Sentinel Scheduled Analytics rules using automation seems to not support entityMapping yet, will this get supported in the future?

Jun Yamog 21 Reputation points
2021-12-07T05:06:45.28+00:00

We are using Azure DevOps (terraform + ARM) to manage our sentinel instances. I realized that one aspect of doing an automated deploy of a scheduled analytics entityMapping isn't supported. There doesn't seem to be a way to set the entityMapping fields. I am aware that entityMapping is still on preview, but would this feature be supported via API? Is there an estimated timeline?

There doesn’t seem to be support from the docs.

https://learn.microsoft.com/en-us/rest/api/securityinsights/alert-rules/create-or-update#scheduledalertrule

https://learn.microsoft.com/en-us/powershell/module/az.securityinsights/new-azsentinelalertrule?view=azps-6.6.0

You can see using the compare with template feature, that is the major difference between the template and what we have deployed.

155533-screen-shot-2021-12-01-at-125010-pm.png

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
925 questions
{count} votes

Accepted answer
  1. Alistair Ross 7,081 Reputation points Microsoft Employee
    2021-12-07T10:47:45.647+00:00

    As this feature is still in preview, documentation may not be available or fully available until GA. However the preview APIs examples can be found on GitHub

    Also you can export the ARM templates from the portal, with the entity mappings, (See below)

    155663-image.png

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful