Analytics Rules with mapped MITRE techniques do not get imported as JSON
Currently the "Import-AzSentinelAlertRule" command in module "azsentinel" 0.6.21 doesn't deploy the Techniques values when deploying analytics rules. For example, the rule below has Techniques "T1059". If we deploy this rule via the PowerShell module "azsentinel" with the "Import-AzSentinelAlertRule" command, the techniques values don't get applied. Please see the image attached after creating the rule below.
{
  "displayName": "TEARDROP memory-only dropper",
  "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
  "severity": "High",
  "enabled": true,
  "query": "DeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"",
  "queryFrequency": "P1D",
  "queryPeriod": "P1D",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "suppressionDuration": "PT5H",
  "suppressionEnabled": false,
  "tactics": [
    "Execution",
    "Persistence",
    "DefenseEvasion"
  ],
  "techniques": [
    "T1059"
  ],
  "alertRuleTemplateName": null,
  "incidentConfiguration": {
    "createIncident": true,
    "groupingConfiguration": {
      "enabled": false,
      "reopenClosedIncident": false,
      "lookbackDuration": "PT5H",
      "matchingMethod": "AllEntities",
      "groupByEntities": [],
      "groupByAlertDetails": [],
      "groupByCustomDetails": []
    }
  },
  "eventGroupingSettings": {
    "aggregationKind": "SingleAlert"
  },
  "alertDetailsOverride": null,
  "customDetails": null,
  "entityMappings": [
    {
      "entityType": "Account",
      "fieldMappings": [
        {
          "identifier": "FullName",
          "columnName": "AccountCustomEntity"
        }
      ]
    },
    {
      "entityType": "Host",
      "fieldMappings": [
        {
          "identifier": "FullName",
          "columnName": "HostCustomEntity"
        }
      ]
    },
    {
      "entityType": "FileHash",
      "fieldMappings": [
        {
          "identifier": "Algorithm",
          "columnName": "FileHashType"
        },
        {
          "identifier": "Value",
          "columnName": "FileHashCustomEntity"
        }
      ]
    }
  ],
  "sentinelEntitiesMappings": null,
  "templateVersion": "1.0.3"
}
After further investigation I can tell that the PowerShell command "Import-AzSentinelAlertRule" doesn't have the feature to deploy Techniques yet.
Please add the capability to the "Import-AzSentinelAlertRule" command to deploy techniques and update the PowerShell Gallery as per the changes.
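The symptom reported here (a property that is present in the rule JSON but silently absent after import) is easy to miss because the import itself succeeds. The following is an added example, not part of this issue or of the azsentinel module: a small offline check that diffs the rule you intended to deploy against the rule as read back from the workspace, and flags the checked properties that were dropped or changed. The read-back shape (`properties` wrapper) follows the Azure REST representation; both sample rules are constructed for the example, with the deployed copy missing its techniques to mirror the report above.

```python
"""Offline drift check for a Microsoft Sentinel scheduled analytics rule.

Added example for this issue (not azsentinel code). Compare the source rule
JSON with the rule read back from the workspace and report which checked
properties did not survive the import, e.g. the MITRE "techniques" array.
"""
import json
import re

# MITRE ATT&CK technique id: T1059, or sub-technique T1059.001
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Properties whose silent loss weakens the rule or breaks its coverage mapping.
CHECKED_FIELDS = ("enabled", "severity", "query", "tactics", "techniques", "entityMappings")


def validate_techniques(rule):
    """Return technique ids in `rule` that are not well-formed ATT&CK ids."""
    return [t for t in (rule.get("techniques") or []) if not TECHNIQUE_RE.match(str(t))]


def _normalize(value):
    """Compare lists order-insensitively; the service does not guarantee ordering."""
    if isinstance(value, list):
        return sorted(json.dumps(item, sort_keys=True) for item in value)
    return value


def import_drift(source, deployed, fields=CHECKED_FIELDS):
    """Return {field: (expected, actual)} for every checked field that differs.

    `deployed` may be the raw REST resource (properties nested under
    "properties") or a flat property dict like the source file.
    """
    deployed_props = deployed.get("properties", deployed)
    drift = {}
    for field in fields:
        want, got = source.get(field), deployed_props.get(field)
        if _normalize(want) != _normalize(got):
            drift[field] = (want, got)
    return drift


def report(source, deployed):
    """Human-readable findings; empty list means the import was faithful."""
    lines = [f"malformed technique id: {t}" for t in validate_techniques(source)]
    for field, (want, got) in import_drift(source, deployed).items():
        lines.append(f"{field}: expected {want!r}, deployed {got!r}")
    return lines


# Constructed sample: the rule as authored (trimmed from the rule in this issue).
SOURCE_RULE = {
    "displayName": "TEARDROP memory-only dropper",
    "severity": "High",
    "enabled": True,
    "query": 'DeviceEvents\n| where ActionType has "ExploitGuardNonMicrosoftSignedBlocked"',
    "tactics": ["Execution", "Persistence", "DefenseEvasion"],
    "techniques": ["T1059"],
    "entityMappings": [
        {"entityType": "Host",
         "fieldMappings": [{"identifier": "FullName", "columnName": "HostCustomEntity"}]}
    ],
}

# Constructed sample: the same rule read back after import, techniques dropped
# and tactics reordered (ordering alone must not count as drift).
DEPLOYED_RULE = {
    "name": "00000000-0000-0000-0000-000000000000",  # placeholder rule id
    "properties": {
        "displayName": "TEARDROP memory-only dropper",
        "severity": "High",
        "enabled": True,
        "query": 'DeviceEvents\n| where ActionType has "ExploitGuardNonMicrosoftSignedBlocked"',
        "tactics": ["DefenseEvasion", "Execution", "Persistence"],
        "techniques": [],
        "entityMappings": [
            {"entityType": "Host",
             "fieldMappings": [{"identifier": "FullName", "columnName": "HostCustomEntity"}]}
        ],
    },
}

if __name__ == "__main__":
    for line in report(SOURCE_RULE, DEPLOYED_RULE):
        print(line)
```

Run it after each import (feeding it the rule file and the JSON returned by a GET on the alert rule resource) and fail the pipeline on a non-empty report; that turns a silently missing coverage mapping into a visible deployment error.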