Map ResourceGroup or Subscription in Analytics Rules

I'm attempting to utilize Entity Mappings to add ResourceGroup (or Subscription, or any unique group identifier) to all of my analytics rules. This seems to be present for some of the templates; however, there are a large number of rules where this is not possible, and it appears I cannot directly add this in the query itself.

The issue I'm facing is having alerts that span multiple Subscriptions and ResourceGroups that are then received by a third-party platform for analysis and review. I need to be able to split out these alerts by group (preferably RG or Sub) so that they can be playbooked to the appropriate team.

Question: Is there a method by which I can map/add/inject RG or Subscription into every alert that triggers in Sentinel?