Darktrace AI Analyst
Id | ffa2977f-3077-4bba-b1bf-f3417699cbb0 |
Rulename | Darktrace AI Analyst |
Description | This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes. |
Severity | High |
Required data connectors | DarktraceRESTConnector |
Kind | NRT |
Query frequency | 5m |
Query period | 5m |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml |
Version | 1.0.0 |
Arm template | ffa2977f-3077-4bba-b1bf-f3417699cbb0.json |
darktrace_model_alerts_CL
// Keep only AI Analyst incident events; rows with any other dtProduct_s value are dropped.
| where dtProduct_s == "AI Analyst"
// Map the raw connector columns onto the names consumed by the entity mapping,
// customDetails and alertDetailsOverride. One project-rename keeps column order intact.
| project-rename
    EventStartTime = startTime_s,
    EventEndTime = endTime_s,
    NetworkRuleName = title_s,          // becomes the alert display name
    CurrentGroup = externalId_g,        // externalId is the Current Group ID from Darktrace
    ThreatCategory = dtProduct_s,
    SrcHostname = hostname_s,
    DarktraceLink = url_s,              // vendor-supplied URL surfaced to analysts
    Summary = summary_s,                // becomes the alert description
    GroupScore = groupScore_d,
    GroupCategory = groupCategory_s,
    SrcDeviceName = bestDeviceName_s    // mapped to the Host entity
// Event-level score; kept as a copy so score_d is still present. Distinct from GroupScore.
| extend ThreatRiskLevel = score_d
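id: ffa2977f-3077-4bba-b1bf-f3417699cbb0
name: Darktrace AI Analyst
# Plain block scalar. The earlier form wrapped the text in single quotes inside
# the block, and those quotes were carried literally into the rendered description.
description: |
  This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.
# Fixed severity: every matching row becomes a High alert regardless of score_d
# or groupScore_d (alertSeverityColumnName below is null). NOTE(review): a
# score-to-severity column could drive severity once the Darktrace score scale
# is confirmed.
severity: High
requiredDataConnectors:
  - connectorId: DarktraceRESTConnector
    dataTypes:
      - darktrace_model_alerts_CL
# NOTE(review): this is an NRT rule (kind below). NRT rules evaluate on a fixed
# cadence; these 5m values are kept for the template tooling but are not
# expected to control scheduling — confirm against the deployed rule.
queryFrequency: 5m
queryPeriod: 5m
# Any row returned by the query (count > 0) raises an alert.
triggerOperator: gt
triggerThreshold: 0
tactics: []
relevantTechniques: []
query: |
  darktrace_model_alerts_CL
  | where dtProduct_s == "AI Analyst"
  | project-rename EventStartTime=startTime_s
  | project-rename EventEndTime = endTime_s
  | project-rename NetworkRuleName=title_s
  | project-rename CurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace
  | project-rename ThreatCategory=dtProduct_s
  | extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore
  | project-rename SrcHostname=hostname_s
  | project-rename DarktraceLink=url_s
  | project-rename Summary=summary_s
  | project-rename GroupScore=groupScore_d
  | project-rename GroupCategory=groupCategory_s
  | project-rename SrcDeviceName=bestDeviceName_s
# One alert per result row. Rows sharing the same externalId_g (CurrentGroup)
# are not collapsed here, so a Darktrace incident that emits several events
# produces several alerts.
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - entityType: Host
    fieldMappings:
      # NOTE(review): bestDeviceName_s is Darktrace's best available label for
      # the device; hostname_s (SrcHostname) is also projected by the query.
      # Confirm which column reliably holds a hostname before relying on Host
      # entity matching across rules.
      - identifier: HostName
        columnName: SrcDeviceName
customDetails:
  GroupScore: GroupScore
  CurrentGroupID: CurrentGroup
  DarktraceLink: DarktraceLink
  IncidentSummary: Summary
  EventEndTime: EventEndTime
  SrcDeviceName: SrcDeviceName
  GroupCategory: GroupCategory
  EventScore: ThreatRiskLevel
  Title: NetworkRuleName
  EventStartTime: EventStartTime
# title_s and summary_s are rendered verbatim as alert title/description, and
# url_s (DarktraceLink) is exposed as a link analysts will follow. All three are
# connector-supplied fields, so treat them as data rather than trusted text.
alertDetailsOverride:
  alertDisplayNameFormat: '{{NetworkRuleName}}'
  alertDescriptionFormat: '{{Summary}}'
  alertSeverityColumnName: null
  alertTacticsColumnName: null
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml
version: 1.0.0
kind: NRT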
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ffa2977f-3077-4bba-b1bf-f3417699cbb0')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ffa2977f-3077-4bba-b1bf-f3417699cbb0')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Nrt",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Darktrace AI Analyst",
"description": "This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.\n",
"severity": "High",
"enabled": true,
"query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"AI Analyst\"\n| project-rename EventStartTime=startTime_s\n| project-rename EventEndTime = endTime_s\n| project-rename NetworkRuleName=title_s\n| project-rename CurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace \n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore\n| project-rename SrcHostname=hostname_s\n| project-rename DarktraceLink=url_s\n| project-rename Summary=summary_s\n| project-rename GroupScore=groupScore_d\n| project-rename GroupCategory=groupCategory_s\n| project-rename SrcDeviceName=bestDeviceName_s\n",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [],
"techniques": [],
"alertRuleTemplateName": "ffa2977f-3077-4bba-b1bf-f3417699cbb0",
"eventGroupingSettings": {
"aggregationKind": "AlertPerResult"
},
"alertDetailsOverride": {
"alertSeverityColumnName": null,
"alertDescriptionFormat": "{{Summary}}",
"alertDisplayNameFormat": "{{NetworkRuleName}}",
"alertTacticsColumnName": null
},
"customDetails": {
"Title": "NetworkRuleName",
"GroupScore": "GroupScore",
"DarktraceLink": "DarktraceLink",
"IncidentSummary": "Summary",
"EventEndTime": "EventEndTime",
"SrcDeviceName": "SrcDeviceName",
"EventStartTime": "EventStartTime",
"GroupCategory": "GroupCategory",
"CurrentGroupID": "CurrentGroup",
"EventScore": "ThreatRiskLevel"
},
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "HostName",
"columnName": "SrcDeviceName"
}
],
"entityType": "Host"
}
],
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml"
}
}
]
}