wortell/AZSentinel

groupingConfiguration error

rleal124 opened this issue · 12 comments

When I upload an analytic rule to Sentinel I want to disable the grouping configuration.

The following stanza, following the documentation, should work and disable the grouping configuration, but it has no effect and the grouping configuration is still enabled. Can you please help me?
```yaml
groupingConfiguration:
  GroupingConfigurationEnabled: false
  reopenClosedIncident: false
  lookbackDuration: PT5H
  entitiesMatchingMethod: All
  groupByEntities:
    - Account
    - Ip
    - Host
    - Url
```

I found the issue: in file AzSentinel.psm1, in function Import-AzSentinelAlertRule, the line
`$this.enabled = if ($null -ne $Enabled ) { $Enabled } else { $true }` is not correct.

Because it will enable, or set to true, the groupingConfiguration.
I changed the line to
`$this.enabled = if ($null -ne $Enabled ) { $Enabled } else { $false }`

And now I can set groupingConfiguration to true or false.

Confirmed, seeing the same issue here

hi @rleal124, thanks for the feedback! So you want to create a scheduled analytic rule where the group configuration is disabled. I think there are two issues here. The first issue is indeed in the If statement, because now if the value/property is not set then group configuration will be enabled by default (which should not be the default).
The second issue is, I think, in your template file, because if the property is configured correctly then that will be used in the deployment.
See below the JSON template that I used for testing:

```json
{
  "Scheduled": [
    {
      "displayName": "AlertRule01",
      "description": "",
      "severity": "Medium",
      "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "queryFrequency": "5H",
      "queryPeriod": "6H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ],
      "playbookName": "",
      "aggregationKind": "SingleAlert",
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "entitiesMatchingMethod": "All",
        "groupByEntities": [
          "Account",
          "Ip",
          "Host",
          "Url"
        ]
      }
    }
  ],
  "Fusion": [

  ],
  "MLBehaviorAnalytics": [

  ],
  "MicrosoftSecurityIncidentCreation": [

  ]
}
```

If you run the above you will get the following result:
[screenshot]

@pkhabazi ahh that did get me, I was trying to use a rule I'd downloaded with Get-AzSentinelAlertRule and realised now that the schemas are completely different. It puts the groupingConfiguration under incidentConfiguration.

```yaml
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: PT5H
    entitiesMatchingMethod: All
    groupByEntities: []
```

@pkhabazi Hi, thanks for your feedback. I used the same template for tests; also I used one in JSON format and another in YAML format.

Below is my format in JSON:

```json
{
  "Scheduled": [
    {
      "displayName": "AlertRule01",
      "description": "AlertRule01description",
      "severity": "Medium",
      "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "queryFrequency": "PT5M",
      "queryPeriod": "PT5M",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 0,
      "suppressionDuration": "PT1H",
      "suppressionEnabled": false,
      "tactics": [
        "Impact"
      ],
      "playbookName": "",
      "aggregationKind": "SingleAlert",
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "entitiesMatchingMethod": "All",
        "groupByEntities": [
          "Account",
          "Ip",
          "Host",
          "Url"
        ]
      }
    }
  ]
}
```

And in YAML format:

```yaml
Scheduled:
  - displayName: AlertRule01
    description: AlertRule01description
    severity: Medium
    enabled: true
    query: |
      SecurityEvent
      | where EventID == "4688"
      | where CommandLine contains "-noni -ep bypass $"
    queryFrequency: PT5M
    queryPeriod: PT5M
    triggerOperator: GreaterThan
    triggerThreshold: 0
    suppressionDuration: PT1H
    suppressionEnabled: false
    tactics:
      - Impact
    playbookName: ""
    aggregationKind: SingleAlert
    createIncident: true
    groupingConfiguration:
      enabled: false
      reopenClosedIncident: false
      lookbackDuration: PT5H
      entitiesMatchingMethod: All
      groupByEntities:
        - Account
        - Ip
        - Host
        - Url
```

Working for me now, also had to move aggregationKind out from eventGroupingSettings into the root. Any reason why the schema would be different between the YAML exported and JSON for importing?
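The default-value fix from the opening post and the schema mismatch raised in the last two comments come together in this added PowerShell example (not code from the AzSentinel module): it reshapes a rule in the exported layout (groupingConfiguration under incidentConfiguration, aggregationKind under eventGroupingSettings) into the flat JSON import template used earlier in the thread, and resolves an unset grouping flag to false rather than true. The function name, its parameter and the sample rule object are assumptions.

```powershell
# Added example (not AzSentinel's own code): reshape a rule as exported by
# Get-AzSentinelAlertRule into the flat JSON import layout used in this thread.
# Function name and parameter are hypothetical.
function ConvertTo-AzSentinelImportRule {
    param ([Parameter(Mandatory)] [psobject] $ExportedRule)

    $incident = $ExportedRule.incidentConfiguration
    $grouping = $incident.groupingConfiguration

    # An unset grouping flag resolves to $false; `else { $true }` is the bug above.
    $groupingEnabled = if ($null -ne $grouping.enabled) { [bool]$grouping.enabled } else { $false }
    [ordered]@{
        displayName         = $ExportedRule.displayName
        description         = $ExportedRule.description
        severity            = $ExportedRule.severity
        enabled             = [bool]$ExportedRule.enabled
        query               = $ExportedRule.query
        queryFrequency      = $ExportedRule.queryFrequency
        queryPeriod         = $ExportedRule.queryPeriod
        triggerOperator     = $ExportedRule.triggerOperator
        triggerThreshold    = $ExportedRule.triggerThreshold
        suppressionDuration = $ExportedRule.suppressionDuration
        suppressionEnabled  = [bool]$ExportedRule.suppressionEnabled
        tactics             = @($ExportedRule.tactics | Where-Object { $null -ne $_ })
        playbookName        = ''
        # aggregationKind moves from eventGroupingSettings to the rule root
        aggregationKind     = $ExportedRule.eventGroupingSettings.aggregationKind
        createIncident      = [bool]$incident.createIncident
        groupingConfiguration = [ordered]@{
            enabled                = $groupingEnabled
            reopenClosedIncident   = [bool]$grouping.reopenClosedIncident
            lookbackDuration       = $grouping.lookbackDuration
            entitiesMatchingMethod = $grouping.entitiesMatchingMethod
            groupByEntities        = @($grouping.groupByEntities | Where-Object { $null -ne $_ })
        }
    }
}

# Constructed sample in the exported shape; note the grouping 'enabled' key is absent.
$exported = [pscustomobject]@{
    displayName = 'AlertRule01'; description = ''; severity = 'Medium'; enabled = $true
    query = 'SecurityEvent | where EventID == "4688"'; queryFrequency = 'PT5M'; queryPeriod = 'PT5M'
    triggerOperator = 'GreaterThan'; triggerThreshold = 0; suppressionDuration = 'PT1H'
    suppressionEnabled = $false; tactics = @('Impact')
    eventGroupingSettings = @{ aggregationKind = 'SingleAlert' }
    incidentConfiguration = @{ createIncident = $true; groupingConfiguration = @{
        reopenClosedIncident = $false; lookbackDuration = 'PT5H'; entitiesMatchingMethod = 'All'; groupByEntities = @() } }
}
@{ Scheduled = @(ConvertTo-AzSentinelImportRule -ExportedRule $exported) } | ConvertTo-Json -Depth 5
```

The emitted JSON has "enabled": false inside groupingConfiguration even though the sample never set it, which is the behaviour the corrected `else { $false }` gives on import.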


That's a good one! I tried to simplify the JSON input format, so I changed the format a little. Maybe it's a good point to update the output to the same format as the input format, or the other way around.

@rleal124 so does the template that you shared work or not? And which version of AzSentinel are you using?

Hi,
@pkhabazi yes, it is working and currently I have the latest version of AzSentinel installed (0.6.13).

YAML FILE

```yaml
Scheduled:
  - displayName: AlertRule01
    description: AlertRule01description
    severity: Medium
    enabled: true
    query: |
      SecurityEvent
      | where EventID == "4688"
      | where CommandLine contains "-noni -ep bypass $"
    queryFrequency: PT5M
    queryPeriod: PT5M
    triggerOperator: GreaterThan
    triggerThreshold: 0
    suppressionDuration: PT1H
    suppressionEnabled: false
    tactics:
      - Impact
    playbookName: ""
    aggregationKind: SingleAlert
    createIncident: true
    groupingConfiguration:
      enabled: false
      reopenClosedIncident: false
      lookbackDuration: PT5H
      entitiesMatchingMethod: All
      groupByEntities:
        - Account
        - Ip
        - Host
        - Url
```

And for JSON:

```json
{ "Scheduled": [ { "displayName": "AlertRule01", "description": "AlertRule01description", "severity": "Medium", "enabled": true, "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"", "queryFrequency": "PT5M", "queryPeriod": "PT5M", "triggerOperator": "GreaterThan", "triggerThreshold": 0, "suppressionDuration": "PT1H", "suppressionEnabled": false, "tactics": [ "Impact" ], "playbookName": "", "aggregationKind": "SingleAlert", "createIncident": true, "groupingConfiguration": { "enabled": false, "reopenClosedIncident": false, "lookbackDuration": "PT5H", "entitiesMatchingMethod": "All", "groupByEntities": [ "Account", "Ip", "Host", "Url" ] } } ] }
```

I guess the pulled structure is truer to the API, and may be future proofed if for some reason the names of nested keys overlap, though that seems quite unlikely. I'm happy with either as long as there is consensus.

I've referenced the output schema in Azure/Azure-Sentinel#585 in the hope that all rule definitions will be more easily compatible.

Reopening issue because we need to find a solution for the correct schema

I have updated the Get-AzSentinelAlertRule function output to match the JSON template format. This will solve the issue with exported rules.