groupingConfiguration error #132
Comments
|
I find the issue: On file AzSentinel.psm1 on function Import-AzSentinelAlertRule, the line Because, will enable, or set to true the groupingConfiguration. And now I can set to true or false groupingConfiguration |
|
Confirmed, seeing the same issue here |
|
hi @rleal124, thanks for the feedback! So you want to create a scheduled analytic rule where the group configuration is disabled. I think there are two issues here. The first issue is indeed in the If statement. Because now if the value/property is not set then Group configuration will be enabled by default (which should not be the default). {
"Scheduled": [
{
"displayName": "AlertRule01",
"description": "",
"severity": "Medium",
"enabled": true,
"query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
"queryFrequency": "5H",
"queryPeriod": "6H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5,
"suppressionDuration": "6H",
"suppressionEnabled": false,
"tactics": [
"Persistence",
"LateralMovement",
"Collection"
],
"playbookName": "",
"aggregationKind": "SingleAlert",
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"entitiesMatchingMethod": "All",
"groupByEntities": [
"Account",
"Ip",
"Host",
"Url"
]
}
}
],
"Fusion": [
],
"MLBehaviorAnalytics": [
],
"MicrosoftSecurityIncidentCreation": [
]
}If you run the above you will get the following result: |
|
@pkhabazi ahh that did get me, I was trying to use a rule I'd downloaded with incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
entitiesMatchingMethod: All
groupByEntities: [] |
|
@pkhabazi Hi, Thanks for your feedback. I used the same template for tests, Also I using one in JSON format and other for YAML format. In below my format in json: And in YAML format
|
|
Working for me now, also had to move |
That's a good one! I tried to simplify the JSON input format, so I changed the format a little. Maybe a good point to update the output in the same format as input format or the way around. |
|
@rleal124 so thus the template that you shared work or not? And which version of AzSentinel are you using? |
|
Hi, YAML FILE `
And For JSON
|
|
I guess the pulled structure is truer to the API, and may be future proofed if for some reason the names of nested keys overlap, though that seems quite unlikely. I'm happy with either as long as there is consensus. I've referenced the output schema in the Azure/Azure-Sentinel#585 in the hopes that all rule definitions will be more easily compatible. |
|
Reopening issue because we need to find a solution for the correct schema |
|
I have updated the get-azsentinelalertrule function output to match the JSON template format. This will solve the issue with exported rules. |
When I upload a analytic rule to sentinel I want to disable the grouping configuration.
the following stanza following the documentation should be work and disable the grouping configuration, But the not have effect and the grouping configuration still happened enable. Can please help me?
groupingConfiguration:
GroupingConfigurationEnabled: false
reopenClosedIncident: false
lookbackDuration: PT5H
entitiesMatchingMethod: All
groupByEntities:
- Account
- Ip
- Host
- Url
The text was updated successfully, but these errors were encountered: