Creating Alert rules fails with "suppressionDuration" set #161
Comments
|
Change to |
|
That makes no difference. 1H is transformed to PT1H regardless: # Format hour and minute time periods
if ($value -match ".*[HM]") {
return "PT$value"
}
return $value |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
I've noticed that creating a new rule using
New-AzSentinelAlertRuleand setting any value to theSuppressionDurationparameter, the rule creation fails with the following error:##[error]Unable to initiate class with error: Invalid Properties for Scheduled alert rule: 'suppressionDuration' should be greater than or equal to 'queryFrequency'I'm using this data to create a rule:
{ "Tactics": [ "InitialAccess", "CredentialAccess" ], "LookbackDuration": "1H", "TriggerThreshold": 5, "TriggerOperator": "GreaterThan", "SuppressionEnabled": true, "GroupingConfigurationEnabled": false, "Kind": "Scheduled", "CreateIncident": true, "SuppressionDuration": "1H", "PlaybookName": [], "ReopenClosedIncident": false, "WorkspaceName": "TEST-DevLab", "AggregationKind": "SingleAlert", "GroupByEntities": [ "Account", "Ip", "Host", "Url", "FileHash" ], "DisplayName": "Multiple failed login attempts", "Enabled": false, "QueryFrequency": "5M", "EntitiesMatchingMethod": "All", "Description": "", "Severity": "Low", "Query": "<removed for readability>", "QueryPeriod": "30M" }So my parameters are:
I think I have tracked the issue down to this line in
ScheduledAlertProp.ps1.It seems to use
-geto compareQueryFrequencyandSuppressionDuration. However, running the compare manually gives:This is clearly wrong. There is a workaround though, for now. Specify all times in the same format. So
1Hbecomes60M:The text was updated successfully, but these errors were encountered: