briandelmsft / SentinelAutomationModules

The Microsoft Sentinel Triage AssistanT (STAT) enables easy to create incident triage automation in Microsoft Sentinel
MIT License

[QUESTION] RelatedAlerts filter out MITRE scoring #410

Closed mikedizzle closed 1 year ago

mikedizzle commented 1 year ago

Is there a way to filter out the MITRE tactics from being scored in the Get-RelatedAlerts module?

briandelmsft commented 1 year ago

It's possible, but will require a manual manipulation of the Related Alerts module output before passing it to the scoring module. To bypass the scoring, you will need to change the 'AllTacticsCount' to 0 before passing it to the scoring module.

To do this, after the related alerts module runs, add a compose step to the logic app and in the compose step add the following using the expression editor:

setProperty(body('Related_Alerts_Module'),'AllTacticsCount',0)

You may need to change the Related_Alerts_Module part if your step name for this module has been changed from the default.

Then when you pass the related alerts body to the scoring module, pass the compose output in place of the Related Alerts Module Body.

It should look something like this: [screenshot of the logic app steps, omitted]
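The same wiring expressed in the Logic App's workflow definition (code view), as an added illustration that is not part of this issue or of the STAT project: the Compose action carries the setProperty expression from the answer, and the scoring step consumes its output instead of the Related Alerts body. The action names, the scoring action's type and its input parameter name (`RelatedAlerts`) are assumptions; only the expression and the `AllTacticsCount` property come from the answer above.

```json
{
  "Related_Alerts_No_Tactics": {
    "type": "Compose",
    "inputs": "@setProperty(body('Related_Alerts_Module'), 'AllTacticsCount', 0)",
    "runAfter": {
      "Related_Alerts_Module": [ "Succeeded" ]
    }
  },
  "Scoring_Module": {
    "type": "<unchanged: whatever action type your existing STAT scoring step uses>",
    "inputs": {
      "body": {
        "RelatedAlerts": "@outputs('Related_Alerts_No_Tactics')"
      }
    },
    "runAfter": {
      "Related_Alerts_No_Tactics": [ "Succeeded" ]
    }
  }
}
```

Because the original `body('Related_Alerts_Module')` is still available after the Compose step, the untouched tactic data can still be written to the incident comment or tag step so analysts see it even though it no longer contributes to the score.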

mikedizzle commented 1 year ago

Excellent. Thank you for this. I'm going to create a feature request to have this available as a parameter in the related alerts mod action. I'll do this in the meantime.