
alertDetailsOverride:
  alertDescriptionFormat: '{{DtSummary}}'
  alertTacticsColumnName: 
  alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}'
  alertDynamicProperties:
  - value: DtURL
    alertProperty: AlertLink
  - value: EventVendor
    alertProperty: ProviderName
  - value: EventProduct
    alertProperty: ProductName
  - value: ThreatCategory
    alertProperty: ProductComponentName
  - value: DtSentinelCategory
    alertProperty: Severity
  alertSeverityColumnName: 
id: ffa2977f-3077-4bba-b1bf-f3417699cbb0
severity: High
eventGroupingSettings:
  aggregationKind: AlertPerResult
customDetails:
  DtCurrentGroup: DtCurrentGroup
  EventEndTime: EventEndTime
  DtGroupScore: DtGroupScore
  DtSentinelCategory: DtSentinelCategory
  DtSummary: DtSummary
  DtSeverity: DtSeverity
  NetworkRuleName: NetworkRuleName
  DtGroupCategory: DtGroupCategory
  DtSrcDeviceName: DtSrcDeviceName
  ThreatRiskLevel: ThreatRiskLevel
  EventStartTime: EventStartTime
  DtNewEvent: DtNewEvent
query: |
  darktrace_model_alerts_CL 
  | where dtProduct_s =="AI Analyst"
  | project-rename  EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d  
  | extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory
  | extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low", 
                                      DtGroupCategory == "suspicious", "Medium",
                                      "High") //compliance -> low, suspcious -> medium, critical -> high  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
kind: NRT
queryPeriod: 5m
version: 1.1.1
name: Darktrace AI Analyst (Legacy)
queryFrequency: 5m
triggerThreshold: 0
relevantTechniques:
- T1190
- T1059
- T1021
- T1071
description: |
    'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.'
triggerOperator: gt