MicrosoftHey Tiander Turpijn , great article!
Here's a challenge:
I want to add Mitre TECHNIQUES (not tactics) to my alerts/rules.
I see the Github rules have a field: relevantTechniques - but I don't think that field is usable in a playbook? i.e. it's not passed on as an entity or other field that's seen in the alert?
So the best place I can see to add this is as an alert entity, where I can look it up in a playbook and do something with it like map it to mitre defensive actions.
So how can I write an alert entity using Update-AzSentinelAlertRule?
eg:
Get-AzSentinelAlertRule -WorkspaceName xxxx -RuleName "test1"
Here's an exported rule.
How can I use Get-AzSentinelAlertRule to write the entityMappings?
queryFrequency : PT5H queryPeriod : PT5H triggerOperator : GreaterThan
triggerThreshold : 0
eventGroupingSettings : @{aggregationKind=SingleAlert}
severity : Medium
query : SecurityAlert|project technique="T1234"
suppressionDuration : PT5H
suppressionEnabled : False
entityMappings : {@{entityType=URL; fieldMappings=System.Object[]}}
displayName : test
enabled : False
description :
tactics : {}
alertRuleTemplateName :
lastModifiedUtc : 6/25/2021 12:52:20 PM
name : xxx
etag : "xxx"
id : /subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.OperationalInsights/works
paces/3psiem/providers/Microsoft.SecurityInsights/alertRules/xxx
kind : Scheduled
createIncident : False
groupingConfiguration : @{enabled=False; reopenClosedIncident=False; lookbackDuration=PT5H; entitiesMatchingMethod=All;
groupByEntities=System.Object[]}
playbookName :
