wortell / AZSentinel

PowerShell module for Azure Sentinel

GroupingConfigurationEnabled: Not work.

rleal124 opened this issue · comments

Steps to reproduce

Below is the rule I used for the test.

Import-AzSentinelAlertRule -SubscriptionId SubID -WorkspaceName WSName -SettingsFile .\RuleForTestGroupping.yaml

And the YAML file I used for the tests:

---
Scheduled:
- displayName: Rule For Test groupingConfiguration
  description: Rule For Test groupingConfiguration
  severity: Low
  enabled: false
  query: |
         let ingestion_delay= 2min;
         let rule_look_back = 5min;
         CommonSecurityLog
         | where TimeGenerated >= ago(ingestion_delay + rule_look_back)
         | where ingestion_time() > (rule_look_back
  queryFrequency: 5M
  queryPeriod: 5M
  triggerOperator: GreaterThan
  triggerThreshold: 0
  suppressionDuration: 1H
  suppressionEnabled: false
  tactics:
  - Persistence
  - LateralMovement
  - Collection
  aggregationKind: AlertPerResult
  incidentConfiguration:
    createIncident: true
    groupingConfiguration:
      GroupingConfigurationEnabled: true
      reopenClosedIncident: true
      lookbackDuration: PT5H
      entitiesMatchingMethod: All
      groupByEntities:
      - Account
      - Ip
      - Host
      - Url
      - FileHash

Expected behavior

GroupingConfigurationEnabled is enabled in Sentinel.

Actual behavior

GroupingConfigurationEnabled does not take any effect.

Hi @rleal124, thanks for the feedback. Based on the API documentation, "GroupingConfigurationEnabled" must be "Enabled". Changing the property name will solve the issue.
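The fix described above is a renamed property, and the underlying failure mode is that the misnamed key was silently ignored rather than rejected, so incident grouping stayed off without any error. As an added example (not code from the AZSentinel module or from anyone in this thread), here is a Python pre-flight check that validates the `groupingConfiguration` block of a settings file against the property names used in the issue and the reply, reports unknown keys with a suggested name, checks value types and the `lookbackDuration` format, and maps a clean block to the API body. The property list, the case-insensitive key matching (assumed to mirror PowerShell's case-insensitive hashtable keys) and the two sample blocks are assumptions constructed from the YAML in the issue.

```python
import re
from typing import Any, Dict, List, Optional

# Properties accepted under incidentConfiguration.groupingConfiguration, with the
# value type each expects. Names are the camelCase API names taken from the
# issue's YAML plus 'enabled' from the maintainer's reply; matching below is
# case-insensitive (assumption: mirrors PowerShell's case-insensitive hashtable keys).
GROUPING_PROPERTIES: Dict[str, type] = {
    "enabled": bool,
    "reopenClosedIncident": bool,
    "lookbackDuration": str,
    "entitiesMatchingMethod": str,
    "groupByEntities": list,
}
_BY_LOWER = {name.lower(): name for name in GROUPING_PROPERTIES}

# ISO 8601 duration such as PT5H or P1D, the format lookbackDuration uses.
_ISO_DURATION = re.compile(r"^P(?=\d|T\d)(\d+D)?(T(\d+H)?(\d+M)?(\d+S)?)?$")


def suggest_property(unknown: str) -> Optional[str]:
    """Guess which real property an unknown key was meant to be, by suffix:
    'GroupingConfigurationEnabled' -> 'enabled'."""
    low = unknown.lower()
    for lower_name, name in _BY_LOWER.items():
        if low.endswith(lower_name):
            return name
    return None


def validate_grouping(cfg: Dict[str, Any]) -> List[str]:
    """Return the problems found in a groupingConfiguration block (empty = OK).

    Unknown keys are reported instead of dropped: in the issue the misnamed key
    was silently ignored, which left incident grouping switched off."""
    problems: List[str] = []
    seen = set()
    for key, value in cfg.items():
        name = _BY_LOWER.get(key.lower())
        if name is None:
            hint = suggest_property(key)
            msg = f"unknown property '{key}'"
            if hint:
                msg += f" (did you mean '{hint}'?)"
            problems.append(msg)
            continue
        seen.add(name)
        expected = GROUPING_PROPERTIES[name]
        if not isinstance(value, expected):
            problems.append(f"'{key}' must be {expected.__name__}, got {type(value).__name__}")
        elif name == "lookbackDuration" and not _ISO_DURATION.match(value):
            problems.append(f"'{key}' is not an ISO 8601 duration: {value!r}")
    if "enabled" not in seen:
        problems.append("'enabled' is missing, so incident grouping stays off")
    return problems


def to_api_body(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Map a validated settings-file block to the API body with canonical names.
    Raises ValueError instead of sending a block that would be partly ignored."""
    problems = validate_grouping(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return {_BY_LOWER[key.lower()]: value for key, value in cfg.items()}


# Constructed sample: the groupingConfiguration block as posted in the issue...
BROKEN_GROUPING = {
    "GroupingConfigurationEnabled": True,
    "reopenClosedIncident": True,
    "lookbackDuration": "PT5H",
    "entitiesMatchingMethod": "All",
    "groupByEntities": ["Account", "Ip", "Host", "Url", "FileHash"],
}
# ...and the same block with the property renamed as the maintainer advised.
FIXED_GROUPING = dict(BROKEN_GROUPING)
FIXED_GROUPING["enabled"] = FIXED_GROUPING.pop("GroupingConfigurationEnabled")

if __name__ == "__main__":
    for label, block in (("broken", BROKEN_GROUPING), ("fixed", FIXED_GROUPING)):
        print(label, validate_grouping(block) or "OK")
```

Running the script reports the unknown key and the missing `enabled` for the posted block and prints `OK` for the corrected one. Treating unknown keys as errors, rather than passing the block through, is the general defence against this class of silent misconfiguration: a rule that deploys without a complaint but with grouping disabled looks healthy until the incident queue fills up.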

@pkhabazi You are right, I changed the template to Enable and it works. Thanks

Thanks for the feedback, closing issue