Darktrace for Microsoft Sentinel

Darktrace plc

Darktrace solution for Microsoft Sentinel

Please note that this solution replaces the “AI Analyst Darktrace” Microsoft Sentinel solution, which will not be supported from 01 Dec 2022. For full installation guidance, please visit the Darktrace Customer Portal.

The new Darktrace solution for Microsoft Sentinel brings unparalleled Self-Learning AI insights from Darktrace into the Microsoft Sentinel SIEM, where they can be analyzed and correlated with data from the Microsoft product suite. Microsoft Sentinel users will find a detailed Darktrace Workbook that graphs a broad set of Darktrace data, including AI Analyst, apps, network and email alerting. Alongside it, Analytic Rule templates are provided to automate Microsoft Sentinel Incident creation from AI Analyst breaches and Alert creation from Darktrace Model Breaches and System Alerts.

Setup is greatly simplified by the Darktrace Data Connector. This outbound REST API connector requires only authentication details and web connectivity between Darktrace and Microsoft Sentinel, allowing users to connect Darktrace data to their SIEM in minutes without relying on complex log-forwarding scenarios.

Changes and improvements

New Data Connector

The Darktrace solution for Microsoft Sentinel moves away from the limited CEF Syslog data and instead pushes all Darktrace information directly into Microsoft Sentinel using the Azure Monitor API over HTTPS. Not only does this greatly simplify initial setup and troubleshooting, it also ensures that more context-rich data is collected in Microsoft Sentinel, minimizing analyst context-switching.

With the added flexibility of consuming JSON data, the following new data categories are now brought to Microsoft Sentinel:

  • Darktrace/Email
  • AI Analyst Incidents
  • Darktrace/Endpoint
  • System Status Alerts

All data ingested from Darktrace is now placed in the custom log table.
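As an added illustration (not Darktrace's connector code), the following Python builds the signed request that a JSON batch takes on its way into a Sentinel custom log table via the Azure Monitor HTTP Data Collector API, the SharedKey-authenticated variant that writes `_CL` tables. That this is the API the connector uses is an assumption, and the workspace ID, key, Log-Type name and record fields are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed placeholder credentials and table name; none of these are real Darktrace values.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SHARED_KEY = base64.b64encode(b"example-workspace-key-not-real").decode()
LOG_TYPE = "Darktrace_Example"  # hypothetical Log-Type; Sentinel stores it as Darktrace_Example_CL

def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """SharedKey Authorization header: HMAC-SHA256 over the fixed string-to-sign, keyed with the decoded workspace key."""
    string_to_sign = f"{method}\n{content_length}\n{content_type}\nx-ms-date:{rfc1123_date}\n{resource}"
    digest = hmac.new(base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {workspace_id}:{base64.b64encode(digest).decode()}"

def build_request(records, workspace_id=WORKSPACE_ID, shared_key=SHARED_KEY,
                  log_type=LOG_TYPE, rfc1123_date=None):
    """Return (url, headers, body) for one JSON batch; nothing is sent, so the caller can inspect or post it."""
    body = json.dumps(records).encode("utf-8")
    if rfc1123_date is None:  # the date is part of the signature, so sign and send it together
        rfc1123_date = datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,               # destination custom log table
        "x-ms-date": rfc1123_date,
        "time-generated-field": "time",    # take TimeGenerated from the record's own timestamp
    }
    url = f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    return url, headers, body

# Constructed sample shaped like a model breach record; the field names are illustrative only.
SAMPLE_RECORDS = [{
    "time": "2022-11-30T12:00:00Z",
    "model": "Compliance::Example",
    "score": 0.62,
    "device": "10.0.0.5",
}]

if __name__ == "__main__":
    url, headers, body = build_request(SAMPLE_RECORDS)
    print(url, headers["Authorization"], body, sep="\n")
    # A live push would be: requests.post(url, headers=headers, data=body), expecting HTTP 200.
```

Because the body length and the `x-ms-date` value are both inside the signed string, a replayed or altered batch fails the workspace's signature check, which is why the connector needs nothing beyond the key and outbound HTTPS.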

Redesigned Workbook

The Darktrace workbook has been redesigned from the ground up, ensuring Microsoft Sentinel analysts can get a comprehensive overview of Darktrace data at a glance:

  • AI Analyst data is now ingested into Microsoft Sentinel. A queue of AI Analyst incidents is displayed with a one-click pivot into the list of AI Analyst Incident Events belonging to the current incident grouping
  • Darktrace/Email data is now ingested, providing a breakdown of actions taken on emails in a specified timeframe as well as a recipient search that quickly locates held emails and evaluates specific users for threats
  • Data from Darktrace DETECT, graphed and organized by the new model breach tags: Compliance, Information, Suspicious, Critical
  • A dedicated tab for Darktrace RESPOND for a quick review of the latest autonomous response actions
  • Darktrace/Endpoint data graphed in a separate tab, giving a quick overview of threats beyond the perimeter
  • A System Status alerts tab ensuring Darktrace users can stay on top of system health

Analytic Rule Templates

The new solution ships with a selection of Analytics Rules templates which automate the creation of Microsoft Sentinel Incidents and Alerts from Darktrace data.

  • AI Analyst Incidents - runs as a Near-Real-Time (NRT) rule and creates a Microsoft Sentinel Incident whose severity is set dynamically from the AI Analyst Incident
  • Model Breaches - runs as a Near-Real-Time (NRT) rule and creates a Microsoft Sentinel Alert whose severity is set dynamically from the Model Breach
  • System Status Alerts - runs as a scheduled rule with a 5-minute frequency and creates Microsoft Sentinel Alerts from Darktrace System Status Alerts

Microsoft Sentinel analysts can choose which rules to activate and can adjust the severities of the resulting events to match their organization's workflow standards.