Azure / azure-rest-api-specs

The source for REST API specifications for Microsoft Azure.
MIT License

Feature Request - Azure Sentinel - Configure entityMappings and Custom Details on Alert Rules #14078

Open jstaffin-presidio opened 3 years ago

jstaffin-presidio commented 3 years ago

Azure Sentinel has added a new method for configuring Entity mappings and a method for defining custom details (key/value pairs).

This page describes the Azure Portal method for configuring the Entity Mappings on an alert rule: https://docs.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities

This page describes the Azure Portal method for configuring the custom details key/value pairs on an alert rule: https://docs.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts

Neither the current GA nor the preview REST API or SDK for Go supports configuring these elements on an alert rule.

At the moment all other aspects of our sentinel deployment are automated except for this capability. We require the ability to map these values to surface required context on the generated alert for use in our SOAR workflows. We currently deploy rules using an automated method and require Azure Portal manual configuration to perform the remaining entity mapping and custom details configuration.

kaovd commented 3 years ago

Echoing this standpoint on SOAR workflows: in order to migrate to this new method we need this to come into the specs and downstream to relevant SDK providers for 2021-03-01-preview (https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview). From the looks of it this still seems heavy in dev and there is no SecurityInsights.json laid out. Is this getting backported to 2019-01-01-preview at all?

kaovd commented 3 years ago

I see this got removed from needs triage but still has no assignee - is there any attention to this? I think that https://github.com/Azure/azure-rest-api-specs/pull/14753 is going to resolve this.

miaxou commented 3 years ago

Would really like to see the functionality to add/update entityMappings via REST API restored.

FormindGMO commented 2 years ago

@kaovd you mentioned PR #14753 of the swagger specs, flagged as "Merged", yet it doesn't seem available in the documentation. I don't know about MS internal processes; do you know when we could get the feature implemented?

kaovd commented 2 years ago

@FormindGMO in terms of the full RP / spec this has been pushed back a fair bit and is now scheduled for the 2021-09-01 API spec - see here: https://github.com/Azure/azure-sdk-for-go/issues/14800

The change did go in, but they need the full stack of specs to produce a package for it in the SDK and downstream - for that there is a central tracker up here in azurerm: https://github.com/hashicorp/terraform-provider-azurerm/issues/11667

However, if you are just looking at the API, sure, you can call the 2021-03-01 API now and just use the endpoint at https://management.azure.com/subscriptions/{subid}/resourceGroups/{rg}/providers/Microsoft.OperationalInsights/workspaces/{workspace}/providers/Microsoft.SecurityInsights/alertRules/{id}?api-version=2021-03-01-preview and the doc is still https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-03-01-preview/AlertRules.json. In terms of examples you can just rip the API calls out of the portal when you do stuff to get a better understanding. Also https://docs.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update#code-try-0 is a nice interface.

I.e. if you are using something like terraform you can potentially use a null resource script provisioner and pwsh in order to PATCH the entityDetails over your current infrastructure - although a bit hacky, it's a good temporary workaround.
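An added example (not the project's own code or any commenter's) of what the comment above describes: building a kind=Scheduled alert rule body that carries `entityMappings` and `customDetails`, and PUTting it to the 2021-03-01-preview endpoint quoted in the thread. Assumptions: the 5-entity / 3-identifier / 20-detail limits come from the linked portal docs rather than the spec file, the column-name check is a plain substring heuristic, and the ARM bearer token is obtained separately.

```python
import json
import urllib.request

API_VERSION = "2021-03-01-preview"
# Assumed limits from the portal docs linked in the issue, not read from the spec.
MAX_ENTITIES, MAX_IDENTIFIERS, MAX_CUSTOM_DETAILS = 5, 3, 20


def alert_rule_url(sub_id, rg, workspace, rule_id):
    """Endpoint template quoted in the thread, with placeholders filled in."""
    return (f"https://management.azure.com/subscriptions/{sub_id}/resourceGroups/{rg}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}"
            f"?api-version={API_VERSION}")


def build_scheduled_rule(display_name, query, entity_mappings, custom_details,
                         severity="Medium", frequency="PT1H", period="PT1H"):
    """Return the PUT body for a Scheduled rule carrying entityMappings and customDetails.
    entity_mappings: [{"entityType": ..., "fieldMappings": [{"identifier": ..., "columnName": ...}]}]
    custom_details: {"DetailName": "ColumnName"}; every column must appear in the KQL query."""
    if len(entity_mappings) > MAX_ENTITIES:
        raise ValueError("too many entity mappings")
    if len(custom_details) > MAX_CUSTOM_DETAILS:
        raise ValueError("too many custom details")
    columns = set(custom_details.values())
    for m in entity_mappings:
        if len(m["fieldMappings"]) > MAX_IDENTIFIERS:
            raise ValueError(f"too many identifiers for {m['entityType']}")
        columns.update(fm["columnName"] for fm in m["fieldMappings"])
    missing = sorted(c for c in columns if c not in query)  # heuristic, does not parse KQL
    if missing:
        raise ValueError(f"columns not found in query: {missing}")
    return {"kind": "Scheduled", "properties": {
        "displayName": display_name, "enabled": True, "severity": severity,
        "query": query, "queryFrequency": frequency, "queryPeriod": period,
        "triggerOperator": "GreaterThan", "triggerThreshold": 0,
        "suppressionDuration": "PT5H", "suppressionEnabled": False,
        "entityMappings": entity_mappings, "customDetails": custom_details}}


def put_alert_rule(url, body, bearer_token):
    """PUT the rule; bearer_token is an ARM access token obtained elsewhere."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```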

kaovd commented 2 years ago

@jstaffin-presidio this is closed with release of 2021-09-01-preview