diff --git a/Sample Data/DarktraceEMAIL_CL.json b/Sample Data/DarktraceEMAIL_CL.json
index 79c41af76ba..cf61ba9b2bc 100644
--- a/Sample Data/DarktraceEMAIL_CL.json
+++ b/Sample Data/DarktraceEMAIL_CL.json
@@ -17,16 +17,16 @@
 "customLabel": "Sample Label",
 "darktraceProduct": "Darktrace / EMAIL",
 "direction": "inbound",
- "from": "test@darktrace.com",
+ "from": "sanitized@sanitized.com",
 "linkHosts": [
 "darktrace.com"
 ],
 "messageId": "5877f022-108f-4cf7-8ced-dcdf8d25770",
 "recipientActions": [
- "test@example.com: notify"
+ "sanitized@sanitized.com: notify"
 ],
 "recipients": [
- "test@example.com"
+ "sanitized@sanitized.com"
 ],
 "subject": "Test Darktrace / EMAIL Alert",
 "tags": [
diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
index 64f2fd92bba..7172d57f4fa 100644
--- a/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
+++ b/Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
@@ -4,7 +4,7 @@ kind: NRT
 description: Creates a Sentinel Incident from a Darktrace Incident Event.
 severity: High
 requiredDataConnectors:
- - connectorId: DarktraceLogIngestionAPIConnector
+ - connectorId: DarktraceActiveAISecurityPlatform
 dataTypes:
 - DarktraceIncidents_CL
 tactics: []
diff --git a/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
index 95178fab0b9..296f2eada06 100644
--- a/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
+++ b/Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
@@ -6,7 +6,7 @@ description: |
 this Analytic Rule if you would like it to create Sentinel Incidents.
 severity: High
 requiredDataConnectors:
- - connectorId: DarktraceLogIngestionAPIConnector
+ - connectorId: DarktraceActiveAISecurityPlatform
 dataTypes:
 - DarktraceModelAlerts_CL
 tactics: []
diff --git a/Solutions/Darktrace/Package/createUiDefinition.json b/Solutions/Darktrace/Package/createUiDefinition.json
index a72e331d8e3..4f823840a75 100644
--- a/Solutions/Darktrace/Package/createUiDefinition.json
+++ b/Solutions/Darktrace/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Microsoft Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. 
\n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Log Ingestion API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
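Review bot: The new description still advertises `**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3`, but later in this same file the commit deletes the `analytic3` (Darktrace System Status) section, leaving only two analytic-rule sections in the installer UI. If the System Status rule no longer ships, this should read `**Analytic Rules:** 2`; if it does still ship, the section removal below is the mistake rather than the count. Either way the two parts of this file should agree before the package is built.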
@@ -60,7 +60,7 @@
 "name": "dataconnectors1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Darktrace REST API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Antigena Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Sentinel from Darktrace appliances."
+ "text": "The Darktrace Log Ingestion API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Microsoft Sentinel. The connector writes logs to custom log tables named accordingly; Model Breaches, AI Analyst Incidents, System Alerts, Response Actions, Attack Surface Management alerts and Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Microsoft Sentinel from Darktrace appliances."
 }
 },
 {
@@ -88,7 +88,7 @@
 "name": "workbooks-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+ "text": "This solution installs the workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
 }
 },
 {
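Review bot: "writes logs to custom log tables named accordingly" in `dataconnectors1-text` tells the installer nothing about which tables to expect, which is exactly what an operator needs when checking that ingestion works. The tables visible elsewhere in this diff are `DarktraceModelAlerts_CL` and `DarktraceIncidents_CL` (queried by the analytic rules) and `DarktraceEMAIL_CL` (the sample data), so I would name them, e.g. `The connector writes each alert type to its own custom table (for example DarktraceModelAlerts_CL, DarktraceIncidents_CL and DarktraceEMAIL_CL)`. The complete list should be taken from the connector definition, which is outside this diff, rather than guessed from the sample files.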
@@ -110,7 +110,7 @@
 "name": "workbook1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email."
+ "text": "The Darktrace Workbook visualises alert data received by the Darktrace Log Ingestion API and visualises events across the network, SaaS, IaaS and Email."
 }
 }
 ]
@@ -146,13 +146,13 @@
 {
 "name": "analytic1",
 "type": "Microsoft.Common.Section",
- "label": "Darktrace Model Breach",
+ "label": "Darktrace Model Alert",
 "elements": [
 {
 "name": "analytic1-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes."
+ "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Alerts, fetched every 5 minutes."
 }
 }
 ]
@@ -160,27 +160,13 @@
 {
 "name": "analytic2",
 "type": "Microsoft.Common.Section",
- "label": "Darktrace AI Analyst",
+ "label": "Darktrace AI Analyst Incident Events",
 "elements": [
 {
 "name": "analytic2-text",
 "type": "Microsoft.Common.TextBlock",
 "options": {
- "text": "This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes."
- }
- }
- ]
- },
- {
- "name": "analytic3",
- "type": "Microsoft.Common.Section",
- "label": "Darktrace System Status",
- "elements": [
- {
- "name": "analytic3-text",
- "type": "Microsoft.Common.TextBlock",
- "options": {
- "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes."
+ "text": "This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incident Events, fetched every 5 minutes."
 }
 }
 ]
diff --git a/Solutions/Darktrace/Package/mainTemplate.json b/Solutions/Darktrace/Package/mainTemplate.json
index 6dd9aea205c..1ff3415f8ac 100644
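Review bot: The new `analytic2-text` still says AI Analyst Incident Events are "fetched every 5 minutes", but `DarktraceIncidentEvent.yaml` earlier in this diff is `kind: NRT`, and an NRT rule is not a 5-minute scheduled fetch, so the sentence describes a schedule the rule does not have. Unless the rule kind is the thing that is wrong, I would change it to `"text": "This rule creates Microsoft Sentinel Incidents from Darktrace AI Analyst Incident Events in near real time."`. The same "fetched every 5 minutes" wording survives in `analytic1-text` in the preceding hunk; the `kind` line of DarktraceModelAlert.yaml is outside this diff, so check it and fix that text the same way if it is also NRT.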
--- a/Solutions/Darktrace/Package/mainTemplate.json
+++ b/Solutions/Darktrace/Package/mainTemplate.json
@@ -688,7 +688,7 @@
 "id": "[variables('_uiConfigId1')]",
 "title": "Darktrace Connector for Microsoft Sentinel REST API",
 "publisher": "Darktrace",
- "descriptionMarkdown": "The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Sentinel from Darktrace masters.",
+ "descriptionMarkdown": "The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Microsoft Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Microsoft Sentinel from Darktrace masters.",
 "graphQueries": [
 {
 "metricName": "Total data received",
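Review bot: The updated `descriptionMarkdown` still describes a REST API connector writing to a single table `darktrace_model_alerts_CL` and pushing from "Darktrace masters", while `createUiDefinition.json` in this same commit describes a Log Ingestion API connector writing to several tables; both texts are shown to the same installer and should tell the same story. I would align it with the UI definition, e.g. `"descriptionMarkdown": "The Darktrace Log Ingestion API connector pushes real-time events from Darktrace to Microsoft Sentinel ... Data is pushed to Microsoft Sentinel from Darktrace appliances."`, naming the actual `_CL` tables rather than `darktrace_model_alerts_CL`. The unchanged `title` ("... REST API") and the connector `id` from `_uiConfigId1` (defined outside this hunk) are what Sentinel matches against the rules' new `requiredDataConnectors` value `DarktraceActiveAISecurityPlatform`; if `_uiConfigId1` still resolves to the old connector id, the rules will report their connector as not installed, so that is worth verifying before merge.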
@@ -1072,7 +1072,63 @@
 }
 },
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionEndpoints",
+ "apiVersion": "2021-09-01-preview",
+ "name": "darktrace-log-ingestion-dce",
+ "location": "[parameters('location')]",
+ "properties": {
+ "networkAccess": {
+ "publicNetworkAccess": "Enabled"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Insights/dataCollectionRules",
+ "apiVersion": "2021-09-01-preview",
+ "name": "darktrace-log-ingestion-dcr",
+ "location": "[parameters('location')]",
+ "properties": {
+ "dataFlows": [
+ {
+ "streams": [ "Custom-Darktrace" ],
+ "destinations": [ "la-destination" ]
+ }
+ ],
+ "destinations": {
+ "logAnalytics": [
+ {
+ "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
+ "name": "la-destination"
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+ "apiVersion": "2018-11-30",
+ "name": "darktrace-log-ingestion-app",
+ "location": "[parameters('location')]"
 }
 ],
- "outputs": {}
+ "outputs": {
+ "dceUrl": {
+ "type": "string",
+ "value": "[reference('darktrace-log-ingestion-dce').properties.logsIngestion.endpoint]"
+ },
+ "dcrId": {
+ "type": "string",
+ "value": "[resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-log-ingestion-dcr')]"
+ },
+ "clientId": {
+ "type": "string",
+ "value": "[reference('darktrace-log-ingestion-app').clientId]"
+ },
+ "clientSecret": {
+ "type": "string",
+ "value": "Generated via Key Vault or manual step"
+ }
+ }
 }
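Review bot: The `dceUrl` output reads `reference('darktrace-log-ingestion-dce').properties.logsIngestion.endpoint`, but a by-name `reference()` already returns the resource's properties object (the `clientId` output in this same hunk relies on exactly that), so this should be `"value": "[reference('darktrace-log-ingestion-dce').logsIngestion.endpoint]"`. The DCR destination uses `parameters('workspaceName')` while the context line just above uses `parameters('workspace')`, and `parameters('location')` is not a parameter I can see declared either (Sentinel solution templates normally expose `workspace-location`); both look like deployment-time failures. The DCR also has no `dataCollectionEndpointId` tying it to the new DCE, no `streamDeclarations` for `Custom-Darktrace`, and no `outputStream` naming the target `_CL` table, all of which the Logs Ingestion API expects for a custom stream as far as I know. On the identity side, a user-assigned managed identity has no client secret and cannot be used by a Darktrace appliance running outside Azure, so the `clientSecret` output is a placeholder this template can never fill in (and a secret should not be a template output at all); the appliance needs an Entra app registration, and whichever principal is used needs a `Monitoring Metrics Publisher` role assignment on the DCR, which this hunk does not create. `"publicNetworkAccess": "Enabled"` on the DCE is presumably intentional for off-Azure appliances, but a one-line comment saying so would stop the next reviewer from tightening it by accident.
```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2021-09-01-preview",
  "name": "darktrace-log-ingestion-dcr",
  "location": "[parameters('location')]",
  "properties": {
    "dataCollectionEndpointId": "[resourceId('Microsoft.Insights/dataCollectionEndpoints', 'darktrace-log-ingestion-dce')]",
    "streamDeclarations": {
      "Custom-Darktrace": {
        "columns": [
          { "name": "TimeGenerated", "type": "datetime" }
          // … remaining columns must match the target _CL table schema …
        ]
      }
    },
    "dataFlows": [
      {
        "streams": [ "Custom-Darktrace" ],
        "destinations": [ "la-destination" ],
        "outputStream": "Custom-<TargetTable>_CL"
      }
    ],
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))]",
          "name": "la-destination"
        }
      ]
    }
  }
},
// … unchanged: userAssignedIdentities resource …
"outputs": {
  "dceUrl": {
    "type": "string",
    "value": "[reference('darktrace-log-ingestion-dce').logsIngestion.endpoint]"
  }
  // … unchanged: dcrId, clientId; clientSecret output removed …
}
```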