Forum Discussion
FahadAhmed
Nov 07, 2021 | Brass Contributor
No Analytics Rule for Dark Trace??
Hello, we have a client with Dark Trace installed within their environment, and we have the Data Connector enabled. However, I don't see any Analytics rule associated with Dark Trace. Is it to any wo...
-jmn-
Nov 14, 2022 | Copper Contributor
A word of warning: if it is for a client, the DarkTrace logs are desperately lacking in verbosity. It just sends alerts. 95% of the time you will need access to the DarkTrace console to actually find out the affected entities. For example, I get alerts about High DGA/Low TTL DNS requests. The logs give me neither the DNS name nor the IP address of the activity which caused the alert. You have to go into DarkTrace to see the domain, and then back into Sentinel to query DNS logs.
CommonSecurityLog
| where DeviceVendor == "Darktrace"
Use the above as an incident rule to create a new alert per result returned. Then set the incident setting to create a new incident per alert (you could do some alert grouping or certain entities).
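One way to turn the query above into a scheduled analytics rule that raises one alert per returned row, written here as an added example in the Sentinel analytics-rule YAML template format (this is not a rule shipped by Darktrace or Microsoft, and not code from the reply above). The GUID is a placeholder, the column names are standard CommonSecurityLog columns, and it is an assumption which of them Darktrace actually populates; given the lack of verbosity described in the reply, expect some entity fields to arrive empty, so the entity mappings are best-effort. The "new incident per alert" behaviour the reply mentions is set on the rule's Incident settings tab in the portal, not in this template.

```yaml
# Added example: Sentinel scheduled analytics rule template for Darktrace CEF events.
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, replace before deploying
name: Darktrace event (one alert per event)
description: |
  Surfaces every Darktrace event forwarded via CEF into CommonSecurityLog as its own alert.
  Darktrace events carry little detail, so the mapped entities may be empty; the Darktrace
  console remains the place to look up the affected device or domain.
severity: Medium
kind: Scheduled
requiredDataConnectors:
  - connectorId: Darktrace        # assumed connector id; check the connector's own template
    dataTypes:
      - CommonSecurityLog
queryFrequency: 5m
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
tactics: []
query: |
  CommonSecurityLog
  | where DeviceVendor == "Darktrace"
  // Standard CommonSecurityLog columns; Darktrace may leave several of them blank (assumption).
  | project TimeGenerated, DeviceProduct, DeviceEventClassID, Activity, LogSeverity,
            SourceIP, SourceHostName, DestinationIP, DestinationHostName,
            Message, AdditionalExtensions
# Best-effort entity mapping so analysts get a clickable host/IP when the log carries one.
entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: SourceHostName
# Put the Darktrace activity and message in the alert title/description so the
# alert list is readable without opening each one.
alertDetailsOverride:
  alertDisplayNameFormat: "Darktrace: {{Activity}}"
  alertDescriptionFormat: "{{Message}}"
# One alert per result row, matching the reply's recommendation.
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.0
```

Because every row becomes its own alert, keep queryFrequency and queryPeriod equal (5m/5m here) so a single Darktrace event is not picked up by two overlapping runs and alerted twice.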