Dylan/darktrace li work

Sample Data/DarktraceEMAIL_CL.json

@@ -17,16 +17,16 @@
     "customLabel": "Sample Label",
     "darktraceProduct": "Darktrace / EMAIL",
     "direction": "inbound",
-    "from": "test@darktrace.com",
+    "from": "sanitized@sanitized.com",
     "linkHosts": [
       "darktrace.com"
     ],
     "messageId": "5877f022-108f-4cf7-8ced-dcdf8d25770",
     "recipientActions": [
-      "test@example.com: notify"
+      "sanitized@sanitized.com: notify"
     ],
     "recipients": [
-      "test@example.com"
+      "sanitized@sanitized.com"
     ],
     "subject": "Test Darktrace / EMAIL Alert",
     "tags": [

Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml

@@ -4,7 +4,7 @@ kind: NRT
 description: Creates a Sentinel Incident from a Darktrace Incident Event.
 severity: High
 requiredDataConnectors:
-  - connectorId: DarktraceLogIngestionAPIConnector
+  - connectorId: DarktraceActiveAISecurityPlatform
     dataTypes:
       - DarktraceIncidents_CL
 tactics: []

Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml

@@ -6,7 +6,7 @@ description: |
   this Analytic Rule if you would like it to create Sentinel Incidents.
 severity: High
 requiredDataConnectors:
-  - connectorId: DarktraceLogIngestionAPIConnector
+  - connectorId: DarktraceActiveAISecurityPlatform
     dataTypes:
       - DarktraceModelAlerts_CL
 tactics: []

Solutions/Darktrace/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Darktrace.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Data Collector API](https://docs.microsoft.com/azure/sentinel/connect-rest-api-template)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Darktrace.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [Darktrace](https://darktrace.com/) Microsoft Sentinel Solution lets users connect Darktrace AI-based alerting in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n\na. [Microsoft Sentinel Log Ingestion API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/logs-ingestion-api-overview)\n\n For more details about this solution refer to https://www.darktrace.com/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -60,7 +60,7 @@
             "name": "dataconnectors1-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The Darktrace REST API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Antigena Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Sentinel from Darktrace appliances."
+              "text": "The Darktrace Log Ingestion API connector pushes real-time events from Darktrace's Product Suite to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Microsoft Sentinel. The connector writes logs to custom log tables named accordingly; Model Breaches, AI Analyst Incidents, System Alerts, Response Actions, Attack Surface Management alerts and Email alerts can be ingested - additional filters can be set up on Darktrace system configuration page. Data is pushed to Microsoft Sentinel from Darktrace appliances."
             }
           },
           {
@@ -88,7 +88,7 @@
             "name": "workbooks-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
+              "text": "This solution installs the workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view."
             }
           },
           {
@@ -110,7 +110,7 @@
                 "name": "workbook1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "The Darktrace Workbook visualises Model Breach and AI Analyst data received by the Darktrace Data Connector and visualises events across the network, SaaS, IaaS and Email."
+                  "text": "The Darktrace Workbook visualises alert data received by the Darktrace Log Ingestion API and visualises events across the network, SaaS, IaaS and Email."
                 }
               }
             ]
@@ -146,41 +146,27 @@
           {
             "name": "analytic1",
             "type": "Microsoft.Common.Section",
-            "label": "Darktrace Model Breach",
+            "label": "Darktrace Model Alert",
             "elements": [
               {
                 "name": "analytic1-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Breaches, fetched every 5 minutes."
+                  "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace Model Alerts, fetched every 5 minutes."
                 }
               }
             ]
           },
           {
             "name": "analytic2",
             "type": "Microsoft.Common.Section",
-            "label": "Darktrace AI Analyst",
+            "label": "Darktrace AI Analyst Incident Events",
             "elements": [
               {
                 "name": "analytic2-text",
                 "type": "Microsoft.Common.TextBlock",
                 "options": {
-                  "text": "This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incidents, fetched every 5 minutes."
-                }
-              }
-            ]
-          },
-          {
-            "name": "analytic3",
-            "type": "Microsoft.Common.Section",
-            "label": "Darktrace System Status",
-            "elements": [
-              {
-                "name": "analytic3-text",
-                "type": "Microsoft.Common.TextBlock",
-                "options": {
-                  "text": "This rule creates Microsoft Sentinel Alerts based on Darktrace system status alerts for health monitoring, fetched every 5 minutes."
+                  "text": "This rule creates Microsoft Sentinel Incidents based on Darktrace AI Analyst Incident Events, fetched every 5 minutes."
                 }
               }
             ]

Solutions/Darktrace/Package/mainTemplate.json

@@ -688,7 +688,7 @@
                   "id": "[variables('_uiConfigId1')]",
                   "title": "Darktrace Connector for Microsoft Sentinel REST API",
                   "publisher": "Darktrace",
-                  "descriptionMarkdown": "The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Sentinel from Darktrace masters.",
+                  "descriptionMarkdown": "The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Microsoft Sentinel. The connector writes logs to a custom log table titled \"darktrace_model_alerts_CL\"; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Microsoft Sentinel from Darktrace masters.",
                   "graphQueries": [
                     {
                       "metricName": "Total data received",
@@ -1072,7 +1072,63 @@
         }
       },
       "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+    },
+    {
+      "type": "Microsoft.Insights/dataCollectionEndpoints",
+      "apiVersion": "2021-09-01-preview",
+      "name": "darktrace-log-ingestion-dce",
+      "location": "[parameters('location')]",
+      "properties": {
+        "networkAccess": {
+          "publicNetworkAccess": "Enabled"
+        }
+      }
+    },
+    {
+      "type": "Microsoft.Insights/dataCollectionRules",
+      "apiVersion": "2021-09-01-preview",
+      "name": "darktrace-log-ingestion-dcr",
+      "location": "[parameters('location')]",
+      "properties": {
+        "dataFlows": [
+          {
+            "streams": [ "Custom-Darktrace" ],
+            "destinations": [ "la-destination" ]
+          }
+        ],
+        "destinations": {
+          "logAnalytics": [
+            {
+              "workspaceResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]",
+              "name": "la-destination"
+            }
+          ]
+        }
+      }
+    },
+    {
+      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
+      "apiVersion": "2018-11-30",
+      "name": "darktrace-log-ingestion-app",
+      "location": "[parameters('location')]"
     }
   ],
-  "outputs": {}
+  "outputs": {
+    "dceUrl": {
+      "type": "string",
+      "value": "[reference('darktrace-log-ingestion-dce').properties.logsIngestion.endpoint]"
+    },
+    "dcrId": {
+      "type": "string",
+      "value": "[resourceId('Microsoft.Insights/dataCollectionRules', 'darktrace-log-ingestion-dcr')]"
+    },
+    "clientId": {
+      "type": "string",
+      "value": "[reference('darktrace-log-ingestion-app').clientId]"
+    },
+    "clientSecret": {
+      "type": "string",
+      "value": "Generated via Key Vault or manual step"
+    }
+  }
 }