Darktrace Connector REST API connector for Microsoft Sentinel
The Darktrace REST API connector pushes real-time events from Darktrace to Microsoft Sentinel and is designed to be used with the Darktrace Solution for Sentinel. The connector writes logs to a custom log table titled "darktrace_model_alerts_CL"; Model Breaches, AI Analyst Incidents, System Alerts and Email Alerts can be ingested - additional filters can be set up on the Darktrace System Configuration page. Data is pushed to Sentinel from Darktrace masters.
Connector attributes
| Connector attribute | Description |
|---|---|
| Log Analytics table(s) | darktrace_model_alerts_CL |
| Data collection rules support | Not currently supported |
| Supported by | Darktrace |
Query samples
Look for Test Alerts
darktrace_model_alerts_CL
| where modelName_s == "Unrestricted Test Model"
Return Top Scoring Darktrace Model Breaches
darktrace_model_alerts_CL
| where dtProduct_s =="Policy Breach"
| project-rename SrcIpAddr=SourceIP
| project-rename SrcHostname=hostname_s
| project-rename DarktraceLink=breachUrl_s
| project-rename ThreatRiskLevel=score_d
| project-rename NetworkRuleName=modelName_s
| project TimeGenerated, NetworkRuleName, SrcHostname, SrcIpAddr, ThreatRiskLevel
| top 10 by ThreatRiskLevel desc
Return AI Analyst Incidents
darktrace_model_alerts_CL
| where dtProduct_s == "AI Analyst"
| project-rename EventStartTime=startTime_s
| project-rename EventEndTime = endTime_s
| project-rename NetworkRuleName=title_s
| project-rename CurrentGroup=externalId_g //externalId is the Current Group ID from Darktrace
| project-rename ThreatCategory=dtProduct_s
| extend ThreatRiskLevel=score_d //This is the event score, which is different from the GroupScore
| project-rename SrcHostname=hostname_s
| project-rename DarktraceLink=url_s
| project-rename Summary=summary_s
| project-rename GroupScore=groupScore_d
| project-rename GroupCategory=groupCategory_s
| project-rename SrcDeviceName=bestDeviceName_s
Return System Health Alerts
darktrace_model_alerts_CL
| where dtProduct_s == "System Alert"
Return email Logs for a specific external sender (example@test.com)
darktrace_model_alerts_CL
| where dtProduct_s == 'Antigena Email'
| where from_s == 'example@test.com'
Prerequisites
To integrate with Darktrace Connector for Microsoft Sentinel REST API make sure you have:
- Darktrace Prerequisites: To use this Data Connector a Darktrace master running v5.2+ is required. Data is sent to the Azure Monitor HTTP Data Collector API over HTTPs from Darktrace masters, therefore outbound connectivity from the Darktrace master to Microsoft Sentinel REST API is required.
- Filter Darktrace Data: During configuration it is possible to set up additional filtering on the Darktrace System Configuration page to constrain the amount or types of data sent.
- Try the Darktrace Sentinel Solution: You can get the most out of this connector by installing the Darktrace Solution for Microsoft Sentinel. This will provide workbooks to visualise alert data and analytics rules to automatically create alerts and incidents from Darktrace Model Breaches and AI Analyst incidents.
Vendor installation instructions
- Detailed setup instructions can be found on the Darktrace Customer Portal: https://customerportal.darktrace.com/product-guides/main/microsoft-sentinel-introduction
- Take note of the Workspace ID and the Primary key. You will need to enter these details on your Darktrace System Configuration page.
Darktrace Configuration
- Perform the following steps on the Darktrace System Configuration page:
- Navigate to the System Configuration Page (Main Menu > Admin > System Config)
- Go into Modules configuration and click on the "Microsoft Sentinel" configuration card
- Select "HTTPS (JSON)" and hit "New"
- Fill in the required details and select appropriate filters
- Click "Verify Alert Settings" to attempt authentication and send out a test alert
- Run a "Look for Test Alerts" sample query to validate that the test alert has been received
Next steps
For more information, go to the related solution in the Azure Marketplace.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for