diff --git a/README.md b/README.md
index a461152..a08b040 100644
--- a/README.md
+++ b/README.md
@@ -174,6 +174,9 @@ This way the following KQL query will be converted...
 ## Changelog
+### 2.4.2
+ * FIX: Arm to YAML used `techniques` instead of `relevantTechniques`
+
 ### 2.4.1
 * FIX: Handle error if `incidentConfiguration` section is missing from source YAML in `Convert-SentinelARYamlToArm` when using `-DisableIncidentCreation`
diff --git a/src/SentinelARConverter.psd1 b/src/SentinelARConverter.psd1
index 9086b80..c96ce9d 100644
--- a/src/SentinelARConverter.psd1
+++ b/src/SentinelARConverter.psd1
@@ -12,7 +12,7 @@
 RootModule = 'SentinelARConverter.psm1'
 # Version number of this module.
- ModuleVersion = '2.4.1'
+ ModuleVersion = '2.4.2'
 # Supported PSEditions
 # CompatiblePSEditions = @()
diff --git a/src/public/Convert-SentinelARArmToYaml.ps1 b/src/public/Convert-SentinelARArmToYaml.ps1
index 4eb5e1d..88213c4 100644
--- a/src/public/Convert-SentinelARArmToYaml.ps1
+++ b/src/public/Convert-SentinelARArmToYaml.ps1
@@ -347,7 +347,7 @@ function Convert-SentinelARArmToYaml {
 # We must merge all techniques since (relevant)techniques could contain values not preset in subTechniques
 if ($PropertyName -like "*techniques") {
 foreach ($value in $AnalyticsRule.$PropertyName) {
- $KeyName = "techniques"
+ $KeyName = "relevantTechniques"
 $technique = $value -replace "(T\d{4})\.\d{3}", '$1'
 # Create an empty key
 if ( -not $AnalyticsRuleCleaned.Contains($KeyName) ) {
diff --git a/tests/Convert-SentinelARArmToYaml.tests.ps1 b/tests/Convert-SentinelARArmToYaml.tests.ps1
index f03f404..98c249f 100644
--- a/tests/Convert-SentinelARArmToYaml.tests.ps1
+++ b/tests/Convert-SentinelARArmToYaml.tests.ps1
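Review bot: `$KeyName = "relevantTechniques"` is a loop-invariant constant that is re-assigned on every pass of the `foreach ($value in $AnalyticsRule.$PropertyName)` loop; state the merge target once by moving `$KeyName = "relevantTechniques"` to the line directly above `foreach ($value in $AnalyticsRule.$PropertyName) {`. Because `-like "*techniques"` matches case-insensitively, `techniques`, `relevantTechniques` and `subTechniques` from the ARM input are all folded into this single key, which the surrounding comment only hints at, so a comment such as `# Output key is relevantTechniques; techniques/subTechniques from the ARM template are merged into it` would make the renamed literal self-explaining. The body of `Convert-SentinelARArmToYaml` continues outside the hunk, so what happens to the stripped `$technique` versus the original `$value` (the test in this commit expects the full `T1078.003` ids to survive) cannot be checked from here.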
@@ -133,8 +133,7 @@ Describe "Convert-SentinelARArmToYaml" {
 }
 BeforeEach {
- $ARMTemplateContent = Get-Content -Path "TestDrive:/$ExampleFileName" -Raw
- $ARMTemplateContent | Convert-SentinelARArmToYaml -OutFile $convertedExampleFilePath
+ Convert-SentinelARArmToYaml -Filename "TestDrive:/$ExampleFileName" -OutFile $convertedExampleFilePath
 }
 It "Properly converts the propertynames" {
@@ -589,7 +588,7 @@ Describe "Simple example tests" {
 It "Merged RelevantTechniques, SubTechniques and Techniques into single property" {
 $converted = Convert-SentinelARArmToYaml -Filename "TestDrive:/Content/TTPWithTacticsNTechniques.json" | ConvertFrom-Yaml
 $converted.subTechniques | Should -Be $null
- $converted.Techniques -join ", " | Should -Be "T1078.003, T1078.004"
+ $converted.RelevantTechniques -join ", " | Should -Be "T1078.003, T1078.004"
 }
 }
 }
diff --git a/tests/examples/Scheduled.json b/tests/examples/Scheduled.json
index 6c6c99b..b83d392 100644
--- a/tests/examples/Scheduled.json
+++ b/tests/examples/Scheduled.json
@@ -1,4 +1,3 @@
-
 {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
@@ -30,7 +29,9 @@
 "tactics": [
 "InitialAccess"
 ],
- "techniques": [],
+ "techniques": [
+ "T1078"
+ ],
 "alertRuleTemplateName": "2de8abd6-a613-450e-95ed-08e503369fb3",
 "incidentConfiguration": {
 "createIncident": true,
@@ -71,4 +72,4 @@
 }
 }
 ]
-}
+}
\ No newline at end of file
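Review bot: Replacing the `$ARMTemplateContent | Convert-SentinelARArmToYaml -OutFile …` setup in `BeforeEach` with a `-Filename "TestDrive:/$ExampleFileName"` call drops the only pipeline-input invocation visible in this file, so the path that accepts raw template content from the pipeline is no longer exercised by the "Properly converts the propertynames" tests. Unless another test still pipes content, keep one case on the old shape, e.g. `Get-Content -Path "TestDrive:/$ExampleFileName" -Raw | Convert-SentinelARArmToYaml -OutFile $convertedExampleFilePath`, next to the `-Filename` call. The second hunk in this file only follows the `techniques` → `RelevantTechniques` rename and needs nothing further; both enclosing `Describe` blocks start and end outside the hunks.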