如何在 Azure Sentinel 中将 alertProductNames 添加到事件

无法通过在 Azure Sentinel 中事件的附加属性中添加警报来直接创建警报，因为警报需要单独创建或由事件触发。 此外，在 MS 文档中：-事件 - 创建或更新 - REST API （Azure Sentinel） |Microsoft Learn > 请求正文不包含任何具有 alertProductNames 的属性。

我尝试使用 alertProductName 创建一个事件，但它没有创建，请参阅下文：-

URI：-

https://management.azure.com/subscriptions/xxxxxxx-xxxx-xxxx-xx-e2b6e97cb2a7/resourceGroups/sentinelrg/providers/Microsoft.OperationalInsights/workspaces/LoganalyticsWS/providers/Microsoft.SecurityInsights/incidents/id?api-version=2022-12-01-preview

正文参数：-

{

"properties": {

"title": "silicon Incident",

"description": "This is an silicon incident created using the Azure Sentinel API",

"severity": "Medium",

"status": "New",

"additionalData": {

"alertsCount": 1,

"bookmarksCount": 2,

"commentsCount": 2,

"alertProductNames": ["Azure Security Center"],

"tactics": [],

"techniques": ["T1189 - Drive-by-Compromise"]

}

  
  

}

}

输出：-

要使用 ProductName 创建警报，有一个不同的 API，请参阅以下内容：-

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/alertRules/{ruleId}?api-version=2022-12-01-preview

请求正文：-

{

"kind": "Scheduled",

"properties": {

"displayName": "My scheduled rule",

"description": "An example for a scheduled rule",

"severity": "High",

"enabled": true,

"tactics": [

"Persistence",

"LateralMovement"

],

"techniques": [

"T1037",

"T1021"

],

"query": "Heartbeat",

"queryFrequency": "PT1H",

"queryPeriod": "P2DT1H30M",

"triggerOperator": "GreaterThan",

"triggerThreshold": 0,

"suppressionDuration": "PT1H",

"suppressionEnabled": false,

"eventGroupingSettings": {

"aggregationKind": "AlertPerResult"

},

"customDetails": {

"OperatingSystemName": "OSName",

"OperatingSystemType": "OSType"

}

}

}

输出：-

引用：-

警报规则 - 创建或更新 - REST API （Azure Sentinel） |Microsoft 学习

按事件列出警报：-

事件 - 列表警报 - REST API （Azure Sentinel） |Microsoft 学习