
Get-AzSentinelAlertRuleTemplate "Tactics" value always empty

Open ErnieBot opened this issue 4 years ago • 9 comments

Description

The "Tactics" value appears to be always empty when retrieving all rule templates using Get-AzSentinelAlertRuleTemplate.

There do appear to be tactics associated with the templates when using the API or manually viewing the templates in the interface. (Sentinel => Configuration => Analytics => Rule templates)

Issue script & Debug output

Get-AzSentinelAlertRuleTemplate

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.18362.1801
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.1801
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Script     2.6.1      Az.Accounts                         {Add-AzEnvironment, Clear-AzContext, Clear-AzDefault, Conn...
Script     1.1.0      Az.SecurityInsights                 {Get-AzSentinelAlertRule, Get-AzSentinelAlertRuleAction, G...

Error output

No response

ErnieBot avatar Nov 08 '21 16:11 ErnieBot

Thank you for reporting. Tagging and routing to the team member best able to assist.

dingmeng-xue avatar Nov 09 '21 06:11 dingmeng-xue

@ErnieBot I can confirm the same. Looks like it does populate for the Fusion Kind of the Rule Templates but not for the others. We are routing this to the appropriate team.

PramodValavala-MSFT avatar Nov 09 '21 08:11 PramodValavala-MSFT

Hi @ErnieBot We are aware of this issue. The API version used by the PowerShell client does not always return tactics. Updated APIs are coming and we will be updating the module to use them.

dicolanl avatar Nov 17 '21 22:11 dicolanl

Any movement on this one? I've got a Sentinel deployment script that creates ARM templates and tactics is still coming out as 'null'. It did work at some point but can't remember when it last did.

opticon454 avatar May 24 '22 05:05 opticon454

Hi @opticon454 We have a new version in review. The PR is here: https://github.com/Azure/azure-powershell/pull/17286

dicolanl avatar May 24 '22 13:05 dicolanl

@dicolanl any updates on this? It doesn't appear that the fix is live yet.

camalloy avatar Sep 14 '22 20:09 camalloy

@camalloy

They've released a v2 preview version. I haven't had a chance to test it yet for this specific issue.

https://www.powershellgallery.com/packages/Az.SecurityInsights/2.0.0-preview

opticon454 avatar Sep 15 '22 00:09 opticon454

Just released!!!!

dicolanl avatar Sep 15 '22 12:09 dicolanl

Can confirm that this works now; the preview fix now populates the Tactic field.

camalloy avatar Sep 15 '22 12:09 camalloy

@dicolanl @camalloy Thanks for confirming! Closing this out.

PramodValavala-MSFT avatar Jan 18 '23 15:01 PramodValavala-MSFT
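
A way to check whether an installed module version is affected, as an added example that is not part of the thread or of the Az.SecurityInsights project: the hypothetical function Get-TemplateTacticCoverage counts, per template Kind, how many templates carry tactics. It assumes each template object exposes a Kind property and either the Tactics property named in the report or the Tactic field named in the confirmation; the sample objects are constructed.

```powershell
# Added example: not from the issue thread or the Az.SecurityInsights project.
# Assumption: each template object has 'Kind' and either 'Tactics' or 'Tactic'.
function Get-TemplateTacticCoverage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $Template
    )
    begin { $all = [System.Collections.Generic.List[object]]::new() }
    process { foreach ($t in $Template) { $all.Add($t) } }
    end {
        foreach ($group in ($all | Group-Object -Property Kind)) {
            $populated = 0
            foreach ($t in $group.Group) {
                # Collect values from whichever property name this module version emits.
                $values = foreach ($name in 'Tactics', 'Tactic') {
                    $prop = $t.PSObject.Properties[$name]
                    if ($prop) { $prop.Value }
                }
                # $null, empty arrays and empty strings all count as "no tactics".
                if (@($values | Where-Object { $_ }).Count -gt 0) { $populated++ }
            }
            [pscustomobject]@{
                Kind        = $group.Name
                Total       = $group.Count
                WithTactics = $populated
                Missing     = $group.Count - $populated
            }
        }
    }
}

# Constructed sample objects mirroring the behaviour reported in the thread.
$sample = @(
    [pscustomobject]@{ Kind = 'Fusion';    DisplayName = 'Sample A'; Tactics = @('Persistence', 'LateralMovement') }
    [pscustomobject]@{ Kind = 'Scheduled'; DisplayName = 'Sample B'; Tactics = @() }
    [pscustomobject]@{ Kind = 'Scheduled'; DisplayName = 'Sample C'; Tactics = $null }
    [pscustomobject]@{ Kind = 'Scheduled'; DisplayName = 'Sample D'; Tactic  = @('InitialAccess') }
)
$sample | Get-TemplateTacticCoverage | Format-Table -AutoSize

# Against a live workspace (placeholder names):
# Get-AzSentinelAlertRuleTemplate -ResourceGroupName '<resource-group>' -WorkspaceName '<workspace>' |
#     Get-TemplateTacticCoverage
```

A non-zero Missing count for a Kind whose templates show tactics in the portal points to the module behaviour described in this issue rather than to the templates themselves.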