Update to lastest API version

[OllyNO]

Summary of the new feature / enhancement

MITRE subtechniques does not work with API version 2023-02-01-preview. Deploying the same rules but changing API version to 2023-12-01-preview fixes this.

Proposed technical implementation details (optional)

No response

[f-bader]

Hi @OllyNO

Based on the official docs techniques are supported and 2023-02-01-preview seems to be the latest version.

Do you have another reference?

https://learn.microsoft.com/en-us/azure/templates/microsoft.securityinsights/2023-02-01-preview/alertrules?pivots=deployment-language-arm-template

[OllyNO]

Hi,

Just to clarify; Techniques work, but subtechniques doesn't.

I didn't really have any references other than looking at the json of rules I exported from Sentinel showed api version 2023-12-01-preview. But looking around today I found this:

https://learn.microsoft.com/en-us/rest/api/securityinsights/api-versions

[f-bader]

Thank you very much. I will take a look if the tests are all successful after changing to it before I change the default. But in the meantime you can already change the API version using the parameter apiversion

[OllyNO]

Excellent, thank you!

And thank you for making this script, it's helped us a lot in automating conversion and deployment of analytic rules to multiple workspaces.

[f-bader]

Found a bit more documentation https://learn.microsoft.com/en-us/rest/api/securityinsights/api-versions#2024-01-01-preview https://github.com/Azure/azure-rest-api-specs/tree/main/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2024-01-01-preview

[f-bader]

Example ARM configuration. Minimum is indeed 2023-12-01-preview

"tactics": [
    "Reconnaissance"
],
"techniques": [
    "T1589",
    "T1592",
    "T1598"
],
"subTechniques": [
    "T1589.001",
    "T1592.001"
]

[f-bader]

Implemented in v.2.4.0