
I am trying to customize and create workbooks for Darktrace on Sentinel. I am using the data type darktrace_model_alerts_CL. For the AI Analyst event type I am using the following KQL query.

darktrace_model_alerts_CL
| where dtProduct_s == "AI Analyst"
| project-rename
    EventStartTime = breachTime_s,
    DtCurrentGroup = uuid_g,
    ThreatCategory = dtProduct_s,
    ThreatRiskLevel = score_d,
    SrcHostname = hostname_s,
    SrcIpAddr = deviceIP_s,
    DtURL = url_s,
    DtSummary = description_s,
    DtGroupCategory = Category,
    DtSrcDeviceIP = SourceIP,
    DtGroupByActivity = groupByActivity_b,
    DtSummaryFirstSentence = summaryFirstSentence_s,
    DtNewEvent = newEvent_b,
    DtCGLegacy = currentGroup_s,
    DtGroupPreviousGroups = groupPreviousGroups_s,
    DtTime = time_s,
    DtSeverity = Severity,
    DtLongitude = longitude_d,
    DtLatitude = latitude_d
| extend EventVendor = "Darktrace", EventProduct = "Darktrace DETECT", DtSentinelCategory = DtGroupCategory
| extend DtSentinelCategory = case(DtGroupCategory == "compliance", "Low",
                                   DtGroupCategory == "suspicious", "Medium",
                                   "High") // compliance -> Low, suspicious -> Medium, critical -> High

Yet I get errors related to the Darktrace column names, such as

project-rename: Failed to resolve column reference 'startTime_s'.

How can I find out the correct Darktrace column names so I can replace them in the query?

Thank you

MKH_Cerbebrus
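The following KQL is an added example, not part of the original post or of any answer, showing one way to discover the column names a custom log table actually carries before writing a project-rename list. It assumes only the table name given in the question, darktrace_model_alerts_CL, and the dtProduct_s column used in the posted query; the 7-day window is an arbitrary choice.

```kql
// Added example (not the poster's or Darktrace's own query).
// 1. List every column in the table with its type. Custom log columns get a type
//    suffix when ingested (_s string, _d double, _b bool, _g guid, _t datetime),
//    so a field that arrives as "startTime" may be stored as startTime_s or
//    startTime_t depending on how the connector parsed it; getschema shows which.
darktrace_model_alerts_CL
| where TimeGenerated > ago(7d)   // assumed window; narrows the scan
| getschema
| project ColumnName, ColumnType

// 2. Confirm the exact product label values before filtering on them,
//    since a mismatch here silently returns zero rows rather than an error.
darktrace_model_alerts_CL
| where TimeGenerated > ago(7d)
| summarize Events = count() by dtProduct_s

// 3. Inspect a handful of AI Analyst rows to see which columns are populated
//    for that event type; only these need to appear in the project-rename.
darktrace_model_alerts_CL
| where TimeGenerated > ago(7d)
| where dtProduct_s == "AI Analyst"
| take 5
```

Run the three statements separately in the Logs blade. Columns that appear in getschema but are empty in step 3 are typically populated only for other dtProduct_s values, so renaming them in an AI Analyst workbook adds nothing; columns the query references that are absent from getschema are the ones producing the "Failed to resolve column reference" error.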

0 Answers