
Analytics Rules with mapped MITRE techniques do not get imported as JSON

Open rcegan opened this issue 2 years ago • 11 comments

I've noticed that deploying detections in JSON format (as exported by the GUI) through a DevOps pipeline, or importing manually through the GUI, does not preserve the techniques configured. Tactics are preserved.

To reproduce, export any single detection with Techniques that have been mapped (e.g. T1136) and import to another Sentinel environment.

Expected behaviour is that the detection would preserve the mapped MITRE techniques. The techniques are present within the JSON file itself as well; however, they're not reflected in the GUI in Sentinel.

The section of JSON with the techniques: (screenshot)

The imported rule without the technique: (screenshot)

rcegan avatar Mar 11 '22 02:03 rcegan

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Mar 11 '22 02:03 github-actions[bot]

@rcegan Has this already been fixed? I have been playing around a lot with tactics and techniques lately in detection rules and building a Pester test that validates if the correct tactics and techniques are used. Also noticed that not all tactics are supported due to Microsoft Sentinel relying on the MITRE ATT&CK framework v9.

I did not experience any issues with rules not showing the techniques after importing them from a json template

azurekid avatar Jun 23 '22 08:06 azurekid

@azurekid I haven't tried for a while - maybe the v9 thing is why. I'll test it out later if I've got a sec and report back.

rcegan avatar Jun 23 '22 08:06 rcegan

Cool! If you are interested in the testing of analytics rules, you can find it on my GitHub or in the GitHub marketplace ;-) https://github.com/SecureHats/validate-detections https://github.com/marketplace/actions/validate-detections

azurekid avatar Jun 23 '22 08:06 azurekid

I'm currently experiencing exactly the same problems. The "Techniques": ["T1078"] key/value is not preserved during a deployment by DevOps. Any light on this yet?

2Wanderer avatar Jun 27 '22 13:06 2Wanderer

Can you share the template?

I haven't been able to reproduce the error from Azure DevOps, GitHub or manually. I used the repositories option from Microsoft Sentinel, PowerShell, and a manual upload through the portal.

I'm not with #Microsoft, so would be nice if someone from the team would pick this up also @vmanojreddy @ashishsyal

azurekid avatar Jun 29 '22 06:06 azurekid

@azurekid sure,

This is an example template; please don't mind the TTP mapping, they were just for testing purposes. The rule got pushed, as expected, but none of the TTPs got pushed to Sentinel. See screenshot.

(screenshot: Microsoft Sentinel in the Azure portal)

```json
{
  "severity": "Medium",
  "query": "AuditLogs\n| where LoggedByService =~ \"PIM\"\n| where Category =~ \"RoleManagement\"\n| where ActivityDisplayName has \"Disable PIM Alert\"\n| extend IpAddress = case(\n  isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.user)).ipAddress), \n  isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).ipAddress)) and tostring(parse_json(tostring(InitiatedBy.app)).ipAddress) != 'null', tostring(parse_json(tostring(InitiatedBy.app)).ipAddress),\n  'Not Available')\n| extend InitiatedBy = iff(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)), \n  tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), tostring(parse_json(tostring(InitiatedBy.app)).displayName)), UserRoles = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n| project InitiatedBy, ActivityDateTime, ActivityDisplayName, IpAddress, AADOperationType, AADTenantId, ResourceId, CorrelationId, Identity\n| extend timestamp = ActivityDateTime, IPCustomEntity = IpAddress, AccountCustomEntity = tolower(InitiatedBy), ResourceCustomEntity = ResourceId",
  "queryFrequency": "P1D",
  "queryPeriod": "P1D",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "displayName": "[#{customername}#] [UC1] Detect PIM Alert Disabling activity",
  "enabled": true,
  "description": "Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization. \nThis query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access",
  "lastUpdatedDateUTC": "2021-10-19T00:00:00Z",
  "createdDateUTC": "2021-09-30T00:00:00Z",
  "status": "Available",
  "kind": "Scheduled",
  "tactics": ["Persistence", "PrivilegeEscalation"],
  "Techniques": ["T1548", "T1098", "T1078", "T0890"]
}
```

2Wanderer avatar Jun 29 '22 09:06 2Wanderer

I am going through the same issue as well. I am using the azsentinel 0.6.21 PowerShell module to import analytics rules into Microsoft Sentinel. The PowerShell command I am using is "import-azsentinelalertrule". Below is one of the rules in JSON format. Everything in this rule gets deployed except the Techniques values.

```json
{
  "displayName": "TEARDROP memory-only dropper",
  "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
  "severity": "High",
  "enabled": true,
  "query": "DeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"",
  "queryFrequency": "P1D",
  "queryPeriod": "P1D",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "suppressionDuration": "PT5H",
  "suppressionEnabled": false,
  "tactics": ["Execution", "Persistence", "DefenseEvasion"],
  "techniques": ["T1059"],
  "alertRuleTemplateName": null,
  "incidentConfiguration": {
    "createIncident": true,
    "groupingConfiguration": {"enabled": false, "reopenClosedIncident": false, "lookbackDuration": "PT5H", "matchingMethod": "AllEntities", "groupByEntities": [], "groupByAlertDetails": [], "groupByCustomDetails": []}
  },
  "eventGroupingSettings": {"aggregationKind": "SingleAlert"},
  "alertDetailsOverride": null,
  "customDetails": null,
  "entityMappings": [
    {"entityType": "Account", "fieldMappings": [{"identifier": "FullName", "columnName": "AccountCustomEntity"}]},
    {"entityType": "Host", "fieldMappings": [{"identifier": "FullName", "columnName": "HostCustomEntity"}]},
    {"entityType": "FileHash", "fieldMappings": [{"identifier": "Algorithm", "columnName": "FileHashType"}, {"identifier": "Value", "columnName": "FileHashCustomEntity"}]}
  ],
  "sentinelEntitiesMappings": null,
  "templateVersion": "1.0.3"
}
```

(screenshot)

After further investigation I can tell that powershell command "import-azsentinelalertrule" doesn't have feature to deploy Techniques yet.

sandeep5234 avatar Aug 22 '22 10:08 sandeep5234

Is there any update on this?

sandeep5234 avatar Oct 10 '22 09:10 sandeep5234

I've implemented this and it seems to be working when importing through ARM templates!

Kaloszer avatar Dec 20 '22 07:12 Kaloszer

ARM Templates work for including the Techniques, however using the Powershell Az Module does not. After digging around I discovered it is because the API is outdated and not built to handle the technique variable yet.

LiamCloudGuard avatar Dec 20 '22 10:12 LiamCloudGuard
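An added example, not code from anyone in this thread or from Microsoft, that covers two points raised above: azurekid's pre-deployment check that a rule's tactics and techniques are valid, and the later finding that an ARM deployment (or a direct call against an API version that has a `techniques` field) carries the mapping while the PowerShell module's older API does not. It normalises the key casing seen in the exports above (`"Techniques"` vs `"techniques"`), validates the mapping, strips export-only metadata, and emits either an ARM resource or the equivalent REST PUT. Assumed rather than taken from the thread: the `api-version` value, the tactic enum, the property allow-list, and the sample rule, which is constructed.

```python
"""Carry a rule export's MITRE mapping into an ARM resource or REST PUT, validating it first."""
import json
import re
import uuid

# Technique IDs as Sentinel stores them: "T" + four digits, optional ".NNN" sub-technique.
TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")

# Tactic values of the alertRules API (assumption: the 2022-11-01 AttackTactic enum).
SENTINEL_TACTICS = {
    "Reconnaissance", "ResourceDevelopment", "InitialAccess", "Execution", "Persistence",
    "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "Discovery", "LateralMovement",
    "Collection", "Exfiltration", "CommandAndControl", "Impact", "PreAttack",
    "ImpairProcessControl", "InhibitResponseFunction",
}

# Scheduled-rule properties forwarded to the API (assumed allow-list); export-only metadata
# such as "status", "createdDateUTC" and "lastUpdatedDateUTC" is deliberately dropped.
RULE_PROPERTIES = {
    "displayName", "description", "severity", "enabled", "query", "queryFrequency", "queryPeriod",
    "triggerOperator", "triggerThreshold", "suppressionDuration", "suppressionEnabled",
    "tactics", "techniques", "incidentConfiguration", "eventGroupingSettings", "entityMappings",
    "customDetails", "alertDetailsOverride", "alertRuleTemplateName", "templateVersion",
}

# Assumption: a GA api-version whose ScheduledAlertRule schema includes "techniques".
ALERT_RULES_API_VERSION = "2022-11-01"


def normalise_keys(rule):
    """Lower-case the first letter of each top-level key: "Techniques" -> "techniques"."""
    return {key[:1].lower() + key[1:]: value for key, value in rule.items()}


def validate_mapping(rule):
    """Return the problems found in the tactic/technique mapping (empty list when clean)."""
    rule = normalise_keys(rule)
    problems = []
    for tactic in rule.get("tactics") or []:
        if tactic not in SENTINEL_TACTICS:
            problems.append(f"unknown tactic: {tactic}")
    for technique in rule.get("techniques") or []:
        if not TECHNIQUE_ID.match(technique):
            problems.append(f"malformed technique id: {technique}")
    if rule.get("techniques") and not rule.get("tactics"):
        problems.append("techniques mapped without any tactic")
    return problems


def rule_properties(rule):
    """Normalise, validate and trim an export down to the API's "properties" object."""
    rule = normalise_keys(rule)
    problems = validate_mapping(rule)
    if problems:
        raise ValueError("; ".join(problems))
    return {key: value for key, value in rule.items() if key in RULE_PROPERTIES}


def stable_rule_id(rule):
    """Deterministic GUID from the display name, so a redeploy updates instead of duplicating."""
    return str(uuid.uuid5(uuid.NAMESPACE_URL, normalise_keys(rule)["displayName"]))


def to_arm_resource(rule, workspace_param="workspace", rule_id=None):
    """Wrap the rule as the ARM resource that, per this thread, does carry techniques."""
    rule_id = rule_id or stable_rule_id(rule)
    return {
        "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
        "apiVersion": ALERT_RULES_API_VERSION,
        "name": f"[concat(parameters('{workspace_param}'),'/Microsoft.SecurityInsights/{rule_id}')]",
        "kind": normalise_keys(rule).get("kind", "Scheduled"),
        "properties": rule_properties(rule),
    }


def to_rest_request(rule, subscription, resource_group, workspace, rule_id=None):
    """Build the PUT for `az rest`, pinning an api-version that knows about techniques."""
    rule_id = rule_id or stable_rule_id(rule)
    url = (f"https://management.azure.com/subscriptions/{subscription}/resourceGroups/{resource_group}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           f"/providers/Microsoft.SecurityInsights/alertRules/{rule_id}?api-version={ALERT_RULES_API_VERSION}")
    body = {"kind": normalise_keys(rule).get("kind", "Scheduled"), "properties": rule_properties(rule)}
    return "PUT", url, body


# Constructed sample in the shape of the exports above, including a capitalised "Techniques" key.
SAMPLE_RULE = {
    "severity": "Medium", "queryFrequency": "P1D", "queryPeriod": "P1D",
    "query": "AuditLogs\n| where LoggedByService =~ \"PIM\"\n| where ActivityDisplayName has \"Disable PIM Alert\"",
    "triggerOperator": "GreaterThan", "triggerThreshold": 0, "enabled": True, "kind": "Scheduled",
    "displayName": "[UC1] Detect PIM Alert Disabling activity",
    "status": "Available", "lastUpdatedDateUTC": "2021-10-19T00:00:00Z",
    "tactics": ["Persistence", "PrivilegeEscalation"],
    "Techniques": ["T1548", "T1098", "T1078"],
}

if __name__ == "__main__":
    print(json.dumps({
        "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
        "contentVersion": "1.0.0.0",
        "parameters": {"workspace": {"type": "string"}},
        "resources": [to_arm_resource(SAMPLE_RULE)],
    }, indent=2))
```

Pinning the `api-version` in the pipeline is the point: a module or default that silently targets an older schema will accept the rule and drop the `techniques` field without an error. A cheap regression check is to `GET` the rule after deployment and compare its `properties.techniques` with what `rule_properties()` produced from the export.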

Hi @rcegan , thank you for flagging this. Apologies for the delayed response. If you still need assistance, please reply here within 5 business days.

v-amolpatil avatar Feb 08 '23 17:02 v-amolpatil

Gentle Reminder: We are awaiting your response on this issue. If you still need to keep this issue active please respond within the next 2 days. If we don't receive a response by 17 Feb 2023, we will close this issue.

v-amolpatil avatar Feb 14 '23 19:02 v-amolpatil

Since we have not received a response in the last 5 days, we are closing your issue #4386 as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.

v-amolpatil avatar Feb 16 '23 18:02 v-amolpatil
