diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json
new file mode 100644
index 00000000000..9af7333f9eb
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceASM_CL.json
@@ -0,0 +1,89 @@
+{
+ "Name": "DarktraceASM_CL",
+ "Properties": [
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "alertTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "alertTitle",
+ "type": "string"
+ },
+ {
+ "name": "alertType",
+ "type": "string"
+ },
+ {
+ "name": "assetId",
+ "type": "int"
+ },
+ {
+ "name": "assetName",
+ "type": "string"
+ },
+ {
+ "name": "assetUri",
+ "type": "string"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "endTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "previousRating",
+ "type": "string"
+ },
+ {
+ "name": "rating",
+ "type": "string"
+ },
+ {
+ "name": "riskId",
+ "type": "int"
+ },
+ {
+ "name": "riskUri",
+ "type": "string"
+ },
+ {
+ "name": "startTime",
+ "type": "datetime"
+ },
+ {
+ "name": "startTimestamp",
+ "type": "int"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "workbenchUri",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json
new file mode 100644
index 00000000000..3a2d8f1a926
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceEMAIL_CL.json
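Review bot: In the DarktraceASM_CL table `endTime` is typed `string` while its counterpart `startTime` (and `alertTime`) is `datetime`, so any validated query that compares or subtracts the pair, or applies a time-range filter on `endTime`, fails the type check this fixture exists to enforce. The ASM sample record carries `"endTime": ""`, which suggests `string` was chosen to tolerate an empty value; if so, confirm against the connector's ingestion rule whether an empty value lands as a null `datetime`, and if it does, type both ends `"type": "datetime"`. The same start/end pair is typed `string` in the DarktraceIncidents_CL and DarktraceResponseActions_CL hunks below, so whatever is decided should be applied to all three. Separately, `alertTimestamp`, `startTimestamp` and `endTimestamp` hold epoch seconds but are typed `int`; a 32-bit `int` accommodates them only until 2038, whereas `"type": "long"` has no such ceiling.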
@@ -0,0 +1,81 @@
+{
+ "Name": "DarktraceEMAIL_CL",
+ "Properties": [
+ {
+ "name": "actions",
+ "type": "dynamic"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "anomalyScore",
+ "type": "int"
+ },
+ {
+ "name": "attachmentNames",
+ "type": "dynamic"
+ },
+ {
+ "name": "attachmentSha1s",
+ "type": "dynamic"
+ },
+ {
+ "name": "attachmentSha256s",
+ "type": "dynamic"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "direction",
+ "type": "string"
+ },
+ {
+ "name": "from",
+ "type": "string"
+ },
+ {
+ "name": "linkHosts",
+ "type": "dynamic"
+ },
+ {
+ "name": "messageId",
+ "type": "string"
+ },
+ {
+ "name": "recipientActions",
+ "type": "dynamic"
+ },
+ {
+ "name": "recipients",
+ "type": "dynamic"
+ },
+ {
+ "name": "subject",
+ "type": "string"
+ },
+ {
+ "name": "tags",
+ "type": "dynamic"
+ },
+ {
+ "name": "timestamp",
+ "type": "datetime"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json
new file mode 100644
index 00000000000..4ad6ec4dd39
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json
@@ -0,0 +1,121 @@
+{
+ "Name": "DarktraceIncidents_CL",
+ "Properties": [
+ {
+ "name": "activityId",
+ "type": "string"
+ },
+ {
+ "name": "aiaScore",
+ "type": "int"
+ },
+ {
+ "name": "bestAssetName",
+ "type": "string"
+ },
+ {
+ "name": "currentGroup",
+ "type": "string"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "deviceIdentifier",
+ "type": "string"
+ },
+ {
+ "name": "deviceMac",
+ "type": "string"
+ },
+ {
+ "name": "deviceSubnet",
+ "type": "string"
+ },
+ {
+ "name": "devices",
+ "type": "dynamic"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "externalId",
+ "type": "string"
+ },
+ {
+ "name": "groupByActivity",
+ "type": "boolean"
+ },
+ {
+ "name": "groupCategory",
+ "type": "string"
+ },
+ {
+ "name": "groupPreviousGroups",
+ "type": "dynamic"
+ },
+ {
+ "name": "groupScore",
+ "type": "int"
+ },
+ {
+ "name": "groupingId",
+ "type": "string"
+ },
+ {
+ "name": "incidentEventTime",
+ "type": "datetime"
+ },
+ {
+ "name": "incidentEventTitle",
+ "type": "string"
+ },
+ {
+ "name": "latitude",
+ "type": "real"
+ },
+ {
+ "name": "longitude",
+ "type": "real"
+ },
+ {
+ "name": "newEvent",
+ "type": "boolean"
+ },
+ {
+ "name": "severity",
+ "type": "int"
+ },
+ {
+ "name": "startTime",
+ "type": "string"
+ },
+ {
+ "name": "summary",
+ "type": "string"
+ },
+ {
+ "name": "summaryFirstSentence",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json
new file mode 100644
index 00000000000..05f2c759dc6
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json
@@ -0,0 +1,158 @@
+{
+ "Name": "DarktraceModelAlerts_CL",
+ "Properties": [
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "alertUrl",
+ "type": "string"
+ },
+ {
+ "name": "antigena",
+ "type": "boolean"
+ },
+ {
+ "name": "category",
+ "type": "string"
+ },
+ {
+ "name": "cSensor",
+ "type": "boolean"
+ },
+ {
+ "name": "cSensorId",
+ "type": "string"
+ },
+ {
+ "name": "compliance",
+ "type": "boolean"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "description",
+ "type": "string"
+ },
+ {
+ "name": "destHost",
+ "type": "string"
+ },
+ {
+ "name": "destIp",
+ "type": "string"
+ },
+ {
+ "name": "destMac",
+ "type": "string"
+ },
+ {
+ "name": "destPort",
+ "type": "string"
+ },
+ {
+ "name": "details",
+ "type": "string"
+ },
+ {
+ "name": "deviceCredentials",
+ "type": "dynamic"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceId",
+ "type": "int"
+ },
+ {
+ "name": "deviceLabel",
+ "type": "string"
+ },
+ {
+ "name": "deviceSubnet",
+ "type": "string"
+ },
+ {
+ "name": "deviceType",
+ "type": "string"
+ },
+ {
+ "name": "latitude",
+ "type": "real"
+ },
+ {
+ "name": "longitude",
+ "type": "real"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "mitreTechniques",
+ "type": "dynamic"
+ },
+ {
+ "name": "modelName",
+ "type": "string"
+ },
+ {
+ "name": "modelTags",
+ "type": "dynamic"
+ },
+ {
+ "name": "pid",
+ "type": "int"
+ },
+ {
+ "name": "score",
+ "type": "int"
+ },
+ {
+ "name": "sid",
+ "type": "int"
+ },
+ {
+ "name": "sourceHost",
+ "type": "string"
+ },
+ {
+ "name": "sourceIp",
+ "type": "string"
+ },
+ {
+ "name": "sourceMac",
+ "type": "string"
+ },
+ {
+ "name": "sourcePort",
+ "type": "string"
+ },
+ {
+ "name": "threatId",
+ "type": "int"
+ },
+ {
+ "name": "triggeredComponents",
+ "type": "string"
+ },
+ {
+ "name": "typeLabel",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json
new file mode 100644
index 00000000000..126b04bd7ec
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceResponseActions_CL.json
@@ -0,0 +1,106 @@
+{
+ "Name": "DarktraceResponseActions_CL",
+ "Properties": [
+ {
+ "name": "action",
+ "type": "string"
+ },
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "changedBy",
+ "type": "string"
+ },
+ {
+ "name": "codeId",
+ "type": "int"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceFirstSeen",
+ "type": "string"
+ },
+ {
+ "name": "deviceHostname",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "deviceLabel",
+ "type": "string"
+ },
+ {
+ "name": "deviceLastSeen",
+ "type": "string"
+ },
+ {
+ "name": "deviceMac",
+ "type": "string"
+ },
+ {
+ "name": "deviceName",
+ "type": "string"
+ },
+ {
+ "name": "deviceType",
+ "type": "string"
+ },
+ {
+ "name": "endTime",
+ "type": "string"
+ },
+ {
+ "name": "inhibitor",
+ "type": "string"
+ },
+ {
+ "name": "model",
+ "type": "string"
+ },
+ {
+ "name": "reason",
+ "type": "string"
+ },
+ {
+ "name": "score",
+ "type": "int"
+ },
+ {
+ "name": "startTime",
+ "type": "string"
+ },
+ {
+ "name": "state",
+ "type": "string"
+ },
+ {
+ "name": "subnetId",
+ "type": "int"
+ },
+ {
+ "name": "subnetLabel",
+ "type": "string"
+ },
+ {
+ "name": "subnetNetwork",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ }
+
+ ]
+}
\ No newline at end of file
diff --git a/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json
new file mode 100644
index 00000000000..28c8a2b5179
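Review bot: In the DarktraceModelAlerts_CL table `destPort` and `sourcePort` are typed `string` (the sample record carries `"443"` and `"18000"`), so every detection that filters or ranges on a port numerically has to wrap the column in `toint()` first; typing them `"type": "int"` matches how the built-in network tables model ports and removes that friction, provided the connector's ingestion rule actually delivers them as numbers — worth confirming before changing. The same hunk also adds an empty `+` line between the last property object and the closing `]`; it is valid JSON, but none of the sibling table files has it except DarktraceResponseActions_CL, whose hunk repeats it, so dropping both keeps the fixtures uniform.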
--- /dev/null
+++ b/.script/tests/KqlvalidationsTests/CustomTables/DarktraceSystemStatusAlerts_CL.json
@@ -0,0 +1,65 @@
+{
+ "Name": "DarktraceSystemStatusAlerts_CL",
+ "Properties": [
+ {
+ "name": "alertTime",
+ "type": "datetime"
+ },
+ {
+ "name": "customLabel",
+ "type": "string"
+ },
+ {
+ "name": "darktraceHostname",
+ "type": "string"
+ },
+ {
+ "name": "darktraceProduct",
+ "type": "string"
+ },
+ {
+ "name": "deviceIp",
+ "type": "string"
+ },
+ {
+ "name": "friendlyModelName",
+ "type": "string"
+ },
+ {
+ "name": "message",
+ "type": "string"
+ },
+ {
+ "name": "modelName",
+ "type": "string"
+ },
+ {
+ "name": "priority",
+ "type": "string"
+ },
+ {
+ "name": "priorityCode",
+ "type": "int"
+ },
+ {
+ "name": "status",
+ "type": "string"
+ },
+ {
+ "name": "severity",
+ "type": "int"
+ },
+ {
+ "name": "statusName",
+ "type": "string"
+ },
+ {
+ "name": "url",
+ "type": "string"
+ },
+ {
+ "name": "uuid",
+ "type": "string"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/Sample Data/DarktraceASM_CL.json b/Sample Data/DarktraceASM_CL.json
new file mode 100644
index 00000000000..0d67f427db3
--- /dev/null
+++ b/Sample Data/DarktraceASM_CL.json
@@ -0,0 +1,25 @@
+[
+ {
+ "action": "Update the software listed in this risk, by contacting your provider or hosting party. Also, take note that this information should not be publicly accessible, as this might help the hacker in their attack preparation.",
+ "alertTime": "2024-08-20 15:52:02",
+ "alertTimestamp": 1733410492,
+ "alertTitle": "Risk rating increased",
+ "alertType": "vulnerable-software",
+ "assetId": 177054,
+ "assetName": "SMTP Server london",
+ "assetUri": "https://instance.example.com/app/#/detail/overview/177054",
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace / Attack Surface Management",
+ "description": "The rating for vulnerable software Prototype/1.7.3 has increased from a rating B to a rating E",
+ "endTime": "",
+ "endTimestamp": 1733310492,
+ "previousRating": "B",
+ "rating": "E",
+ "riskId": 134244,
+ "riskUri": "https://instance.example.darktrace.com/app/#/detail/direct-risks/177054?risk_id=134244",
+ "startTime": "1970-01-21 01:28:30",
+ "startTimestamp": 1733310492,
+ "state": "Increased Risk Rating",
+ "workbenchUri": "https://instance.example.darktrace.com/app/#/workbench?id=100&name=allowed&query=id+in+(134244,+256638,+256043)"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceEMAIL_CL.json b/Sample Data/DarktraceEMAIL_CL.json
new file mode 100644
index 00000000000..79c41af76ba
--- /dev/null
+++ b/Sample Data/DarktraceEMAIL_CL.json
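Review bot: The ASM sample record's `startTime` `"1970-01-21 01:28:30"` does not correspond to its `startTimestamp` `1733310492`: that value read as epoch seconds is 2024-12-04 11:08:12 UTC, and it only yields 1970-01-21 01:28:30 when read as milliseconds, so the string appears to have been rendered from the wrong unit. `alertTime` `"2024-08-20 15:52:02"` likewise disagrees with `alertTimestamp` `1733410492` (2024-12-05 14:54:52 UTC). Sample data is what workbook and query authors test against, so the paired fields should agree; a consistent pair would be `"startTime": "2024-12-04 11:08:12",` and `"alertTime": "2024-12-05 14:54:52",` (constructed from the timestamps in the record). The `endTime: ""` / `endTimestamp: 1733310492` pair has the same mismatch in kind, with the string empty while the integer is set.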
@@ -0,0 +1,39 @@
+[
+ {
+ "actions": [
+ "notify"
+ ],
+ "alertTime": "2024-08-20 15:52:02",
+ "anomalyScore": 0,
+ "attachmentNames": [
+ "image-1.jpg"
+ ],
+ "attachmentSha1s": [
+ "f0c31baa0193dde73dd3f96147ae99c7af84a025"
+ ],
+ "attachmentSha256s": [
+ "33b5bb0fb2234c39c8dc210d9bf27d6a32cb7c19d2c49cf91af8229f2a53c2ec"
+ ],
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace / EMAIL",
+ "direction": "inbound",
+ "from": "test@darktrace.com",
+ "linkHosts": [
+ "darktrace.com"
+ ],
+ "messageId": "5877f022-108f-4cf7-8ced-dcdf8d25770",
+ "recipientActions": [
+ "test@example.com: notify"
+ ],
+ "recipients": [
+ "test@example.com"
+ ],
+ "subject": "Test Darktrace / EMAIL Alert",
+ "tags": [
+ "Test Email"
+ ],
+ "timestamp": "2020-12-15T04:47:29.936",
+ "url": "https://sample-darktrace.com/emailuuid",
+ "uuid": "79D0DD80-5A5E-44E9-A917-7F8567C21877.1"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceIncidents_CL.json b/Sample Data/DarktraceIncidents_CL.json
new file mode 100644
index 00000000000..95482689b14
--- /dev/null
+++ b/Sample Data/DarktraceIncidents_CL.json
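Review bot: The EMAIL sample's two time fields disagree by four years — `alertTime` is `"2024-08-20 15:52:02"` while `timestamp` is `"2020-12-15T04:47:29.936"` — and both are typed `datetime` in the DarktraceEMAIL_CL table, so a workbook joining on either will show the sample in two different time windows. Neither value carries a timezone designator; Log Analytics will treat them as UTC, which is fine if that is what the connector emits, but it is worth stating the expectation once, e.g. by aligning `"timestamp": "2024-08-20T15:52:02.000Z",` with `alertTime`. `messageId` `5877f022-108f-4cf7-8ced-dcdf8d25770` is one hex digit short of a UUID's final 12-character group; if it is meant to look like a UUID, pad it, otherwise ignore.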
@@ -0,0 +1,45 @@
+[
+ {
+ "activityId": "00000000",
+ "aiaScore": 100,
+ "bestAssetName": "Test Device",
+ "currentGroup": "00000000-0000-0000-0000-000000000004",
+ "customLabel": "",
+ "darktraceProduct": "Darktrace Incidents",
+ "deviceHostname": "test-device.example.com",
+ "deviceIp": "0.1.2.3",
+ "deviceIdentifier": "Test Device",
+ "deviceMac": "00:11:22:33:44:55",
+ "deviceSubnet": "example",
+ "devices": [
+ {
+ "deviceDid": 5649,
+ "deviceHostname": "ip-0-0-0-0.eu-west-1.compute.internal",
+ "deviceIp": "0.0.0.0",
+ "deviceIdentifier": "ip-0-0-0-0.eu-west-1.compute.internal",
+ "deviceMac": "00:00:00:00:00:00",
+ "deviceSid": 111,
+ "deviceSubnet": "example"
+ }
+ ],
+ "endTime": "Jan 1st 2000 00:00:00 UTC",
+ "externalId": "00000000-0000-0000-0000-000000000006",
+ "groupByActivity": false,
+ "groupCategory": "compliance",
+ "groupPreviousGroups": [
+ "00000000-0000-0000-0000-000000000005"
+ ],
+ "groupScore": 100,
+ "groupingId": "00000000",
+ "incidentEventTime": "2024-08-20 15:52:02",
+ "incidentEventTitle": "Test AIA Alert",
+ "latitude": 4.598,
+ "longitude": -74.343,
+ "newEvent": false,
+ "severity": 10,
+ "startTime": "Jan 1st 2000 00:00:00 UTC",
+ "summary": "Test AIA alert used for testing alerting configuration.",
+ "summaryFirstSentence": "Test AIA alert used for testing alerting configuration.",
+ "url": ""
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceModelAlerts_CL.json b/Sample Data/DarktraceModelAlerts_CL.json
new file mode 100644
index 00000000000..604a75ee111
--- /dev/null
+++ b/Sample Data/DarktraceModelAlerts_CL.json
@@ -0,0 +1,60 @@
+[
+ {
+ "alertTime": "2024-08-20 15:52:02",
+ "alertUrl": "https://example.com/#modelbreach/18754",
+ "antigena": false,
+ "category": "Critical",
+ "cSensor": true,
+ "cSensorId": "5f016ddb-53c2-28d3-19b1-f434713e6a08",
+ "compliance": false,
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace Model Alerts",
+ "description": "No description is available for this model breach",
+ "destHost": "download.windowsupdate.com",
+ "destIp": "8.7.7.5",
+ "destMac": "00-B0-D0-63-C2-26",
+ "destPort": "443",
+ "details": "https://example.com/#modelbreach/18754",
+ "deviceCredentials": [
+ {
+ "cred": "example_cred",
+ "seen": "2024-08-20 15:52:02"
+ }
+ ],
+ "deviceHostname": "sample_host",
+ "deviceId": 3423,
+ "deviceLabel": "test-device.example.com",
+ "deviceSubnet": "Sample Subnet",
+ "deviceType": "Laptop",
+ "latitude": 4.598,
+ "longitude": -74.076,
+ "message": "FileTransfer::Exe file found with filetype. This is an example.",
+ "mitreTechniques": [
+ {
+ "tactics": [
+ "defense-evasion",
+ "lateral-movement"
+ ],
+ "technique": "Use Alternate Authentication Material",
+ "techniqueId": "T1550"
+ }
+ ],
+ "modelName": "Test Folder/Test Model",
+ "modelTags": [
+ "AP: C2 Comms",
+ "AP: Egress",
+ "OT Engineer"
+ ],
+ "pid": 665,
+ "score": 16,
+ "sid": -9,
+ "sourceHost": "my_host",
+ "sourceIp": "190.137.183.213",
+ "sourceMac": "00-B0-D0-63-C2-25",
+ "sourcePort": "18000",
+ "threatId": 18754,
+ "triggeredComponents": "SaaS Resource Viewed\nRare domain: 0\nRare hostname: 0\nBeaconing score: 0",
+ "typeLabel": "sample_label",
+ "uuid": "539464e9-df49-45e9-a8da-3beece6394e8"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceResponseActions_CL.json b/Sample Data/DarktraceResponseActions_CL.json
new file mode 100644
index 00000000000..65a5ec700bf
--- /dev/null
+++ b/Sample Data/DarktraceResponseActions_CL.json
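Review bot: The Model Alerts sample uses globally routable addresses — `"sourceIp": "190.137.183.213"` and `"destIp": "8.7.7.5"` — that belong to real networks; sample records are routinely loaded into demo and test workspaces, where they can match threat-intelligence or GeoIP enrichment and attribute activity to an uninvolved party. The RFC 5737 documentation ranges exist for exactly this purpose, so prefer `"sourceIp": "192.0.2.10",` and `"destIp": "198.51.100.20",` (constructed values). The MAC fields here use hyphen separators (`00-B0-D0-63-C2-26`) while the Incidents and Response Actions samples use colons (`00:11:22:33:44:55`); a parser written against one sample will not match the other, so pick one format for all six files unless the connector genuinely emits both. `"sid": -9` is a negative value for a column the table types `int`; presumably intentional, but confirm it reflects real connector output rather than a placeholder.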
@@ -0,0 +1,29 @@
+[
+ {
+ "action": "CREATE",
+ "alertTime": "2024-08-20 15:52:02",
+ "changedBy": "darktrace",
+ "codeId": 9896,
+ "customLabel": "Sample Label",
+ "darktraceProduct": "Darktrace Autonomous Response",
+ "deviceFirstSeen": "Jan 1st 2000 00:00:00 UTC",
+ "deviceHostname": "test-device.example.com",
+ "deviceIp": "0.1.2.3",
+ "deviceLabel": "testlabel",
+ "deviceLastSeen": "Jan 1st 2000 00:00:00 UTC",
+ "deviceMac": "00:11:22:33:44:55",
+ "deviceName": "testlabel",
+ "deviceType": "Desktop",
+ "endTime": "Jan 1st 2000 00:00:00 UTC",
+ "inhibitor": "Alert for for testing alerting configuration.",
+ "model": "Test Model",
+ "reason": "This is a test alert for testing alerting configuration.",
+ "score": 0,
+ "startTime": "Jan 1st 2000 00:00:00 UTC",
+ "state": "Created",
+ "subnetId": 0,
+ "subnetLabel": "testsubnetlabel",
+ "subnetNetwork": "testnetwork",
+ "url": "https://darktrace.com"
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/DarktraceSystemStatusAlerts.json b/Sample Data/DarktraceSystemStatusAlerts.json
new file mode 100644
index 00000000000..bb7ef6306dd
--- /dev/null
+++ b/Sample Data/DarktraceSystemStatusAlerts.json
@@ -0,0 +1,19 @@
+[
+ {
+ "alertTime": "2024-08-20 15:52:02",
+ "customLabel": "Sample Label",
+ "darktraceHostname": "darktrace.example.com",
+ "darktraceProduct": "Darktrace System Status Alerts",
+ "deviceIp": "0.1.2.3",
+ "friendlyModelName": "Test System Status Alert",
+ "message": "Test System Status alert used for testing alerting configuration.",
+ "modelName": "test-system-status-alert",
+ "priority": "high",
+ "priorityCode": 100,
+ "status": "Resolved",
+ "severity": 10,
+ "statusName": "Resolved: Test System Status Alert",
+ "url": "https://darktrace.com",
+ "uuid": "00000000-0000-0000-0000-000000000008"
+ }
+]
\ No newline at end of file
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index c0e3a874721..0daffd76140 100644
--- a/Workbooks/WorkbooksMetadata.json
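Review bot: The System Status sample is added as `Sample Data/DarktraceSystemStatusAlerts.json`, without the `_CL` suffix, while the table it samples is `DarktraceSystemStatusAlerts_CL` and the other five sample files in this commit all carry the suffix; any tooling that pairs a sample file with its table by file name will presumably skip this one, so rename it to `Sample Data/DarktraceSystemStatusAlerts_CL.json`. In the Response Actions sample just above, `"inhibitor": "Alert for for testing alerting configuration."` has a doubled "for"; harmless at runtime but it is the text users will see in demo workspaces.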
+++ b/Workbooks/WorkbooksMetadata.json
@@ -5132,12 +5132,17 @@
 {
 "workbookKey": "DarktraceWorkbook",
 "logoFileName": "Darktrace.svg",
- "description": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.",
+ "description": "The Darktrace Workbook visualises Model Breaches, AI Analyst incidents, ASM alerts, EMAIL alerts, Response actions and system status alerts data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email.",
 "dataTypesDependencies": [
- "darktrace_model_alerts_CL"
+ "DarktraceASM_CL",
+ "DarktraceEMAIL_CL",
+ "DarktraceIncidents_CL",
+ "DarktraceModelAlerts_CL",
+ "DarktraceResponseActions_CL",
+ "DarktraceSystemStatusAlerts_CL"
 ],
 "dataConnectorsDependencies": [
- "DarktraceRESTConnector"
+ "DarktraceActiveAISecurityPlatform_Template"
 ],
 "previewImagesFileNames": [
 "DarktraceWorkbookBlack01.png",
@@ -5145,7 +5150,7 @@
 "DarktraceWorkbookWhite01.png",
 "DarktraceWorkbookWhite02.png"
 ],
- "version": "1.0.1",
+ "version": "2.0.0",
 "title": "Darktrace",
 "templateRelativePath": "DarktraceWorkbook.json",
 "subtitle": "",
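Review bot: The first hunk replaces the legacy `darktrace_model_alerts_CL` dependency with the six new `Darktrace*_CL` tables and swaps the connector dependency to `DarktraceActiveAISecurityPlatform_Template`, which is a breaking change for workspaces that still ingest only the old table; the `2.0.0` bump in the second hunk signals that, but the new `description` says nothing about it, so consider ending it with a sentence such as `Requires the Darktrace*_CL tables populated by the Darktrace Active AI Security Platform connector.` The connector id itself is not shown anywhere else in this commit, so confirm it matches the `id` declared in the connector's template before merging, since a mismatch here silently breaks the dependency check. Stylistically, the new description repeats "visualises" twice in one sentence; `..., Response actions and system status alert data received by the Darktrace Data Connector, across the network, SaaS, IaaS and Email.` reads more cleanly. The enclosing workbook object continues past `"subtitle": "",` outside the hunk.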