diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index 5fad6a4f737..416b6ced8aa 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -76,6 +76,7 @@
 "DNS",
 "Darktrace",
 "DarktraceRESTConnector",
+ "DarktraceActiveAISecurityPlatform",
 "DataminrPulseAlerts",
 "Dataverse",
 "DigitalGuardianDLP",
diff --git a/Logos/Darktrace.svg b/Logos/Darktrace.svg
index 3a31c96888b..c16b0646d8e 100644
--- a/Logos/Darktrace.svg
+++ b/Logos/Darktrace.svg
@@ -1 +1,3 @@
- \ No newline at end of file + + +
diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
deleted file mode 100644
index 41eca0fb0a1..00000000000
--- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromModelBreach.yaml
+++ /dev/null
@@ -1,78 +0,0 @@ -id: a3c7b8ed-56a9-47b7-98e5-2555c16e17c9 -name: Darktrace Model Breach -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes.' -severity: Medium -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # tactics pulled dynamically -relevantTechniques: -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="Policy Breach" - | project-rename EventSeverity=score_d, EventStartTime=breachTime_s, NetworkRuleName=modelName_s, NetworkRuleNumber=pid_d, ThreatId=threatID_d, ThreatCategory=dtProduct_s, SrcIpAddr=SourceIP, SrcHostname=hostname_s, SrcMacAddr=sourceMac_s, SrcPortNumber=sourcePort_s, DstIpAddr=destIP_s, DstPortNumber=destPort_s, DstHostname=destHost_s, DstMacAddr=destMac_s, DtCompliance=compliance_b, DtClientSensor=cSensor_b, DtDescription=description_s, DtAntigena=antigena_b, DtDeviceID=deviceId_d, DtSubnetID=sid_d, DtTags=tags_s, DtMitreTechniques=mitreTechniques_s, DtMessage=Message, DtUUID=uuid_g, DtBreachURL=breachUrl_s, DtSrcTypeLabel=typeLabel_s, DtTriggeredComponents=triggeredComponents_s, DtDetails=details_s, DtLongitude=longitude_d, DtLatitude=latitude_d, DtCategory=Category - | extend EventCount=1, EventType="NetworkSession", EventSchema="NetworkSession", EventSchemaVersion="0.2.2", EventResult="Success", DvcAction = "Allow", EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", EventEndTime=EventStartTime, ThreatName=NetworkRuleName, ThreatRiskLevel=EventSeverity - | extend DtSentinelCategory = case(DtCategory == "Suspicious", "Medium", - DtCategory == "Critical", "High", - "Informational") -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: Host - fieldMappings: - - identifier: HostName - 
columnName: DstHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr - - entityType: IP - fieldMappings: - - identifier: Address - columnName: DstIpAddr -customDetails: - SrcMacAddr: SrcMacAddr - EventSeverity: EventSeverity - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - NetworkRuleNumber: NetworkRuleNumber - ThreatId: ThreatId - DtSentinelCategory: DtSentinelCategory - SrcPortNumber: SrcPortNumber - DstPortNumber: DstPortNumber - DstMacAddr: DstMacAddr - DtCompliance: DtCompliance - DtDescription: DtDescription - DtCategory: DtCategory - DtDeviceID: DtDeviceID -# These are described here - this is why we're leaving tactics and techniques above empty -alertDetailsOverride: - # model breach name here - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' # Up to 256 chars and 3 placeholders - alertDescriptionFormat: '{{DtMessage}}' # Up to 5000 chars and 3 placeholders - # MITRE tactic - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtBreachURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT \ No newline at end of file diff --git a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml b/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml deleted file mode 100644 index 06838e6e76e..00000000000 --- a/Solutions/Darktrace/Analytic Rules/CreateAlertFromSystemStatus.yaml +++ /dev/null 
@@ -1,56 +0,0 @@ -id: 2e629769-60eb-4a14-8bfc-bde9be66ebeb -name: Darktrace System Status -description: | - 'This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes.' -severity: Informational -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: # none -relevantTechniques: # none -query: | - darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping - | where dtProduct_s =="System Alert" - | extend EventVendor="Darktrace", EventProduct="Darktrace DETECT" - | project-rename ThreatCategory=dtProduct_s, EventStartTime=time_s, NetworkRuleName=friendlyName_s, SrcIpAddr=deviceIP_s, SrcHostname=hostname_s, ThreatRiskLevel=priority_code_d, ThreatRiskCategory=priority_s, DtSeverity=Severity, DtName=name_s, DtStatus=status_s, DtMessage=Message, DtURL=url_s, DtUUID=uuid_g -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - NetworkRuleName: NetworkRuleName - ThreatRiskLevel: ThreatRiskLevel - ThreatRiskCategory: ThreatRiskCategory - DtName: DtName - DtStatus: DtStatus - DtMessage: DtMessage - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtMessage}}' - alertTacticsColumnName: # none - alertSeverityColumnName: # none - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory -version: 1.1.0 -kind: Scheduled 
diff --git a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml b/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml deleted file mode 100644 index d449cf51b1f..00000000000 --- a/Solutions/Darktrace/Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ -id: ffa2977f-3077-4bba-b1bf-f3417699cbb0 -name: Darktrace AI Analyst -description: | - 'This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes.' -severity: High -requiredDataConnectors: - - connectorId: DarktraceRESTConnector - dataTypes: - - darktrace_model_alerts_CL -queryFrequency: 5m -queryPeriod: 5m -triggerOperator: gt -triggerThreshold: 0 -tactics: [] # no tactics are ingested for AIA events at the moment -relevantTechniques: [] -query: | - darktrace_model_alerts_CL - | where dtProduct_s =="AI Analyst" - | project-rename EventStartTime=startTime_s, EventEndTime = endTime_s, NetworkRuleName=title_s, DtCurrentGroup=externalId_g, ThreatCategory=dtProduct_s, ThreatRiskLevel=score_d, SrcHostname=hostname_s, SrcIpAddr=deviceIP_s, DtURL=url_s, DtSummary=summary_s, DtGroupScore=groupScore_d, DtGroupCategory=groupCategory_s, DtSrcDeviceName=bestDeviceName_s, DtIndentifier=identifier_s, ActivityID=activityId_s, DtGroupingID=groupingId_s, DtGroupByActivity=groupByActivity_b, DtSummaryFirstSentence=summaryFirstSentence_s, DtNewEvent=newEvent_b, DtCGLegacy=currentGroup_s, DtGroupPreviousGroups=groupPreviousGroups_s, DtTime=time_s, DtSeverity=Severity, DtLongitude=longitude_d, DtLatitude=latitude_d - | extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory=DtGroupCategory - | extend DtSentinelCategory = case (DtGroupCategory == "compliance", "Low", - DtGroupCategory == "suspicious", "Medium", - "High") //compliance -> low, suspcious -> medium, critical -> high -eventGroupingSettings: - aggregationKind: AlertPerResult -entityMappings: - - entityType: Host - fieldMappings: - - identifier: HostName - columnName: SrcHostname - - entityType: IP - fieldMappings: - - identifier: Address - columnName: SrcIpAddr -customDetails: - EventStartTime: EventStartTime - EventEndTime: EventEndTime - NetworkRuleName: NetworkRuleName - DtCurrentGroup: DtCurrentGroup - ThreatRiskLevel: 
ThreatRiskLevel - DtSummary: DtSummary - DtGroupScore: DtGroupScore - DtGroupCategory: DtGroupCategory - DtSentinelCategory: DtSentinelCategory - DtSrcDeviceName: DtSrcDeviceName - DtNewEvent: DtNewEvent - DtSeverity: DtSeverity -alertDetailsOverride: - alertDisplayNameFormat: 'Darktrace: {{ThreatRiskLevel}} - {{NetworkRuleName}}' - alertDescriptionFormat: '{{DtSummary}}' - alertTacticsColumnName: # leave empty - alertSeverityColumnName: # leave empty - alertDynamicProperties: - - alertProperty: AlertLink - value: DtURL - - alertProperty: ProviderName - value: EventVendor - - alertProperty: ProductName - value: EventProduct - - alertProperty: ProductComponentName - value: ThreatCategory - - alertProperty: Severity - value: DtSentinelCategory -version: 1.1.0 -kind: NRT - -
diff --git a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
index c52f3e27ca7..5c0049cf7d0 100644
--- a/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
+++ b/Solutions/Darktrace/Data Connectors/DarktraceActiveAISecurityPlatform_Template.json
@@ -12,7 +12,7 @@
 ],
 "sampleQueries": [
 {
- "description" : "One-line title for your sample query 1",
+ "description" : "Last 10 Model Alerts",
 "query": "DarktraceModelAlerts_CL\n | take 10"
 }
 ],
diff --git a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
index bd8197527f7..5a9b938ac9b 100644
--- a/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
+++ b/Solutions/Darktrace/Data/Solution_DarktraceEnterpriseImmuneSystem.json
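Review bot: The new description `Last 10 Model Alerts` on the changed line overstates what the unchanged `query` does, because `| take 10` returns an arbitrary 10 rows from `DarktraceModelAlerts_CL`, not the most recent ones. Either make the query match the title, `"query": "DarktraceModelAlerts_CL\n | top 10 by TimeGenerated desc"`, or retitle it `Sample of 10 Model Alerts`. Since this is the first thing an analyst runs to confirm the connector is ingesting, a time-ordered sample is the more useful of the two.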
@@ -4,18 +4,18 @@
 "Logo": "",
 "Description": "The [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/",
 "Workbooks": [
- "Workbooks/DarktraceWorkbook.json"
+ "Workbooks/DarktraceActiveAISecurityPlatform.json"
 ],
 "Analytic Rules": [
- "Analytic Rules/CreateAlertFromModelBreach.yaml",
- "Analytic Rules/CreateIncidentFromAIAnalystIncident.yaml",
- "Analytic Rules/CreateAlertFromSystemStatus.yaml"
+ "Analytic Rules/DarktraceIncidentEvent.yaml",
+ "Analytic Rules/DarktraceModelAlert.yaml"
 ],
 "Data Connectors": [
- "Data Connectors/DarktraceConnectorRESTAPI.json"
+ "Data Connectors/DarktraceConnectorRESTAPI.json",
+ "Data Connectors/DarktraceActiveAISecurityPlatform_Template.json"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Darktrace",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json b/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json
deleted file mode 100644
index 3def177f1ac..00000000000
--- a/Solutions/Darktrace/Workbooks/DarktraceWorkbook.json
+++ /dev/null
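Review bot: The two files newly listed under `Analytic Rules` (`DarktraceIncidentEvent.yaml`, `DarktraceModelAlert.yaml`) and the new `Workbooks/DarktraceActiveAISecurityPlatform.json` do not appear anywhere in this diff, while the three rules and the workbook that read `darktrace_model_alerts_CL` are deleted; confirm those files land in the same change, since the solution packager fails on a missing path. The unchanged `Description` still names the Microsoft Sentinel Data Collector API as the solution's only underlying technology, yet the connector template added alongside it samples a different table (`DarktraceModelAlerts_CL`), so that dependency text is presumably stale for the new connector and should be updated in the same bump. Because `Version` moves to `3.0.0` but `Data Connectors/DarktraceConnectorRESTAPI.json` is retained with no content left that consumes its table, operators on the legacy connector get a major upgrade that silently removes their alerting; a one-line migration note in `Description` (which connector to switch to and that the old `darktrace_model_alerts_CL` rules are retired) would make that explicit.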
@@ -1,2035 +0,0 @@ -{ - "version": "Notebook/1.0", - "items": [ - { - "type": 11, - "content": { - "version": "LinkItem/1.0", - "style": "tabs", - "links": [ - { - "id": "a4b35478-499a-4fcc-8424-63abbb698bfa", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "AI Analyst", - "subTarget": "ai-analyst", - "style": "link" - }, - { - "id": "45805ae8-29d7-4774-a10a-8d60af407bbf", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Network ", - "subTarget": "overview", - "style": "link" - }, - { - "id": "7a64cd79-3a09-4046-8d6f-ba24fc2bab6c", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Apps", - "subTarget": "cloud", - "style": "link" - }, - { - "id": "0dc4ab10-226f-422f-a7bb-9e905f96fb6c", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "DETECT + RESPOND/Email", - "subTarget": "email", - "style": "link" - }, - { - "id": "2eac3f00-5164-4a77-9781-118eb681b729", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "RESPOND", - "subTarget": "agn", - "style": "link" - }, - { - "id": "ff97b7e6-6bbf-401c-aaff-833d5309f00d", - "cellValue": "tab", - "linkTarget": "parameter", - "linkLabel": "System Status", - "subTarget": "status", - "style": "link" - } - ] - }, - "name": "tabs" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "96e10804-35d4-4d5c-b2d8-1af544471721", - "version": "KqlParameterItem/1.0", - "name": "Timeframe", - "type": 4, - "description": "Set the global time range for all queries below", - "isRequired": true, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 300000 - }, - { - "durationMs": 900000 - }, - { - "durationMs": 1800000 - }, - { - "durationMs": 3600000 - }, - { - "durationMs": 14400000 - }, - { - "durationMs": 43200000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - "durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - 
"durationMs": 1209600000 - }, - { - "durationMs": 2419200000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ] - }, - "timeContext": { - "durationMs": 86400000 - }, - "value": { - "durationMs": 604800000 - } - } - ], - "style": "pills", - "doNotRunWhenHidden": true, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "Timescale " - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", - "version": "KqlParameterItem/1.0", - "name": "_severity", - "type": 1, - "description": "parameter to drill down on clicked severity tile", - "value": "", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "label": "severity" - } - ], - "style": "above", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "datatable (Count: long, status: string, status_count: long) [0, \"Compliance\", 1, 0, \"Informational\", 2, 0, \"Suspicious\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n compliance_b == false and Category == \"Critical\", \"Critical\",\r\n compliance_b == true, \"Compliance\",\r\n compliance_b == false and Category == \"Suspicious\", \"Suspicious\",\r\n compliance_b == false and Category == \"Informational\", \"Informational\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"Suspicious\", 3, status == \"Informational\", 2, 1)\r\n | 
summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", - "size": 3, - "title": "Model Breaches by Category", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "status", - "exportParameterName": "_severity", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "status", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "Compliance", - "representation": "turquoise", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Informational", - "representation": "yellow", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Suspicious", - "representation": "orange", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Critical", - "representation": "redBright", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "green", - "text": "{0}{1}" - } - ] - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": false, - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "showBorder": true, - "size": "auto" - } - }, - "name": "model breaches by severity" - }, - { - "type": 1, - "content": { - "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", - "style": "info" - }, - "name": "text - 3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 
1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == true\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Compliance Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": 
"DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "yellow", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Compliance" - }, - "name": "Low severity model breaches" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend 
ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Informational\"\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n", - "size": 0, - "title": "Informational Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "orange", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": 
"OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Informational" - }, - "name": "Medium severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Suspicious\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, 
DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Suspicious Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "redBright", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Suspicious" - }, - "name": "High severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = 
\"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| project-rename MitreTechniques=mitreTechniques_s\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where compliance_b == false and Category == \"Critical\"\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| limit 100\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Critical Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - 
"customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "red", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Critical" - }, - "name": "Critical severity model breaches" - } - ] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isNotEqualTo", - "value": "hidden" - }, - "name": "Drill down group for different severities" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 0, - "title": "Total Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Count", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - 
"maximumFractionDigits": 0 - } - } - } - } - }, - "name": "breaches in group" - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 11" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| summarize event_count=count() by NetworkRuleName\r\n| top 10 by event_count", - "size": 0, - "title": "Top 10 Most Breached Models", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Activity", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "60ch" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - } - ], - "labelSettings": [ - { - "columnId": "event_count", - "label": "Count" - } - ] - } - }, - "customWidth": "55", - "name": "most breached models" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "\r\ndarktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstHostname=destHost_s\r\n| where isnotempty(DstHostname) \r\n| summarize count(NetworkRuleName) by DstHostname", - "size": 3, - "title": "Top External Hostnames", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "piechart" - }, - "customWidth": "45", - "name": "top external hostnames" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where 
dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ", - "size": 0, - "title": "Top 10 Model Breaches with Highest Severity", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "yellowOrangeRed" - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "name": "Top 10 hitting devices" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\")\n| project-rename DstIpAddr=destIP_s\n| where isnotempty(DstIpAddr) \n| where DstIpAddr !startswith \"10\"\n| where DstIpAddr !startswith \"192\"\n| where DstIpAddr !startswith \"172\"\n| 
summarize event_count=count() by DstIpAddr\n| top 10 by event_count", - "size": 0, - "title": "Top 10 External IPs", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "barchart" - }, - "customWidth": "80", - "name": "top 10 external IPs" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s !contains (\"SaaS\") and modelName_s !contains (\"IaaS\") and compliance_b == true\r\n| make-series Count = count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\r\n", - "size": 0, - "title": "Compliance Model Breaches Over Time", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Count", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "compliance breaches over time" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "overview" - }, - "name": "overview" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "610136a1-b7cf-4eb3-9ef6-51a2d22e1621", - "version": "KqlParameterItem/1.0", - "name": "_severity", - "type": 1, - "description": "parameter to drill down on clicked severity tile", - "value": "hidden", - "isHiddenWhenLocked": true, - "timeContext": { - "durationMs": 86400000 - }, - "label": "severity" - } - ], - "style": "above", - "queryType": 0, - 
"resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "datatable (Count: long, status: string, status_count: long) [0, \"Low\", 1, 0, \"Medium\", 2, 0, \"High\", 3, 0, \"Critical\", 4]\r\n| union\r\n (\r\n darktrace_model_alerts_CL\r\n | where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n | extend ThreatRiskLevel=score_d\r\n | extend status = case( \r\n ThreatRiskLevel >= 75, \"Critical\",\r\n ThreatRiskLevel < 25, \"Low\",\r\n ThreatRiskLevel >= 50 and ThreatRiskLevel < 75, \"High\",\r\n ThreatRiskLevel >= 25 and ThreatRiskLevel < 50, \"Medium\", \r\n \"True\"\r\n )\r\n | where status != \"True\"\r\n | extend status_count = case(status == \"Critical\", 4, status == \"High\", 3, status == \"Medium\", 2, 1)\r\n | summarize Count = count() by status, status_count\r\n )\r\n| summarize Count=sum(Count) by status, status_count\r\n| sort by status_count asc", - "size": 3, - "title": "Model Breaches by Severity", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "status", - "exportParameterName": "_severity", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "tiles", - "tileSettings": { - "titleContent": { - "columnMatch": "status", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "==", - "thresholdValue": "Low", - "representation": "yellow", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Medium", - "representation": "orange", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "High", - "representation": "redBright", - "text": "{0}{1}" - }, - { - "operator": "==", - "thresholdValue": "Critical", - "representation": "red", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "green", - 
"text": "{0}{1}" - } - ] - } - }, - "leftContent": { - "columnMatch": "Count", - "formatter": 1, - "numberFormat": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": false, - "maximumFractionDigits": 2, - "maximumSignificantDigits": 3 - } - } - }, - "showBorder": true, - "size": "auto" - } - }, - "name": "model breaches by severity" - }, - { - "type": 1, - "content": { - "json": "_Click on the tiles to view more details (maximum 100 entries displayed)_", - "style": "info" - }, - "name": "text - 3" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend 
MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel < 25\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Low Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "yellow", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Low" - }, - "name": "Low severity model breaches" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": 
"darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 25 and ThreatRiskLevel < 50\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "Medium Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - 
{ - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "orange", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "OtherExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "50%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Medium" - }, - "name": "Medium severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule 
= \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 50 and ThreatRiskLevel < 75\r\n| limit 100\r\n| project TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "High Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "LogSeverity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": "Default", - "thresholdValue": null, - "representation": "redBright", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - 
"formatter": 5 - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - } - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "High" - }, - "name": "High severity model breaches " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\"))\r\n| extend EventCount = 1\r\n| extend EventType = \"NetworkSession\"\r\n| extend EventSchema = \"NetworkSession\"\r\n| extend EventSchemaVersion = \"0.2.2\"\r\n| extend EventResult = \"Success\"\r\n| extend DvcAction = \"Allow\"\r\n| project-rename EventSeverity=score_d\r\n| extend EventVendor = \"Darktrace\"\r\n| extend EventProduct = \"Enterprise Immune System\"\r\n| project-rename EventStartTime = breachTime_s\r\n| extend EventEndTime = EventStartTime\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename NetworkRuleNumber=pid_d\r\n| extend Rule = \"NetworkRuleNumber\"\r\n| project-rename ThreatId=threatID_d\r\n| extend ThreatName = NetworkRuleName\r\n| project-rename ThreatCategory=dtProduct_s\r\n| extend ThreatRiskLevel=EventSeverity\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename SrcMacAddr=sourceMac_s\r\n| project-rename SrcPortNumber=sourcePort_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstPortNumber=destPort_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename DstMacAddr=destMac_s\r\n| extend MitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename DarktraceLink=breachUrl_s\r\n| where ThreatRiskLevel >= 75\r\n| limit 100\r\n| project 
TimeGenerated, NetworkRuleName, ThreatRiskLevel, ThreatId, DarktraceLink, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, EventStartTime, MitreTechniques\r\n| sort by TimeGenerated desc\r\n\r\n", - "size": 0, - "title": "Critical Severity Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 6, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 1, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": ">", - "thresholdValue": "0", - "representation": "red", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - "representation": "blue", - "text": "{0}{1}" - } - ] - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - }, - { - "columnMatch": "LogSeverity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "greenRed" - } - }, - { - "columnMatch": "DarktraceUrl", - "formatter": 5, - "formatOptions": { - "linkTarget": "Url" - } - }, - { - "columnMatch": "AdditionalExtensions", - "formatter": 5, - "formatOptions": { - "customColumnWidthSetting": "70%" - } - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isEqualTo", - "value": "Critical" - }, - "name": 
"Critical severity model breaches" - } - ] - }, - "conditionalVisibility": { - "parameterName": "_severity", - "comparison": "isNotEqualTo", - "value": "hidden" - }, - "name": "Drill down group for different severities" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total SaaS Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "customWidth": "50", - "name": "saas user graph / time ", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"IaaS\")\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total IaaS Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - 
} - } - }, - "customWidth": "50", - "name": "iaas user graph / time", - "styleSettings": { - "showBorder": true - } - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 11" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcHostname=hostname_s\r\n| summarize Count=count() by SrcHostname\r\n| top 10 by Count\r\n| project SrcHostname, Count\r\n\r\n", - "size": 0, - "title": "Top 10 SaaS Users With Most Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "Activity", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "60ch" - } - } - ] - } - }, - "name": "most breached SaaS users" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"SaaS\")\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, SrcHostname, SrcIpAddr, DtURL\r\n| top 10 by ThreatRiskLevel desc ", - "size": 0, - "title": "Top 10 Highest Severity SaaS Model Breaches", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": 
"microsoft.operationalinsights/workspaces", - "visualization": "table", - "gridSettings": { - "formatters": [ - { - "columnMatch": "TimeGenerated", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "20%" - } - }, - { - "columnMatch": "Activity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url", - "customColumnWidthSetting": "40%" - } - }, - { - "columnMatch": "DeviceName", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "DeviceAddress", - "formatter": 0, - "formatOptions": { - "customColumnWidthSetting": "17.5%" - } - }, - { - "columnMatch": "Severity", - "formatter": 8, - "formatOptions": { - "min": 1, - "max": 10, - "palette": "yellowOrangeRed" - } - }, - { - "columnMatch": "DarktraceURL", - "formatter": 5 - } - ], - "labelSettings": [ - { - "columnId": "TimeGenerated", - "label": "Time" - } - ] - }, - "sortBy": [] - }, - "name": "Top 10 hitting SaaS devices" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and (modelName_s contains (\"SaaS\") or modelName_s contains (\"IaaS\")) and compliance_b == true\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 0, - "title": "Total XaaS Compliance Model Breaches", - "color": "orange", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "count_", - "label": "Model Breaches" - } - ], - "ySettings": { - "numberFormatSettings": { - "unit": 0, - "options": { - "style": "decimal", - "useGrouping": true, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "compliance breaches over time" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - 
"parameterName": "tab", - "comparison": "isEqualTo", - "value": "cloud" - }, - "name": "Cloud group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s contains (\"Network\")\r\n| project-rename SrcIpAddr=SourceIP\r\n| project-rename SrcHostname=hostname_s\r\n| project-rename DtURL=breachUrl_s\r\n| project-rename ThreatRiskLevel=score_d\r\n| project-rename NetworkRuleName=modelName_s\r\n| project-rename DstIpAddr=destIP_s\r\n| project-rename DstHostname=destHost_s\r\n| project-rename EventStartTime = breachTime_s\r\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\r\n| project-rename ThreatId=threatID_d\r\n| limit 100\r\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\r\n| sort by TimeGenerated desc\r\n", - "size": 0, - "title": "/Network ", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table", - "tileSettings": { - "titleContent": { - "columnMatch": "agnActivity", - "formatter": 1, - "formatOptions": { - "linkColumn": "DarktraceURL", - "linkTarget": "Url" - } - }, - "subtitleContent": { - "columnMatch": "TimeGenerated", - "formatter": 6 - }, - "leftContent": { - "columnMatch": "Device" - }, - "secondaryContent": { - "columnMatch": "msgInfo", - "formatter": 1 - }, - "showBorder": true, - "sortCriteriaField": "TimeGenerated", - "sortOrderField": 2, - "size": "full" - } - }, - "name": "top level query " - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"Policy Breach\" and modelName_s contains (\"Antigena\") and modelName_s 
contains (\"SaaS\")\n| project-rename SrcIpAddr=SourceIP\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=breachUrl_s\n| project-rename ThreatRiskLevel=score_d\n| project-rename NetworkRuleName=modelName_s\n| project-rename DstIpAddr=destIP_s\n| project-rename DstHostname=destHost_s\n| project-rename EventStartTime = breachTime_s\n| extend DtMitreTechniques=parse_json(mitreTechniques_s)\n| project-rename ThreatId=threatID_d\n| limit 100\n| project TimeGenerated, ThreatRiskLevel, NetworkRuleName, ThreatId, SrcHostname, SrcIpAddr, DstHostname, DstIpAddr, DtURL, EventStartTime, DtMitreTechniques\n| sort by TimeGenerated desc\n", - "size": 0, - "title": "/Apps", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 1" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "agn" - }, - "name": "agn group" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "cd64e441-332e-4f47-8602-a25828ebc053", - "version": "KqlParameterItem/1.0", - "name": "aia_type", - "label": "AI Analyst Incident Types", - "type": 2, - "description": "Filter out the types of AI Analyst Incidents available.", - "isRequired": true, - "typeSettings": { - "additionalResourceOptions": [], - "showDefault": false - }, - "jsonData": "[\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": 
\"All\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName !contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"Network\"},\n {\"value\": \"darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | where SrcDeviceName contains 'SaaS' | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup\", \"label\": \"SaaS\"}\n]", - "timeContext": { - "durationMs": 86400000 - }, - "value": "darktrace_model_alerts_CL | where dtProduct_s =='AI Analyst' | project-rename DtIncidentName=title_s | project-rename DtCurrentGroup=externalId_g | project-rename GroupScore=groupScore_d | project-rename SrcDeviceName=bestDeviceName_s | limit 100 | summarize DtMaxIncidentScore=max(GroupScore), take_any(SrcDeviceName, DtIncidentName) by DtCurrentGroup | project DtMaxIncidentScore, DtIncidentName, SrcDeviceName, DtCurrentGroup" - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "{aia_type}", - "size": 0, - "title": "AI Analyst Incidents", - "timeContextFromParameter": "Timeframe", - "exportFieldName": "DtCurrentGroup", - "exportParameterName": "SelectedAIAGroup", - "queryType": 0, - "resourceType": 
"microsoft.operationalinsights/workspaces" - }, - "name": "query - 7" - }, - { - "type": 1, - "content": { - "json": "_ Selecting an AI Analyst Incident in the table above will put its corresponding Events in focus below _", - "style": "info" - }, - "name": "text - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s ==\"AI Analyst\"\n| project-rename EventStartTime=startTime_s\n| project-rename EventEndTime = endTime_s\n| project-rename DtIncidentEventName=title_s\n| project-rename DtCurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace \n| project-rename ThreatCategory=dtProduct_s\n| extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore\n| project-rename SrcHostname=hostname_s\n| project-rename DtURL=url_s\n| project-rename DtSummary=summary_s\n| project-rename DtGroupScore=groupScore_d\n| project-rename DtGroupCategory=groupCategory_s\n| project-rename SrcDeviceName=bestDeviceName_s\n| where DtCurrentGroup contains \"{SelectedAIAGroup}\"\n| limit 100\n| project TimeGenerated, DtIncidentEventName, ThreatCategory, ThreatRiskLevel, DtSummary, SrcDeviceName, SrcHostname, DtURL, DtCurrentGroup, DtGroupScore, DtGroupCategory, EventStartTime, EventEndTime\n| sort by TimeGenerated desc\n\n", - "size": 0, - "title": "Selected AI Analyst Incident Events", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "table" - }, - "name": "query - 5" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})", - "size": 3, - "title": "Total AI Analyst Incident Events", - "color": "lightBlue", - "timeContextFromParameter": "Timeframe", - "timeBrushParameterName": 
"Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "areachart", - "chartSettings": { - "showMetrics": false, - "ySettings": { - "numberFormatSettings": { - "unit": 17, - "options": { - "style": "decimal", - "useGrouping": true, - "minimumFractionDigits": 0, - "maximumFractionDigits": 0 - } - } - } - } - }, - "name": "incidents in group" - }, - { - "type": 1, - "content": { - "json": "_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _", - "style": "info" - }, - "name": "text - 6" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\r\n| where dtProduct_s ==\"AI Analyst\"\r\n| extend DtIncidentEventName = title_s\r\n| summarize event_count=count() by DtIncidentEventName\r\n| top 10 by event_count", - "size": 0, - "title": "Top 10 Most Frequent AI Analyst Incident Events", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "blue" - } - } - ], - "labelSettings": [ - { - "columnId": "event_count", - "label": "Count" - } - ] - } - }, - "name": "Top 10 Most Frequent Incidents" - } - ], - "exportParameters": true - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "ai-analyst" - }, - "name": "ai- analyst group " - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| extend Junk_Email=set_has_element(Actions, \"Move to Junk\")\n| extend Lock_Link=set_has_element(Actions, \"Lock Link\")\n| 
extend Lock_All_Links=set_has_element(Actions, \"Lock All Links\")\n| extend Double_Lock_Link=set_has_element(Actions, \"Double Lock Link\")\n| extend Double_Lock_All_Links=set_has_element(Actions, \"Double Lock All Links\")\n| extend Strip_Attachment=set_has_element(Actions, \"Stip Attachment\")\n| extend Strip_All_Attachments=set_has_element(Actions, \"Strip All Attachments\")\n| extend Convert_Attachment=set_has_element(Actions, \"Convert Attachment\")\n| extend Convert_All_Attachments=set_has_element(Actions, \"Convert All Attachments\")\n| extend Unspoof=set_has_element(Actions, \"Unspoof\")\n| extend XAxis=set_has_element(Actions, \"Unspoof\")\n| summarize XAxis=countif(XAxis == true), Hold_Email=countif(Hold_Email == true), Junk_Email=countif(Junk_Email == true), Lock_Link=countif(Lock_Link == true), Lock_All_Links=countif(Lock_All_Links == true), Double_Lock_Link=countif(Double_Lock_Link == true), Double_Lock_All_Links=countif(Double_Lock_All_Links == true), Convert_Attachment=countif(Convert_Attachment == true), Convert_All_Attachments=countif(Convert_All_Attachments == true), Strip_Attachment=countif(Strip_Attachment == true), Strip_All_Attachments=countif(Strip_All_Attachments == true), Unspoof=countif(Unspoof == true)", - "size": 0, - "title": "Total Actions Taken", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "visualization": "categoricalbar", - "gridSettings": { - "sortBy": [ - { - "itemKey": "Hold_Email", - "sortOrder": 2 - } - ] - }, - "sortBy": [ - { - "itemKey": "Hold_Email", - "sortOrder": 2 - } - ], - "tileSettings": { - "showBorder": false - }, - "graphSettings": { - "type": 0 - }, - "chartSettings": { - "seriesLabelSettings": [ - { - "seriesName": "Junk_Email", - "label": "Junk Email", - "color": "redBright" - }, - { - "seriesName": "Lock_Link", - "label": "Lock Link", - "color": "lightBlue" - }, - { - "seriesName": "Double_Lock_Link", - "label": "Double Lock 
Link", - "color": "green" - }, - { - "seriesName": "Strip_Attachment", - "label": "Strip Attachment", - "color": "purple" - }, - { - "seriesName": "Convert_Attachment", - "label": "Convert Attachment", - "color": "orange" - }, - { - "seriesName": "Unspoof", - "label": "Unspoof", - "color": "pink" - }, - { - "seriesName": "Hold_Email", - "label": "Hold Email", - "color": "redDark" - }, - { - "seriesName": "Lock_All_Links", - "label": "Lock All Links", - "color": "blueDark" - }, - { - "seriesName": "Double_Lock_All_Links", - "label": "Double Lock All Links", - "color": "greenDark" - }, - { - "seriesName": "Convert_All_Attachments", - "label": "Convert All Attachments", - "color": "orangeDark" - }, - { - "seriesName": "Strip_All_Attachments", - "label": "Strip All Attachments", - "color": "purpleDark" - } - ] - }, - "mapSettings": { - "locInfo": "LatLong", - "sizeSettings": "Hold_Email", - "sizeAggregation": "Sum", - "legendMetric": "Hold_Email", - "legendAggregation": "Sum", - "itemColorSettings": { - "type": "heatmap", - "colorAggregation": "Sum", - "nodeColorField": "Hold_Email", - "heatmapPalette": "greenRed" - } - } - }, - "name": "query - 0" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "ac642d55-be90-4144-8bc3-ce0cb7fcc161", - "version": "KqlParameterItem/1.0", - "name": "SearchRecipient", - "label": "Search Recipient", - "type": 1, - "description": "Filter for held emails", - "value": "", - "timeContext": { - "durationMs": 86400000 - } - } - ], - "style": "pills", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 3" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| extend Actions = parse_json(actions_s)\n| extend Hold_Email=set_has_element(Actions, \"Hold\")\n| where Hold_Email == true \n| extend Recipients=parse_json(recipients_s)\n| where 
Recipients contains \"{SearchRecipient}\"\n| project-rename ThreatRiskLevel=anomaly_score_d\n| project-rename AttachmentSHA1s=attachment_sha1s_s\n| project-rename Sender=from_s\n| project-rename Subject=subject_s\n| project-rename Tags=tags_s\n| project-rename TimestampUTC=timestamp_t\n| project-rename UUID=uuid_s\n| project-rename DarktraceLink=url_s\n| project-rename Direction=direction_s\n| project Subject, Sender, Recipients, ThreatRiskLevel, TimestampUTC, Direction, Tags, AttachmentSHA1s, DarktraceLink, UUID", - "size": 0, - "title": "Held Emails", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL\n| where dtProduct_s == \"Antigena Email\"\n| where direction_s == \"inbound\"\n| project-rename Sender=from_s\n| summarize Count=count() by Sender\n| top 10 by Count", - "size": 0, - "title": "Top 10 Most Frequent External Senders ", - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - }, - { - "columnMatch": "event_count", - "formatter": 3, - "formatOptions": { - "palette": "orange" - } - } - ] - } - }, - "name": "query - 1" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "email" - }, - "name": "group - 7" - }, - { - "type": 12, - "content": { - "version": "NotebookGroup/1.0", - "groupType": "editable", - "items": [ - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "darktrace_model_alerts_CL //anything starting with 'Dt' is not an ASIM mapping \n| where dtProduct_s ==\"System Alert\"\n| extend EventVendor = \"Darktrace\"\n| extend EventProduct = \"Darktrace DETECT\"\n| project-rename 
NetworkRuleName=friendlyName_s\n| project-rename ThreatRiskLevel=priority_code_d\n| project-rename ThreatRiskCategory=priority_s\n| project-rename EventStartTime = time_s\n| project-rename SrcIpAddr=deviceIP_s\n| project-rename SrcHostname=hostname_s\n| project-rename DtStatus=status_s\n| project-rename DtURL=url_s\n| project-rename DtSeverity=Severity\n| project-rename DtName=name_s\n| project-rename DtMessage=Message\n| project EventVendor, EventProduct, NetworkRuleName, ThreatRiskLevel, ThreatRiskCategory, SrcIpAddr, SrcHostname, DtStatus, DtURL, DtName, DtMessage", - "size": 0, - "timeContextFromParameter": "Timeframe", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 0" - } - ] - }, - "conditionalVisibility": { - "parameterName": "tab", - "comparison": "isEqualTo", - "value": "status" - }, - "name": "group - 8" - } - ], - "fallbackResourceIds": [], - "fromTemplateId": "sentinel-Darktrace", - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} \ No newline at end of file