What Changed
Darktrace solution v3.0.0 to v3.1.0: two CCF Analytic Rules and their backing DCR/custom table schemas updated.
Analytic Rules
DarktraceIncidentEvent (v1.0.0 to v1.1.0)
- Account entity mapping added: accountName (string) now sourced from DarktraceIncidents_CL and mapped to entityType Account with identifier FullName. This enables Sentinel to correlate Darktrace AI Analyst incidents with user account entities for SaaS and identity-layer investigations.
- modelBreaches custom detail added: A new modelBreaches (dynamic) column is included in the DCR schema for DarktraceIncidents_CL and exposed as a custom detail in alerts. This surfaces the full list of associated Darktrace model breach events within a single Sentinel incident; previously this list was absent and required a separate review in the Darktrace portal.
DarktraceModelAlert (v1.0.0 to v1.1.0)
- Account entity mapping added: accountName (string) added to DarktraceModelAlerts_CL schema and mapped to entityType Account with identifier FullName in the Analytic Rule.
Data Fidelity
Before this change, DarktraceIncidents_CL rows contained no modelBreaches field, so queries referencing this column returned null for all rows. The accountName field was likewise absent from both tables, so Account entity mapping was not possible. Detections ran correctly, but incidents lacked identity correlation and model-breach enrichment context.
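A post-upgrade verification query, added here as an example and not part of the Darktrace solution or this PR. It assumes only the table and column names stated above (DarktraceIncidents_CL, accountName, modelBreaches); the inner structure of each modelBreaches element is not described on this page, so the query counts elements without inspecting them. Rows ingested before the DCR update will still show null for both columns, so the time window should start at the upgrade.

```kql
// Added example (not the solution's own content): check that the new
// columns are actually populated after the v3.1.0 DCR/schema update.
// Assumption: table DarktraceIncidents_CL with columns accountName (string)
// and modelBreaches (dynamic array), as described in the release notes.
let lookback = 7d;   // adjust so the window begins after the upgrade
DarktraceIncidents_CL
| where TimeGenerated > ago(lookback)
| summarize
    Rows             = count(),
    WithAccountName  = countif(isnotempty(accountName)),
    WithModelBreaches = countif(array_length(modelBreaches) > 0),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated)
| extend
    AccountNamePct   = round(100.0 * WithAccountName / Rows, 1),
    ModelBreachesPct = round(100.0 * WithModelBreaches / Rows, 1)
```

A low AccountNamePct indicates incidents that will carry no Account entity regardless of how the Analytic Rule maps the column; a low ModelBreachesPct indicates the custom detail will be empty for most alerts. To see the enrichment per incident rather than as a percentage, replace the summarize with `| where array_length(modelBreaches) > 0 | mv-expand breach = modelBreaches | summarize BreachCount = count() by accountName`, which groups the expanded model breach entries by the mapped account.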
Reviewer Note
Per Copilot review: identifier FullName is not a supported Sentinel Account entity identifier. The correct identifiers are Name (and optionally UPNSuffix, or AadUserId/Sid). With FullName, the Account entity mapping will be silently ignored – no Account entities will appear on incidents. Confirm with the Darktrace team whether a corrective follow-up PR is needed.
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/DarktraceIncidents_CL.json
.script/tests/KqlvalidationsTests/CustomTables/DarktraceModelAlerts_CL.json
Solutions/Darktrace/Analytic Rules/DarktraceIncidentEvent.yaml
Solutions/Darktrace/Analytic Rules/DarktraceModelAlert.yaml
Solutions/Darktrace/Data Connectors/ccf/DarktraceIncidents_CL.json
Solutions/Darktrace/Data Connectors/ccf/DarktraceModelAlerts_CL.json
Solutions/Darktrace/Data Connectors/ccf/Darktrace_DCR.json
(packaging artefacts: 3.1.0.zip, ReleaseNotes.md, Solution_DarktraceEnterpriseImmuneSystem.json, mainTemplate.json)