I believe the issue you're facing comes down to the interpretation of the resolution_id field. If you're using v1.2 of the MS Sentinel App, I believe you should be able to use the actual name of the resolution field value rather than the ID.
Based on the custom changes you may have made, different values may be present and should be mapped appropriately.
Original Message:
Sent: Wed December 13, 2023 04:30 AM
From: Srinivas Joshi
Subject: Azure sentinel Integration New Incident Filter
Also, I have a small doubt about the closure comments from SOAR to Sentinel. I see the below code can be used to close the Sentinel incident:
{# JINJA template for closing a new Sentinel incident from a SOAR incident. #}
{
  "properties": {
    "title": "{{ name|soar_splitpart(1) }}",
    "severity": "{{ severity_code|string|soar_substitute('{"4": "Low", "5": "Medium", "6": "High"}') }}",
    "status": "Closed",
    "classification": "{{ resolution_id|string|soar_substitute('{"7": "TruePositive", "8": "Undetermined", "9": "FalsePositive", "10": "TruePositive", "DEFAULT": "Undetermined"}') }}",
    "classificationComment": "{{ resolution_summary|striptags|safe }}",
    {# modify as necessary #}
    "classificationReason": "{{ resolution_id|string|soar_substitute('{"7": "", "8": "", "9": "InaccurateData", "10": "SuspiciousActivity", "DEFAULT": ""}') }}"
  }
}
But in our case I have changed it as per below, and it still shows Undetermined as the Reason.
{# JINJA template for closing a new Sentinel incident from a SOAR incident. #}
{
  "properties": {
    "title": "{{ name|soar_splitpart(1) }}",
    "severity": "{{ severity_code|string|soar_substitute('{"4": "Low", "5": "Medium", "6": "High"}') }}",
    "status": "Closed",
    "classification": "{{ resolution_id|string|soar_substitute('{"7": "FalsePositive", "8": "FalsePositive", "9": "TruePositive", "10": "TruePositive"}') }}",
    "classificationComment": "{{ resolution_summary|striptags|safe }}",
    {# modify as necessary #}
    "classificationReason": "{{ resolution_id|string|soar_substitute('{"7": "FalsePositive", "8": "FalsePositive", "9": "InaccurateData", "10": "SuspiciousActivity"}') }}"
  }
}
The fields in Sentinel are as below.
TruePositive - SuspiciousActivity
BenignPositive - SuspiciousButExpected
FalsePositive - InaccurateData
FalsePositive - IncorrectAlertLogic
Undetermined
And in SOAR they are as below. How can I make this reflect in Sentinel while closing?
True Positive
True Positive-Benign
False Positive
Inconclusive
Duplicate
------------------------------
Regards
Joshi
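Added example, not code from the original posts or from the Sentinel app: a Python script that renders a closure template of the same shape as the ones above with Jinja2, keyed on the SOAR resolution label instead of resolution_id (a hypothetical "resolution_name" context variable stands in for however the app exposes the label), and checks each rendered classification/classificationReason pair against the combinations listed for Sentinel above. The soar_substitute and soar_splitpart filters are my own stand-ins written to follow their documented behaviour, not resilient-lib's code; the SOAR incident values are constructed, the Duplicate mapping is a choice to adjust, and the script needs the jinja2 package.

```python
import json
from jinja2 import BaseLoader, Environment, StrictUndefined

# Stand-ins for the IBM SOAR Jinja filters the Sentinel app templates use.
# Assumption: soar_substitute maps a value through a JSON dict and falls back to
# the "DEFAULT" key, soar_splitpart splits on " - ". Own code, not resilient-lib's.
def soar_substitute(value, json_str):
    table = json.loads(json_str)
    if value in table:
        return table[value]
    return table.get("DEFAULT", value)

def soar_splitpart(value, index, split_chars=" - "):
    parts = value.split(split_chars)
    return parts[index] if index < len(parts) else value

# classification / classificationReason pairs Sentinel accepts, as listed in the thread.
VALID_PAIRS = {
    ("TruePositive", "SuspiciousActivity"),
    ("BenignPositive", "SuspiciousButExpected"),
    ("FalsePositive", "InaccurateData"),
    ("FalsePositive", "IncorrectAlertLogic"),
    ("Undetermined", ""),
}

# Closure template keyed on the SOAR resolution label. `resolution_name` is a
# hypothetical variable name. Mapping "Duplicate" to FalsePositive/IncorrectAlertLogic
# is a choice to adjust: Sentinel has no duplicate classification.
CLOSE_TEMPLATE = r'''{# Closing a Sentinel incident from a SOAR incident (added example). #}
{
  "properties": {
    "title": "{{ name|soar_splitpart(1) }}",
    "severity": "{{ severity_code|string|soar_substitute('{"4": "Low", "5": "Medium", "6": "High"}') }}",
    "status": "Closed",
    "classification": "{{ resolution_name|soar_substitute('{"True Positive": "TruePositive", "True Positive-Benign": "BenignPositive", "False Positive": "FalsePositive", "Inconclusive": "Undetermined", "Duplicate": "FalsePositive", "DEFAULT": "Undetermined"}') }}",
    "classificationComment": "{{ resolution_summary|striptags|safe }}",
    "classificationReason": "{{ resolution_name|soar_substitute('{"True Positive": "SuspiciousActivity", "True Positive-Benign": "SuspiciousButExpected", "False Positive": "InaccurateData", "Duplicate": "IncorrectAlertLogic", "DEFAULT": ""}') }}"
  }
}'''

SOAR_RESOLUTIONS = ["True Positive", "True Positive-Benign", "False Positive", "Inconclusive", "Duplicate"]

# Constructed sample SOAR incident fields (not real data).
SAMPLE_CONTEXT = {
    "name": "Sentinel incident 42 - Suspicious sign-in from unfamiliar location",
    "severity_code": 5,
    "resolution_name": "True Positive-Benign",
    "resolution_summary": "User confirmed the <b>travel</b>.",
}

def render_close(context, template=CLOSE_TEMPLATE):
    """Render the closure template and parse it, so malformed JSON fails here rather than at Sentinel."""
    env = Environment(loader=BaseLoader(), undefined=StrictUndefined)
    env.filters["soar_substitute"] = soar_substitute
    env.filters["soar_splitpart"] = soar_splitpart
    return json.loads(env.from_string(template).render(**context))

def classification_pair(payload):
    props = payload["properties"]
    return (props["classification"], props.get("classificationReason", ""))

def is_valid_pair(payload):
    """True when classification and classificationReason form a combination Sentinel accepts."""
    return classification_pair(payload) in VALID_PAIRS

def map_all_resolutions():
    """Render once per SOAR resolution label; returns {label: (classification, reason)}."""
    return {
        label: classification_pair(render_close({**SAMPLE_CONTEXT, "resolution_name": label}))
        for label in SOAR_RESOLUTIONS
    }

if __name__ == "__main__":
    for label, pair in map_all_resolutions().items():
        print(f"{label:22s} -> {pair}")
    # "FalsePositive" is a classification value, not a reason, so this pair is rejected.
    bad = {"properties": {"classification": "FalsePositive", "classificationReason": "FalsePositive"}}
    print("FalsePositive/FalsePositive valid:", is_valid_pair(bad))
```

The pair check is the part worth keeping: a classificationReason that is not one of the four reason values, or that belongs to a different classification, is caught before the PATCH is sent rather than when Sentinel rejects it.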
Original Message:
Sent: Tue December 12, 2023 12:28 AM
From: Srinivas Joshi
Subject: Azure sentinel Integration New Incident Filter
Hi Mark,
1: Rule name is not part of the JSON, so I guess it cannot be done as of now.
2: Yes, we should be able to escalate using multiple templates, as there are chances that Analysts will filter using many options on Sentinel UI.
The more ways we have to filter, the better. Thanks for the response. Any ETA, please, if possible, for the upcoming change?
------------------------------
Regards
Joshi
Original Message:
Sent: Fri December 08, 2023 08:08 AM
From: Mark Scherfling
Subject: Azure sentinel Integration New Incident Filter
Hi Joshi,
Per your questions:
1. If rule name or rule ID is part of the JSON response, you should be able to filter on it (but see my response to question 3 below).
2. Correct me if I'm wrong, but I believe you're asking if more than one create case template can be used per each new_incident_filters criteria. The answer is no, but that's a good requirement we can look to include in a future release.
3. Because "labels" is a list, the current logic for testing the values as "labels.labelName" will not work. This is true of any list based value set. This issue will be picked up as a bug for an upcoming change.
------------------------------
Mark Scherfling
Original Message:
Sent: Fri December 08, 2023 04:16 AM
From: Srinivas Joshi
Subject: Azure sentinel Integration New Incident Filter
Hi Team, I have 3 questions and thank you in advance for the answers.
1 : Is there a way to pull the incidents on the basis of Rule Name or Rule ID?
2 : Can multiple new incident templates be set, as in the example shown below, or is there any & condition we can use?
#new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium"], "alertProductNames": ["Azure Sentinel", ]
#new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], "alertProductNames": ["Microsoft Defender for Cloud Apps", "Microsoft Defender for Cloud", ]
3 : How can I get the Labels included in the New Incident filter? The API response of one Incident from Sentinel is shown below.
#new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium"], "alertProductNames": ["Azure Sentinel", ], "labels.labelName": ["Gated"]
Does the above work for the below JSON?
Response JSON :
"properties": {
    "status": "Closed",
    "classification": "BenignPositive",
    "owner": {
        "objectId": "66f8eadc-faf8-4efe-abcf-72bebd2b451c",
        "email": null,
        "assignedTo": "Karthik Mylaram",
        "userPrincipalName": "AZADMIN@onnmicrosoft.com"
    },
    "labels": [
        {
            "labelName": "Gated",
            "labelType": "User"
        }
    ],
    "firstActivityTimeUtc": "2023-12-07T10:48:02.175Z",
------------------------------
Regards
Joshi
------------------------------
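Added example, not code from the thread or from the Sentinel app: a Python matcher showing why a dotted criterion such as labels.labelName cannot be evaluated with a plain dict walk when labels is a list, as Mark's reply describes, and one way to evaluate it by fanning out over list elements. The filter lines from the question are parsed by a small parser of my own (an assumption about the app.config syntax, tolerant of the trailing commas in the examples) and run over a sample trimmed from the incident JSON quoted above; trying several filter sets in order models one create-case template per filter set, the multi-filter form the question asks about.

```python
import ast
import json

# Constructed sample, trimmed from the incident JSON quoted in the thread (not live data).
CLOSED_INCIDENT = {
    "properties": {
        "status": "Closed",
        "severity": "High",
        "classification": "BenignPositive",
        "alertProductNames": ["Azure Sentinel"],
        "labels": [{"labelName": "Gated", "labelType": "User"}],
    }
}
# Same incident but still open, so the status criterion can pass.
OPEN_INCIDENT = json.loads(json.dumps(CLOSED_INCIDENT))
OPEN_INCIDENT["properties"]["status"] = "New"

# The filter lines from the question, with the labels criterion appended to the first.
SENTINEL_FILTER_LINE = (
    'new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium"], '
    '"alertProductNames": ["Azure Sentinel", ], "labels.labelName": ["Gated"]'
)
DEFENDER_FILTER_LINE = (
    'new_incident_filters = "status": ["New", "Active"], "severity": ["High", "Medium", "Low"], '
    '"alertProductNames": ["Microsoft Defender for Cloud Apps", "Microsoft Defender for Cloud", ]'
)

def parse_filter(line):
    """Own parser for the app.config-style line (assumption: not the app's parser).
    Wrapping the right-hand side in braces and using ast.literal_eval accepts the
    trailing commas the thread's examples contain."""
    _, _, rhs = line.lstrip("# ").partition("=")
    return ast.literal_eval("{" + rhs.strip() + "}")

def naive_lookup(obj, path):
    """Dict-only walk: the behaviour the thread describes as failing, because labels is a list."""
    for key in path.split("."):
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj

def resolve(obj, keys):
    """All values reachable via the dotted path; a list at any level fans out per element."""
    if isinstance(obj, list):
        return [v for item in obj for v in resolve(item, keys)]
    if not keys:
        return [obj]
    if isinstance(obj, dict) and keys[0] in obj:
        return resolve(obj[keys[0]], keys[1:])
    return []

def matches(props, criteria):
    """AND across criteria; a criterion passes when any resolved value is in its allowed list."""
    return all(
        any(v in allowed for v in resolve(props, path.split(".")))
        for path, allowed in criteria.items()
    )

def first_matching_filter(props, filter_sets):
    """OR across filter sets: index of the first set that matches, else None.
    One create-case template per filter set would be chosen by this index."""
    for i, criteria in enumerate(filter_sets):
        if matches(props, criteria):
            return i
    return None

if __name__ == "__main__":
    sentinel, defender = parse_filter(SENTINEL_FILTER_LINE), parse_filter(DEFENDER_FILTER_LINE)
    props = OPEN_INCIDENT["properties"]
    print("naive labels.labelName:", naive_lookup(props, "labels.labelName"))
    print("resolved labels.labelName:", resolve(props, ["labels", "labelName"]))
    print("closed incident matches:", matches(CLOSED_INCIDENT["properties"], sentinel))
    print("open incident matches:", matches(props, sentinel))
    print("template index:", first_matching_filter(props, [defender, sentinel]))
```

Note that the sample incident from the question is already Closed, so the labels criterion alone matches but the full filter does not; the status criterion fails first.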