From bfd94e7cbc639b53d619ffc99c39081bb0e257cd Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 18 Sep 2023 11:31:05 +0530 Subject: [PATCH 1/4] Repackaging - AI Analyst Darktrace (MMA to AMA Migration) --- .../Data Connectors/AIA-Darktrace.json | 2 +- .../template_AIA-DarktraceAMA.json | 117 ++++++++++++++++++ .../Data/Solution_AIAnalystDarktrace.json | 7 +- .../WorkbookMetadata/WorkbooksMetadata.json | 3 +- 4 files changed, 124 insertions(+), 5 deletions(-) create mode 100644 Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json diff --git a/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json b/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json index 8c53bb5d532..0eeae7d7f74 100644 --- a/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json +++ b/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json @@ -1,6 +1,6 @@ { "id": "Darktrace", - "title": "AI Analyst Darktrace", + "title": "[Deprecated] AI Analyst Darktrace via Legacy Agent", "publisher": "Darktrace", "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", "graphQueries": [ diff --git a/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json b/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json new file mode 100644 index 00000000000..bf731c7e333 --- /dev/null +++ b/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json 
@@ -0,0 +1,117 @@ +{ + "id": "Darktrace", + "title": "[Recommended] AI Analyst Darktrace via AMA", + "publisher": "Darktrace", + "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Darktrace", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "first 10 most recent data breaches", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Darktrace)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, 
+ { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": "", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [ + ] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", + "instructions": [ + ] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + + }, + + + { + "title": "2. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] +} diff --git a/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json b/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json index 21eba0cc887..eb41224a5c5 100644 --- a/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json +++ b/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json 
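Review bot: The new AMA connector's `permissions.resourceProvider` still requests `Microsoft.OperationalInsights/workspaces/sharedKeys` (`"action": true`) and `"delete": true` on the workspace, and the linked document is the legacy agent-windows "obtain workspace id and key" page, while Step A onboards the collector through a DCR; the shared-key and delete rights look carried over from the MMA template rather than needed here. Consider dropping the sharedKeys entry and setting `"delete": false` so the install prompts for the least privilege the connector actually uses, or confirm with the solution owner that the DCR flow requires them. Separately, Step B's description contains `Workflow Integrations.\\n 3)`, where the doubled backslash makes the portal render a literal `\n` instead of a line break; it should be `\n\n 3)` like the surrounding steps, and the same text is reused in the legacy connector's step 2 in patch 2. Step C also tells users to run `python -version`; the flag is `--version`, and the legacy connector's step 1.2 in patch 2 carries the same typo.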
@@ -2,15 +2,16 @@ "Name": "AI Analyst Darktrace", "Author": "Darktrace", "Logo": "", - "Description": "The [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n1.[Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format) \n For more details about this solution refer to https://www.darktrace.com/en/microsoft/sentinel/", + "Description": "The [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. **AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. 
**AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).",
 "Workbooks": [
 "Solutions/AI Analyst Darktrace/Workbooks/AIA-Darktrace.json"
 ],
 "Data Connectors": [
- "Solutions/AI Analyst Darktrace/DataConnectors/AIA-Darktrace.json"
+ "Solutions/AI Analyst Darktrace/DataConnectors/AIA-Darktrace.json",
+ "Solutions/AI Analyst Darktrace/DataConnectors/template_AIA-DarktraceAMA.json"
 ],
 "BasePath": "C:\\Sentinel-Repos\\Azure-Sentinel",
- "Version": "2.0.1",
+ "Version": "3.0.0",
 "Metadata": "SolutionMetadata.json",
 "TemplateSpec": true,
 "Is1PConnector": false
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 64ad99fb31b..936fe4a3736 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1902,7 +1902,8 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "Darktrace"
+ "Darktrace",
+ "DarktraceAma"
 ],
 "previewImagesFileNames": [
 "AIA-DarktraceSummaryWhite.png",
From cc097f82d10b74e6afa2bb7770b9c10058e011bb Mon Sep 17 00:00:00 2001
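Review bot: The added `"Data Connectors"` entry points at `Solutions/AI Analyst Darktrace/DataConnectors/template_AIA-DarktraceAMA.json`, but the file this series creates lives under `Data Connectors/` (with a space) according to the diff header. The pre-existing legacy entry has the same spelling and has evidently been packaged before, so the build tool may normalise it; still, it is worth confirming that the generated mainTemplate in patch 3 actually contains the AMA connector rather than silently skipping a path it cannot resolve. The new Description also mixes `\n\r\n` between the numbered items with `\n\n` elsewhere; using `\n\n` throughout avoids stray carriage returns in the rendered markdown.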
From: v-rusraut Date: Mon, 18 Sep 2023 11:48:42 +0530 Subject: [PATCH 2/4] updated text from Azure Sentinel to Microsoft Sentinel --- .../Data Connectors/AIA-Darktrace.json | 10 +++++----- .../Data Connectors/template_AIA-DarktraceAMA.json | 6 +++--- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json b/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json index 0eeae7d7f74..e69eeacbe87 100644 --- a/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json +++ b/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json @@ -2,7 +2,7 @@ "id": "Darktrace", "title": "[Deprecated] AI Analyst Darktrace via Legacy Agent", "publisher": "Darktrace", - "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", + "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", "graphQueries": [ { "metricName": "Total data received", 
@@ -61,15 +61,15 @@ "instructionSteps": [ { "title": "1. Linux Syslog agent configuration", - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", "innerSteps": [ { "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds." + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." }, { "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", "instructions": [ { "parameters": { 
@@ -88,7 +88,7 @@ }, { "title": "2. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes." + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. 
\n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes."
 },
 {
 "title": "3. Validate connection",
diff --git a/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json b/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json
index bf731c7e333..e1df9e91d92 100644
--- a/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json
+++ b/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json
@@ -1,8 +1,8 @@
 {
- "id": "Darktrace",
+ "id": "DarktraceAma",
 "title": "[Recommended] AI Analyst Darktrace via AMA",
 "publisher": "Darktrace",
- "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
+ "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -83,7 +83,7 @@ }, { "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. 
\n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", "instructions": [ ] }, From ce93a38a748452c5eb9c4e9ea6d14fc87706e720 Mon Sep 17 00:00:00 2001 From: Github Bot Date: Mon, 18 Sep 2023 06:38:03 +0000 Subject: [PATCH 3/4] [skip ci] Github Bot Added package to Pull Request! --- .../Data/system_generated_metadata.json | 29 ++ .../AI Analyst Darktrace/Package/3.0.0.zip | Bin 0 -> 10291 bytes .../Package/createUiDefinition.json | 42 +- .../Package/mainTemplate.json | 412 ++---------------- 4 files changed, 87 insertions(+), 396 deletions(-) create mode 100644 Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json create mode 100644 Solutions/AI Analyst Darktrace/Package/3.0.0.zip diff --git a/Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json b/Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json new file mode 100644 index 00000000000..dbd4b15b9e8 --- /dev/null +++ b/Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json 
@@ -0,0 +1,29 @@ +{ + "Name": "AI Analyst Darktrace", + "Author": "Darktrace", + "Logo": "", + "Description": "The [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. **AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "BasePath": "C:\\Sentinel-Repos\\Azure-Sentinel", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "darktrace1655286944672", + "offerId": "darktrace_mss", + "providers": [ + "Darktrace" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + }, + "firstPublishDate": "2022-05-02", + "support": { + "tier": "Partner", + "name": "Darktrace", + "link": "https://www.darktrace.com/en/contact/" + }, + "Data Connectors": "[\n \"Solutions/AI Analyst Darktrace/DataConnectors/AIA-Darktrace.json\",\n \"Solutions/AI Analyst Darktrace/DataConnectors/template_AIA-DarktraceAMA.json\"\n]", + "Workbooks": "[\n \"AIA-Darktrace.json\"\n]" +} 
diff --git a/Solutions/AI Analyst Darktrace/Package/3.0.0.zip b/Solutions/AI Analyst Darktrace/Package/3.0.0.zip new file mode 100644 index 0000000000000000000000000000000000000000..1ec304dab4a871f31e90d9df55777a5d6a8a03e5 GIT binary patch literal 10291 zcmZ{qRZtz^@1}7$2X~j^?!~2WaCdjN;ts{FxH}Z5xZAZ(VKulvpK;ZtTYwB!n>}sxVEoN?EZEx*r z?O@MrHrqXqGaQ`$r&$GX<3_RuUb+hma^Rln z-%n=yI$D?f)E@v8=9&kE^+Rm#xT$L`u}A9`lobPN=FrRSuj=QBnzH!zg{JLpoquQV z=jSzRzgsLV&r93Y@Os((j0k%#NnJXpGa8$*9*vhghe@4G-K}l!G%6BJ>I}dbxecOt z!%m==Sl&rJdZzX&Sda#7Z9ZOby&t>N1k|YD<#)@-eF=}(fjwmwVzsXw( zMBB6j$<}7cTn8+xQ)Y#KI-1Fuk*yu+22CjRVzvL_qVw}-fl2TV?c5rmDsawYFNJqw zxqJ4YRPupw6z9scwR~m6?Z=x!$8)T;9T?71jHua6Qk9Llwnnndj}w*%mlN;<8vJ9V z?o6$t=v3~{5^2?zFAb%ug60y#yyD=3N+#w3KEw944y~npW|KPo>*#4f*=25Y4|;OP zK=V-GEVi-hs*$U^M&bLBdUDNR>~Q$l^q25PdA$(U0m%)x)z{}KH*(zU+zs5q=@TPE z%&Ls(f=hb4zW)Gpw`NV4XN?mHnJ4s7o?{4!SO1@lp<7MujZ71AQ)rBUg!@Wyd z@5qD7)aor=SAg12vTLTyB>1(h#^B-l@9P{dbG+3;2dS@r^)IucYsU-fIuF#UyBU;K z4K=uCc35`IwUu;+3>>5UOoDSaKyNQ?@F{cHNkgp0iMwjJ5@(!jqm<}=Brgqe5p6M% z@fWb`04&+zX1LCge;p+_vjSh zqaOR?`3?7B;R9vx(bwrSeDGzEu0ybE_WH1W-G8-7zhKcw49pI0?F(4L)$pajl2&BT zQ__-Zk|_@#sOrWVT5a5%oupw+o4M~u113>zHeHck?2;g!`%6Ga4F$mcq)`>46m|@? 
zeOykxG0{+V)S&7=ca?gc_qrF``&MyybiS#%pl0pf!ckh2KfB=5dgV2e*(5zS`HeM6 z!OQ@4OF?78<}%w)N7J(=xaDkz(~R;+G4$M(IOMFyhrRR77r2NDa>mFhMjusXJI-HB z$;p)(tO^Iq?3}3imPpB|AAj?Rbx)vMZtB^IWp&!|Gn-TUw=>sGWxYWOCHEAR_v4C` zqoU0A95WOuJ-<8# z@Mxm3+~cGEwo=ijRGnt{2g{hC<~LgV30VIdK^cCu=C^5vTK)6apdy3lakTKMMZS*xFvr{HLSce{}r6 zYxjlzm*)CV{a2^|;8N!m-d3I6I2YVp{2hX|j>2df;oM^fe6}l7)z9zs2R7yrS>s=y z7Tq=vlUze+QUe#r&5!Hn=jRia7MlJ4uF%RqqWDbNdz)zfa>ee`{hG7+O*08VxsH&N zLgT&>ZiwK_aU>tNs+ezns&b#US!YU<`*55(?W9R6i!+^jj|%HWZGt=71_a|p`q7|2 z^aUWBa<8BJ7kG-AobRQ_eBpQXV+uqK8xPQT^~?_Q^r7skdl_PKA(@Ak<_kyVOJa?S z%(6z$?6UD8)e4ug$>@OgZG~2_B=O*2R1$aJXL{@MO(axqbAbal~!)DZG<(PUN;BaD9P5`@rUA*Yp6 zZwmC}DlmPGgM%SsMkDX?EpLjIa)CVPWkpf+$Mt}xr%@aLK zXNSi^CZww*v$xvlixSNGZlznf?S@ljb(XJ5<}2h)f{sM)#+N1M$Z6R8M`NAP=24Cr z`zE98BS7 z;_IV$^`~v`im1dPJ>hG8MN@H|Lj48~aB)hL2gCbmrAf71t-6;q(lkS(9;{(Je5s*7 zu5!ndw`D~%pIWYPhHN$=EX=jdnZcHv!jpp$elx)JRNHoU-&O9weOeU~t-3cs&XQ~E zd>Uh3RaFtF?l1v$b%l=})L}mJkst3Ed>;f{ZDKhk|L&$R&Of zmCB+Z*qjKr5bIhE;A5e@;JGSY%_ezTBPaV`&`)+rYbzIc0sI ziAW`Z2=`OI@Olo~RzWvW-3D<^40pfG@;FS4xsl+J=3uhH$6g=jzqz`s-ZiWY0DOjV^;=O&Y~nBb6b0dp2yCl zZQT3`aBrQN4>E_WH<_-L6)(BGex8|o)xDrC64vv&;eqT;GeJ(U<_u9EG|1DS`M$CF z2H~CE!J+&4l$^z43^Jm)Dc{yh}H=Cm-rq)0QVre?GW@B>5G!2+i6=zWlO{IR3Ms* zhJ#0orEz;qm0-*EP``nX2P@ufGs?{`ly&tq@bD84K|;FlQuJ&njpq+vgGac(=3F9Z z+=O_OeQF6MSxv$<`rH^cP7X7hCl{C6ogcsK9>QWxFCO>=E4BxNd-J-xx$*WUm9lm& zpuFoWjT;;x2Z_;UE^9ZN-Ov4|Pj@%2F-|US4)B4qp7KSiXG7U`48eyoBiIhZZ>I&&q!uLAA7pOi{QMko`CK zUBH}h63tGbV}s%?s(GZw|IGoLx2!7h{NMf2$`xjNC;U)(`+nbE8-MKg<5r*4m~j41 z1Bd0Ui+!{J)WxT!C~uv`cJ?eK`5v5;nAqv3O{mqt4&>v1GylMk9&=lwZ6PXymu2ttre8W#Chx845XBb+E6@lMxc=ETq_{ta49^fAtGe2n_OrXZg>*dm%}s z_AMV_cYDOc70&h9Azuv&+{eNKsRq;Qx7RI(H`?5(NM|6OS*dg@Y0C!u_GS?Gn8;4m zB1gHr!(L%k_1DhnOcO`94xx$jh=uBWSLdO{Lkxnk5oph1ViqP@8lR<~#$~qpElj)T zsn%c2lO{es^NO@ButPY@o0J$_lqfZjlbIEyO~AAiVE0IcvHiiF%RGwjTyLFCF>o%c zirzJpF)b-(majYkS0-0XCono;%GnDE^TTQZ8bCoAK{TJb1?i(eXruCfF0Pp>J%|s6 z1RyGP!ywsLE|G5D4M`#Sz?n3Xo6ThzH$Y;H$!71F$$G5_@fc&UW7AjfS`TZX2o>f# 
z65qi)KYL0U=4*rWHE?)}ho88o3X=#?Va4aQm(YG(E!>pMpXilYp5#uUUurIo;ho3{ zaYC*xU6WSJ*D=02{h3Bic!4LpL^7c_43*lx8HN zjmpxIfa_BGCppKvu!j)JHdqVSqvpjofK79{f8^v_AuF=5nDo;1SJ5S7v0uiBSHU$d5VgxB4zQlw~fk2lbe z;Zu-tdat=1He`a^72$2o?-v~=B_Ke!&4~_Dof}%MAXUIqWzi4nwZM9yFMBv?l#%S% zRUxo8tB+M&hD}Yy4T8M?M>w-%EMdr>g$x928tAV{>p7a$Zt+h@8ZpJA77v<^vAB09 z*1L}^H{?swK?-v3UsPQi<)E-8aR-{~(J0GHrnmmOa}=z(pe+%TxC<}E{O83^9uQdwY~(?d7KN{ zkXsvAOB=l8v%0@v@W^7M8WS}M$ZSzn?8a9^{n!|tEI3hUBs(gE1-MDZMZDs29{rt) z^;pw&ZbaWySy2$3B9%iHIn%ny>Va7*A;!1~%M3Iu=>6&dJ)XqQ^$l(IRIIyp(y0}R zCxFoM059V1KXCx4q0d;s$x<4Vj;D z#67bWHJ?TSo8J_cT9rcCZIc;cI)wlm)YGf_>`<{9n2?VCXIh5l25jz>2`)e11S5;I zu;E43AhxEEybFrAV>`aV1rqXSmKo{7uG6nP{xDvzzndKn+K6;LmDpLghutP&_rK0#sZgfO&73do*FUU$MpB;J#&omsENifhFp!7rT9pz&v$`3v{T)gC#Ry5wSU> z+NbNi$vjLK%DxG~qAn>N(2$ZP?t0zrU7TZ?5Cu{Qwyt1(eMZC{g}1;hZ-0!;F-RCA zDiZf-LEbgv_fg*DrBDfa2re1P*7j>9@(U)xK5dtM9$ClQnmt*e8CLJe@;dc_mS=l* zC;T|PnDeG@8RH~JD1V#NRJl-`g===Vx?gt$tcw8z2o`>&bRsHz|N0dBH^sCu>hs~+ z{h;Q>uBVEDX4e(4C(hCiD1mVIME}yb2&;8Na)`Z-_yfmhSEbXBt{l6|??f2}52?xz zc4=!uSNf?VDv_K02R=-lXWd?pX9MUdnHnVcnfr#;mtc$knO#mCu6j+ZB`NWBDD~O- z_mjS;ZcVQm;;tg#+3jh@qGgC6pc4z!vit+{gX^pbug?s(m#9KlUA|i4ugl;-C$BjID z$?3Fg-WUpI$~27&TEBZQ&yf2ii9B_N(|@G|mb&3NMfJ=Ng)_wPrNHD+8<3@$2MO0H zMw4S|My%gD@PIvsDJ`oaX1KA0*$OBHhI$H)rZakZWohOU=xxrO!U9D1%TL$Y?7;J{ zs1H7@R@$nGeAyUFX3$5B+a5!;ObuF+OLPQ*NL0o*Z}Z z@ck~oI4N8LMd#HVi=4J;2vEQB`lMHirx~@ts(vM8NrmPrAGNt!w{e7|2<2GW47uvm z+M23ZS#dF#DfAqMpA$`E6Po5nJ_s2vDiWZ!es!HLdZume?9>{WVa?+Gin$y0ljm|* z-wpV`b2po_h_r~cnki8=-XCU#ZOK{dA2n3&>P0B2$L&?>)o^V0-Kqpop>nDoQ7LLx(Y5Lu?s%?^k7n!N=3@+P zup4WzV`=Z=9;sh?{cS1UK{y+m%PDbB21>9oQ0?y$tp^< z3h9>5DTtX#{j;B*VR5n`Bu zU|?)Vz$#d^Sj5-U8V!AUT79UEet)AS$7$-OKO;+!%yb&~6*iq?S>S2Md%@RET;DQ( zrIYjV*mKJ3xxIGg3YXd$F701)f%LOpL4iNMxJ>bxZ71qlro@wO+736o5M5TbFKO+@ zw10x$B?F77?bj(EGrIF9e|vi4)7#rp-ttz9cYBe;#l=o+6aO*aN9RXQZ{D_n=_f@7 z_tCSs`zd#3l62Yn+3q*@_0)AzlZxdF@X{wqb5)M}^f!Ke%Tm*;O4*Y;FQ8tPyglE` zHWp5jy-t7eL!z7y?En*%5Fu+cgvQM7%{L|X(wlt6g7gCDlU3v^7*`)|*`}6WP9Kj1lQ_Z2qtSH*9@lKUq 
zQX-U5`-AjVq}w<{zi}8i^skEacC8B|A4gXEkt)PGCqSxL_rJ5Y6p@nrt_2Ak+SV;E zqDl&GLXfmAKn^?`V;XFr7n8e4r}49tl+iXjOP*oS9kZ{=5EHj=IX$Pjc*gGoPbJn_ zJLHvbzvB;z_KIT-Q$6@R&e?%BcT?RUCt49dmy`;A?;KQetKL z#g#RAfJpOA5&90jC>?@I`vl^aw0W+Pw8dT(i_MQl-OnVvN>Zrg{&`UFq{q&Q%OLY& zFVLz%pgXcD6KNA6ChuM+BX&B?@(*2(K>>P9Yz+DZ6~!7X#Tqxk?1Ja5bX^xiVd0N_ zb3(@D?!ksD#*AO3Mvpng4cu@Yy9X|z+G}ZS)T&=Ykp`Ud96XB^`FnSiH5EIWE36XG zrW`WjS(F~kq8k=Q)k(k!s%lg|6e84)iD!u#`!V1SL8tta5k8h8kN$!N7 zZ^FBvEuI(-r)>*U+J0Aye*(gD`Dx2hzV`aEuLE2jMzWGx3oaNQTE+A4eOLnrz&_rW zt|Z!>x9d_xl$%KpmD;QAX;@&+ly}TsrFO3_e*0mm>`Mzfvr2gHA908)O?K`nSQVdg z>a*?yZl;Sx1x`N&78hsVJRsWL1rUWK@_=JLQ@@B!L5}_3`kBHB!xYmc$Ea_vkEwOi z??G<%fr84t7u;&DEE(UXPwvO&bRogQhF)i0-CO5F8S4>zfhk#f+c6g$M!Po!%kLxK z4bqu?NA&*4fv-W^+{pjR)0*8P9f`;kxh$po=)TdCcL@X~ZEo#QKThT3b_di!icxpb zUq)CSmGvCmhB|EO!;KZhUl9*J%`Ietv(Qz)vW+6n-dgJ^W{ZY>L3|ILo(w31hAXS= zy3qF3Ujc$tAyuzjJc1cQ$+BONlIXb(UYG7AeGB(5lXzk7NiR=9-Ew_8PESoe_}G

l@s+JPxj^)0>s3LBuuqb2+jANZQzn=#x^$S+#nfecS)=xv4-U|nAix%tW`(7*IQ;5w=y zHd*$L9=81&9GBhgzYf%ffZe@@d*-oII#~4<+(W-@@2hMk^Zv+%RJqpU)CnfbkGpp6 z?oRRPFYXVU@x(IAtv;DGp}cHp?rWhgJ9lsaqIGdiq{XGRZySSc9A6HxT6QTzhX0tL zzH^1}3G)L}Kzv{KF|)C>)9S;6+v}0IvtS=0a9eQFz9l?`qvnezrGL!pPR2mpkVV^| zOxXIU%LgCbNY3aqhNTLp%d;u|4f8txtbpkEi?(7>Rinou=n3 zfMt#y7M5g!eZI50vxFiI|&pk z>M->z?yu$n7FrC-HfQ;=`${}ocXWrHeYE_09*r!1H^ceySjn>nH2@$=U()u1yYZ6c6;&gaj)XN+Uu^u4Il9cf#wNWEU zo8+3#7M{*rS^jXOv`L$HT7PnGQ?Bjv)ClU#({{iFV9eq~0NtIUT|$q9cx{pC0C!$=aW1MhUzNI$ zQsFNEX)3#Tj(9qn<7&ihOz{!XS})9MLJjCVBE1$(9G&?=kK%{+Pd~ARhXnKnVld`h z9~CAymqx++DO#B{*lM3?t6PgNB4Lb(<6z08Gq|p`67M^YT7HpGuDmoT$+AW- zC4N83q{9`YBp#~b5bY1dsSObsYG&5y*uydByM<1H25hF=dh4@7|JQv;jSE^_S9C@u zXKpq5#nikrsKkh331V!}s0X*f9KeDHWwMye+YScX*zinO5dd`bn0TCQzn|)x2B*r4 zbP5gPUOq&btPufp^5(Qfytd{jndEn;U(7-aZ`@_}45S8=|2U2oX_i{tcpvoMgvz68jNIs2I4&{sWVMpLCWIKP6w;5Ne>}=I{|^1opS%pI;k8 z|9l(L0)#<6-4+4{>)|qAVN@SuPvXrn%?Hh(3WGrk5ODK&Z${dZlch{#SJt+#=K=wA z5IL|1*jXDd0b&{$WIrK8#pRBY>Fb{pB5{md>1mLJycs`3F!&=52s&W4BUSO9k9FT! z!f$@)b@jvXw*YGJEQ$V3grkH@ZFC1#pLn9}jT9pn{n~<4QPv(a&6X^vo=`wQx~H}S zu^s7S5cp7R*)|wm^NCa9HDp&a--(#HLavF>j8^u%7(cXfL6lNn_gLMy(BoL$seMJ; z&<8@AIN0x}a~(Q|3cW2q<>J?C9+T;L;}Li9$%)OGXe<16{7q!e*0w*eifC4g55*R` z=`{9Y*E1fu@*$#3_eeDMGP(%KNP{aE|2IG{zu(^iT~|g((Uk|v;QK6~7yWJ|4+gbQ z+b+7J(Je6hwX)p;1IjEhQd_pOLC3i{6%>YJ5twLcXUUHLlYFq>Oq>ErUk-vnMIN;_ zW;c33dO=Tpd@cxE`Yh64qIPl$6(PV>7Rv% zUJ23EzCY=gDDU85MR+@5LkcSD;4fKN<)tv>NYtvvoe6l}AN!1|ai1NzMD^PPd$t}3 z05<}HN1hVepE(&<1+3R?U8(mV(%TTskr1aKR*5-Oa(m2=p|%&`*fRj|9=582v-l@q z3u+gHg0l0)3TXZ@l5>JU_d+7#J33#D-205qTGR1ti0poxf zA`KBuoL54P(u{#QJffo66(-ERu&qweJ(b zngLsxzb3HCb)W6Nvz_Au#&9^~o5aV*s*PjUf;ufCOiBxFbQNQ4StW^Vn-kKY>kiPA zI?9B~Vt;RCB++rWFMbrv7Jr6i#uVel810rk%;T(lUp(8Y8~(m@T}(-n`g#sZMZc_a zgzD)@qO|BXZQ`dB(X>|&qY!s?GQOm9vQzHy=gzJL-4lh|(o+uHK=k_|s7c8^hnDHw zBqt-55!WIU)92MQ6=_XM9L-k+>f}zD2#udzRd>JnE6GAaVL|`@(Y*iM_Ww8g|A2b` m_mKaa4)|Xa`u;=x{XeXLk}NFTe|>@akB9u{&7k?O>c0VC01Q3= literal 0 HcmV?d00001 
diff --git a/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json b/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json index 7b3bd196efa..6abb65f9645 100644 --- a/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json +++ b/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\nFor more details about this solution refer to https://www.darktrace.com/en/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. 
**AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
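Review bot: The rewritten `basics.description` drops the data-connector count from the closing summary even though the text directly above it now lists two connectors; the summary should read `**Data Connectors:** 2, **Workbooks:** 1` so the wizard's headline numbers match what the text describes. The two numbered items are introduced with `\n\r\n1.` and `\n\r\n2.`, which embeds a bare carriage return inside an otherwise LF-delimited markdown string; `\n\n1.` and `\n\n2.` render the same and avoid mixed line endings. The duplication warning refers to "MMA" without the abbreviation having been introduced, so "the Log Analytics agent (MMA)" on first mention would make that sentence self-contained.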
@@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the data connector for ingesting AI Analyst Darktrace Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -88,7 +64,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { @@ -100,6 +76,20 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "AI Analyst Darktrace Model Breach Summary", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector" + } + } + ] } ] } diff --git a/Solutions/AI Analyst Darktrace/Package/mainTemplate.json b/Solutions/AI Analyst Darktrace/Package/mainTemplate.json index 5b99632ce22..2a630be28e2 100644 
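Review bot: Deleting the whole `dataconnectors` step removes the only wizard page that told the user the connectors must be configured after install, while the basics text in the earlier hunk of this file now advertises two connectors. If the AMA and legacy connectors are still delivered by this package, keep a step with a text block such as `"text": "This solution installs the data connectors for ingesting AI Analyst Darktrace events in CEF format, via the Azure Monitor Agent or the legacy agent. After installing the solution, configure and enable a data connector by following guidance in Manage solution view."`; if the connectors were intentionally moved out of the package (the mainTemplate hunk below drops the `dataConnector*` variables, which suggests so), the basics description should not present them as part of this solution. In the later `@@ -100,6 +76,20 @@` hunk the new `workbook1-text` sentence ends without a period, unlike the other text blocks in this file.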
--- a/Solutions/AI Analyst Darktrace/Package/mainTemplate.json
+++ b/Solutions/AI Analyst Darktrace/Package/mainTemplate.json
@@ -40,50 +40,28 @@ "variables": { "solutionId": "darktrace1655286944672.darktrace_mss", "_solutionId": "[variables('solutionId')]", + "_solutionName": "AI Analyst Darktrace", + "_solutionVersion": "3.0.0", "workbookVersion1": "1.1.0", "workbookContentId1": "DarktraceSummaryWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "uiConfigId1": "Darktrace", - "_uiConfigId1": "[variables('uiConfigId1')]", - "dataConnectorContentId1": "Darktrace", - "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", - "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - 
"apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "AI Analyst Darktrace Workbook with template", - "displayName": "AI Analyst Darktrace workbook template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AIA-DarktraceWorkbook Workbook with template version 2.0.1", + "description": "AIA-DarktraceWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
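Review bot: The workbook `description` in the new `contentTemplates` resource hard-codes `3.0.0`, the same literal the hunk introduces as `_solutionVersion`, so the two will drift on the next bump exactly as the old `2.0.1` already had; if the packaging generator allows an expression here, `"description": "[concat('AIA-DarktraceWorkbook Workbook with template version ', variables('_solutionVersion'))]",` keeps a single source of truth. The number also tracks the solution version rather than `workbookVersion1` (still `1.1.0`), which is confusing under the wording "template version". As a point of style, the added variables spell `uniqueString` while the retained `workbookTemplateSpecName1` uses `uniquestring`; ARM functions are case-insensitive, but one spelling per file reads better. The `resources` array continues past the end of this hunk.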
@@ -101,7 +79,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"45805ae8-29d7-4774-a10a-8d60af407bbf\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"overview\",\"style\":\"link\"},{\"id\":\"a4b35478-499a-4fcc-8424-63abbb698bfa\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AI Analyst\",\"subTarget\":\"ai-analyst\",\"style\":\"link\"},{\"id\":\"2eac3f00-5164-4a77-9781-118eb681b729\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Antigena Response\",\"subTarget\":\"agn\",\"style\":\"link\"},{\"id\":\"7a64cd79-3a09-4046-8d6f-ba24fc2bab6c\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloud\",\"subTarget\":\"cloud\",\"style\":\"link\"}]},\"name\":\"tabs\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96e10804-35d4-4d5c-b2d8-1af544471721\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timeframe\",\"type\":4,\"description\":\"Pick the timerange for all queries in the graph \",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Timescale 
\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count = count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse 
AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| 
where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnI
d\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Critical Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"Model Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"breaches in group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Breached 
Models\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"customWidth\":\"55\",\"name\":\"most breached models\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DestinationHostName) \\r\\n| summarize count(Activity) by DestinationHostName\",\"size\":3,\"title\":\"Top External Hostnames\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"45\",\"name\":\"top external hostnames\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" | where isnotempty(DestinationIP) | where DestinationIP !startswith \\\"10\\\"| where DestinationIP !startswith \\\"192\\\"| where DestinationIP !startswith \\\"172\\\"| summarize event_count=count() by DestinationIP | top 10 by event_count\",\"size\":0,\"title\":\"Top 10 External IPs\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"80\",\"name\":\"top 10 external IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in 
range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"overview\"},\"name\":\"overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count 
= count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse 
AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse 
AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| sort by Severity desc\",\"size\":0,\"title\":\"Critical Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">\",\"thresholdValue\":\"0\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"greenRed\"}},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different 
severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"SaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"saas user graph / time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"iaas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"IaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"iaas user graph / time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| summarize event_count=count() by Activity, DeviceName\\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\\r\\n| project DeviceName, Activity, 
event_count\",\"size\":0,\"title\":\"Top 10 Most Breached SaaS Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"DeviceName\",\"label\":\"Device\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"most breached SaaS users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 SaaS Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting SaaS devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor SaaS 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10 saas\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloud\"},\"name\":\"Cloud 
group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"272e8563-290b-4ca9-822b-18ae680cf1e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"tripleDrillDown\",\"type\":1,\"description\":\"toggles drilldown \",\"value\":\"false\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"57ae0969-b409-47e6-85a2-7b3c6895bb60\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupingID\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true},{\"id\":\"d44afad0-d6fa-433d-98a1-504ce53c5215\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupByActivity\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"clicked triple drilldown \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AIAnalystAlerts =\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | sort by TimeGenerated asc;\\r\\nunion (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 0\\r\\n | parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, 
\\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = iff(make_list(d)[0].DeviceName != \\\"\\\", make_list(d)[0].DeviceName, make_list(d)[0].DeviceAddress), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by GroupingID\\r\\n | extend FirstActivity = list[0].Activity\\r\\n | extend SecondActivity = iff(FirstActivity != \\\"\\\" and list[1].Activity != \\\"\\\", strcat(\\\", \\\", list[1].Activity), \\\"\\\")\\r\\n | extend ThirdActivity = iff(FirstActivity != \\\"\\\" and SecondActivity != \\\"\\\" and list[2].Activity != \\\"\\\", strcat(\\\", \\\", list[2].Activity), \\\"\\\")\\r\\n | extend Right = strcat(FirstActivity, SecondActivity, ThirdActivity, iff(ThirdActivity != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = GroupingID\\r\\n), (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 1\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, \\\"ActivityID\\\", DeviceEventClassID, \\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = make_list(d)[0].Activity, Devices = make_list(d), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by DeviceEventClassID\\r\\n | extend FirstDevice = iff(list[0].DeviceName != \\\"\\\", list[0].DeviceName, list[0].DeviceAddress)\\r\\n | extend SecondDeviceName = iff(list[1].DeviceName != \\\"\\\", list[1].DeviceName, list[1].DeviceAddress)\\r\\n | extend SecondDevice = iff(FirstDevice != \\\"\\\" and SecondDeviceName != \\\"\\\", strcat(\\\", \\\", SecondDeviceName), \\\"\\\")\\r\\n | extend ThirdDeviceName = iff(list[2].DeviceName != 
\\\"\\\", list[2].DeviceName, list[2].DeviceAddress)\\r\\n | extend ThirdDevice = iff(FirstDevice != \\\"\\\" and SecondDevice != \\\"\\\" and ThirdDeviceName != \\\"\\\", strcat(\\\", \\\", ThirdDeviceName), \\\"\\\")\\r\\n | extend Right = strcat(FirstDevice, SecondDevice, ThirdDevice, iff(ThirdDevice != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = DeviceEventClassID\\r\\n | extend showGroupByActivity = 1\\r\\n)\\r\\n| sort by TimeGenerated\",\"size\":2,\"title\":\"AI Analyst Incidents\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"exportedParameters\":[{\"fieldName\":\"showGroupByActivity\",\"parameterName\":\"groupByActivity\",\"parameterType\":1},{\"fieldName\":\"showGroupBy\",\"parameterName\":\"groupingID\",\"parameterType\":1},{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"tripleDrillDown\",\"parameterType\":1}],\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"GroupingID\",\"label\":\"Grouping ID \"},{\"columnId\":\"GroupByActivity\",\"label\":\"Group By 
Activity\"}]},\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"\"}]}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Left\",\"formatter\":1},\"rightContent\":{\"columnMatch\":\"Right\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"name\":\"All Incidents\"},{\"type\":1,\"content\":{\"json\":\"_ Click on an incident to see related incidents _\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where 
DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"GroupingID\",\"formatter\":5},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":
\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"3drilldownlate - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend 
Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"35%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"Message\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\"},\"showBorder\":true,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"conditionalVisibilities\":[{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"false\"},{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"3drilldownlate\"}],\"exportParameters\":true},\"conditionalVisibilities\":[{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"tripleDrillDown\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"GROUP BY drilldown \"}],\"exportParameters\":true},\"name\":\"triple drilldown\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"AI Analyst Incidents Over Time\",\"color\":\"lightBlue\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false,\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumFractionDigits\":0,\"maximumFractionDigits\":0}}}}},\"name\":\"incidents in 
group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Frequent Incidents \",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"Top 10 Most Frequent Incidents \"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"ai-analyst\"},\"name\":\"ai- analyst group \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"Antigena\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message_s \\\";\\\" null\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| extend agnActivity = split(Activity, \\\"/\\\")[2]\\r\\n| extend arr = split(Message_s,\\\"/\\\")\\r\\n| extend msgInfo = 
arr[(array_length(arr)-1)]\",\"size\":3,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"agnActivity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\"},\"secondaryContent\":{\"columnMatch\":\"msgInfo\",\"formatter\":1},\"showBorder\":true,\"sortCriteriaField\":\"TimeGenerated\",\"sortOrderField\":2,\"size\":\"full\"}},\"name\":\"top level query \"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"agn\"},\"name\":\"agn group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AI Darktrace v1.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"45805ae8-29d7-4774-a10a-8d60af407bbf\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"overview\",\"style\":\"link\"},{\"id\":\"a4b35478-499a-4fcc-8424-63abbb698bfa\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AI Analyst\",\"subTarget\":\"ai-analyst\",\"style\":\"link\"},{\"id\":\"2eac3f00-5164-4a77-9781-118eb681b729\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Antigena 
Response\",\"subTarget\":\"agn\",\"style\":\"link\"},{\"id\":\"7a64cd79-3a09-4046-8d6f-ba24fc2bab6c\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloud\",\"subTarget\":\"cloud\",\"style\":\"link\"}]},\"name\":\"tabs\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96e10804-35d4-4d5c-b2d8-1af544471721\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timeframe\",\"type\":4,\"description\":\"Pick the timerange for all queries in the graph \",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Timescale \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, 
\\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count = count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"
model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions 
with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * 
\\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Critical Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"Model Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"breaches in group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Breached 
Models\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"customWidth\":\"55\",\"name\":\"most breached models\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DestinationHostName) \\r\\n| summarize count(Activity) by DestinationHostName\",\"size\":3,\"title\":\"Top External Hostnames\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"45\",\"name\":\"top external hostnames\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]},\"sortBy\":[]},\"name\":\"Top 10 hitting devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" | where isnotempty(DestinationIP) | where DestinationIP !startswith \\\"10\\\"| where DestinationIP !startswith \\\"192\\\"| where DestinationIP !startswith \\\"172\\\"| summarize event_count=count() by DestinationIP | top 10 by event_count\",\"size\":0,\"title\":\"Top 10 External IPs\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"80\",\"name\":\"top 10 external IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in 
range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"overview\"},\"name\":\"overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count 
= count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| sort by Severity desc\",\"size\":0,\"title\":\"Critical Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">\",\"thresholdValue\":\"0\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"greenRed\"}},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"DarktraceURL\"}]},\"sortBy\":[]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different 
severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"SaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"saas user graph / time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"iaas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"IaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"iaas user graph / time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| summarize event_count=count() by Activity, DeviceName\\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\\r\\n| project DeviceName, Activity, 
event_count\",\"size\":0,\"title\":\"Top 10 Most Breached SaaS Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"DeviceName\",\"label\":\"Device\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"most breached SaaS users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 SaaS Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]},\"sortBy\":[]},\"name\":\"Top 10 hitting SaaS devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor SaaS 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10 saas\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloud\"},\"name\":\"Cloud 
group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"272e8563-290b-4ca9-822b-18ae680cf1e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"tripleDrillDown\",\"type\":1,\"description\":\"toggles drilldown \",\"value\":\"false\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"57ae0969-b409-47e6-85a2-7b3c6895bb60\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupingID\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true},{\"id\":\"d44afad0-d6fa-433d-98a1-504ce53c5215\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupByActivity\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"clicked triple drilldown \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AIAnalystAlerts =\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | sort by TimeGenerated asc;\\r\\nunion (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 0\\r\\n | parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, 
\\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = iff(make_list(d)[0].DeviceName != \\\"\\\", make_list(d)[0].DeviceName, make_list(d)[0].DeviceAddress), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by GroupingID\\r\\n | extend FirstActivity = list[0].Activity\\r\\n | extend SecondActivity = iff(FirstActivity != \\\"\\\" and list[1].Activity != \\\"\\\", strcat(\\\", \\\", list[1].Activity), \\\"\\\")\\r\\n | extend ThirdActivity = iff(FirstActivity != \\\"\\\" and SecondActivity != \\\"\\\" and list[2].Activity != \\\"\\\", strcat(\\\", \\\", list[2].Activity), \\\"\\\")\\r\\n | extend Right = strcat(FirstActivity, SecondActivity, ThirdActivity, iff(ThirdActivity != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = GroupingID\\r\\n), (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 1\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, \\\"ActivityID\\\", DeviceEventClassID, \\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = make_list(d)[0].Activity, Devices = make_list(d), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by DeviceEventClassID\\r\\n | extend FirstDevice = iff(list[0].DeviceName != \\\"\\\", list[0].DeviceName, list[0].DeviceAddress)\\r\\n | extend SecondDeviceName = iff(list[1].DeviceName != \\\"\\\", list[1].DeviceName, list[1].DeviceAddress)\\r\\n | extend SecondDevice = iff(FirstDevice != \\\"\\\" and SecondDeviceName != \\\"\\\", strcat(\\\", \\\", SecondDeviceName), \\\"\\\")\\r\\n | extend ThirdDeviceName = iff(list[2].DeviceName != 
\\\"\\\", list[2].DeviceName, list[2].DeviceAddress)\\r\\n | extend ThirdDevice = iff(FirstDevice != \\\"\\\" and SecondDevice != \\\"\\\" and ThirdDeviceName != \\\"\\\", strcat(\\\", \\\", ThirdDeviceName), \\\"\\\")\\r\\n | extend Right = strcat(FirstDevice, SecondDevice, ThirdDevice, iff(ThirdDevice != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = DeviceEventClassID\\r\\n | extend showGroupByActivity = 1\\r\\n)\\r\\n| sort by TimeGenerated\",\"size\":2,\"title\":\"AI Analyst Incidents\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"exportedParameters\":[{\"fieldName\":\"showGroupByActivity\",\"parameterName\":\"groupByActivity\",\"parameterType\":1},{\"fieldName\":\"showGroupBy\",\"parameterName\":\"groupingID\",\"parameterType\":1},{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"tripleDrillDown\",\"parameterType\":1}],\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"GroupingID\",\"label\":\"Grouping ID \"},{\"columnId\":\"GroupByActivity\",\"label\":\"Group By 
Activity\"}]},\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"\"}]}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Left\",\"formatter\":1},\"rightContent\":{\"columnMatch\":\"Right\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"name\":\"All Incidents\"},{\"type\":1,\"content\":{\"json\":\"_ Click on an incident to see related incidents _\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join 
(\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"GroupingID\",\"formatter\":5},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerate
d\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"3drilldownlate - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = 
split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"35%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"Message\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\"},\"showBorder\":true,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"conditionalVisibilities\":[{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"false\"},{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"3drilldownlate\"}],\"exportParameters\":true},\"conditionalVisibilities\":[{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"tripleDrillDown\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"GROUP BY drilldown \"}],\"exportParameters\":true},\"name\":\"triple drilldown\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"AI Analyst Incidents Over Time\",\"color\":\"lightBlue\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false,\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumFractionDigits\":0,\"maximumFractionDigits\":0}}}}},\"name\":\"incidents in 
group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Frequent Incidents \",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"Top 10 Most Frequent Incidents \"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"ai-analyst\"},\"name\":\"ai- analyst group \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"Antigena\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message_s \\\";\\\" null\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| extend agnActivity = split(Activity, \\\"/\\\")[2]\\r\\n| extend arr = split(Message_s,\\\"/\\\")\\r\\n| extend msgInfo = 
arr[(array_length(arr)-1)]\",\"size\":3,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"agnActivity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\"},\"secondaryContent\":{\"columnMatch\":\"msgInfo\",\"formatter\":1},\"showBorder\":true,\"sortCriteriaField\":\"TimeGenerated\",\"sortOrderField\":2,\"size\":\"full\"}},\"name\":\"top level query \"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"agn\"},\"name\":\"agn group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AI Darktrace v1.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -129,357 +107,56 @@ "tier": "Partner", "name": "Darktrace", "link": "https://www.darktrace.com/en/contact/" - } - } - } - ] - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('dataConnectorTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "AI Analyst Darktrace data connector with template", - "displayName": "AI Analyst Darktrace template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" - ], - "properties": { - "description": "AI Analyst Darktrace data connector with template version 2.0.1", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('dataConnectorVersion1')]", - "parameters": {}, - "variables": {}, - "resources": [ - { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", - "location": "[parameters('workspace-location')]", - "kind": "GenericUI", - "properties": { - "connectorUiConfig": { - "id": "[variables('_uiConfigId1')]", - "title": "AI Analyst Darktrace", - "publisher": "Darktrace", - "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model 
Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Darktrace", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\" " - } - ], - "sampleQueries": [ - { - "description": "first 10 most recent data breaches", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Darktrace)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, + }, + "dependencies": { + "operator": "AND", + "criteria": [ { - "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. 
\n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" + "contentId": "CommonSecurityLog", + "kind": "DataType" }, { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" + "contentId": "Darktrace", + "kind": "DataConnector" }, { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " + "contentId": "DarktraceAma", + "kind": "DataConnector" } ] } } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": "[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "AI Analyst Darktrace", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Darktrace" - }, - "support": { - "tier": "Partner", - "name": "Darktrace", - "link": "https://www.darktrace.com/en/contact/" - } - } } ] - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", - "dependsOn": [ - "[variables('_dataConnectorId1')]" - ], - "location": "[parameters('workspace-location')]", - "properties": { - "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", - "contentId": "[variables('_dataConnectorContentId1')]", - "kind": "DataConnector", - "version": 
"[variables('dataConnectorVersion1')]", - "source": { - "kind": "Solution", - "name": "AI Analyst Darktrace", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Darktrace" }, - "support": { - "tier": "Partner", - "name": "Darktrace", - "link": "https://www.darktrace.com/en/contact/" - } + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", - "apiVersion": "2021-03-01-preview", - "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", - "kind": "GenericUI", "properties": { - "connectorUiConfig": { - "title": "AI Analyst Darktrace", - "publisher": "Darktrace", - "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. 
Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", - "graphQueries": [ - { - "metricName": "Total data received", - "legend": "Darktrace", - "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\" " - } - ], - "dataTypes": [ - { - "name": "CommonSecurityLog (Darktrace)", - "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" - } - ], - "connectivityCriterias": [ - { - "type": "IsConnectedQuery", - "value": [ - "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" - ] - } - ], - "sampleQueries": [ - { - "description": "first 10 most recent data breaches", - "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" - } - ], - "availability": { - "status": 1, - "isPreview": false - }, - "permissions": { - "resourceProvider": [ - { - "provider": "Microsoft.OperationalInsights/workspaces", - "permissionsDisplayText": "read and write permissions are required.", - "providerDisplayName": "Workspace", - "scope": "Workspace", - "requiredPermissions": { - "read": true, - "write": true, - "delete": true - } - }, - { - "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", - "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", - "providerDisplayName": "Keys", - "scope": "Workspace", - "requiredPermissions": { - "action": true - } - } - ] - }, - "instructionSteps": [ - { - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", - "innerSteps": [ - { - "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds." - }, - { - "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId", - "PrimaryKey" - ], - "label": "Run the following command to install and apply the CEF collector:", - "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" - }, - "type": "CopyableLabel" - } - ] - } - ], - "title": "1. Linux Syslog agent configuration" - }, - { - "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. 
\n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", - "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" - }, - { - "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", - "instructions": [ - { - "parameters": { - "fillWith": [ - "WorkspaceId" - ], - "label": "Run the following command to validate your connectivity:", - "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" - }, - "type": "CopyableLabel" - } - ], - "title": "3. 
Validate connection" - }, - { - "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", - "title": "4. Secure your machine " - } - ], - "id": "[variables('_uiConfigId1')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "location": "[parameters('workspace-location')]", - "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "AI Analyst Darktrace", + "publisherDisplayName": "Darktrace", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The AI Analyst Darktrace Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.

\n
    \n
  1. AI Analyst Darktrace via AMA - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. AI Analyst Darktrace via Legacy Agent - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -502,11 +179,6 @@ "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", "version": "[variables('workbookVersion1')]" - }, - { - "kind": "DataConnector", - "contentId": "[variables('_dataConnectorContentId1')]", - "version": "[variables('dataConnectorVersion1')]" } ] }, From e6d6be805df4787e622bf9a282ce55f59ab5251d Mon Sep 17 00:00:00 2001 From: v-rusraut Date: Mon, 18 Sep 2023 14:00:15 +0530 Subject: [PATCH 4/4] updated CreateUiDefinition and Release Notes --- .../Data/Solution_AIAnalystDarktrace.json | 6 +- .../AI Analyst Darktrace/Package/3.0.0.zip | Bin 10291 -> 15117 bytes .../Package/createUiDefinition.json | 27 +- .../Package/mainTemplate.json | 686 +++++++++++++++++- .../AI Analyst Darktrace/ReleaseNotes.md | 5 + 5 files changed, 716 insertions(+), 8 deletions(-) create mode 100644 Solutions/AI Analyst Darktrace/ReleaseNotes.md diff --git a/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json b/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json index eb41224a5c5..8357eedf98c 100644 --- a/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json +++ b/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json 
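Review bot: The workbook's new `dependencies` block joins the `Darktrace` and `DarktraceAma` DataConnector criteria under `"operator": "AND"`, which reads as requiring both the deprecated legacy connector and the recommended AMA connector to be present before the workbook is considered satisfied, contradicting the `descriptionHtml` in the same hunk that says the legacy connector should only be installed where AMA is not supported; if either connector is meant to satisfy the dependency, this should be `"operator": "OR"` for the two connectors (with `CommonSecurityLog` still AND-ed on top). The `DarktraceAma` contentId is only meaningful if the AMA connector definition actually declares that `id`; please confirm it is not still `Darktrace`, since two connectors sharing one id would make connectivity checks and dependency resolution ambiguous. The `descriptionHtml` text as rendered here has also lost its link targets (`here`, `more details`) and carries empty list items 2 and 4; if that is not an artifact of this page, the generated HTML should be rebuilt so the AMA guidance links resolve. The enclosing `contentPackages` resource continues past the hunk.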
@@ -7,10 +7,10 @@ "Solutions/AI Analyst Darktrace/Workbooks/AIA-Darktrace.json" ], "Data Connectors": [ - "Solutions/AI Analyst Darktrace/DataConnectors/AIA-Darktrace.json", - "Solutions/AI Analyst Darktrace/DataConnectors/template_AIA-DarktraceAMA.json" + "Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json", + "Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json" ], - "BasePath": "C:\\Sentinel-Repos\\Azure-Sentinel", + "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions", "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, 
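Review bot: The new `"BasePath": "C:\\Github\\Azure-Sentinel\\Solutions"` ends in `\Solutions` while every entry under `Data Connectors` and `Workbooks` already begins with `Solutions/`, so if the packaging tool joins the two (as the previous value `C:\\Sentinel-Repos\\Azure-Sentinel` suggests it does from the repository root) the resolved path becomes `...\Solutions\Solutions\AI Analyst Darktrace\...` and the inputs will not be found; `"BasePath": "C:\\Github\\Azure-Sentinel"` is likely the intended value. Either way this is a developer-machine absolute path committed to source, which the packaging convention may tolerate but which makes the config non-reproducible for other contributors; if the tooling accepts it, a relative path or a documented placeholder would be preferable.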
diff --git a/Solutions/AI Analyst Darktrace/Package/3.0.0.zip b/Solutions/AI Analyst Darktrace/Package/3.0.0.zip index 1ec304dab4a871f31e90d9df55777a5d6a8a03e5..3f4a8d2b89dd47e8695258fb044a7ebc27be4dee 100644 GIT binary patch literal 15117 zcmZ|0V{j%;@GctLwrzWpjW>2S+}O60jcwbu?c|NMv2DIF-<;q7-l|)->YOw4p?jvL z`_oL%Q{DY2%Rxe6fq{X+fnC~j{9avP_A`V71N$HV1H=7q*TmV($kj~4O2W+C%HGP= z%E6w++Qq?sM(fi4s0|xrP;l#5(3XKO{%=h&7)OeCbi{p8@|s3lZ~`?xz>z9$Bnv|$ z>At3!ecs}{_*ljn#f^00xl196#T}RO;!dy6Wi{O38)4w1Hc~Z@{T8ZcX=5mdDScTc zqcMkC=&%!c{iXE8sHEvVSDPeEdf!Re(x3I!-m8kg`7^uS!k5w6D0FgoN>vAFhXWd} z_~gyIH7#X|r(UJHRF%-dZ*AS51l~ARMBaAtj7LPk4qdE5FESnCL?#?S67L(8+}Hl< zf)v6y5d{8NWGAuD!K;oBalf}@GCFg40h(dLcDc(ryflB7r>C8to;}9Gt8*q`O@O~` zo|@7QLPE5A&QiJ*`K|LCVY#5}Z=74FMDf&~Q;j_EQp~Na_hat?D!)e%={nkwf)l{V zVnPC?*h!<vf+NsC;wkdSd;i;09sPCBUj}QQC(5kiLj%dk5w~x$2p=ZgK*K;G%ZO3i zhL#GbLekE5EoP&PLEWYIYgf5I2}n}fQW~HNU5s)MU61M_SEXQV>7q@!>1?EM(i?`~ z=Y$j*lZf|3dKrp{O&Aj1`(gS|n_5H6)s}LhOx|clIqQ*nJ=5|vc_mD`lm>-|S{I35 zy8fXU4F#oaD_9J_hUIq#8@Lp9mxy^9_dpS(Dhpyb&-?eBi<6RTx3+epXFWQ%fsojlT)&KVz&U3j+?6VNsn(cvf3cI+wsBl8 z(~v#x@JZkuGv@2jc=+M);qFHT>oJ(7J|vAsX^iOcKaEixvz|7W(IhVMmCh!^$s%O} z{;<1P$TN&xbkZVGNaQwIraF}+FwoENa#JSrUgtD#2@X#H+K-NTXfYV6-P!s)uwS4Ef+Rp&EcZ|)nhrmwT z@;WodPS&T&X!*Vw>tA7ol z#s%Al19Wq(^b^_eK=@_CaQ{LL?U+Xo;+M}}M{JZ`9sOr~Zjnn;>UCXmtE4jTC1}*438odu zmdFdhir7!llBHnllxJZw)R7oaFJ-vNVn^|JHG%Xsk(Y~+oC3K18yf3QL*_NA0_ ze5IaH5=G;68~t!;WO^WMs78x^Y~nfnF%cOgaW&_?e%A>9XrUQVup_Z!7$}T{@{LDC zGNZgtf7`~O;N|p^h$1vf6570+sX2;|(gtZg!J~)q=E{YIp`=QEXg$&83<8Hyir9$` z!lMRodESPMRHl61cq{pIwiI`3<( z{ZjZICpz_)aAGS@9r?m%(rEBT7@Vp!!U{+sS;bz|oS+GsCmaH<1rR-ttah{hMsKos;BtiCWO@c}cu4e!*UH~`^>MvgUAq;2E`EIpI<^+d52p^8^52C%^6y|3A zv8O8Dw_PIu)Hjm;S;88Ih?#=JF^I`2v&e57loov(p*q9vz(u;vt?UsoN4{8Zh>*8= z-MC+{e*RYGBQQHL7qua=>unhq8``?iMaI$iL8e~IxnjLRWwy+&ztY#IzSr2++uEUW zWI+eP3VHhvhzkR9qyK)OYGpq6!AchWvSKK3z+f3QNZ+UrdN?~w>?v|CyI%;!NtobS z{!W4WZI;IV#byjt$N85}Pa0E`F)bzi{yyNing<^jWtW>-&GLMyo!~51Ec(LKe%D^l 
z3bu;C+<|XO7pFtL!am%6!b+D0SFP}{-m1?k$hApsiG@*IfJeObOiD}m^Qk!Zu^|@w z*wOpuIkKQ#!-rS5FgEu)T%0S8@ZsAy;n}HU6uYZ)pJrd`vo5)Z*QvX*v(bo+-3M|i zEBx(m$);U|xtLCK6~8=C)FA;&W6Fk(EkG^c1BkA>SlJ1 zw*Nts{|Am->HE2C@+5zMo8Jf)-25=PlxmT@_@T6oKW3$-luLtKe!VrChebgii7Z(~ zg*~Q367Ztig9i0Vq0)3U&a$n@gg#&le#PS74Yq0kdJsX|_^2PxOTypr341Pc5{l0w zCI-@mb6y?7XQGP;k9_Nd9L=Mc7cmJm>72}4y2Ye<9VK+)Zq0k&j@#bsXApt#p+W6F z3M+xcuk0ybQbXg&z8mpgYenCY_xO>G!6uV~xbI*j`;tP)VmeRIC?WvzHu(DK@fpkC z=*+!vJ(5TgDog@Whh!487H1=4I|^9EE&O(VQ-V2%XyWAq@&8J3*Z598Bc<=y`Z6&$ zl(5384#bunMaVGNEEy~od%W?{QIE*oQRZ51{0;x1FGu}w`+Q5%Ac{A?yA}T0n;a4x>`j#-};0^Yytmswylo$yGl!CJh<*fpJukgn3eHWP(va zgmPs8gv3}n8)Ezq<3**98Fg!v=j8h@sYC0hwN`RgeC^H_4TAeynSgOvsZ5$2Sj;+v zMjPpdG%BjIRGV;7tQZqlaOV-BL{D}DffN-qUoK=>?`CSIf3lAVM+@R};z6R5 zEI7^hC=Qy{+O2P|)S1u>wG(j8;_6pJv_xH=N9fB;zQ0C}afR=OjDBrW*)Rg?a~ z64m)!EHjgp*?hL^xX+LUbN}oLq{NF%7ttx@wEMBH|5#I!dnWwXGOmF+ow4h5zK3|;#;DR8Mpgm!psh(#YDqL1Eq^* zLKr+}?4uR8{awDjTjqqxgoAN?VW4CGozz%S*yIdU$(;6LOXg7dX7@t zUHABrS%`cq33Riva{m&l6-;P$(&$!md&%I+5!7g&+}B}Z#H(c1mQMEgTBps(XlB;x zYnWFDap+z$H1li_|ECvmSkV4@&L@6^F^TJm9m@&9xF4QbmXs_tb~Sd4`c1wqk2mKd zeA4rxu8|slVstkFZ6G9ov6xC1_K5kHA+I|M(zvyTCw>X$W|!!dirZr4m_`6BV-!m$cC(9uYSpb+m#_F2G(2BiZ)* zYI&a@L>|?+va---&{?UUz6P%lIZUY3Jcwes7|UZP^SFRCfzcnbEr?bLDJ{P0w-MLHLO99<^m+9>NwR=N*Mg$r zogN*m?~F2^$5*_?{4dpr1H$-*BD{Et=kZ_xc$HNnv)r44quho8wBX-1e8%6J7Yo3x)z2X)-nS}qzX<=WLrAZa26fEFYh_tCN1 zmJY1PSYZ3UtfMjA4!kpn~6C(Y?N02DrdvJ(;@1J76#amBTXu0|#)}Z+`A~8OT zT4Mh9{SMWYWmOVGOC8ZL3A--jTF-_)EY95d24LJ7CM1#GO z(P_MooBEXawE|B;6Bug~V4B7phC}{LD+G%9p`;_n7Tz*MHS$1zkVfe(2h!;<+zXT< zVu3qWV!}k4(RM6&h>B}ny+G1=Jk?}#7CpdYav8b2UqtAVYjjgIm!@36xo(~dr=FV; zl@aa!y;8JDPk-K0o0KG4UxQqujSs8op(Ul1SwSRP&CO)8eUVX0W##~FrtdOO&v^Or z@k0gB5;zGXj*@>Egq?=zY;)J`z9ys&y8sx-m_LXz7%+5++XRJt;PCf!Xgei0+}}@+HJ_Z z&8KW%8mwa8pV!V3R5tOFoKRzav=L2Fm^)BH0?8@n!HD3Oe`Y|#h~1CQQi^M-9YL)M zL%2Hl7z#xMW2hR6kJR`k@%S*LWosk%J*y+kLT+%R21Q{=U3a%!pTltkg-bVVHnZHy zb^IF@gW+%kx2f0ixBGz?ToXc}M5B4O$EEcOZQQTZPnRMh4Ci~)v9JzL$$jr~v4BrE 
zvtn72l#nU~uQT0Y#y<*Wlt_N#(6+M`UhM-q4ESAh9Z zCiqBn2U3sn74;J`7@ar?8k5YkH#te5SgPnmf<^)_$6yDRLeY|8-btPi!n&H)JzSHP z&h^(1K1`O(Ag9v(JaX8`R}HBygaWdMtjS+Buu(Q=vH#}`q^SbHd9{onrpu@X(3Tygt? ztG(C~1!iafD`IwEBByx*a7iOrV_qB{nO<(NjEgtqu7s27&PmWY9z*RrWk>11*(rV2 zQNN=HBD}8!>bwUz<1W4_*+!~6Ip9u%Bq2g=X!jQ@6E9wum4q=y50ZfCgGUvCn&2G{ z=QnoTwUs;HUtJ5n6HX(Pqu^CrRyjDuz%Q#kewFtObY!u?;F>!QQ$e=vsJ9LX;nA@% z@6jcZ!e^uSnR%kgzsIf#ynEvjs*Qkj9|N6sgK6DHFZC<2GYJ`1aL7B4+faHl8B(zK z{BT#R+nrc0m%s?PPG*^ZPerhILD;h!;7>*WRAFW1Ts!Mueab^kTDO%e*6`^ z1EMbdm+5nMik~Et+SLKtW^N?Cw!|j}$r)ryY$L8p1=n!?_PX&iD)5T!_b*6j7;E8TCb)fak9<0S^aJzeux-zz<@8F=n^ zmkfSI--S3<)xV|-qL*l8s|kiH+4nf!{6ZZIBEl=7UJ~*+0jSeby|KL}4|Gv0OzXgPik{nLz=wiZo?VqPAzbX$k1Bv~F)wEPasISHLh z&G@I|8|zVAJf{bDMNijXmI6~7y3{m2y=j%+f)#tX3W?=<;)>M$_apVlC#YL(iEelO zD{v0kX;$^sOM|0OdtW(xO@BcGE^ehnkE)sC_w>BYUsNM&*=qL&*Vt}7Ppi)e=rk-d zrPPlY>4W>MTtJa!CK$0!wz}wp8UFRJNFcXIZ`q2gk3)Cu&ojX#ebknvzt=KgJS5T;?7Fe**3)gp8Fp4|^#EIL^I~eji1j42 zR+!B{=LHNt{q}P6b_m&{ixBpuumQV;An(0W7<(m%j)me(g0|&`+AupogiX!dcww9) zO;fe%=O)+M4{qO0vsb_zi2Lq28KL?HzH6PlAMvhaPuJl`hN^fAE%-u`4KufVwUG|; zqC0NcGFUB)WjtCzX*&&f0*y!R{o+Ek9p|eY8ty|z&r_k(D}|p|$ab9xYZm{FC(_+S zJZ9fEGx5<$0_6sjfF?{J=Vv0`BeCA!kqHIYM8%s9$y?zIxS=O>#9LC|M8dabI)IVy zri8zv-@GM7sVRooTstzhGgGg=;%=}RF-4<&9$VT)=8!5_(|N3m&XZS1MA@6}F>16H zTQ*{bvM}VM+R5m!mE%{`NTJOl?3Ht^KTyM)uP))YK2!RZ2lU>UD%(3|h)NEUU?Vj!ezRB2v~68#c#uz>z>rd0iBe-|I%Iq@o&-CW0Tp$NlCL( z_pgK};*QcczksJn8%}JnyMY+0XVuoFly4qA@6}{cn8(h18TAkcyvv2xRREa3y;$Py zS(n9;f1*{H!`Rj(l|QU;U%1Ce&`uu`w3?%|%Yp+ zk44p`A}gjtDr`m3<%Y;#s^fAh2;abGt}u3qddSe_S(7{R4NI2Vc$NQnbq>*NvyC!a zYWL-;^cENJKy^yB2;}aL6+6FeTi#$a;$y?B&{9e)$tIe}_QYbO}BUMPvBunOt_M_0@<2F>1UyJVGIuy`M#)+GttS#+d`6(~&2#=gBO++pi+ z80{PzSft5bPeu~5<3RU-6SC{={#T(UGjDbBZmezo%K0V1uj&Nd&-|TL7~QV!%o7Et zF+`0cxvQ|C%6i&t7XRR$)H$Eg^QUn`HX{q6n@-qvt+Qb;Tf{4zl#)XH-=XVh(# z&LzNQGrl;zzuA)AQ=EZl+V(5o(Y@$3`x1|pZs@(*(Nv*d%3GJPr93zZ%5L}B_)&FB zI7NKe%!?eFc8}*bOwohRd7pxY1P!Xy^02H`>11W7k10QQ;IQQJ2pR=Np*T$^XhjKw*E~d33bEdto;B z5Xov-JWnde;u@qEl^DQTQC{3%J9#p#k 
zYaN0v^?cVAD4oJJs!9|`%AeF}4|Ii|Bz!N$A_c$=Rs?s3V*CG7a{nr!4=f6R?^Yqo zxIy$ur~P$+f39l2U1rU(<^I^I3zNA4p7r~m9`*f!(DoNW#;P`p_H+8}nLEjOqh#y*uNouETQRF&J&N3;Au*C*CyuWfPQ8ounHn-is)^J1B= zrt+Xc(0r*{MXNNoNXkgVP$hOKZ#nacN6N(QAT3wQM2W3=M}I*pm#ki(H!32!28i?E zzM#!*NrPXVe6}1>BW0R-(+5NJ(T5b#nnu=$fwZ!Pu|n905UOvBda^w><##2fTiX6^ zZP~dvf6o{=BG7F>t<`;;{+&Lw8t%`n*kA7-2!wve?%Fl??sqFhuYK=Wd_TtUFxwd{ zijKo^&GPc^qr{qmH|PEHux;7y>ENMPv7L)?(X3NJDps*AR=6WymafNI|Ddm_I(XIB zbbtIwQLk%3TiK|+GZnK~-}P*@Y7HrwkN5y~7Rhlu+xjv44uj%V8NX#+hg$DJD|3R- zpdXUbjFfgfo5D~{J7H?vv}b%j&gI#hqwMBAELg&8`ftcb@8x)=e_!UBrtM4y0L_~j zAvglvzO%h@sE(Qua$z+RoB}y|%#V^8>f90fo_%GRWSV=dj1HH1oFD^r;-m) zG!wALd?KtUPU4up-b-Bk?>ObS5(T|^?xi_WeOEZj1jS9WGxwf?2Zf@nsl8kK*p^j` zFLU6(8jI#@x>t=ELsP6R=F9G|`@@R1Uo=uzZ<`UaE@iRFVIg}%O`;JB+c~n%^BPt5 zQ7xo)mQM)rXD?ixU!9Ou3tx6G3knTpmUjqsoe6AcriMAkgvHU#`FVy!1kmFnqb01j zko}@1OsZVT8&D9jZpPQk&LeQ$ zW`YE}#?@6Dr_g2BZIijJ!0+c@99SK@Ug}PUJTYg)UTmk!x6Kl{6sEVu1zaBjz!^g4 z=H!CW@~ZeAB(lZLv+wpRdujGwWLumwj?r5Ddd#}Xz+SwtOHg&_b@kSjFZCd`dOTaS zW$BR;2p)9^+#3hc)(|t(iId9u&6w)(KB2n?eLPO51fFa9-Qqf|Ibdg(1$i`w6ssGEI z;{s!Zhf}r^wNNcDk|*H=iz&?$^h)F9zQe|nvMQh}W^1v6IHefzlObkC&nN~@=3-0l z5LQ6=v)trY5KOO8Lc1G`br;ZIRtDolmvdQ)As?HMCsoW_FUT zdRocevAg*_KPG2k&Z+S#Uf&gGMg}pgwwMt(UQzz$DvunX6jS~spo2|9(rsw=HP(^b3K>O_umE~IL zfH(7lS2zL^^xG9>Y2|PBOaG`nMTqnVvZFT#7e+b=5=GqCWltbhKD6`Vp_)BrYDB?& z7ZLOhXE(aF3Sp6=)T+a!^rcMwt0;y$iOk?`@_ZOC`=hhEO^4Rm8OuF8rO5W#Vs8@d z854cY+I02TQbRNW*q)0WwxyZI&j+We9`)rw7Uvws-8dVX#jPbwM~wt6VI6H41Ibh5 zF63j4(>NllDKcW)Gj73hvGg^V->xo4wQI<$Kt+#hvGH8r5^T##?T8uPexI^V27~jJ z-6XllN(K!x$2aww3#;mLnn^)S*_2E356>9`x-DP#@kIZO<3h^*4pRUE2wt8`;&pog3L7 z1dcV@J}w&IyD-}=xBJ|UAHWlklyI8f-o}@=#LaIFk7%ngy?k%hhPky$LVaVRMTsFf zBF<-Pc1%$1yZJ#X8jUdHZIQYXMMgp?g5JT4zWw9u`lMCGxZT9xX#0sRrzO_izW=h5 z-k|>XYG%f;n@glpyY>Sb2insCf}Jt(e)_7@V#cln&G#zHlRUs`cav1L@CKB-GEl0% z1k~x?d!!i9roW~OMjjf_sy~o)(6qU!`*kw<-R^PRYe%UK`i6cM#9E4Ogg%Q%edOW^ z_vm%E7#rtr6pWQ5!fTO`lb}+iRCVXt&YbJJ?G@0Xs@9^S=2xUBT8JnW_|xm{@uelZ 
zk1lHI`@&Uk|8kku)9;@RD7;tj;ukv_o2eUHtO*7Bqjp{2ybZwuLb|qJH_VNiH+IOj zr#V$n3mLYwXqy9N3;nb+^2&$3*mGS>^c6cbdwWg<@BYj`g;<-q5%w7#5IQ|M&(a`I zF7@z`*tqwI^s*z>lN8!xjx)R zN<#yo)#*1SiQ;Fbv;wURM?C4ve~(xx?e~v@zHeD;>2FIESrMwi+dPD)GZ4x}pgsMK zfkJULXgavSZsAls>1Hqe2Z??F_##@Hz&FT&>E)NmlJ~UE&$LGP-y4hQZEuc{LXy(B zx3~0PzNb?(KG*R8^1to@M9i9eA*Qm7yEk&r!K|Hupz(Iv-6%>1si&P1^P?6^srLs- zSIERkikskRPfAu`)KXiI*PXB#!bo=TO)%uALm$}jy#unovU`LeS*0gLaf#~bzdzm0 z={HtN0&bG0f21FGk_9)nFB|A>FNNFR_*YD#7Z<>hyH~@;2HtUM@U()kNek)+L@f*S zMS~e%Z$*ygSwELKshcfQ{?t$zDXno4NY4$P6>XHxcmro%;TOYv-A9f*Io=1Z?7_Wu zVqp^xqx<{S-*hkp+JhGU0ZSzaz3DjXmEs&ov`#m32sM=>u#;%J0{ zr+X-V5h`D=_)2!(4s~~H*Td2~@=wk!*bt5akaL7n%Y+;7x!&&ckg487HE_9;(7YgB*36&Z#rBhy>X)?gU8xqo2yw4nIr|X5X zAh5E!Q;c`z*59<+8sdQTaFyLD4C#IxiF91c0?+<9}q8(H3Z4zHO0ilK|ZE5|s zudnTtM&FO_|GT;7#u<;*EJh`jHEzWBPYfF)tF$=pVH8z?nxyi`NW#B_wL|Gj>`ve- zi?IeVjp~su0b?!hz6`2IYXlbsYDMw~X%qZe_<9W&YS9#nW2DGpDc^LY?q>nkUr*TW zX!B5tdy{Vk6!1SGxjYgwEK#N6Jb&m^YeLvGW3 zS06Bimr@j zDeJ#-{%OV7le&`%aY(gWsaMxhVX{mB=T1Oq?MzcBLfKEIdfIC;MV*YnKs zVI5C{>D;+ohie8U-&@s_3=!4L0hf}iaAnao6U;rjr?#G$=H zQ{j5+31t;PPEAEKCtTOD;xTcFyr^6Kw8;5P4_X@Ee|V=SfCYC;~y%UKz@m`QdFngDamDF*z5p8uG*2J&R!Ew2$ zP{MA-ct%%}k2=LU&mAMl1IZDytscJ&_Age=j}8yyZf$ueub#U1jRV%YI=HqqYder$ z6#s)zl*E`pQeWxr*t-s4^lA`s$j|0 znBYCbGf!u1uV|GmqpG_lqkBuLvfwb29ZfxSgg0L{arOrz5TS@-5PR%~N!a>}@kuyl zkG5CHM1KWPR2q+3e}#*{L~ug`2HhPjreM*S$ph9If=UqQef$mt#Tw~@Q?^)mzv~5E zWJ!2r5^rtcYRY<;`alOP+foevd`;+zmo3_?L@iR|7wEq?CWS90&;ja=`_q)e z!Un|8Ivq7iP~OPmdJ`Zz(BYd}&=FIvofh$A?_bNU37j!{%ubrWi3PU7S!Un*jrTaU zeBTX@w}Atu@$&@)54SxBmk!gmPHGnN=AWeI_XdW}G|~F81LsVn#_7}qT_lU3MMs$; z&WSogVDL%%uvJvn^K_^qq}iJSj+Lib47Bf+Jnel^WYADh+nglgZgE2MtdKL?2R5xi zjYv44@q^c+yP%z9+nuj&s=5{zp_miyEV-y1&2{wUF>zQK+W1oBNcdD8F~g(kvgb4@ z(Q?+BVFw+ycOaCz^W%^~Ej4AA>7IrZ7u^R`F@`A$s`65f_JR@VtgjOUCUSbl0q_+; zD)W5@0@bvj(*v6s(+-a4?XYi}rqE(bZtjgevcxs%yPq+rLzpJc^L^`uE$2oI4*}@# zspc9gEw#;iX8fME$5vTS75WQQ}!$T{Pa`}Cp=$V5E+ 
z`4=<9ph$*5wF&w|Zs>snEX|Q-HF=UaNh^@Bx*#17MZX{xNt^VB5!hz9~i+BCxLtTV<~eB+|c!^58JYFT``TYw$>}%^s!bF4a*X4-@)UXq^LzEFlj+puQsuM(<1l)|ZY9>}hGd5D z@#{G+=TTzi8K(0l->}8AX$b=V=0li%UN3L&`1cS=UVr+QqEOjT5pTpQRi^AGSO4kC z;+&2tU)&8gJ;>8@RTjQ%DY;2F2fCw^oq%l_M>@PB^m zS0Z7kr}78HeEc*Q5g9fBi9x~9Gf#hy1+!ko2eT^Dq_4AsDul3EKL=#jptN6Pq@T5-n?4nRNf<&@EszG?AeF4 zD8_g~9pD7R)Vg6>1p)*!LCW&uFm}&+2l;5&8@bBpSUMgOP{ERW$LbP_!!lT-eG@y3 zSgF5O%Z0H$>qRXFiD^I?x9VHnf2~N{)>YhL@llt(I=~7!(Oxl7A!A(NXUXd$>ALKm zS_7hc{vz$Zba+fFq9NXy!LET#1wP5M*K4!;PLTn)Liz41kdK_>-VuFSnFSH_pSJ_) zD1lzHl<`arI@8}Ia&Lceevt&kBdB|ZjyLalQ%7Xaq!s=&N!q<^G#Fl*P^k&oQ65c1 z`xqc_j6EZBIwCt6b$`9LhR#YSjL6~WF}J0!0W&DDw=)-77Rla zsQzBHThBf{I<$QAUi!Nj9E@<6EpJr3*(G=@$CU%~bt$#S6j;wDr8v zAEtPIuCN+glf@*5#7${sE94qLaoRmLY3;z?%fEsbJ*S3}L6t0oVt|MpAAIbV{;LGZ zxti}uahPY&GP#-ds{)FOCL-_1q;YY!v{i%)>;rCuiH`nqL)WKP7y0{mkfOMIkXG?1j&xys zKHUg2$);YUQ>gE};RWoaZkVB^7XOw`OROSOS3e|HJ-$g`h&tb$%MHI$TFm_DU&|x# zMP+0Uh%%5EG9c;f(b4zjjQ?Ts8ScmuZ1e4cMq5BX)&zQOr&EM`-(KIeDQ~vqL$fPU z*fMJGR%L%#GWr9LAS3J!;Fh4S1i8)2yol*Ig*{eAgiN|uhD0SP<>oFuY&skRW`qLPf;+A)|JwlYzF=;9p?QjRyn(@Okd@N>>9OV;h|mf;6F^< zGC7jsjmEfqixT3kn=ZLAO*`i&>(E4pxvfX$oflN6N~Vq%s_*ao0m3GUQTR-Cry1zy z*FmCI9XL&kF8@hqVb$B*c9bwMvX0uV7d2x0o$C1;*j(&U52yCP)AfXFff*ohUGn{z zJEaT6B7~g<>{(6zdYar1z3jvo^Il$PYJ!s+}u>#a_KO8cg$X%zur1{T25=rlrH82Bf%|mCQKjq97~j9Sq=NV&**p7*vuwj@HVY^EB)KxxHuaI)jC$i{9MMkYB^O;q0h8!Rlbo8|uNA=)uI^j7-Q zR@*$$B<)5AN@fzez{VB7e`BgSN~B|WrC(F&86+b|&Qsseb+d9fmedpO{|w2C?<3E@ zU@qvZ+;ZHY2l9Lg`l*sW24VyBAfq3C{L$clU8t{W8R*ga%C529qkf6itTKzuuB~al zuB%FkciP(4NbRm>U}SK7sAeD(#aittYWnH7&B%cGU$~a~FI@k8*d4}BH8%Ptq#igt$qU43W$ce#9OJ6vNGZMk7?6i)RgF9 zw*2>7aNwI50@PnvO@9j=(+1d#8&CCddpPbj+|xIjnsPU<(5Sqfh|PX6bLc~n`ZRg! 
z-P}H}TxjiHT!h!OhqH8mGOdqzstpFZL9A^5bi@7GtF^~~)Le)JG_5qzrNq&^ND9h)$i{UidHYAri-Yf^x3%@ zMdGV^)JE%x2UrdW9DI?bz!mbZD}2Q|g5}NtA;1lME|mV^_ynJL1x<9+Kt5nO zTNm;mDf8EBk=w5TcF^f!pGU+F!ezIZ+!?L~)uwjFiw4rY`}6CV~4*$UTmM3Vf5n`f~JIZPmNqiOBH+^KTnje zsQTp9F*4C<(%=$KK_9}S7XMCMQygwgvz9R`)J0;A)^e={NL$QO#zCG@jZS92wZw~$ zqVJNM-D*1x7cQBLw%gec2Hd(9rnwC~vUyXcT*o#_O*Hx0Tg;X{GEGfoX@-d7PTYek z8NnxE!$q0$WT79O*C6r%(Kgr%xdRR)KwDLUnw>;0$Q`1vWDWbT zx0zb2;FrqQZ=JPh2LLX!V^y&!gvs~)!zbq_Kad@u9zdG4b|8Um5yVWa`=@pa6(P=j zFn?-rF?MiaT?^Mh?QXbm-)ulrq7tsQ$L;Z*iuYT2U`q!Zh4)xd7SZI_!c~zwqX6*~ z4(y5G9P^#;y1pq^Cu!)wSnjpJE;8EnRWw`i@MZ1DW6@x*PTbqmsK69HURv?Dl@DPY zo2P?Umd8+l8#v~!=*!^THf(T>UlP9SAII3J8jEk{7;eDAPzhr(+?*4V+hAJFn(CVL zsl*;QhKgrftpbQs|ETPbw&S-ijKb{dHpI7p0ZohED<0@0Kv@nP0t@W_PCEUM;sFK@ zM)p7Azwv*ep#J}z{GUi7|6}_9I!XPH&-%YnMwI2CVgBa`#D6p7Kj|XyKdb)*@9>UV literal 10291 zcmZ{qRZtz^@1}7$2X~j^?!~2WaCdjN;ts{FxH}Z5xZAZ(VKulvpK;ZtTYwB!n>}sxVEoN?EZEx*r z?O@MrHrqXqGaQ`$r&$GX<3_RuUb+hma^Rln z-%n=yI$D?f)E@v8=9&kE^+Rm#xT$L`u}A9`lobPN=FrRSuj=QBnzH!zg{JLpoquQV z=jSzRzgsLV&r93Y@Os((j0k%#NnJXpGa8$*9*vhghe@4G-K}l!G%6BJ>I}dbxecOt z!%m==Sl&rJdZzX&Sda#7Z9ZOby&t>N1k|YD<#)@-eF=}(fjwmwVzsXw( zMBB6j$<}7cTn8+xQ)Y#KI-1Fuk*yu+22CjRVzvL_qVw}-fl2TV?c5rmDsawYFNJqw zxqJ4YRPupw6z9scwR~m6?Z=x!$8)T;9T?71jHua6Qk9Llwnnndj}w*%mlN;<8vJ9V z?o6$t=v3~{5^2?zFAb%ug60y#yyD=3N+#w3KEw944y~npW|KPo>*#4f*=25Y4|;OP zK=V-GEVi-hs*$U^M&bLBdUDNR>~Q$l^q25PdA$(U0m%)x)z{}KH*(zU+zs5q=@TPE z%&Ls(f=hb4zW)Gpw`NV4XN?mHnJ4s7o?{4!SO1@lp<7MujZ71AQ)rBUg!@Wyd z@5qD7)aor=SAg12vTLTyB>1(h#^B-l@9P{dbG+3;2dS@r^)IucYsU-fIuF#UyBU;K z4K=uCc35`IwUu;+3>>5UOoDSaKyNQ?@F{cHNkgp0iMwjJ5@(!jqm<}=Brgqe5p6M% z@fWb`04&+zX1LCge;p+_vjSh zqaOR?`3?7B;R9vx(bwrSeDGzEu0ybE_WH1W-G8-7zhKcw49pI0?F(4L)$pajl2&BT zQ__-Zk|_@#sOrWVT5a5%oupw+o4M~u113>zHeHck?2;g!`%6Ga4F$mcq)`>46m|@? 
zeOykxG0{+V)S&7=ca?gc_qrF``&MyybiS#%pl0pf!ckh2KfB=5dgV2e*(5zS`HeM6 z!OQ@4OF?78<}%w)N7J(=xaDkz(~R;+G4$M(IOMFyhrRR77r2NDa>mFhMjusXJI-HB z$;p)(tO^Iq?3}3imPpB|AAj?Rbx)vMZtB^IWp&!|Gn-TUw=>sGWxYWOCHEAR_v4C` zqoU0A95WOuJ-<8# z@Mxm3+~cGEwo=ijRGnt{2g{hC<~LgV30VIdK^cCu=C^5vTK)6apdy3lakTKMMZS*xFvr{HLSce{}r6 zYxjlzm*)CV{a2^|;8N!m-d3I6I2YVp{2hX|j>2df;oM^fe6}l7)z9zs2R7yrS>s=y z7Tq=vlUze+QUe#r&5!Hn=jRia7MlJ4uF%RqqWDbNdz)zfa>ee`{hG7+O*08VxsH&N zLgT&>ZiwK_aU>tNs+ezns&b#US!YU<`*55(?W9R6i!+^jj|%HWZGt=71_a|p`q7|2 z^aUWBa<8BJ7kG-AobRQ_eBpQXV+uqK8xPQT^~?_Q^r7skdl_PKA(@Ak<_kyVOJa?S z%(6z$?6UD8)e4ug$>@OgZG~2_B=O*2R1$aJXL{@MO(axqbAbal~!)DZG<(PUN;BaD9P5`@rUA*Yp6 zZwmC}DlmPGgM%SsMkDX?EpLjIa)CVPWkpf+$Mt}xr%@aLK zXNSi^CZww*v$xvlixSNGZlznf?S@ljb(XJ5<}2h)f{sM)#+N1M$Z6R8M`NAP=24Cr z`zE98BS7 z;_IV$^`~v`im1dPJ>hG8MN@H|Lj48~aB)hL2gCbmrAf71t-6;q(lkS(9;{(Je5s*7 zu5!ndw`D~%pIWYPhHN$=EX=jdnZcHv!jpp$elx)JRNHoU-&O9weOeU~t-3cs&XQ~E zd>Uh3RaFtF?l1v$b%l=})L}mJkst3Ed>;f{ZDKhk|L&$R&Of zmCB+Z*qjKr5bIhE;A5e@;JGSY%_ezTBPaV`&`)+rYbzIc0sI ziAW`Z2=`OI@Olo~RzWvW-3D<^40pfG@;FS4xsl+J=3uhH$6g=jzqz`s-ZiWY0DOjV^;=O&Y~nBb6b0dp2yCl zZQT3`aBrQN4>E_WH<_-L6)(BGex8|o)xDrC64vv&;eqT;GeJ(U<_u9EG|1DS`M$CF z2H~CE!J+&4l$^z43^Jm)Dc{yh}H=Cm-rq)0QVre?GW@B>5G!2+i6=zWlO{IR3Ms* zhJ#0orEz;qm0-*EP``nX2P@ufGs?{`ly&tq@bD84K|;FlQuJ&njpq+vgGac(=3F9Z z+=O_OeQF6MSxv$<`rH^cP7X7hCl{C6ogcsK9>QWxFCO>=E4BxNd-J-xx$*WUm9lm& zpuFoWjT;;x2Z_;UE^9ZN-Ov4|Pj@%2F-|US4)B4qp7KSiXG7U`48eyoBiIhZZ>I&&q!uLAA7pOi{QMko`CK zUBH}h63tGbV}s%?s(GZw|IGoLx2!7h{NMf2$`xjNC;U)(`+nbE8-MKg<5r*4m~j41 z1Bd0Ui+!{J)WxT!C~uv`cJ?eK`5v5;nAqv3O{mqt4&>v1GylMk9&=lwZ6PXymu2ttre8W#Chx845XBb+E6@lMxc=ETq_{ta49^fAtGe2n_OrXZg>*dm%}s z_AMV_cYDOc70&h9Azuv&+{eNKsRq;Qx7RI(H`?5(NM|6OS*dg@Y0C!u_GS?Gn8;4m zB1gHr!(L%k_1DhnOcO`94xx$jh=uBWSLdO{Lkxnk5oph1ViqP@8lR<~#$~qpElj)T zsn%c2lO{es^NO@ButPY@o0J$_lqfZjlbIEyO~AAiVE0IcvHiiF%RGwjTyLFCF>o%c zirzJpF)b-(majYkS0-0XCono;%GnDE^TTQZ8bCoAK{TJb1?i(eXruCfF0Pp>J%|s6 z1RyGP!ywsLE|G5D4M`#Sz?n3Xo6ThzH$Y;H$!71F$$G5_@fc&UW7AjfS`TZX2o>f# 
z65qi)KYL0U=4*rWHE?)}ho88o3X=#?Va4aQm(YG(E!>pMpXilYp5#uUUurIo;ho3{ zaYC*xU6WSJ*D=02{h3Bic!4LpL^7c_43*lx8HN zjmpxIfa_BGCppKvu!j)JHdqVSqvpjofK79{f8^v_AuF=5nDo;1SJ5S7v0uiBSHU$d5VgxB4zQlw~fk2lbe z;Zu-tdat=1He`a^72$2o?-v~=B_Ke!&4~_Dof}%MAXUIqWzi4nwZM9yFMBv?l#%S% zRUxo8tB+M&hD}Yy4T8M?M>w-%EMdr>g$x928tAV{>p7a$Zt+h@8ZpJA77v<^vAB09 z*1L}^H{?swK?-v3UsPQi<)E-8aR-{~(J0GHrnmmOa}=z(pe+%TxC<}E{O83^9uQdwY~(?d7KN{ zkXsvAOB=l8v%0@v@W^7M8WS}M$ZSzn?8a9^{n!|tEI3hUBs(gE1-MDZMZDs29{rt) z^;pw&ZbaWySy2$3B9%iHIn%ny>Va7*A;!1~%M3Iu=>6&dJ)XqQ^$l(IRIIyp(y0}R zCxFoM059V1KXCx4q0d;s$x<4Vj;D z#67bWHJ?TSo8J_cT9rcCZIc;cI)wlm)YGf_>`<{9n2?VCXIh5l25jz>2`)e11S5;I zu;E43AhxEEybFrAV>`aV1rqXSmKo{7uG6nP{xDvzzndKn+K6;LmDpLghutP&_rK0#sZgfO&73do*FUU$MpB;J#&omsENifhFp!7rT9pz&v$`3v{T)gC#Ry5wSU> z+NbNi$vjLK%DxG~qAn>N(2$ZP?t0zrU7TZ?5Cu{Qwyt1(eMZC{g}1;hZ-0!;F-RCA zDiZf-LEbgv_fg*DrBDfa2re1P*7j>9@(U)xK5dtM9$ClQnmt*e8CLJe@;dc_mS=l* zC;T|PnDeG@8RH~JD1V#NRJl-`g===Vx?gt$tcw8z2o`>&bRsHz|N0dBH^sCu>hs~+ z{h;Q>uBVEDX4e(4C(hCiD1mVIME}yb2&;8Na)`Z-_yfmhSEbXBt{l6|??f2}52?xz zc4=!uSNf?VDv_K02R=-lXWd?pX9MUdnHnVcnfr#;mtc$knO#mCu6j+ZB`NWBDD~O- z_mjS;ZcVQm;;tg#+3jh@qGgC6pc4z!vit+{gX^pbug?s(m#9KlUA|i4ugl;-C$BjID z$?3Fg-WUpI$~27&TEBZQ&yf2ii9B_N(|@G|mb&3NMfJ=Ng)_wPrNHD+8<3@$2MO0H zMw4S|My%gD@PIvsDJ`oaX1KA0*$OBHhI$H)rZakZWohOU=xxrO!U9D1%TL$Y?7;J{ zs1H7@R@$nGeAyUFX3$5B+a5!;ObuF+OLPQ*NL0o*Z}Z z@ck~oI4N8LMd#HVi=4J;2vEQB`lMHirx~@ts(vM8NrmPrAGNt!w{e7|2<2GW47uvm z+M23ZS#dF#DfAqMpA$`E6Po5nJ_s2vDiWZ!es!HLdZume?9>{WVa?+Gin$y0ljm|* z-wpV`b2po_h_r~cnki8=-XCU#ZOK{dA2n3&>P0B2$L&?>)o^V0-Kqpop>nDoQ7LLx(Y5Lu?s%?^k7n!N=3@+P zup4WzV`=Z=9;sh?{cS1UK{y+m%PDbB21>9oQ0?y$tp^< z3h9>5DTtX#{j;B*VR5n`Bu zU|?)Vz$#d^Sj5-U8V!AUT79UEet)AS$7$-OKO;+!%yb&~6*iq?S>S2Md%@RET;DQ( zrIYjV*mKJ3xxIGg3YXd$F701)f%LOpL4iNMxJ>bxZ71qlro@wO+736o5M5TbFKO+@ zw10x$B?F77?bj(EGrIF9e|vi4)7#rp-ttz9cYBe;#l=o+6aO*aN9RXQZ{D_n=_f@7 z_tCSs`zd#3l62Yn+3q*@_0)AzlZxdF@X{wqb5)M}^f!Ke%Tm*;O4*Y;FQ8tPyglE` zHWp5jy-t7eL!z7y?En*%5Fu+cgvQM7%{L|X(wlt6g7gCDlU3v^7*`)|*`}6WP9Kj1lQ_Z2qtSH*9@lKUq 
zQX-U5`-AjVq}w<{zi}8i^skEacC8B|A4gXEkt)PGCqSxL_rJ5Y6p@nrt_2Ak+SV;E zqDl&GLXfmAKn^?`V;XFr7n8e4r}49tl+iXjOP*oS9kZ{=5EHj=IX$Pjc*gGoPbJn_ zJLHvbzvB;z_KIT-Q$6@R&e?%BcT?RUCt49dmy`;A?;KQetKL z#g#RAfJpOA5&90jC>?@I`vl^aw0W+Pw8dT(i_MQl-OnVvN>Zrg{&`UFq{q&Q%OLY& zFVLz%pgXcD6KNA6ChuM+BX&B?@(*2(K>>P9Yz+DZ6~!7X#Tqxk?1Ja5bX^xiVd0N_ zb3(@D?!ksD#*AO3Mvpng4cu@Yy9X|z+G}ZS)T&=Ykp`Ud96XB^`FnSiH5EIWE36XG zrW`WjS(F~kq8k=Q)k(k!s%lg|6e84)iD!u#`!V1SL8tta5k8h8kN$!N7 zZ^FBvEuI(-r)>*U+J0Aye*(gD`Dx2hzV`aEuLE2jMzWGx3oaNQTE+A4eOLnrz&_rW zt|Z!>x9d_xl$%KpmD;QAX;@&+ly}TsrFO3_e*0mm>`Mzfvr2gHA908)O?K`nSQVdg z>a*?yZl;Sx1x`N&78hsVJRsWL1rUWK@_=JLQ@@B!L5}_3`kBHB!xYmc$Ea_vkEwOi z??G<%fr84t7u;&DEE(UXPwvO&bRogQhF)i0-CO5F8S4>zfhk#f+c6g$M!Po!%kLxK z4bqu?NA&*4fv-W^+{pjR)0*8P9f`;kxh$po=)TdCcL@X~ZEo#QKThT3b_di!icxpb zUq)CSmGvCmhB|EO!;KZhUl9*J%`Ietv(Qz)vW+6n-dgJ^W{ZY>L3|ILo(w31hAXS= zy3qF3Ujc$tAyuzjJc1cQ$+BONlIXb(UYG7AeGB(5lXzk7NiR=9-Ew_8PESoe_}G

l@s+JPxj^)0>s3LBuuqb2+jANZQzn=#x^$S+#nfecS)=xv4-U|nAix%tW`(7*IQ;5w=y zHd*$L9=81&9GBhgzYf%ffZe@@d*-oII#~4<+(W-@@2hMk^Zv+%RJqpU)CnfbkGpp6 z?oRRPFYXVU@x(IAtv;DGp}cHp?rWhgJ9lsaqIGdiq{XGRZySSc9A6HxT6QTzhX0tL zzH^1}3G)L}Kzv{KF|)C>)9S;6+v}0IvtS=0a9eQFz9l?`qvnezrGL!pPR2mpkVV^| zOxXIU%LgCbNY3aqhNTLp%d;u|4f8txtbpkEi?(7>Rinou=n3 zfMt#y7M5g!eZI50vxFiI|&pk z>M->z?yu$n7FrC-HfQ;=`${}ocXWrHeYE_09*r!1H^ceySjn>nH2@$=U()u1yYZ6c6;&gaj)XN+Uu^u4Il9cf#wNWEU zo8+3#7M{*rS^jXOv`L$HT7PnGQ?Bjv)ClU#({{iFV9eq~0NtIUT|$q9cx{pC0C!$=aW1MhUzNI$ zQsFNEX)3#Tj(9qn<7&ihOz{!XS})9MLJjCVBE1$(9G&?=kK%{+Pd~ARhXnKnVld`h z9~CAymqx++DO#B{*lM3?t6PgNB4Lb(<6z08Gq|p`67M^YT7HpGuDmoT$+AW- zC4N83q{9`YBp#~b5bY1dsSObsYG&5y*uydByM<1H25hF=dh4@7|JQv;jSE^_S9C@u zXKpq5#nikrsKkh331V!}s0X*f9KeDHWwMye+YScX*zinO5dd`bn0TCQzn|)x2B*r4 zbP5gPUOq&btPufp^5(Qfytd{jndEn;U(7-aZ`@_}45S8=|2U2oX_i{tcpvoMgvz68jNIs2I4&{sWVMpLCWIKP6w;5Ne>}=I{|^1opS%pI;k8 z|9l(L0)#<6-4+4{>)|qAVN@SuPvXrn%?Hh(3WGrk5ODK&Z${dZlch{#SJt+#=K=wA z5IL|1*jXDd0b&{$WIrK8#pRBY>Fb{pB5{md>1mLJycs`3F!&=52s&W4BUSO9k9FT! z!f$@)b@jvXw*YGJEQ$V3grkH@ZFC1#pLn9}jT9pn{n~<4QPv(a&6X^vo=`wQx~H}S zu^s7S5cp7R*)|wm^NCa9HDp&a--(#HLavF>j8^u%7(cXfL6lNn_gLMy(BoL$seMJ; z&<8@AIN0x}a~(Q|3cW2q<>J?C9+T;L;}Li9$%)OGXe<16{7q!e*0w*eifC4g55*R` z=`{9Y*E1fu@*$#3_eeDMGP(%KNP{aE|2IG{zu(^iT~|g((Uk|v;QK6~7yWJ|4+gbQ z+b+7J(Je6hwX)p;1IjEhQd_pOLC3i{6%>YJ5twLcXUUHLlYFq>Oq>ErUk-vnMIN;_ zW;c33dO=Tpd@cxE`Yh64qIPl$6(PV>7Rv% zUJ23EzCY=gDDU85MR+@5LkcSD;4fKN<)tv>NYtvvoe6l}AN!1|ai1NzMD^PPd$t}3 z05<}HN1hVepE(&<1+3R?U8(mV(%TTskr1aKR*5-Oa(m2=p|%&`*fRj|9=582v-l@q z3u+gHg0l0)3TXZ@l5>JU_d+7#J33#D-205qTGR1ti0poxf zA`KBuoL54P(u{#QJffo66(-ERu&qweJ(b zngLsxzb3HCb)W6Nvz_Au#&9^~o5aV*s*PjUf;ufCOiBxFbQNQ4StW^Vn-kKY>kiPA zI?9B~Vt;RCB++rWFMbrv7Jr6i#uVel810rk%;T(lUp(8Y8~(m@T}(-n`g#sZMZc_a zgzD)@qO|BXZQ`dB(X>|&qY!s?GQOm9vQzHy=gzJL-4lh|(o+uHK=k_|s7c8^hnDHw zBqt-55!WIU)92MQ6=_XM9L-k+>f}zD2#udzRd>JnE6GAaVL|`@(Y*iM_Ww8g|A2b` m_mKaa4)|Xa`u;=x{XeXLk}NFTe|>@akB9u{&7k?O>c0VC01Q3= 
diff --git a/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json b/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json
index 6abb65f9645..876213e5024 100644
--- a/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json
+++ b/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. **AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AI%20Analyst%20Darktrace/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. **AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
 "subscription": {
 "resourceProviders": [
 "Microsoft.OperationsManagement/solutions",
@@ -51,6 +51,31 @@
 }
 ],
 "steps": [
+ {
+ "name": "dataconnectors",
+ "label": "Data Connectors",
+ "bladeTitle": "Data Connectors",
+ "elements": [
+ {
+ "name": "dataconnectors1-text",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "text": "This solution installs the data connector for ingesting AI Analyst Darktrace Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
+ }
+ },
+
+ {
+ "name": "dataconnectors-link2",
+ "type": "Microsoft.Common.TextBlock",
+ "options": {
+ "link": {
+ "label": "Learn more about connecting data sources",
+ "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
+ }
+ }
+ }
+ ]
+ },
 {
 "name": "workbooks",
 "label": "Workbooks",
diff --git a/Solutions/AI Analyst Darktrace/Package/mainTemplate.json b/Solutions/AI Analyst Darktrace/Package/mainTemplate.json
index 2a630be28e2..6b81efbf67a 100644
--- a/Solutions/AI Analyst Darktrace/Package/mainTemplate.json
+++ b/Solutions/AI Analyst Darktrace/Package/mainTemplate.json
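Review bot: The `dataconnectors1-text` block says this solution installs "the data connector" (singular) and never mentions which agent, while the basics description in the same file advertises `**Data Connectors:** 2`, recommends the AMA connector and warns that running MMA and AMA on the same machine duplicates logs and ingestion cost; a user who lands on the Data Connectors step gets none of that guidance. Suggest `"text": "This solution installs two data connectors for ingesting AI Analyst Darktrace events in CEF format into Microsoft Sentinel: one via the Azure Monitor Agent (recommended) and one via the legacy Log Analytics agent. Enable only one of them per log-forwarder machine to avoid duplicate ingestion; configure it from the Manage solution view."`. The link `uri` uses `docs.microsoft.com` whereas the description above uses `learn.microsoft.com`; the old host currently redirects, but `"uri": "https://learn.microsoft.com/azure/sentinel/connect-data-sources"` avoids the hop. The empty `+` line between the two elements is stray whitespace and the element name `dataconnectors-link2` has no `-link1` sibling, so `dataconnectors-link` would read cleaner.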
@@ -38,10 +38,10 @@
 }
 },
 "variables": {
- "solutionId": "darktrace1655286944672.darktrace_mss",
- "_solutionId": "[variables('solutionId')]",
 "_solutionName": "AI Analyst Darktrace",
 "_solutionVersion": "3.0.0",
+ "solutionId": "darktrace1655286944672.darktrace_mss",
+ "_solutionId": "[variables('solutionId')]",
 "workbookVersion1": "1.1.0",
 "workbookContentId1": "DarktraceSummaryWorkbook",
 "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
@@ -49,6 +49,24 @@
 "_workbookContentId1": "[variables('workbookContentId1')]",
 "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
 "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]",
+ "uiConfigId1": "Darktrace",
+ "_uiConfigId1": "[variables('uiConfigId1')]",
+ "dataConnectorContentId1": "Darktrace",
+ "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]",
+ "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
+ "_dataConnectorId1": "[variables('dataConnectorId1')]",
+ "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]",
+ "dataConnectorVersion1": "1.0.0",
+ "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]",
+ "uiConfigId2": "DarktraceAma",
+ "_uiConfigId2": "[variables('uiConfigId2')]",
+ "dataConnectorContentId2": "DarktraceAma",
+ "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]",
+ "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "_dataConnectorId2": "[variables('dataConnectorId2')]",
+ "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]",
+ "dataConnectorVersion2": "1.0.0",
+ "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]",
 "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]"
 },
 "resources": [
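Review bot: Both connector resources are pinned at `"dataConnectorVersion1": "1.0.0"` and `"dataConnectorVersion2": "1.0.0"`, yet the `_dataConnectorcontentProductId` values hash that version together with the content id, so if the legacy `Darktrace` connector definition predates this repackaging and its title or queries changed, leaving its version at 1.0.0 means the product id does not move and the hub may not surface the update; `"dataConnectorVersion1": "1.0.1"` would make the change visible. The new content id `DarktraceAma` also has to agree with the `id` field inside the AMA connector definition that this template embeds, which is not in this hunk, so that is worth confirming before merge. Minor style point: the template-spec names use `uniquestring(` while every other variable in the hunk uses `uniqueString(`; ARM evaluates function names case-insensitively as far as I know, so it works, but one spelling is easier to grep. The enclosing `variables` object starts before this hunk.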
@@ -79,7 +97,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"45805ae8-29d7-4774-a10a-8d60af407bbf\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"overview\",\"style\":\"link\"},{\"id\":\"a4b35478-499a-4fcc-8424-63abbb698bfa\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AI Analyst\",\"subTarget\":\"ai-analyst\",\"style\":\"link\"},{\"id\":\"2eac3f00-5164-4a77-9781-118eb681b729\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Antigena Response\",\"subTarget\":\"agn\",\"style\":\"link\"},{\"id\":\"7a64cd79-3a09-4046-8d6f-ba24fc2bab6c\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloud\",\"subTarget\":\"cloud\",\"style\":\"link\"}]},\"name\":\"tabs\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96e10804-35d4-4d5c-b2d8-1af544471721\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timeframe\",\"type\":4,\"description\":\"Pick the timerange for all queries in the graph \",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Timescale 
\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count = count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" 
null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium 
severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerat
ed\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * 
\\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Critical Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"Model Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"breaches in group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Breached 
Models\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"customWidth\":\"55\",\"name\":\"most breached models\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DestinationHostName) \\r\\n| summarize count(Activity) by DestinationHostName\",\"size\":3,\"title\":\"Top External Hostnames\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"45\",\"name\":\"top external hostnames\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]},\"sortBy\":[]},\"name\":\"Top 10 hitting devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" | where isnotempty(DestinationIP) | where DestinationIP !startswith \\\"10\\\"| where DestinationIP !startswith \\\"192\\\"| where DestinationIP !startswith \\\"172\\\"| summarize event_count=count() by DestinationIP | top 10 by event_count\",\"size\":0,\"title\":\"Top 10 External IPs\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"80\",\"name\":\"top 10 external IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in 
range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"overview\"},\"name\":\"overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count 
= count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| sort by Severity desc\",\"size\":0,\"title\":\"Critical Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">\",\"thresholdValue\":\"0\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"greenRed\"}},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"DarktraceURL\"}]},\"sortBy\":[]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different 
severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"SaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"saas user graph / time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"iaas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"IaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"iaas user graph / time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| summarize event_count=count() by Activity, DeviceName\\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\\r\\n| project DeviceName, Activity, 
event_count\",\"size\":0,\"title\":\"Top 10 Most Breached SaaS Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"DeviceName\",\"label\":\"Device\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"most breached SaaS users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 SaaS Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]},\"sortBy\":[]},\"name\":\"Top 10 hitting SaaS devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor SaaS 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10 saas\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloud\"},\"name\":\"Cloud 
group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"272e8563-290b-4ca9-822b-18ae680cf1e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"tripleDrillDown\",\"type\":1,\"description\":\"toggles drilldown \",\"value\":\"false\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"57ae0969-b409-47e6-85a2-7b3c6895bb60\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupingID\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true},{\"id\":\"d44afad0-d6fa-433d-98a1-504ce53c5215\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupByActivity\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"clicked triple drilldown \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AIAnalystAlerts =\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | sort by TimeGenerated asc;\\r\\nunion (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 0\\r\\n | parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, 
\\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = iff(make_list(d)[0].DeviceName != \\\"\\\", make_list(d)[0].DeviceName, make_list(d)[0].DeviceAddress), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by GroupingID\\r\\n | extend FirstActivity = list[0].Activity\\r\\n | extend SecondActivity = iff(FirstActivity != \\\"\\\" and list[1].Activity != \\\"\\\", strcat(\\\", \\\", list[1].Activity), \\\"\\\")\\r\\n | extend ThirdActivity = iff(FirstActivity != \\\"\\\" and SecondActivity != \\\"\\\" and list[2].Activity != \\\"\\\", strcat(\\\", \\\", list[2].Activity), \\\"\\\")\\r\\n | extend Right = strcat(FirstActivity, SecondActivity, ThirdActivity, iff(ThirdActivity != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = GroupingID\\r\\n), (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 1\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, \\\"ActivityID\\\", DeviceEventClassID, \\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = make_list(d)[0].Activity, Devices = make_list(d), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by DeviceEventClassID\\r\\n | extend FirstDevice = iff(list[0].DeviceName != \\\"\\\", list[0].DeviceName, list[0].DeviceAddress)\\r\\n | extend SecondDeviceName = iff(list[1].DeviceName != \\\"\\\", list[1].DeviceName, list[1].DeviceAddress)\\r\\n | extend SecondDevice = iff(FirstDevice != \\\"\\\" and SecondDeviceName != \\\"\\\", strcat(\\\", \\\", SecondDeviceName), \\\"\\\")\\r\\n | extend ThirdDeviceName = iff(list[2].DeviceName != 
\\\"\\\", list[2].DeviceName, list[2].DeviceAddress)\\r\\n | extend ThirdDevice = iff(FirstDevice != \\\"\\\" and SecondDevice != \\\"\\\" and ThirdDeviceName != \\\"\\\", strcat(\\\", \\\", ThirdDeviceName), \\\"\\\")\\r\\n | extend Right = strcat(FirstDevice, SecondDevice, ThirdDevice, iff(ThirdDevice != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = DeviceEventClassID\\r\\n | extend showGroupByActivity = 1\\r\\n)\\r\\n| sort by TimeGenerated\",\"size\":2,\"title\":\"AI Analyst Incidents\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"exportedParameters\":[{\"fieldName\":\"showGroupByActivity\",\"parameterName\":\"groupByActivity\",\"parameterType\":1},{\"fieldName\":\"showGroupBy\",\"parameterName\":\"groupingID\",\"parameterType\":1},{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"tripleDrillDown\",\"parameterType\":1}],\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"GroupingID\",\"label\":\"Grouping ID \"},{\"columnId\":\"GroupByActivity\",\"label\":\"Group By 
Activity\"}]},\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"\"}]}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Left\",\"formatter\":1},\"rightContent\":{\"columnMatch\":\"Right\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"name\":\"All Incidents\"},{\"type\":1,\"content\":{\"json\":\"_ Click on an incident to see related incidents _\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join 
(\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"GroupingID\",\"formatter\":5},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerate
d\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"3drilldownlate - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = 
split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"35%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"Message\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\"},\"showBorder\":true,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"conditionalVisibilities\":[{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"false\"},{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"3drilldownlate\"}],\"exportParameters\":true},\"conditionalVisibilities\":[{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"tripleDrillDown\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"GROUP BY drilldown \"}],\"exportParameters\":true},\"name\":\"triple drilldown\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"AI Analyst Incidents Over Time\",\"color\":\"lightBlue\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false,\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumFractionDigits\":0,\"maximumFractionDigits\":0}}}}},\"name\":\"incidents in 
group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Frequent Incidents \",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"Top 10 Most Frequent Incidents \"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"ai-analyst\"},\"name\":\"ai- analyst group \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"Antigena\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message_s \\\";\\\" null\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| extend agnActivity = split(Activity, \\\"/\\\")[2]\\r\\n| extend arr = split(Message_s,\\\"/\\\")\\r\\n| extend msgInfo = 
arr[(array_length(arr)-1)]\",\"size\":3,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"agnActivity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\"},\"secondaryContent\":{\"columnMatch\":\"msgInfo\",\"formatter\":1},\"showBorder\":true,\"sortCriteriaField\":\"TimeGenerated\",\"sortOrderField\":2,\"size\":\"full\"}},\"name\":\"top level query \"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"agn\"},\"name\":\"agn group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AI Darktrace v1.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n",
+ "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"45805ae8-29d7-4774-a10a-8d60af407bbf\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"overview\",\"style\":\"link\"},{\"id\":\"a4b35478-499a-4fcc-8424-63abbb698bfa\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AI Analyst\",\"subTarget\":\"ai-analyst\",\"style\":\"link\"},{\"id\":\"2eac3f00-5164-4a77-9781-118eb681b729\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Antigena 
Response\",\"subTarget\":\"agn\",\"style\":\"link\"},{\"id\":\"7a64cd79-3a09-4046-8d6f-ba24fc2bab6c\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloud\",\"subTarget\":\"cloud\",\"style\":\"link\"}]},\"name\":\"tabs\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96e10804-35d4-4d5c-b2d8-1af544471721\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timeframe\",\"type\":4,\"description\":\"Pick the timerange for all queries in the graph \",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Timescale \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, 
\\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count = count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"
model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions 
with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * 
\\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Critical Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"Model Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"breaches in group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Breached 
Models\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"customWidth\":\"55\",\"name\":\"most breached models\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DestinationHostName) \\r\\n| summarize count(Activity) by DestinationHostName\",\"size\":3,\"title\":\"Top External Hostnames\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"45\",\"name\":\"top external hostnames\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" | where isnotempty(DestinationIP) | where DestinationIP !startswith \\\"10\\\"| where DestinationIP !startswith \\\"192\\\"| where DestinationIP !startswith \\\"172\\\"| summarize event_count=count() by DestinationIP | top 10 by event_count\",\"size\":0,\"title\":\"Top 10 External IPs\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"80\",\"name\":\"top 10 external IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in 
range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"overview\"},\"name\":\"overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count 
= count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| sort by Severity desc\",\"size\":0,\"title\":\"Critical Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">\",\"thresholdValue\":\"0\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"greenRed\"}},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different 
severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"SaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"saas user graph / time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"iaas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"IaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"iaas user graph / time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| summarize event_count=count() by Activity, DeviceName\\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\\r\\n| project DeviceName, Activity, 
event_count\",\"size\":0,\"title\":\"Top 10 Most Breached SaaS Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"DeviceName\",\"label\":\"Device\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"most breached SaaS users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 SaaS Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting SaaS devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor SaaS 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10 saas\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloud\"},\"name\":\"Cloud 
group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"272e8563-290b-4ca9-822b-18ae680cf1e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"tripleDrillDown\",\"type\":1,\"description\":\"toggles drilldown \",\"value\":\"false\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"57ae0969-b409-47e6-85a2-7b3c6895bb60\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupingID\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true},{\"id\":\"d44afad0-d6fa-433d-98a1-504ce53c5215\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupByActivity\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"clicked triple drilldown \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AIAnalystAlerts =\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | sort by TimeGenerated asc;\\r\\nunion (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 0\\r\\n | parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, 
\\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = iff(make_list(d)[0].DeviceName != \\\"\\\", make_list(d)[0].DeviceName, make_list(d)[0].DeviceAddress), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by GroupingID\\r\\n | extend FirstActivity = list[0].Activity\\r\\n | extend SecondActivity = iff(FirstActivity != \\\"\\\" and list[1].Activity != \\\"\\\", strcat(\\\", \\\", list[1].Activity), \\\"\\\")\\r\\n | extend ThirdActivity = iff(FirstActivity != \\\"\\\" and SecondActivity != \\\"\\\" and list[2].Activity != \\\"\\\", strcat(\\\", \\\", list[2].Activity), \\\"\\\")\\r\\n | extend Right = strcat(FirstActivity, SecondActivity, ThirdActivity, iff(ThirdActivity != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = GroupingID\\r\\n), (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 1\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, \\\"ActivityID\\\", DeviceEventClassID, \\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = make_list(d)[0].Activity, Devices = make_list(d), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by DeviceEventClassID\\r\\n | extend FirstDevice = iff(list[0].DeviceName != \\\"\\\", list[0].DeviceName, list[0].DeviceAddress)\\r\\n | extend SecondDeviceName = iff(list[1].DeviceName != \\\"\\\", list[1].DeviceName, list[1].DeviceAddress)\\r\\n | extend SecondDevice = iff(FirstDevice != \\\"\\\" and SecondDeviceName != \\\"\\\", strcat(\\\", \\\", SecondDeviceName), \\\"\\\")\\r\\n | extend ThirdDeviceName = iff(list[2].DeviceName != 
\\\"\\\", list[2].DeviceName, list[2].DeviceAddress)\\r\\n | extend ThirdDevice = iff(FirstDevice != \\\"\\\" and SecondDevice != \\\"\\\" and ThirdDeviceName != \\\"\\\", strcat(\\\", \\\", ThirdDeviceName), \\\"\\\")\\r\\n | extend Right = strcat(FirstDevice, SecondDevice, ThirdDevice, iff(ThirdDevice != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = DeviceEventClassID\\r\\n | extend showGroupByActivity = 1\\r\\n)\\r\\n| sort by TimeGenerated\",\"size\":2,\"title\":\"AI Analyst Incidents\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"exportedParameters\":[{\"fieldName\":\"showGroupByActivity\",\"parameterName\":\"groupByActivity\",\"parameterType\":1},{\"fieldName\":\"showGroupBy\",\"parameterName\":\"groupingID\",\"parameterType\":1},{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"tripleDrillDown\",\"parameterType\":1}],\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"GroupingID\",\"label\":\"Grouping ID \"},{\"columnId\":\"GroupByActivity\",\"label\":\"Group By 
Activity\"}]},\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"\"}]}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Left\",\"formatter\":1},\"rightContent\":{\"columnMatch\":\"Right\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"name\":\"All Incidents\"},{\"type\":1,\"content\":{\"json\":\"_ Click on an incident to see related incidents _\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join 
(\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"GroupingID\",\"formatter\":5},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerate
d\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"3drilldownlate - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = 
split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"35%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"Message\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\"},\"showBorder\":true,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"conditionalVisibilities\":[{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"false\"},{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"3drilldownlate\"}],\"exportParameters\":true},\"conditionalVisibilities\":[{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"tripleDrillDown\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"GROUP BY drilldown \"}],\"exportParameters\":true},\"name\":\"triple drilldown\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"AI Analyst Incidents Over Time\",\"color\":\"lightBlue\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false,\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumFractionDigits\":0,\"maximumFractionDigits\":0}}}}},\"name\":\"incidents in 
group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Frequent Incidents \",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"Top 10 Most Frequent Incidents \"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"ai-analyst\"},\"name\":\"ai- analyst group \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"Antigena\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message_s \\\";\\\" null\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| extend agnActivity = split(Activity, \\\"/\\\")[2]\\r\\n| extend arr = split(Message_s,\\\"/\\\")\\r\\n| extend msgInfo = 
arr[(array_length(arr)-1)]\",\"size\":3,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"agnActivity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\"},\"secondaryContent\":{\"columnMatch\":\"msgInfo\",\"formatter\":1},\"showBorder\":true,\"sortCriteriaField\":\"TimeGenerated\",\"sortOrderField\":2,\"size\":\"full\"}},\"name\":\"top level query \"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"agn\"},\"name\":\"agn group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AI Darktrace v1.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -142,6 +160,656 @@ "version": "[variables('workbookVersion1')]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AI Analyst Darktrace data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "[Deprecated] AI Analyst Darktrace via Legacy Agent", + "publisher": "Darktrace", + "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. 
Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Darktrace", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\" " + } + ], + "sampleQueries": [ + { + "description": "first 10 most recent data breaches", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Darktrace)", + "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. 
\n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", + "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. 
Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "AI Analyst Darktrace", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Darktrace" + }, + "support": { + "tier": "Partner", + "name": "Darktrace", + "link": "https://www.darktrace.com/en/contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] AI Analyst Darktrace via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", 
+ "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "AI Analyst Darktrace", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Darktrace" + }, + "support": { + "tier": "Partner", + "name": "Darktrace", + "link": "https://www.darktrace.com/en/contact/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Deprecated] AI Analyst Darktrace via Legacy Agent", + "publisher": "Darktrace", + "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. 
Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Darktrace", + "baseQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\" " + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Darktrace)", + "lastDataReceivedQuery": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize Time = max(TimeGenerated)\n| where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| summarize LastLogReceived = max(TimeGenerated)\n| project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "first 10 most recent data breaches", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ] + }, + "instructionSteps": [ + { + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "innerSteps": [ + { + "title": "1.1 Select or create a Linux machine", + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." + }, + { + "title": "1.2 Install the CEF collector on the Linux machine", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId", + "PrimaryKey" + ], + "label": "Run the following command to install and apply the CEF collector:", + "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}" + }, + "type": "CopyableLabel" + } + ] + } + ], + "title": "1. Linux Syslog agent configuration" + }, + { + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. 
\n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", + "title": "2. Forward Common Event Format (CEF) logs to Syslog agent" + }, + { + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}" + }, + "type": "CopyableLabel" + } + ], + "title": "3. 
Validate connection" + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "4. Secure your machine " + } + ], + "id": "[variables('_uiConfigId1')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "AI Analyst Darktrace data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] AI Analyst Darktrace via AMA", + "publisher": "Darktrace", + "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. 
Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Darktrace", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "first 10 most recent data breaches", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Darktrace)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + + }, + { + "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent", + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes." + + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ] + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "AI Analyst Darktrace", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Darktrace" + }, + "support": { + "tier": "Partner", + "name": "Darktrace", + "link": "https://www.darktrace.com/en/contact/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] AI Analyst Darktrace via AMA", + 
"contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "AI Analyst Darktrace", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Darktrace" + }, + "support": { + "tier": "Partner", + "name": "Darktrace", + "link": "https://www.darktrace.com/en/contact/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Recommended] AI Analyst Darktrace via AMA", + "publisher": "Darktrace", + "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. 
Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Darktrace", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Darktrace)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "first 10 most recent data breaches", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + + }, + { + "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]"
+ }
+ }
+ },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
 "apiVersion": "2023-04-01-preview",
@@ -152,7 +820,7 @@
 "contentSchemaVersion": "3.0.0",
 "displayName": "AI Analyst Darktrace",
 "publisherDisplayName": "Darktrace",
- "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The AI Analyst Darktrace Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.

\n
    \n
  1. AI Analyst Darktrace via AMA - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. AI Analyst Darktrace via Legacy Agent - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The AI Analyst Darktrace Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.

\n
    \n
  1. AI Analyst Darktrace via AMA - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. AI Analyst Darktrace via Legacy Agent - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
 "contentKind": "Solution",
 "contentProductId": "[variables('_solutioncontentProductId')]",
 "id": "[variables('_solutioncontentProductId')]",
@@ -179,6 +847,16 @@
 "kind": "Workbook",
 "contentId": "[variables('_workbookContentId1')]",
 "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ }
+ ]
+ },
diff --git a/Solutions/AI Analyst Darktrace/ReleaseNotes.md b/Solutions/AI Analyst Darktrace/ReleaseNotes.md
new file mode 100644
index 00000000000..4cd8043e487
--- /dev/null
+++ b/Solutions/AI Analyst Darktrace/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 18-09-2023 | Addition of new AI Analyst Darktrace AMA **Data Connector** | |
+
+
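Review bot: The two DataConnector dependency entries added in the `@@ -179,6 +847,16 @@` hunk reference `variables('_dataConnectorContentId1')`, `variables('_dataConnectorContentId2')`, `variables('dataConnectorVersion1')` and `variables('dataConnectorVersion2')`, none of which are declared anywhere in this hunk; an ARM template that references an undeclared variable is rejected at validation time, so confirm the template's `variables` block defines all four and that the two content IDs equal the `contentId` values the corresponding dataConnector resources use. Because the legacy connector is now titled `[Deprecated]` and the descriptionHtml in the preceding hunk itself warns that running MMA and AMA on the same machine duplicates logs and ingestion cost, it is worth deciding explicitly whether the solution should keep a hard dependency on both connectors rather than only the AMA one. If shipping both is intentional, the ReleaseNotes.md added by this patch is the natural place to say so, since the JSON cannot carry a comment. The enclosing `dependencies` array begins before this hunk.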