diff --git a/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json b/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json
index 8c53bb5d532..e69eeacbe87 100644
--- a/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json
+++ b/Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json
@@ -1,8 +1,8 @@
 {
 "id": "Darktrace",
- "title": "AI Analyst Darktrace",
+ "title": "[Deprecated] AI Analyst Darktrace via Legacy Agent",
 "publisher": "Darktrace",
- "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
+ "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
 "graphQueries": [
 {
 "metricName": "Total data received",
@@ -61,15 +61,15 @@ "instructionSteps": [ { "title": "1. Linux Syslog agent configuration", - "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", + "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace", "innerSteps": [ { "title": "1.1 Select or create a Linux machine", - "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds." + "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds." }, { "title": "1.2 Install the CEF collector on the Linux machine", - "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.", + "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. 
You must have elevated permissions (sudo) on your machine.", "instructions": [ { "parameters": { 
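Review bot: The new `description` of step 1.2 still tells the operator to run `python -version`, which the interpreter parses as a cluster of single-letter flags rather than a version request and fails on, so the very first pre-flight check in the instructions cannot succeed as written; it should read `python --version` (or `python -V`). The same command is repeated in Step C of the new template_AIA-DarktraceAMA.json file further down this diff, so fix both. The instruction-step object continues past the end of this hunk.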
@@ -88,7 +88,7 @@ }, { "title": "2. Forward Common Event Format (CEF) logs to Syslog agent", - "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes." + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. 
\n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes." }, { "title": "3. Validate connection", diff --git a/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json b/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json new file mode 100644 index 00000000000..e1df9e91d92 --- /dev/null +++ b/Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json 
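Review bot: Item 2) of the new step-2 `description` ends with a doubled escape, `Workflow Integrations.\\n 3)`, which JSON decodes to a literal backslash followed by `n`, so the portal shows those two characters instead of the line break every other item gets from `\n\n`; change it to `Workflow Integrations.\n\n 3)`. Step B of the new template_AIA-DarktraceAMA.json in this diff copies the same sequence and needs the same one-character fix. The instruction-steps array continues outside this hunk.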
@@ -0,0 +1,117 @@ +{ + "id": "DarktraceAma", + "title": "[Recommended] AI Analyst Darktrace via AMA", + "publisher": "Darktrace", + "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "Darktrace", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "first 10 most recent data breaches", + "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (Darktrace)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": 
true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": "", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. 
Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [ + ] + }, + { + "title": "Step B. Forward Common Event Format (CEF) logs to Syslog agent", + "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.", + "instructions": [ + ] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + + }, + + + { + "title": "2. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ] +} diff --git a/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json b/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json index 21eba0cc887..8357eedf98c 100644 --- a/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json +++ b/Solutions/AI Analyst Darktrace/Data/Solution_AIAnalystDarktrace.json 
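Review bot: The Step C `CopyableLabel` value has the operator run `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef`, which downloads from the mutable `master` branch and executes the result as root with no integrity check, so whatever that path serves at that moment runs with full privilege on the log collector. Pin the URL to an immutable commit (replace `master` with a specific commit SHA, placeholder `<commit-sha>`) and, if the solution can publish one, state the expected checksum next to the command, or at minimum tell the reader to inspect the script before running it. Separately, the `Microsoft.OperationalInsights/workspaces/sharedKeys` entry under `resourceProvider` (with its link to the workspace-key docs) reads as carried over from the legacy-agent connector; the DCR-based AMA path that the `customs` entries describe does not appear to need workspace keys, so confirm whether this requirement can be dropped to keep the permission set minimal. Minor: the step title `"2. Secure your machine "` carries a trailing space and the outer step has an empty `"title": ""`.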
@@ -2,15 +2,16 @@ "Name": "AI Analyst Darktrace", "Author": "Darktrace", "Logo": "", - "Description": "The [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \n1.[Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format) \n For more details about this solution refer to https://www.darktrace.com/en/microsoft/sentinel/", + "Description": "The [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. **AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. 
**AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Workbooks": [ "Solutions/AI Analyst Darktrace/Workbooks/AIA-Darktrace.json" ], "Data Connectors": [ - "Solutions/AI Analyst Darktrace/DataConnectors/AIA-Darktrace.json" + "Solutions/AI Analyst Darktrace/Data Connectors/AIA-Darktrace.json", + "Solutions/AI Analyst Darktrace/Data Connectors/template_AIA-DarktraceAMA.json" ], - "BasePath": "C:\\Sentinel-Repos\\Azure-Sentinel", - "Version": "2.0.1", + "BasePath": "C:\\Github\\Azure-Sentinel\\Solutions", + "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json b/Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json new file mode 100644 index 00000000000..dbd4b15b9e8 --- /dev/null +++ b/Solutions/AI Analyst Darktrace/Data/system_generated_metadata.json 
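Review bot: The new `BasePath` value `C:\\Github\\Azure-Sentinel\\Solutions` is a contributor-specific local path, and it disagrees with the `C:\\Sentinel-Repos\\Azure-Sentinel` BasePath in the new system_generated_metadata.json added in this same diff; the two should at least agree. Note also that this new value ends in `\\Solutions` while the `Data Connectors` entries begin with `Solutions/`, so if the packaging tool joins the two the segment would be doubled — confirm against the tool before merging. The `Description` also contains `\n\r\n` before each numbered item, a stray carriage return that the markdown renderer may show as whitespace; `\n\n` matches the rest of the text.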
@@ -0,0 +1,29 @@ +{ + "Name": "AI Analyst Darktrace", + "Author": "Darktrace", + "Logo": "", + "Description": "The [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. **AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. 
Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "BasePath": "C:\\Sentinel-Repos\\Azure-Sentinel", + "Version": "3.0.0", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "darktrace1655286944672", + "offerId": "darktrace_mss", + "providers": [ + "Darktrace" + ], + "categories": { + "domains": [ + "Security - Threat Protection" + ] + }, + "firstPublishDate": "2022-05-02", + "support": { + "tier": "Partner", + "name": "Darktrace", + "link": "https://www.darktrace.com/en/contact/" + }, + "Data Connectors": "[\n \"Solutions/AI Analyst Darktrace/DataConnectors/AIA-Darktrace.json\",\n \"Solutions/AI Analyst Darktrace/DataConnectors/template_AIA-DarktraceAMA.json\"\n]", + "Workbooks": "[\n \"AIA-Darktrace.json\"\n]" +} diff --git a/Solutions/AI Analyst Darktrace/Package/3.0.0.zip b/Solutions/AI Analyst Darktrace/Package/3.0.0.zip new file mode 100644 index 00000000000..3f4a8d2b89d Binary files /dev/null and b/Solutions/AI Analyst Darktrace/Package/3.0.0.zip differ diff --git a/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json b/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json index 7b3bd196efa..876213e5024 100644 --- a/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json +++ b/Solutions/AI Analyst Darktrace/Package/createUiDefinition.json 
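Review bot: Both `Data Connectors` entries in this new file point at `Solutions/AI Analyst Darktrace/DataConnectors/...`, a directory without the space, whereas the file headers in this diff and the corrected entry in Solution_AIAnalystDarktrace.json use `Data Connectors`; anything resolving these paths from this file will miss both connectors. The `Data Connectors` and `Workbooks` values are also JSON arrays serialized into strings (double-encoded), and `Workbooks` holds the bare filename `AIA-Darktrace.json` where the solution file holds a full path — the filename suggests a generator emitted this, so if these strings are only consumed by that generator the shape may be intentional, but the path typo is not.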
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats. \n\n**Underlying Microsoft Technologies used:**\n\n This solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\n1. [Agent-based log collection (CEF over Syslog)](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\nFor more details about this solution refer to https://www.darktrace.com/en/microsoft/sentinel/\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/AI%20Analyst%20Darktrace/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [AI Analyst Darktrace](https://www.darktrace.com/en/cyber-ai-analyst/) Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, 
Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.\n\r\n1. **AI Analyst Darktrace via AMA** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **AI Analyst Darktrace via Legacy Agent** - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Data Connectors:** 2, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", 
@@ -60,9 +60,10 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for ingesting AI Analyst Darktrace Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This solution installs the data connector for ingesting AI Analyst Darktrace Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } }, + { "name": "dataconnectors-link2", "type": "Microsoft.Common.TextBlock", @@ -88,7 +89,7 @@ "name": "workbooks-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs workbook to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." } }, { @@ -100,6 +101,20 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "AI Analyst Darktrace Model Breach Summary", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "A workbook containing relevant KQL queries to help you visualise the data in model breaches from the Darktrace Connector" + } + } + ] } ] } diff --git a/Solutions/AI Analyst Darktrace/Package/mainTemplate.json b/Solutions/AI Analyst Darktrace/Package/mainTemplate.json index 5b99632ce22..6b81efbf67a 100644 --- a/Solutions/AI Analyst Darktrace/Package/mainTemplate.json +++ b/Solutions/AI Analyst Darktrace/Package/mainTemplate.json 
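Review bot: In the `@@ -60,9 +60,10 @@` hunk the removed and added `dataconnectors1-text` lines read identically, so the change is presumably whitespace-only noise, and the text it keeps still says "installs the data connector ... enable this data connector" in the singular although the basics description in the first hunk now advertises `**Data Connectors:** 2`. Suggested wording: `"text": "This solution installs the data connectors for ingesting AI Analyst Darktrace Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable these data connectors by following guidance in Manage solution view."`. The first hunk's description also mixes `\r \n` with `\n\n` for its bullet list; `\n\n` alone is what the rest of the text uses.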
@@ -38,52 +38,48 @@ } }, "variables": { + "_solutionName": "AI Analyst Darktrace", + "_solutionVersion": "3.0.0", "solutionId": "darktrace1655286944672.darktrace_mss", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.1.0", "workbookContentId1": "DarktraceSummaryWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "uiConfigId1": "Darktrace", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "Darktrace", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", - "dataConnectorVersion1": "1.0.0" + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": 
"[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "DarktraceAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "DarktraceAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "AI Analyst Darktrace Workbook with template", - "displayName": "AI Analyst Darktrace workbook template" - } - }, - { - "type": 
"Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AIA-DarktraceWorkbook Workbook with template version 2.0.1", + "description": "AIA-DarktraceWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", 
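Review bot: The `workspaceResourceId` variable is kept although the only references to it visible in this hunk — the `hidden-sentinelWorkspaceId` tags on the two removed templateSpecs resources — are deleted; if nothing outside the hunk still reads it, drop the variable so the template does not carry dead definitions. The new `dependsOn` entry resolves `Microsoft.SecurityInsights/contentPackages` for `variables('_solutionId')`, which requires a contentPackages resource for that id elsewhere in this template; it is not in view here, so confirm it is declared (and for the workbook and both data connectors alike). The contentTemplates resource definition continues past the end of this hunk.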
@@ -101,7 +97,7 @@ }, "properties": { "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"45805ae8-29d7-4774-a10a-8d60af407bbf\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"overview\",\"style\":\"link\"},{\"id\":\"a4b35478-499a-4fcc-8424-63abbb698bfa\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AI Analyst\",\"subTarget\":\"ai-analyst\",\"style\":\"link\"},{\"id\":\"2eac3f00-5164-4a77-9781-118eb681b729\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Antigena Response\",\"subTarget\":\"agn\",\"style\":\"link\"},{\"id\":\"7a64cd79-3a09-4046-8d6f-ba24fc2bab6c\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloud\",\"subTarget\":\"cloud\",\"style\":\"link\"}]},\"name\":\"tabs\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96e10804-35d4-4d5c-b2d8-1af544471721\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timeframe\",\"type\":4,\"description\":\"Pick the timerange for all queries in the graph \",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Timescale 
\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count = count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse 
AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| 
where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnI
d\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Critical Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"Model Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"breaches in group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Breached 
Models\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"customWidth\":\"55\",\"name\":\"most breached models\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DestinationHostName) \\r\\n| summarize count(Activity) by DestinationHostName\",\"size\":3,\"title\":\"Top External Hostnames\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"45\",\"name\":\"top external hostnames\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" | where isnotempty(DestinationIP) | where DestinationIP !startswith \\\"10\\\"| where DestinationIP !startswith \\\"192\\\"| where DestinationIP !startswith \\\"172\\\"| summarize event_count=count() by DestinationIP | top 10 by event_count\",\"size\":0,\"title\":\"Top 10 External IPs\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"80\",\"name\":\"top 10 external IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in 
range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"overview\"},\"name\":\"overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count 
= count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse 
AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse 
AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| sort by Severity desc\",\"size\":0,\"title\":\"Critical Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">\",\"thresholdValue\":\"0\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"greenRed\"}},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different 
severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"SaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"saas user graph / time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"iaas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"IaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"iaas user graph / time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| summarize event_count=count() by Activity, DeviceName\\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\\r\\n| project DeviceName, Activity, 
event_count\",\"size\":0,\"title\":\"Top 10 Most Breached SaaS Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"DeviceName\",\"label\":\"Device\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"most breached SaaS users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 SaaS Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting SaaS devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor SaaS 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10 saas\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloud\"},\"name\":\"Cloud 
group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"272e8563-290b-4ca9-822b-18ae680cf1e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"tripleDrillDown\",\"type\":1,\"description\":\"toggles drilldown \",\"value\":\"false\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"57ae0969-b409-47e6-85a2-7b3c6895bb60\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupingID\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true},{\"id\":\"d44afad0-d6fa-433d-98a1-504ce53c5215\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupByActivity\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"clicked triple drilldown \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AIAnalystAlerts =\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | sort by TimeGenerated asc;\\r\\nunion (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 0\\r\\n | parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, 
\\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = iff(make_list(d)[0].DeviceName != \\\"\\\", make_list(d)[0].DeviceName, make_list(d)[0].DeviceAddress), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by GroupingID\\r\\n | extend FirstActivity = list[0].Activity\\r\\n | extend SecondActivity = iff(FirstActivity != \\\"\\\" and list[1].Activity != \\\"\\\", strcat(\\\", \\\", list[1].Activity), \\\"\\\")\\r\\n | extend ThirdActivity = iff(FirstActivity != \\\"\\\" and SecondActivity != \\\"\\\" and list[2].Activity != \\\"\\\", strcat(\\\", \\\", list[2].Activity), \\\"\\\")\\r\\n | extend Right = strcat(FirstActivity, SecondActivity, ThirdActivity, iff(ThirdActivity != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = GroupingID\\r\\n), (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 1\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, \\\"ActivityID\\\", DeviceEventClassID, \\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = make_list(d)[0].Activity, Devices = make_list(d), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by DeviceEventClassID\\r\\n | extend FirstDevice = iff(list[0].DeviceName != \\\"\\\", list[0].DeviceName, list[0].DeviceAddress)\\r\\n | extend SecondDeviceName = iff(list[1].DeviceName != \\\"\\\", list[1].DeviceName, list[1].DeviceAddress)\\r\\n | extend SecondDevice = iff(FirstDevice != \\\"\\\" and SecondDeviceName != \\\"\\\", strcat(\\\", \\\", SecondDeviceName), \\\"\\\")\\r\\n | extend ThirdDeviceName = iff(list[2].DeviceName != 
\\\"\\\", list[2].DeviceName, list[2].DeviceAddress)\\r\\n | extend ThirdDevice = iff(FirstDevice != \\\"\\\" and SecondDevice != \\\"\\\" and ThirdDeviceName != \\\"\\\", strcat(\\\", \\\", ThirdDeviceName), \\\"\\\")\\r\\n | extend Right = strcat(FirstDevice, SecondDevice, ThirdDevice, iff(ThirdDevice != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = DeviceEventClassID\\r\\n | extend showGroupByActivity = 1\\r\\n)\\r\\n| sort by TimeGenerated\",\"size\":2,\"title\":\"AI Analyst Incidents\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"exportedParameters\":[{\"fieldName\":\"showGroupByActivity\",\"parameterName\":\"groupByActivity\",\"parameterType\":1},{\"fieldName\":\"showGroupBy\",\"parameterName\":\"groupingID\",\"parameterType\":1},{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"tripleDrillDown\",\"parameterType\":1}],\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"GroupingID\",\"label\":\"Grouping ID \"},{\"columnId\":\"GroupByActivity\",\"label\":\"Group By 
Activity\"}]},\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"\"}]}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Left\",\"formatter\":1},\"rightContent\":{\"columnMatch\":\"Right\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"name\":\"All Incidents\"},{\"type\":1,\"content\":{\"json\":\"_ Click on an incident to see related incidents _\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where 
DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"GroupingID\",\"formatter\":5},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":
\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"3drilldownlate - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend 
Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"35%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"Message\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\"},\"showBorder\":true,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"conditionalVisibilities\":[{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"false\"},{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"3drilldownlate\"}],\"exportParameters\":true},\"conditionalVisibilities\":[{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"tripleDrillDown\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"GROUP BY drilldown \"}],\"exportParameters\":true},\"name\":\"triple drilldown\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"AI Analyst Incidents Over Time\",\"color\":\"lightBlue\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false,\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumFractionDigits\":0,\"maximumFractionDigits\":0}}}}},\"name\":\"incidents in 
group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Frequent Incidents \",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"Top 10 Most Frequent Incidents \"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"ai-analyst\"},\"name\":\"ai- analyst group \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"Antigena\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message_s \\\";\\\" null\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| extend agnActivity = split(Activity, \\\"/\\\")[2]\\r\\n| extend arr = split(Message_s,\\\"/\\\")\\r\\n| extend msgInfo = 
arr[(array_length(arr)-1)]\",\"size\":3,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"agnActivity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\"},\"secondaryContent\":{\"columnMatch\":\"msgInfo\",\"formatter\":1},\"showBorder\":true,\"sortCriteriaField\":\"TimeGenerated\",\"sortOrderField\":2,\"size\":\"full\"}},\"name\":\"top level query \"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"agn\"},\"name\":\"agn group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AI Darktrace v1.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"45805ae8-29d7-4774-a10a-8d60af407bbf\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Overview\",\"subTarget\":\"overview\",\"style\":\"link\"},{\"id\":\"a4b35478-499a-4fcc-8424-63abbb698bfa\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"AI Analyst\",\"subTarget\":\"ai-analyst\",\"style\":\"link\"},{\"id\":\"2eac3f00-5164-4a77-9781-118eb681b729\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Antigena 
Response\",\"subTarget\":\"agn\",\"style\":\"link\"},{\"id\":\"7a64cd79-3a09-4046-8d6f-ba24fc2bab6c\",\"cellValue\":\"tab\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Cloud\",\"subTarget\":\"cloud\",\"style\":\"link\"}]},\"name\":\"tabs\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"96e10804-35d4-4d5c-b2d8-1af544471721\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Timeframe\",\"type\":4,\"description\":\"Pick the timerange for all queries in the graph \",\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"doNotRunWhenHidden\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Timescale \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, 
\\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count = count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"
model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions 
with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * 
\\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Critical Severity Model Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"red\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"Model Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"breaches in group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Breached 
Models\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"customWidth\":\"55\",\"name\":\"most breached models\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"\\r\\nCommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DestinationHostName) \\r\\n| summarize count(Activity) by DestinationHostName\",\"size\":3,\"title\":\"Top External Hostnames\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"45\",\"name\":\"top external hostnames\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity !contains (\\\"saas\\\")\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" | where isnotempty(DestinationIP) | where DestinationIP !startswith \\\"10\\\"| where DestinationIP !startswith \\\"192\\\"| where DestinationIP !startswith \\\"172\\\"| summarize event_count=count() by DestinationIP | top 10 by event_count\",\"size\":0,\"title\":\"Top 10 External IPs\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"barchart\"},\"customWidth\":\"80\",\"name\":\"top 10 external IPs\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in 
range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"overview\"},\"name\":\"overview\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"610136a1-b7cf-4eb3-9ef6-51a2d22e1621\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"_severity\",\"type\":1,\"description\":\"parameter to drill down on clicked severity tile\",\"value\":\"hidden\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000},\"label\":\"severity\"}],\"style\":\"above\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"datatable (Count: long, status: string, status_count: long) [0, \\\"Low\\\", 1, 0, \\\"Medium\\\", 2, 0, \\\"High\\\", 3, 0, \\\"Critical\\\", 4]\\r\\n| union\\r\\n (\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | where status != \\\"True\\\"\\r\\n | extend status_count = case(status == \\\"Critical\\\", 4, status == \\\"High\\\", 3, status == \\\"Medium\\\", 2, 1)\\r\\n | summarize Count 
= count() by status, status_count\\r\\n )\\r\\n| summarize Count=sum(Count) by status, status_count\\r\\n| sort by status_count asc\",\"size\":3,\"title\":\"Model Breaches By Severity\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"exportFieldName\":\"status\",\"exportParameterName\":\"_severity\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"green\",\"text\":\"{0}{1}\"}]}},\"leftContent\":{\"columnMatch\":\"Count\",\"formatter\":1,\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":false,\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"showBorder\":true,\"size\":\"auto\"}},\"name\":\"model breaches by severity\"},{\"type\":1,\"content\":{\"json\":\"_Click on the tiles to view more details (maximum 100 entries displayed)_\",\"style\":\"info\"},\"name\":\"text - 3\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//low severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) < 3\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Low Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Low\"},\"name\":\"Low severity model breaches\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//medium severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"Enterprise Immune System\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=3 and toint(LogSeverity) < 5\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"Medium Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"orange\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"OtherExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"50%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Medium\"},\"name\":\"Medium severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//high severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >=5 and toint(LogSeverity) < 7\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL 
\\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, LogSeverity, DarktraceURL\\r\\n| sort by TimeGenerated desc\",\"size\":0,\"title\":\"High Severity Model Breaches\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"High\"},\"name\":\"High severity model breaches \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//critical severity\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where toint(LogSeverity) >6\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"long=\\\" Longitude \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"lat=\\\" Latitude \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| limit 100\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| sort by Severity desc\",\"size\":0,\"title\":\"Critical Severity Model 
Breaches\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">\",\"thresholdValue\":\"0\",\"representation\":\"red\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"greenRed\"}},{\"columnMatch\":\"DarktraceUrl\",\"formatter\":5,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"AdditionalExtensions\",\"formatter\":5,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"DarktraceURL\"}]}},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isEqualTo\",\"value\":\"Critical\"},\"name\":\"Critical severity model breaches\"}]},\"conditionalVisibility\":{\"parameterName\":\"_severity\",\"comparison\":\"isNotEqualTo\",\"value\":\"hidden\"},\"name\":\"Drill down group for different 
severities\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"SaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"saas user graph / time \",\"styleSettings\":{\"showBorder\":true}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"iaas\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"IaaS User Breaches Over Time \",\"color\":\"orange\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"customWidth\":\"50\",\"name\":\"iaas user graph / time\",\"styleSettings\":{\"showBorder\":true}},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| summarize event_count=count() by Activity, DeviceName\\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\\r\\n| project DeviceName, Activity, 
event_count\",\"size\":0,\"title\":\"Top 10 Most Breached SaaS Users\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Activity\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"60ch\"}},{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"DeviceName\",\"label\":\"Device\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"most breached SaaS users\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName !contains(\\\"#\\\")\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend Severity = toint(LogSeverity)\\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, Severity, DarktraceURL\\r\\n| top 10 by toint(Severity) desc \",\"size\":0,\"title\":\"Top 10 SaaS Devices By 
Severity\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Severity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"Severity\"}]}},\"name\":\"Top 10 hitting SaaS devices\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"saas\\\"\\r\\n| where isnotempty(DeviceName) \\r\\n| where DeviceName contains '#'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| top 10 by toint(LogSeverity) desc \\r\\n| project TimeGenerated, Activity, DeviceName, DeviceAddress, toint(LogSeverity), DarktraceURL\",\"size\":0,\"title\":\"Top 10 C-Sensor SaaS 
activities\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"40%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":1,\"max\":10,\"palette\":\"yellowOrangeRed\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"}]}},\"name\":\"c-sensor top 10 saas\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog | where DeviceVendor == \\\"Darktrace\\\" \\r\\n| where Activity contains \\\"Compliance\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":0,\"title\":\"Compliance Breaches Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":604800000},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false}},\"name\":\"compliance breaches over time\"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"cloud\"},\"name\":\"Cloud 
group\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"272e8563-290b-4ca9-822b-18ae680cf1e1\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"tripleDrillDown\",\"type\":1,\"description\":\"toggles drilldown \",\"value\":\"false\",\"isHiddenWhenLocked\":true,\"timeContext\":{\"durationMs\":86400000}},{\"id\":\"57ae0969-b409-47e6-85a2-7b3c6895bb60\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupingID\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true},{\"id\":\"d44afad0-d6fa-433d-98a1-504ce53c5215\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"groupByActivity\",\"type\":1,\"value\":\"false\",\"isHiddenWhenLocked\":true}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"clicked triple drilldown \"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let AIAnalystAlerts =\\r\\n CommonSecurityLog\\r\\n | where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n | extend status = case( \\r\\n toint(LogSeverity) > 6, \\\"Critical\\\",\\r\\n toint(LogSeverity) < 3, \\\"Low\\\",\\r\\n toint(LogSeverity) >= 5 and toint(LogSeverity)<= 6, \\\"High\\\",\\r\\n toint(LogSeverity) < 5 and toint(LogSeverity) >= 3, \\\"Medium\\\", \\r\\n \\\"True\\\"\\r\\n )\\r\\n | sort by TimeGenerated asc;\\r\\nunion (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 0\\r\\n | parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, 
\\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = iff(make_list(d)[0].DeviceName != \\\"\\\", make_list(d)[0].DeviceName, make_list(d)[0].DeviceAddress), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by GroupingID\\r\\n | extend FirstActivity = list[0].Activity\\r\\n | extend SecondActivity = iff(FirstActivity != \\\"\\\" and list[1].Activity != \\\"\\\", strcat(\\\", \\\", list[1].Activity), \\\"\\\")\\r\\n | extend ThirdActivity = iff(FirstActivity != \\\"\\\" and SecondActivity != \\\"\\\" and list[2].Activity != \\\"\\\", strcat(\\\", \\\", list[2].Activity), \\\"\\\")\\r\\n | extend Right = strcat(FirstActivity, SecondActivity, ThirdActivity, iff(ThirdActivity != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = GroupingID\\r\\n), (\\r\\n AIAnalystAlerts\\r\\n | parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n | where GroupByActivity == 1\\r\\n | extend d = pack(\\\"Activity\\\", Activity, \\\"TimeGenerated\\\", TimeGenerated, \\\"status\\\", status, \\\"DeviceName\\\", DeviceName, \\\"DeviceAddress\\\", DeviceAddress, \\\"ActivityID\\\", DeviceEventClassID, \\\"GroupByActivity\\\", GroupByActivity)\\r\\n | summarize status = make_list(d)[0].status, Left = make_list(d)[0].Activity, Devices = make_list(d), TimeGenerated = todatetime(make_list(d)[0].TimeGenerated), list = make_list(d), GroupByActivity = make_list(d)[0].GroupByActivity by DeviceEventClassID\\r\\n | extend FirstDevice = iff(list[0].DeviceName != \\\"\\\", list[0].DeviceName, list[0].DeviceAddress)\\r\\n | extend SecondDeviceName = iff(list[1].DeviceName != \\\"\\\", list[1].DeviceName, list[1].DeviceAddress)\\r\\n | extend SecondDevice = iff(FirstDevice != \\\"\\\" and SecondDeviceName != \\\"\\\", strcat(\\\", \\\", SecondDeviceName), \\\"\\\")\\r\\n | extend ThirdDeviceName = iff(list[2].DeviceName != 
\\\"\\\", list[2].DeviceName, list[2].DeviceAddress)\\r\\n | extend ThirdDevice = iff(FirstDevice != \\\"\\\" and SecondDevice != \\\"\\\" and ThirdDeviceName != \\\"\\\", strcat(\\\", \\\", ThirdDeviceName), \\\"\\\")\\r\\n | extend Right = strcat(FirstDevice, SecondDevice, ThirdDevice, iff(ThirdDevice != \\\"\\\", \\\"...\\\", \\\"\\\"))\\r\\n | extend showGroupBy = DeviceEventClassID\\r\\n | extend showGroupByActivity = 1\\r\\n)\\r\\n| sort by TimeGenerated\",\"size\":2,\"title\":\"AI Analyst Incidents\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"exportedParameters\":[{\"fieldName\":\"showGroupByActivity\",\"parameterName\":\"groupByActivity\",\"parameterType\":1},{\"fieldName\":\"showGroupBy\",\"parameterName\":\"groupingID\",\"parameterType\":1},{\"fieldName\":\"TimeGenerated\",\"parameterName\":\"tripleDrillDown\",\"parameterType\":1}],\"exportToExcelOptions\":\"all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"url\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}}],\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"labelSettings\":[{\"columnId\":\"GroupingID\",\"label\":\"Grouping ID \"},{\"columnId\":\"GroupByActivity\",\"label\":\"Group By 
Activity\"}]},\"sortBy\":[{\"itemKey\":\"DeviceEventClassID\",\"sortOrder\":1}],\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"status\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Low\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Medium\",\"representation\":\"lightBlue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"High\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"==\",\"thresholdValue\":\"Critical\",\"representation\":\"blue\",\"text\":\"\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"blue\",\"text\":\"\"}]}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Left\",\"formatter\":1},\"rightContent\":{\"columnMatch\":\"Right\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"name\":\"All Incidents\"},{\"type\":1,\"content\":{\"json\":\"_ Click on an incident to see related incidents _\",\"style\":\"info\"},\"name\":\"text - 5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"expandable\":true,\"expanded\":true,\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join 
(\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where DeviceEventClassID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"30%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5},{\"columnMatch\":\"GroupingID\",\"formatter\":5},{\"columnMatch\":\"DeviceEventClassID\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerate
d\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device Address\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\",\"formatter\":1},\"showBorder\":true,\"size\":\"full\"}},\"conditionalVisibility\":{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"1\"},\"name\":\"3drilldownlate - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"(CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend id = split(tostring(DarktraceURL), '#aiincident/')[1]\\r\\n| extend d = pack_array(id)\\r\\n| extend p = pack(\\\"GroupingID\\\", GroupingID)\\r\\n| summarize packed = make_list(d), GroupingID = make_list(p)[0].GroupingID\\r\\n| extend ids = strcat_array(packed, ',')\\r\\n| project GroupingID = tostring(GroupingID), ids)\\r\\n| join (\\r\\nCommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupingId=\\\" GroupingID \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message \\\";\\\" null\\r\\n| where GroupingID == '{groupingID}'\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| extend url = 
split(tostring(DarktraceURL), '#aiincident/')[0]\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, GroupingID = tostring(GroupingID), url = tostring(url)\\r\\n) on GroupingID\\r\\n| project TimeGenerated, Activity, Device, Message, LogSeverity, DarktraceURL = strcat(url, '#aiincident/', ids)\",\"size\":0,\"title\":\"Related Incidents\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"TimeGenerated\",\"formatter\":6,\"formatOptions\":{\"customColumnWidthSetting\":\"17.5%\"}},{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\",\"customColumnWidthSetting\":\"20%\"}},{\"columnMatch\":\"DeviceName\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"DeviceAddress\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"10%\"}},{\"columnMatch\":\"Message\",\"formatter\":1,\"formatOptions\":{\"customColumnWidthSetting\":\"35%\"}},{\"columnMatch\":\"LogSeverity\",\"formatter\":8,\"formatOptions\":{\"min\":0,\"max\":10,\"palette\":\"blue\"}},{\"columnMatch\":\"DarktraceURL\",\"formatter\":5}],\"labelSettings\":[{\"columnId\":\"TimeGenerated\",\"label\":\"Time\"},{\"columnId\":\"Activity\"},{\"columnId\":\"DeviceName\",\"label\":\"Device Name\"},{\"columnId\":\"DeviceAddress\",\"label\":\"Device 
Address\"},{\"columnId\":\"Message\"},{\"columnId\":\"LogSeverity\",\"label\":\"Severity\"},{\"columnId\":\"DarktraceURL\"}]},\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Activity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\",\"formatter\":1},\"secondaryContent\":{\"columnMatch\":\"Message\"},\"showBorder\":true,\"size\":\"full\"},\"mapSettings\":{\"locInfo\":\"LatLong\"}},\"conditionalVisibilities\":[{\"parameterName\":\"groupByActivity\",\"comparison\":\"isEqualTo\",\"value\":\"false\"},{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"3drilldownlate\"}],\"exportParameters\":true},\"conditionalVisibilities\":[{\"parameterName\":\"groupingID\",\"comparison\":\"isNotEqualTo\"},{\"parameterName\":\"tripleDrillDown\",\"comparison\":\"isNotEqualTo\",\"value\":\"false\"}],\"name\":\"GROUP BY drilldown \"}],\"exportParameters\":true},\"name\":\"triple drilldown\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| make-series count() default=0 on TimeGenerated in range({Timeframe:start}, now(), {Timeframe:grain})\",\"size\":3,\"title\":\"AI Analyst Incidents Over Time\",\"color\":\"lightBlue\",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"timeBrushParameterName\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"areachart\",\"chartSettings\":{\"showMetrics\":false,\"ySettings\":{\"numberFormatSettings\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"useGrouping\":true,\"minimumFractionDigits\":0,\"maximumFractionDigits\":0}}}}},\"name\":\"incidents in 
group\"},{\"type\":1,\"content\":{\"json\":\"_ Selecting a timeframe on the graph will change the timeframe for all queries in this tab _\",\"style\":\"info\"},\"name\":\"text - 6\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog \\r\\n| where DeviceVendor == \\\"Darktrace\\\" and DeviceProduct == \\\"AI Analyst\\\"\\r\\n| summarize event_count=count() by Activity \\r\\n| where Activity!=\\\"System/System\\\" \\r\\n| top 10 by event_count\",\"size\":0,\"title\":\"Top 10 Most Frequent Incidents \",\"timeContext\":{\"durationMs\":604800000,\"endTime\":\"2021-02-11T09:00:00Z\"},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"event_count\",\"formatter\":3,\"formatOptions\":{\"palette\":\"blue\"}}],\"labelSettings\":[{\"columnId\":\"Activity\"},{\"columnId\":\"event_count\",\"label\":\"Count\"}]}},\"name\":\"Top 10 Most Frequent Incidents \"}],\"exportParameters\":true},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"ai-analyst\"},\"name\":\"ai- analyst group \"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CommonSecurityLog\\r\\n| where DeviceVendor == \\\"Darktrace\\\" and Activity contains \\\"Antigena\\\"\\r\\n| parse AdditionalExtensions with * \\\"groupByActivity=\\\" GroupByActivity \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"darktraceUrl=\\\" DarktraceURL \\\";\\\" null\\r\\n| parse AdditionalExtensions with * \\\"message=\\\" Message_s \\\";\\\" null\\r\\n| extend Device = iff(DeviceName != \\\"\\\", DeviceName, DeviceAddress)\\r\\n| extend agnActivity = split(Activity, \\\"/\\\")[2]\\r\\n| extend arr = split(Message_s,\\\"/\\\")\\r\\n| extend msgInfo = 
arr[(array_length(arr)-1)]\",\"size\":3,\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"Timeframe\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"agnActivity\",\"formatter\":1,\"formatOptions\":{\"linkColumn\":\"DarktraceURL\",\"linkTarget\":\"Url\"}},\"subtitleContent\":{\"columnMatch\":\"TimeGenerated\",\"formatter\":6},\"leftContent\":{\"columnMatch\":\"Device\"},\"secondaryContent\":{\"columnMatch\":\"msgInfo\",\"formatter\":1},\"showBorder\":true,\"sortCriteriaField\":\"TimeGenerated\",\"sortOrderField\":2,\"size\":\"full\"}},\"name\":\"top level query \"}]},\"conditionalVisibility\":{\"parameterName\":\"tab\",\"comparison\":\"isEqualTo\",\"value\":\"agn\"},\"name\":\"agn group\",\"styleSettings\":{\"showBorder\":true}}],\"fromTemplateId\":\"sentinel-AI Darktrace v1.0\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -129,41 +125,51 @@
 "tier": "Partner",
 "name": "Darktrace",
 "link": "https://www.darktrace.com/en/contact/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "CommonSecurityLog",
+ "kind": "DataType"
+ },
+ {
+ "contentId": "Darktrace",
+ "kind": "DataConnector"
+ },
+ {
+ "contentId": "DarktraceAma",
+ "kind": "DataConnector"
+ }
+ ]
 }
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId1')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook1-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId1')]",
+ "id": "[variables('_workbookcontentProductId1')]",
+ "version": "[variables('workbookVersion1')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
 "name": "[variables('dataConnectorTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "AI Analyst Darktrace data connector with template",
- "displayName": "AI Analyst Darktrace template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "AI Analyst Darktrace data connector with template version 2.0.1",
+ "description": "AI Analyst Darktrace data connector with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('dataConnectorVersion1')]",
@@ -179,9 +185,9 @@
 "properties": {
 "connectorUiConfig": {
 "id": "[variables('_uiConfigId1')]",
- "title": "AI Analyst Darktrace",
+ "title": "[Deprecated] AI Analyst Darktrace via Legacy Agent",
 "publisher": "Darktrace",
- "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
+ "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
 "graphQueries": [
 {
 "metricName": "Total data received",
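Review bot: The workbook's new `dependencies` block at the top of this hunk uses `"operator": "AND"` over `CommonSecurityLog`, the legacy `Darktrace` connector and `DarktraceAma`, so read literally the connector this same commit retitles `[Deprecated]` becomes a required dependency of the workbook, even though the workbook queries only need `CommonSecurityLog` rows with `DeviceVendor == "Darktrace"`, whichever agent delivered them. If the content-hub dependency rules allow it, the two connectors belong under a nested `{ "operator": "OR", "criteria": [ … ] }` inside the AND so that either connector satisfies the workbook; if the packaging tool always emits a flat AND and treats it as informational, this is fine as generated. I am inferring the semantics of `operator` from the shape alone, so confirm against the packaging convention before changing it.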
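Review bot: The `+ "descriptionMarkdown"` line of this hunk only swaps the product name, so the text still presents this as a live real-time integration while the `+ "title"` line two lines above marks it `[Deprecated] … via Legacy Agent`; nothing tells the user why, or which connector to use instead. The instruction steps that follow install the Microsoft Monitoring Agent (the legacy Log Analytics agent, which is slated for retirement), and the solution now also carries a `DarktraceAma` connector, so a deprecation notice naming the replacement belongs at the front of the description, e.g. `**Deprecated:** this connector relies on the legacy Log Analytics agent; use the AMA-based Darktrace connector (DarktraceAma) instead. ` followed by the existing text. The same string is repeated in the GenericUI copy of `connectorUiConfig` later in this template; keep the two identical.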
@@ -239,15 +245,15 @@
 },
 "instructionSteps": [
 {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
 "innerSteps": [
 {
 "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
 },
 {
 "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
 "instructions": [
 {
 "parameters": {
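Review bot: The `+` description for step 1.2 has the forwarder listen for CEF on `514 TCP` but says nothing about who may send to it: syslog/CEF here is unauthenticated and in the clear, so any host that can reach the collector on 514/TCP can inject fabricated `DeviceVendor=Darktrace` events into `CommonSecurityLog`, and since the bundled workbook turns the parsed `darktraceUrl=` extension into clickable links, a spoofed event is also a phishing vector for analysts. I would add a third prerequisite bullet: `> 3. Restrict inbound 514/TCP on this machine to the Darktrace appliance's address (host firewall or NSG) and use a TLS listener if your syslog daemon and appliance support it.` The Python check on the same line is also wrong as written — `python -version` is not a valid flag; it should read `python --version`. This step text is duplicated in the second connectorUiConfig copy further down the template, so correct both.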
@@ -266,7 +272,7 @@
 "title": "1. Linux Syslog agent configuration"
 },
 {
- "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.",
+ "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.",
 "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
 },
 {
@@ -295,7 +301,7 @@
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "properties": {
 "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
@@ -318,12 +324,23 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Deprecated] AI Analyst Darktrace via Legacy Agent",
+ "contentProductId": "[variables('_dataConnectorcontentProductId1')]",
+ "id": "[variables('_dataConnectorcontentProductId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
 }
 },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
 "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
 "dependsOn": [
 "[variables('_dataConnectorId1')]"
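Review bot: Item 2 of the `+` description in this hunk ends with `Workflow Integrations.\\n 3)`, a doubled backslash that every other item avoids by using `\n\n`; in JSON `\\n` is a literal backslash followed by `n`, so the rendered step shows `\n 3)` inline instead of starting item 3 on a new line. Change it to `Workflow Integrations.\n\n 3)`. Item 4 tells the operator to make sure 514 is "allowed by any intermediary firewalls" without saying which direction; appending `(only the Darktrace appliance needs to reach the log forwarder on 514/TCP)` keeps that rule from being opened to the whole network.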
@@ -357,9 +374,9 @@
 "kind": "GenericUI",
 "properties": {
 "connectorUiConfig": {
- "title": "AI Analyst Darktrace",
+ "title": "[Deprecated] AI Analyst Darktrace via Legacy Agent",
 "publisher": "Darktrace",
- "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Azure Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Azure Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
+ "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
 "graphQueries": [
 {
 "metricName": "Total data received",
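Review bot: This is the GenericUI resource's copy of `connectorUiConfig` (presumably the text rendered in the connector gallery), and its `+ "descriptionMarkdown"` line still reads as a current integration while the `+ "title"` line marks it `[Deprecated] … via Legacy Agent`, with no hint of what replaced it. Prefix the description with a short notice that names the successor, for example `**Deprecated:** this connector depends on the legacy Log Analytics agent; use the AMA-based Darktrace connector (DarktraceAma) instead. `, and apply the identical string to the mainTemplate copy of this config so the two do not drift.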
@@ -417,15 +434,15 @@
 },
 "instructionSteps": [
 {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Azure Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
+ "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
 "innerSteps": [
 {
 "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Azure Sentinel will use as the proxy between your security solution and Azure Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
 },
 {
 "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Azure Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
+ "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
 "instructions": [
 {
 "parameters": {
@@ -444,7 +461,7 @@
 "title": "1. Linux Syslog agent configuration"
 },
 {
- "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Azure Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Azure Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.",
+ "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. 
\n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes.",
 "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
 },
 {
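Review bot: The new Step 2 description keeps `Workflow Integrations.\\n 3)`, which JSON decodes to a literal backslash followed by n rather than a line break, so on the rendered connector page step 3 runs straight on from step 2 with a stray `\n` in the text, while every other step in the string is separated with `\n\n`. Change it to `Workflow Integrations.\n\n 3)`. The same string, escape included, is copied into both Step B descriptions of the new AMA connector in the following hunk, so it needs the same fix there.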
@@ -472,14 +489,342 @@
 }
 }
 },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('dataConnectorTemplateSpecName2')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "AI Analyst Darktrace data connector with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('dataConnectorVersion2')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
+ "properties": {
+ "connectorUiConfig": {
+ "id": "[variables('_uiConfigId2')]",
+ "title": "[Recommended] AI Analyst Darktrace via AMA",
+ "publisher": "Darktrace",
+ "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. 
Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Darktrace",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "first 10 most recent data breaches",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (Darktrace)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ]
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "AI Analyst Darktrace",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Darktrace"
+ },
+ "support": {
+ "tier": "Partner",
+ "name": "Darktrace",
+ "link": "https://www.darktrace.com/en/contact/"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "contentKind": "DataConnector",
+ "displayName": "[Recommended] AI Analyst Darktrace via AMA",
+ 
"contentProductId": "[variables('_dataConnectorcontentProductId2')]",
+ "id": "[variables('_dataConnectorcontentProductId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ }
+ },
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]",
+ "dependsOn": [
+ "[variables('_dataConnectorId2')]"
+ ],
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "kind": "DataConnector",
+ "version": "[variables('dataConnectorVersion2')]",
+ "source": {
+ "kind": "Solution",
+ "name": "AI Analyst Darktrace",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Darktrace"
+ },
+ "support": {
+ "tier": "Partner",
+ "name": "Darktrace",
+ "link": "https://www.darktrace.com/en/contact/"
+ }
+ }
+ },
+ {
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]",
+ "apiVersion": "2021-03-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
 "location": "[parameters('workspace-location')]",
+ "kind": "GenericUI",
 "properties": {
- "version": "2.0.1",
+ "connectorUiConfig": {
+ "title": "[Recommended] AI Analyst Darktrace via AMA",
+ "publisher": "Darktrace",
+ "descriptionMarkdown": "The Darktrace connector lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. 
Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.",
+ "graphQueries": [
+ {
+ "metricName": "Total data received",
+ "legend": "Darktrace",
+ "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
+ }
+ ],
+ "dataTypes": [
+ {
+ "name": "CommonSecurityLog (Darktrace)",
+ "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
+ }
+ ],
+ "connectivityCriterias": [
+ {
+ "type": "IsConnectedQuery",
+ "value": [
+ "CommonSecurityLog\n |where DeviceVendor =~ 'Darktrace'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
+ ]
+ }
+ ],
+ "sampleQueries": [
+ {
+ "description": "first 10 most recent data breaches",
+ "query": "CommonSecurityLog\n| where DeviceVendor == \"Darktrace\"\n| order by TimeGenerated desc \n| limit 10"
+ }
+ ],
+ "availability": {
+ "status": 1,
+ "isPreview": false
+ },
+ "permissions": {
+ "resourceProvider": [
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces",
+ "permissionsDisplayText": "read and write permissions are required.",
+ "providerDisplayName": "Workspace",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "read": true,
+ "write": true,
+ "delete": true
+ }
+ },
+ {
+ "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
+ "permissionsDisplayText": "read permissions to shared keys for the workspace are required. 
[See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
+ "providerDisplayName": "Keys",
+ "scope": "Workspace",
+ "requiredPermissions": {
+ "action": true
+ }
+ }
+ ],
+ "customs": [
+ {
+ "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
+ },
+ {
+ "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
+ }
+ ]
+ },
+ "instructionSteps": [
+ {
+ "instructions": [
+ {
+ "parameters": {
+ "title": "1. Kindly follow the steps to configure the data connector",
+ "instructionSteps": [
+ {
+ "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
+ "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine"
+
+ },
+ {
+ "title": "Step B. 
Forward Common Event Format (CEF) logs to Syslog agent",
+ "description": "Configure Darktrace to forward Syslog messages in CEF format to your Azure workspace via the Syslog agent. \n\n 1) Within the Darktrace Threat Visualizer, navigate to the System Config page in the main menu under Admin. \n\n 2) From the left-hand menu, select Modules and choose Microsoft Sentinel from the available Workflow Integrations.\\n 3) A configuration window will open. Locate Microsoft Sentinel Syslog CEF and click New to reveal the configuration settings, unless already exposed. \n\n 4) In the Server configuration field, enter the location of the log forwarder and optionally modify the communication port. Ensure that the port selected is set to 514 and is allowed by any intermediary firewalls. \n\n 5) Configure any alert thresholds, time offsets or additional settings as required. \n\n 6) Review any additional configuration options you may wish to enable that alter the Syslog syntax.\n\n 7) Enable Send Alerts and save your changes."
+
+ },
+ {
+ "title": "Step C. Validate connection",
+ "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. 
You must have elevated permissions (sudo) on your machine",
+ "instructions": [
+ {
+ "parameters": {
+ "label": "Run the following command to validate your connectivity:",
+ "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
+ },
+ "type": "CopyableLabel"
+ }
+ ]
+ }
+ ]
+ },
+ "type": "InstructionStepsGroup"
+ }
+ ]
+ },
+ {
+ "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
+ "title": "2. Secure your machine "
+ }
+ ],
+ "id": "[variables('_uiConfigId2')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
 "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "AI Analyst Darktrace",
+ "publisherDisplayName": "Darktrace",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The AI Analyst Darktrace Solution for Microsoft Sentinel lets users connect Darktrace Model Breaches in real-time with Microsoft Sentinel, allowing creation of custom Dashboards, Workbooks, Notebooks and Custom Alerts to improve investigation. Microsoft Sentinel's enhanced visibility into Darktrace logs enables monitoring and mitigation of security threats.

\n
    \n
  1. AI Analyst Darktrace via AMA - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
  2. \n
  3. AI Analyst Darktrace via Legacy Agent - This data connector helps in ingesting AI Analyst Darktrace logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
  4. \n
\n

NOTE: Microsoft recommends installation of AI Analyst Darktrace via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
 "contentId": "[variables('_solutionId')]",
 "parentId": "[variables('_solutionId')]",
 "source": {
@@ -507,6 +852,11 @@
 "kind": "DataConnector",
 "contentId": "[variables('_dataConnectorContentId1')]",
 "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
 }
 ]
 },
diff --git a/Solutions/AI Analyst Darktrace/ReleaseNotes.md b/Solutions/AI Analyst Darktrace/ReleaseNotes.md
new file mode 100644
index 00000000000..4cd8043e487
--- /dev/null
+++ b/Solutions/AI Analyst Darktrace/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 18-09-2023 | Addition of new AI Analyst Darktrace AMA **Data Connector** | |
+
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index 64ad99fb31b..936fe4a3736
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -1902,7 +1902,8 @@
 "CommonSecurityLog"
 ],
 "dataConnectorsDependencies": [
- "Darktrace"
+ "Darktrace",
+ "DarktraceAma"
 ],
 "previewImagesFileNames": [
 "AIA-DarktraceSummaryWhite.png",
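Review bot: The Step C validation command `sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef` downloads from the mutable `master` branch and executes the result as root with no integrity check, so whatever that path serves at run time runs with full privilege on every collector host; the command appears in both copies of the new AMA connector (the `contentTemplates` mainTemplate and the top-level `dataConnectors` resource). Pin the URL to an immutable revision, `https://raw.githubusercontent.com/Azure/Azure-Sentinel/<pinned-commit-sha>/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py`, or add a checksum comparison between the `wget` and the `python` step, and say in the `label` that the script should be reviewed before it is run. Separately, the Workspace provider entry declares `"delete": true` under `requiredPermissions` while its `permissionsDisplayText` says only "read and write permissions are required", and the `sharedKeys` entry with `"action": true` looks carried over from the legacy agent connector; AMA ingests through a DCR rather than workspace keys, so confirm whether that requirement still applies and make the declared permissions match the text. The `descriptionHtml` value is shown on this page with its markup stripped, so its content was not reviewed.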