GroupingConfigurationEnabled: not working.
rleal124 opened this issue · comments
Steps to reproduce
Below is the command I used for the test:

```powershell
Import-AzSentinelAlertRule -SubscriptionId SubID -WorkspaceName WSName -SettingsFile .\RuleForTestGroupping.yaml
```
And the YAML file I used for the tests:

```yaml
---
Scheduled:
  - displayName: Rule For Test groupingConfiguration
    description: Rule For Test groupingConfiguration
    severity: Low
    enabled: false
    query: |
      let ingestion_delay= 2min;
      let rule_look_back = 5min;
      CommonSecurityLog
      | where TimeGenerated >= ago(ingestion_delay + rule_look_back)
      | where ingestion_time() > (rule_look_back
    queryFrequency: 5M
    queryPeriod: 5M
    triggerOperator: GreaterThan
    triggerThreshold: 0
    suppressionDuration: 1H
    suppressionEnabled: false
    tactics:
      - Persistence
      - LateralMovement
      - Collection
    aggregationKind: AlertPerResult
    incidentConfiguration:
      createIncident: true
      groupingConfiguration:
        GroupingConfigurationEnabled: true
        reopenClosedIncident: true
        lookbackDuration: PT5H
        entitiesMatchingMethod: All
        groupByEntities:
          - Account
          - Ip
          - Host
          - Url
          - FileHash
```
Expected behavior
GroupingConfigurationEnabled is enabled on Sentinel.
Actual behavior
GroupingConfigurationEnabled does not take any effect.
Hi @rleal124, thanks for the feedback. Based on the API documentation, "GroupingConfigurationEnabled" must be "Enabled". Changing the property name will solve the issue.
Thanks for the feedback, closing issue
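A pre-import check for this mistake, added here as an example and not code from the AzSentinel module or from this issue: it parses the settings file with powershell-yaml (which AzSentinel already depends on) and flags any groupingConfiguration block that still uses the unrecognised GroupingConfigurationEnabled key instead of enabled, since an unknown key is silently ignored rather than rejected. The function name and the file path are assumptions.

```powershell
# Added example, not part of AzSentinel. Assumes the powershell-yaml module is installed
# (it is a dependency of AzSentinel) and that the settings file uses the Scheduled: layout
# shown in this issue.
Import-Module powershell-yaml

function Test-GroupingConfigurationKeys {
    param([Parameter(Mandatory)][string]$Path)

    $doc = Get-Content -Path $Path -Raw | ConvertFrom-Yaml
    $problems = @()

    foreach ($rule in @($doc.Scheduled)) {
        $grouping = $rule.incidentConfiguration.groupingConfiguration
        if ($null -eq $grouping) { continue }

        # Compare key names case-insensitively (-contains is case-insensitive on strings).
        $keys     = @($grouping.Keys | ForEach-Object { "$_" })
        $hasWrong = $keys -contains 'GroupingConfigurationEnabled'
        $hasRight = $keys -contains 'enabled'

        # The REST property is 'enabled'; the misspelt key is dropped without any error.
        if ($hasWrong -and -not $hasRight) {
            $problems += "[{0}] groupingConfiguration uses 'GroupingConfigurationEnabled'; rename it to 'enabled'" -f $rule.displayName
        }
    }
    return $problems
}

# Run the check before Import-AzSentinelAlertRule; the file path is a placeholder.
$findings = Test-GroupingConfigurationKeys -Path .\RuleForTestGroupping.yaml
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { 'groupingConfiguration keys look correct' }
```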