AZSentinel
Add capability to deploy Techniques in analytics rule for Microsoft Sentinel
Analytics Rules with mapped MITRE techniques do not get imported as JSON
Currently the "import-azsentinelalertrule" command in module "azsentinel" 0.6.21 doesn't deploy the Techniques values when deploying analytics rules. For example, the rule below has the technique "T1059". If we deploy this rule via the "import-azsentinelalertrule" command of the powershell module "azsentinel", the techniques values don't get applied. Please see the image attached, taken after creating the rule below.
```json
{
  "displayName": "TEARDROP memory-only dropper",
  "description": "Identifies SolarWinds TEARDROP memory-only dropper IOCs in Window's defender Exploit Guard activity\nReferences:\n- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html\n- https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f",
  "severity": "High",
  "enabled": true,
  "query": "DeviceEvents\n| where ActionType has \"ExploitGuardNonMicrosoftSignedBlocked\"\n| where InitiatingProcessFileName contains \"svchost.exe\" and FileName contains \"NetSetupSvc.dll\"\n| extend timestamp = TimeGenerated, AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),\nHostCustomEntity = DeviceName, FileHashCustomEntity = InitiatingProcessSHA1, FileHashType = \"SHA1\"",
  "queryFrequency": "P1D",
  "queryPeriod": "P1D",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "suppressionDuration": "PT5H",
  "suppressionEnabled": false,
  "tactics": [ "Execution", "Persistence", "DefenseEvasion" ],
  "techniques": [ "T1059" ],
  "alertRuleTemplateName": null,
  "incidentConfiguration": {
    "createIncident": true,
    "groupingConfiguration": {
      "enabled": false,
      "reopenClosedIncident": false,
      "lookbackDuration": "PT5H",
      "matchingMethod": "AllEntities",
      "groupByEntities": [],
      "groupByAlertDetails": [],
      "groupByCustomDetails": []
    }
  },
  "eventGroupingSettings": { "aggregationKind": "SingleAlert" },
  "alertDetailsOverride": null,
  "customDetails": null,
  "entityMappings": [
    { "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } ] },
    { "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } ] },
    { "entityType": "FileHash", "fieldMappings": [ { "identifier": "Algorithm", "columnName": "FileHashType" }, { "identifier": "Value", "columnName": "FileHashCustomEntity" } ] }
  ],
  "sentinelEntitiesMappings": null,
  "templateVersion": "1.0.3"
}
```
After further investigation I can tell that the powershell command "import-azsentinelalertrule" doesn't have the feature to deploy Techniques yet.
Please add the capability to deploy techniques to the "import-azsentinelalertrule" command and update the PowerShell Gallery with the changes.
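A post-import drift check, added here as an example and not part of the AzSentinel module: it compares the fields of a rule JSON like the one above with the properties read back from the deployed rule and reports anything that did not land, so techniques the importer silently drops surface instead of passing as a successful deploy. Both objects below are constructed samples (the deployed one models the symptom in this issue); in practice the second comes from the rule object read back from the workspace.

```python
import re

# Constructed sample: fields of the TEARDROP rule JSON from the issue that the
# import is expected to carry over (the full file is what gets imported).
LOCAL_RULE = {
    "displayName": "TEARDROP memory-only dropper",
    "severity": "High",
    "enabled": True,
    "tactics": ["Execution", "Persistence", "DefenseEvasion"],
    "techniques": ["T1059"],
}

# Constructed sample: the same rule's "properties" as read back from the
# workspace after the import, modelling the symptom in the issue: everything
# landed except the techniques.
DEPLOYED_PROPERTIES = {
    "displayName": "TEARDROP memory-only dropper",
    "severity": "High",
    "enabled": True,
    "tactics": ["DefenseEvasion", "Execution", "Persistence"],
    "techniques": [],
}

# ATT&CK technique (T1059) or sub-technique (T1059.001) identifier.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
CHECKED_FIELDS = ("displayName", "severity", "enabled", "tactics", "techniques")


def malformed_techniques(rule):
    """Technique IDs in the local rule that do not look like ATT&CK IDs."""
    return [t for t in rule.get("techniques") or [] if not TECHNIQUE_ID.match(t)]


def _normalise(value):
    # Lists are compared order-insensitively: the service may reorder them.
    return sorted(value) if isinstance(value, list) else value


def deployment_drift(local_rule, deployed_properties, fields=CHECKED_FIELDS):
    """Map each checked field that did not land as defined to (expected, actual)."""
    # A field absent from the deployed rule reads as None, so a value the
    # importer silently dropped is reported rather than passing unnoticed.
    drift = {}
    for field in fields:
        expected = _normalise(local_rule.get(field))
        actual = _normalise(deployed_properties.get(field))
        if expected != actual:
            drift[field] = (expected, actual)
    return drift
```

An empty dictionary from `deployment_drift` means every checked field landed; for the rule in this issue it reports the techniques only.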