Mitre information missing from incident
The columns have to be in the data returned by the alert, so the drop-down will show you what's there, or the column name will error (see red text). If it's missing, you will have to add an entity first.
- TheHoff70, Sep 27, 2024, Brass Contributor
Maybe I misunderstand your answer, but my initial post shows what's seen by Sentinel in the alert. In the analytics rule I've tried with the column holding the Mitre ID or the Mitre name, and neither works. The respective columns are visible and selectable without error in the analytics rule.
- Clive_Watson, Sep 27, 2024, Bronze Contributor
I showed the Alert Details to answer this: "Now, in the analytics rule under Alert Details I've tried different settings for the tactics and/or techniques." Are you not getting an error in that part of the analytics setup? If there is no error, which sounds like your situation, then the values should appear in the Alert Name or Description of the alert.
So if we use this as an example:
Alert from {{Mitre_id}}
Do you just get the "Alert from " part in the Name / Description? Or do you get nothing?
https://learn.microsoft.com/en-gb/azure/sentinel/customize-alert-details?tabs=azure#how-to-customize-alert-details
- TheHoff70, Sep 29, 2024, Brass Contributor
Ah, now I understand. I've configured the Alert Description to include the variables for Mitre ID and name, and these are visible in the incident description, as shown below (some data deleted), but not as the Tactics or Techniques for the whole incident.
Update: I've dug around in the documentation for the security platform sending to Sentinel, and it seems it doesn't operate with Tactics; it is only able to send Techniques.
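As an added example, not code from this thread or from Microsoft Sentinel itself: a small Python model of the {{Column}} placeholder substitution Clive_Watson describes above, together with the diagnostic his questions rely on (placeholder names a column that is missing from the query result, versus the column exists but the row carries an empty value, which leaves only the literal "Alert from " text). The column names Mitre_id, Mitre_name and Techniques, the sample rows, and the exact handling of empty values are constructed assumptions for illustration; they are not the schema of any real connector and not a statement of how Sentinel resolves placeholders internally.

```python
from __future__ import annotations

import re
from typing import Any

# {{ColumnName}} placeholder syntax, as used in Sentinel alert-details overrides.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Constructed sample result set, shaped like rows an analytics rule's query
# might return. Column names are assumptions for this example only.
SAMPLE_ROWS: list[dict[str, Any]] = [
    {"Computer": "ws01", "Mitre_id": "T1059.001", "Mitre_name": "PowerShell",
     "Techniques": "T1059.001,T1105"},
    {"Computer": "ws02", "Mitre_id": "", "Mitre_name": None, "Techniques": ""},
]


def result_columns(rows: list[dict[str, Any]]) -> set[str]:
    """The schema of the returned data: every column name seen in any row."""
    cols: set[str] = set()
    for row in rows:
        cols.update(row)
    return cols


def referenced_columns(template: str) -> set[str]:
    """Column names referenced by {{...}} placeholders in a template."""
    return set(PLACEHOLDER.findall(template))


def missing_columns(template: str, columns: set[str]) -> list[str]:
    """Placeholders that name a column absent from the result schema.
    This is the case the thread says shows up as a red-text error in the rule
    wizard: the column has to be in the returned data before it can be used."""
    return sorted(referenced_columns(template) - columns)


def expand(template: str, row: dict[str, Any]) -> str:
    """Substitute each placeholder with the row's value.
    A present-but-empty value (empty string or None) yields an empty string, so
    'Alert from {{Mitre_id}}' collapses to 'Alert from '. A column that is not in
    the row at all raises, mirroring the wizard's validation error."""
    def substitute(match: re.Match[str]) -> str:
        column = match.group(1)
        if column not in row:
            raise KeyError(f"column {column!r} is not in the query result")
        value = row[column]
        return "" if value is None else str(value)
    return PLACEHOLDER.sub(substitute, template)


def split_list(value: Any) -> list[str]:
    """Turn a comma-separated column value (e.g. a techniques list) into a clean
    list of identifiers; empty or None becomes an empty list."""
    if value is None:
        return []
    return [part.strip() for part in str(value).split(",") if part.strip()]


def diagnose(template: str, row: dict[str, Any], columns: set[str]) -> str:
    """Classify the situation the thread is trying to tell apart:
    'missing_column' - template references a column not in the result schema
    'empty_value'    - columns exist but this row has no value for one of them
    'ok'             - every placeholder in the template is filled for this row"""
    if missing_columns(template, columns):
        return "missing_column"
    for column in referenced_columns(template):
        if str(row.get(column) or "").strip() == "":
            return "empty_value"
    return "ok"


def render_alert(row: dict[str, Any], name_template: str,
                 description_template: str, techniques_column: str) -> dict[str, Any]:
    """Assemble the overridable alert fields for one row (model only)."""
    return {
        "name": expand(name_template, row),
        "description": expand(description_template, row),
        "techniques": split_list(row.get(techniques_column)),
    }


if __name__ == "__main__":
    name_tpl = "Alert from {{Mitre_id}}"
    desc_tpl = "Technique {{Mitre_id}} ({{Mitre_name}}) on {{Computer}}"
    cols = result_columns(SAMPLE_ROWS)
    print("missing for {{Tactics}}:", missing_columns("{{Tactics}}", cols))
    for row in SAMPLE_ROWS:
        print(diagnose(name_tpl, row, cols), render_alert(row, name_tpl, desc_tpl, "Techniques"))
```

Run it as-is to see the three outcomes side by side: a template referencing a column the query never returns is rejected before any row is rendered, the first sample row fills every placeholder, and the second row produces the bare "Alert from " that Clive_Watson asks about.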