cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

No Analytics Rule for Dark Trace??

FahadAhmed
Contributor

‎Nov 06 2021 11:25 PM

‎Nov 06 2021 11:25 PM

No Analytics Rule for Dark Trace??

Hello, 

 

We have a client having Dark Trace installed within their environment and we have Data Connector enabled. however I dont see any Analytics rule associated with Dark Trace. Is it to any worth to integrate Dark Trace with Azure Sentinel?? 

 

Since to-date I have never seen any alert being generated, while if I go to the Dark Trace workbook it shows some malicious activities?? Just want to understand the value of the integration?? Are the events from workbook considered malicious, if yes then why no Analytics rule in place to trigger incidents??

 

Thanks 

Fahad.

1,001 Views
0 Likes
6 Replies
Reply
6 Replies
Gary Bushey

‎Nov 07 2021 12:10 PM - edited ‎Nov 07 2021 12:11 PM

‎Nov 07 2021 12:10 PM - edited ‎Nov 07 2021 12:11 PM

Re: No Analytics Rule for Dark Trace??

@FahadAhmed You will see that a lot of the data connectors, especially those written by third parties, do not have any associate analytic rules.  It is up to the 3rd party as to what to provide with their data connector.   Hopefully, with the advent of the Content Hub, this will happen less and less as the analytic rules can be combined with the data connectors.

 

Based on the description of the Darktrace workbook, I would say the malicious activities shown are indeed items that need to be investigated.  I would also suggest looking at the KQL in the workbook and seeing if you can use that to make your Analytics rules to create the alerts.

 

 

1 Like
Reply
Clive_Watson

‎Nov 08 2021 01:48 AM

‎Nov 08 2021 01:48 AM

Re: No Analytics Rule for Dark Trace??

....and if you do create some Rules (or anything really) if you are happy sharing with the community, please see https://github.com/Azure/Azure-Sentinel#contributing
0 Likes
Reply
Magnus Tengmo

‎Nov 08 2022 12:38 AM

‎Nov 08 2022 12:38 AM

Re: No Analytics Rule for Dark Trace??

@Clive_Watson 

 

Have someone been able to create some analytics rules for Darktrace?

0 Likes
Reply
ClaudiaBothe

‎Nov 14 2022 02:48 AM

‎Nov 14 2022 02:48 AM

Re: No Analytics Rule for Dark Trace??

Double that! I'd also start by investigating the queries in the workbook and create own analytics rules first. Also would hope for more rules with the deployment via content hub, but it seems there are some now.
0 Likes
Reply
-jmn-

‎Nov 14 2022 09:04 AM

‎Nov 14 2022 09:04 AM

Re: No Analytics Rule for Dark Trace??

A word of warning, if it is for a client, the DarkTrace logs are desperate lacking in verbosity. It just sends alerts. 95% of the time you will need access to the DarkTrace console to actually find out the affected entities. For example, I get alerts about High DGA/Low TTL DNS requests. The logs neither give me the DNS name or the IP address of the activity which caused the alert. You have to go into DarkTrace to see the domain, and then back into Sentinel to query DNS logs.

CommonSecurityLog
| where DeviceVendor == "Darktrace"

Use the above as an incident rule to create a new alert per result returned. Then set the incident setting to create a new incident per alert (you could do some alert grouping or certain entities).
0 Likes
Reply