Azure · seanmacdonald8 · Oct 15, 2025
@@ -0,0 +1,56 @@
+id: 05DE0EAF-01BC-4615-99FC-2EC769864B34
+name: Darktrace Incident Event
+kind: NRT
+description: Creates a Sentinel Incident from a Darktrace Incident Event.
+severity: High
+requiredDataConnectors:
+  - connectorId: DarktraceLogIngestionAPIConnector
+    dataTypes:
+      - DarktraceIncidents_CL
+tactics: []
+relevantTechniques: []
+query: |
+  DarktraceIncidents_CL
+  | extend SentinelSeverity = case(groupCategory == "suspicious", "Medium",
+  groupCategory == "critical", "High", "Informational")
+  | extend ProviderName = "Darktrace"
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: deviceIp
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: deviceHostname
+customDetails:
+  Asset: bestAssetName
+  IncidentEventScore: aiaScore
+  IncidentScore: groupScore
+  CurrentGroup: currentGroup
+  PreviousGroups: groupPreviousGroups
+  StartTime: startTime
+  EndTime: endTime
+  CustomLabel: customLabel
+  AssetDetails: devices
+alertDetailsOverride:
+  alertDisplayNameFormat: 'Darktrace Incident Event: {{incidentEventTitle}} '
+  alertDescriptionFormat: '{{summary}}'
+  alertSeverityColumnName: SentinelSeverity
+  alertDynamicProperties:
+    - alertProperty: AlertLink
+      value: url
+    - alertProperty: ProductName
+      value: darktraceProduct
+    - alertProperty: ProviderName
+      value: ProviderName
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: PT5M
+    matchingMethod: AllEntities
+version: 1.0.0
@@ -0,0 +1,69 @@
+id: 9392A06F-63A4-4A5D-8CA3-647064B13C28
+name: Darktrace Model Alert
+kind: NRT
+description: |
+  Creates a Sentinel Alert from a Darktrace Model Alert. You will need to edit
+  this Analytic Rule if you would like it to create Sentinel Incidents.
+severity: High
+requiredDataConnectors:
+  - connectorId: DarktraceLogIngestionAPIConnector
+    dataTypes:
+      - DarktraceModelAlerts_CL
+tactics: []
+relevantTechniques: []
+query: |
+  DarktraceModelAlerts_CL
+  | extend SentinelSeverity = case(category == "Informational", "Low",
+  category == "Suspicious", "Medium", "High")
+  | extend ProviderName = "Darktrace"
+  | mv-apply item = mitreTechniques on (
+      extend techniqueId = tostring(item.techniqueId)
+      | summarize techniqueIdArray = make_list(techniqueId, 5)
+  )
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: sourceIp
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: destIp
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: destHost
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: sourceHost
+customDetails:
+  DeviceHostname: deviceHostname
+  DeviceCredentials: deviceCredentials
+  Compliance: compliance
+  Score: score
+  CustomLabel: customLabel
+  Category: category
+alertDetailsOverride:
+  alertDisplayNameFormat: 'Darktrace Model Alert: {{modelName}}  '
+  alertDescriptionFormat: '{{message}}'
+  alertSeverityColumnName: SentinelSeverity
+  alertDynamicProperties:
+    - alertProperty: AlertLink
+      value: alertUrl
+    - alertProperty: ProductName
+      value: darktraceProduct
+    - alertProperty: ProviderName
+      value: ProviderName
+    - alertProperty: Techniques
+      value: techniqueIdArray
+incidentConfiguration:
+  createIncident: false
+  groupingConfiguration:
+    enabled: false
+    reopenClosedIncident: false
+    lookbackDuration: PT5H
+    matchingMethod: AllEntities
+version: 1.0.0
@@ -0,0 +1,89 @@
+{
+    "Name": "DarktraceASM_CL",
+    "Properties": [
+            {
+                "name": "action",
+                "type": "string"
+            },
+            {
+                "name": "alertTime",
+                "type": "datetime"
+            },
+            {
+                "name": "alertTimestamp",
+                "type": "int"
+            },
+            {
+                "name": "alertTitle",
+                "type": "string"
+            },
+            {
+                "name": "alertType",
+                "type": "string"
+            },
+            {
+                "name": "assetId",
+                "type": "int"
+            },
+            {
+                "name": "assetName",
+                "type": "string"
+            },
+            {
+                "name": "assetUri",
+                "type": "string"
+            },
+            {
+                "name": "customLabel",
+                "type": "string"
+            },
+            {
+                "name": "darktraceProduct",
+                "type": "string"
+            },
+            {
+                "name": "description",
+                "type": "string"
+            },
+            {
+                "name": "endTime",
+                "type": "string"
+            },
+            {
+                "name": "endTimestamp",
+                "type": "int"
+            },
+            {
+                "name": "previousRating",
+                "type": "string"
+            },
+            {
+                "name": "rating",
+                "type": "string"
+            },
+            {
+                "name": "riskId",
+                "type": "int"
+            },
+            {
+                "name": "riskUri",
+                "type": "string"
+            },
+            {
+                "name": "startTime",
+                "type": "datetime"
+            },
+            {
+                "name": "startTimestamp",
+                "type": "int"
+            },
+            {
+                "name": "state",
+                "type": "string"
+            },
+            {
+                "name": "workbenchUri",
+                "type": "string"
+            }
+        ]
+}
@@ -0,0 +1,81 @@
+{
+    "Name": "DarktraceEMAIL_CL",
+    "Properties": [
+            {
+                "name": "actions",
+                "type": "dynamic"
+            },
+            {
+                "name": "alertTime",
+                "type": "datetime"
+            },
+            {
+                "name": "anomalyScore",
+                "type": "int"
+            },
+            {
+                "name": "attachmentNames",
+                "type": "dynamic"
+            },
+            {
+                "name": "attachmentSha1s",
+                "type": "dynamic"
+            },
+            {
+                "name": "attachmentSha256s",
+                "type": "dynamic"
+            },
+            {
+                "name": "customLabel",
+                "type": "string"
+            },
+            {
+                "name": "darktraceProduct",
+                "type": "string"
+            },
+            {
+                "name": "direction",
+                "type": "string"
+            },
+            {
+                "name": "from",
+                "type": "string"
+            },
+            {
+                "name": "linkHosts",
+                "type": "dynamic"
+            },
+            {
+                "name": "messageId",
+                "type": "string"
+            },
+            {
+                "name": "recipientActions",
+                "type": "dynamic"
+            },
+            {
+                "name": "recipients",
+                "type": "dynamic"
+            },
+            {
+                "name": "subject",
+                "type": "string"
+            },
+            {
+                "name": "tags",
+                "type": "dynamic"
+            },
+            {
+                "name": "timestamp",
+                "type": "datetime"
+            },
+            {
+                "name": "url",
+                "type": "string"
+            },
+            {
+                "name": "uuid",
+                "type": "string"
+            }
+        ]
+}