Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Analytics Rules with mapped MITRE techniques do not get imported as JSON #4386

Closed rcegan closed 1 year ago

rcegan commented 2 years ago

I've noticed that deploying detections in JSON format (as exported by the GUI) through a DevOps pipeline, or importing manually through the GUI, does not preserve the techniques configured. Tactics are preserved.

To reproduce, export any single detection with Techniques that have been mapped (e.g. T1136) and import to another Sentinel environment.

Expected behaviour is that the detection would preserve the mapped MITRE techniques. The techniques are present within the JSON file itself as well, however they're not reflected in the GUI in Sentinel.

The section of JSON with the techniques: [screenshot]

The imported rule without the technique: [screenshot]

github-actions[bot] commented 2 years ago

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

azurekid commented 2 years ago

@rcegan Has this already been fixed? I have been playing around a lot with tactics and techniques lately in detection rules and building a Pester test that validates whether the correct tactics and techniques are used. Also noticed that not all tactics are supported due to Microsoft Sentinel relying on the MITRE ATT&CK framework v9.

I did not experience any issues with rules not showing the techniques after importing them from a json template

rcegan commented 2 years ago

@azurekid I haven't tried for a while - maybe the v9 thing is why. I'll test it out later if I've got a sec and report back.

azurekid commented 2 years ago

> @azurekid I haven't tried for a while - maybe the v9 thing is why. I'll test it out later if I've got a sec and report back.

Cool! If you are interested in the testing of analytics rules, you can find it on my GitHub or in the GitHub Marketplace ;-) https://github.com/SecureHats/validate-detections https://github.com/marketplace/actions/validate-detections

2Wanderer commented 2 years ago

I'm currently experiencing exactly the same problems. The `"Techniques": ["T1078"]` key/value pair is not preserved during a deployment by DevOps. Any light on this yet?

azurekid commented 2 years ago

> I'm currently experiencing exactly the same problems. The `"Techniques": ["T1078"]` key/value pair is not preserved during a deployment by DevOps. Any light on this yet?

Can you share the template?

I haven't been able to reproduce the error from Azure DevOps, GitHub or manually. I used the repositories option from Microsoft Sentinel, PowerShell, and a manual upload to the portal.

I'm not with #Microsoft, so would be nice if someone from the team would pick this up also @vmanojreddy @ashishsyal

2Wanderer commented 2 years ago

@azurekid sure,

This is an example template; please don't mind the TTP mapping, those were just for testing purposes. The rule got pushed, as expected, but none of the TTPs got pushed to Sentinel. See screenshot:

[screenshot: Microsoft Sentinel portal, 2022-06-29 11:23:44]

```json
{
  "severity": "Medium",
  "query": "AuditLogs\n| where LoggedByService =~ \"PIM\"\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has \"Disable PIM Alert\"\n| extend IpAddress = case(\n  isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \n  isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n  'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n  tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId",
  "queryFrequency": "P1D",
  "queryPeriod": "P1D",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "displayName": "[#{customername}#] [UC1] Detect PIM Alert Disabling activity",
  "enabled": true,
  "description": "Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access",
  "lastUpdatedDateUTC": "2021-10-19T00:00:00Z",
  "createdDateUTC": "2021-09-30T00:00:00Z",
  "status": "Available",
  "kind": "Scheduled",
  "tactics": ["Persistence", "PrivilegeEscalation"],
  "Techniques": ["T1548", "T1098", "T1078", "T0890"]
}
```

sandeep5234 commented 2 years ago

I am going through the same issue as well. I am using the azsentinel 0.6.21 PowerShell module to import analytics rules into Microsoft Sentinel. The PowerShell command I am using is `Import-AzSentinelAlertRule`. Below is one of the rules in JSON format. Everything in this rule gets deployed except the Techniques values.

```json
{
  "displayName": "TEARDROP memory-only dropper",
  "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
  "severity": "High",
  "enabled": true,
  "query": "DeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"",
  "queryFrequency": "P1D",
  "queryPeriod": "P1D",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "suppressionDuration": "PT5H",
  "suppressionEnabled": false,
  "tactics": ["Execution", "Persistence", "DefenseEvasion"],
  "techniques": ["T1059"],
  "alertRuleTemplateName": null,
  "incidentConfiguration": {
    "createIncident": true,
    "groupingConfiguration": {"enabled": false, "reopenClosedIncident": false, "lookbackDuration": "PT5H", "matchingMethod": "AllEntities", "groupByEntities": [], "groupByAlertDetails": [], "groupByCustomDetails": []}
  },
  "eventGroupingSettings": {"aggregationKind": "SingleAlert"},
  "alertDetailsOverride": null,
  "customDetails": null,
  "entityMappings": [
    {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "AccountCustomEntity"}]},
    {"entityType": "Host", "fieldMappings": [{"identifier": "FullName", "columnName": "HostCustomEntity"}]},
    {"entityType": "FileHash", "fieldMappings": [{"identifier": "Algorithm", "columnName": "FileHashType"}, {"identifier": "Value", "columnName": "FileHashCustomEntity"}]}
  ],
  "sentinelEntitiesMappings": null,
  "templateVersion": "1.0.3"
}
```

[screenshot]

After further investigation I can tell that the PowerShell command `Import-AzSentinelAlertRule` doesn't have the feature to deploy Techniques yet.

sandeep5234 commented 2 years ago

Is there any update on this?

Kaloszer commented 1 year ago

> Is there any update on this?

I've implemented this and it seems to be working when importing through ARM templates!

LiamCloudGuard commented 1 year ago

> Is there any update on this?
>
> I've implemented this and it seems to be working when importing through ARM templates!

ARM Templates work for including the Techniques, however using the Powershell Az Module does not. After digging around I discovered it is because the API is outdated and not built to handle the technique variable yet.
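A pipeline check for the failure mode discussed in this thread, added here as an example and not code from the thread or from the Azure-Sentinel project: it lints the MITRE mapping of a rule template, flags the `Techniques`/`techniques` key casing that differs between the templates posted above, and diffs the template's techniques against the deployed rule's properties, which the caller fetches with whatever tool it deploys with. The tactic list and the lowercase API spelling of `tactics`/`techniques` are assumptions, noted in the comments.

```python
import re

# Enterprise ATT&CK tactic names as Sentinel spells them (assumption: the
# 14 well-known Enterprise tactics; Sentinel's own enum can lag the framework).
KNOWN_TACTICS = {
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution",
    "Persistence", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess",
    "Discovery", "LateralMovement", "Collection", "CommandAndControl",
    "Exfiltration", "Impact",
}
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # T1078 or T1078.004


def get_ci(obj, key):
    """Case-insensitive lookup: this thread's templates use both 'Techniques'
    and 'techniques', and ARM compares property names loosely."""
    return next((v for k, v in obj.items() if k.lower() == key), None)


def lint_rule(rule):
    """Problems in a rule's MITRE mapping; accepts a bare properties object
    or a full ARM resource with a 'properties' member."""
    problems = []
    props = get_ci(rule, "properties") or rule
    for key in ("tactics", "techniques"):  # assumption: the API spells both lowercase
        actual = next((k for k in props if k.lower() == key), None)
        if actual is not None and actual != key:
            problems.append(f"key {actual!r} is not the API spelling {key!r}")
    for t in get_ci(props, "tactics") or []:
        if t not in KNOWN_TACTICS:
            problems.append(f"unknown tactic {t!r}")
    for t in get_ci(props, "techniques") or []:
        if not TECHNIQUE_ID.match(t):
            problems.append(f"malformed technique id {t!r}")
    return problems


def techniques_lost(template, deployed):
    """Techniques in the source template that the deployed rule no longer
    carries; a non-empty result is the symptom reported in this issue."""
    want = set(get_ci(template, "techniques") or [])
    have = set(get_ci(deployed, "techniques") or [])
    return sorted(want - have)


# Constructed sample: the template keeps its mapping, the deployed copy lost it.
TEMPLATE = {"tactics": ["Persistence", "PrivilegeEscalation"],
            "Techniques": ["T1548", "T1098", "T1078", "T1078.004"]}
DEPLOYED = {"tactics": ["Persistence", "PrivilegeEscalation"], "techniques": []}
```

Run `lint_rule` against every template before deployment and `techniques_lost` against the rule read back afterwards; a non-empty result from the second call is the signal to fail the pipeline instead of discovering the gap in the portal.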

v-amolpatil commented 1 year ago

Hi @rcegan , thank you for flagging this. Apologies for the delayed response. If you still need assistance, please reply here within 5 business days.

v-amolpatil commented 1 year ago

Gentle Reminder: We are awaiting your response on this issue. If you still need to keep this issue active, please respond within the next 2 days. If we don't receive a response by 17 Feb 2023, we will close this issue.

v-amolpatil commented 1 year ago

Since we have not received a response in the last 5 days, we are closing your issue #4386 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
