AZSentinel
New-AzSentinelAlertRule does not work with tactic parameter even if the values are formatted correctly
Environment
Windows build number:10.0.19043.0
PowerShell version (if applicable): 5.1
Any other software?
Az.SecurityInsights version 1.0.0
# Steps to reproduce
```powershell
# The query text was taken from an ARM template; \r\n and \" are JSON escapes,
# so the PowerShell escapes `r`n and `" are used here instead.
New-AzSentinelAlertRule `
    -ResourceGroupName testrg `
    -WorkspaceName testlaw `
    -DisplayName "Test" `
    -Description "Test Description" `
    -Enabled `
    -Query "AddonAzureBackupJobs`r`n| summarize arg_max(TimeGenerated,*) by JobUniqueId`r`n| where JobStatus == `"Failed`"" `
    -QueryFrequency (New-TimeSpan -Days 1) `
    -QueryPeriod (New-TimeSpan -Days 3) `
    -Severity "Medium" `
    -SuppressionDuration (New-TimeSpan -Hours 3) `
    -TriggerOperator 0 `
    -TriggerThreshold 1 `
    -Scheduled `
    -Tactic "Impact"
```
or
```powershell
# Build the exact type the parameter declares (IList[string]) and pass it in.
$requiredTactic = New-Object System.Collections.Generic.List[string]
$requiredTactic.Add("Impact")

New-AzSentinelAlertRule `
    -ResourceGroupName testrg `
    -WorkspaceName testlaw `
    -DisplayName "Test" `
    -Description "Test Description" `
    -Enabled `
    -Query "AddonAzureBackupJobs`r`n| summarize arg_max(TimeGenerated,*) by JobUniqueId`r`n| where JobStatus == `"Failed`"" `
    -QueryFrequency (New-TimeSpan -Days 1) `
    -QueryPeriod (New-TimeSpan -Days 3) `
    -Severity "Medium" `
    -SuppressionDuration (New-TimeSpan -Hours 3) `
    -TriggerOperator 0 `
    -TriggerThreshold 1 `
    -Scheduled `
    -Tactic $requiredTactic
```
# Expected behavior
It should add the Sentinel rule with the specified tactic.
# Actual behavior
I am getting an error:

```
New-AzSentinelAlertRule : Cannot convert 'null' to the type 'System.Collections.Generic.IList`1[System.String]' required by parameter 'Tactic'. Constructor on type
'System.Collections.Generic.IList`1[[System.String, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]]' not found.
At line:18 char:26
+ -Tactic $requiredTactic
+                         ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-AzSentinelAlertRule], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgument,Microsoft.Azure.Commands.SecurityInsights.Cmdlets.AlertRules.NewAlertRules
```
Hi @jutlag, the property "resourceGroupName" is not part of AzSentinel, so I think you are using the MS PowerShell module. In AzSentinel, tactics are configured as follows:

```powershell
-Tactics @("Persistence","LateralMovement")
```

See the readme for more info.
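The disambiguation above rests on two facts visible in the thread: the failing call has a `-Tactic` (singular) parameter and the error names `Microsoft.Azure.Commands.SecurityInsights`, while AzSentinel's parameter is `-Tactics`. Both modules export a cmdlet called `New-AzSentinelAlertRule`, so a bare call binds to whichever module was imported last. The following diagnostic is an added example, not code from the issue, from AzSentinel or from Az.SecurityInsights; it assumes only that one or both modules are installed and uses standard `Get-Command` metadata to show which implementation a bare name resolves to and what type each one's tactic parameter declares.

```powershell
# Added diagnostic example (not part of the issue thread or either module).
# Assumption: Az.SecurityInsights and/or AzSentinel are installed in this session.

$cmdletName = 'New-AzSentinelAlertRule'

# Step 1: list every command with this name. With two modules exporting the
# same name, the bare name binds to the module imported most recently, so the
# ModuleName column shows which implementation an unqualified call reaches.
Get-Command -Name $cmdletName -All |
    Select-Object -Property Name, ModuleName, Version

# Step 2: for each module that ships the cmdlet, print its tactic-related
# parameter and the .NET type it declares. The parameter spelling differs
# between the two modules, which is the quickest way to tell which one an
# error message came from.
foreach ($moduleName in @('Az.SecurityInsights', 'AzSentinel')) {
    $cmd = Get-Command -Name $cmdletName -Module $moduleName -ErrorAction SilentlyContinue
    if (-not $cmd) {
        Write-Warning "$moduleName does not provide $cmdletName in this session"
        continue
    }
    foreach ($entry in $cmd.Parameters.GetEnumerator()) {
        if ($entry.Key -like 'Tactic*') {
            [pscustomobject]@{
                Module    = $moduleName
                Parameter = '-' + $entry.Key
                Type      = $entry.Value.ParameterType.FullName
            }
        }
    }
}

# Step 3: once you know which module you want, call it module-qualified so a
# name collision cannot silently route the call to the other implementation.
# Placeholder values; the parameter names below are AzSentinel's spelling.
# AzSentinel\New-AzSentinelAlertRule -WorkspaceName 'dev' -DisplayName 'test' `
#     -Description 'something' -Severity High -Enabled $true -Query 'SecurityEvent' `
#     -QueryFrequency '5H' -QueryPeriod '6H' -TriggerOperator GreaterThan `
#     -TriggerThreshold 5 -SuppressionDuration '5h' -SuppressionEnabled $false `
#     -Tactics @('Persistence', 'LateralMovement')
```

Run steps 1 and 2 before reporting a binding error against either project: the output names the module whose cmdlet actually handled the call and the parameter type it wanted, which is what a maintainer needs to reproduce the problem.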
That is exactly what we tried, and we still get the same error. The same error message is received.
Can you try running it as follows:

```powershell
AzSentinel\New-AzSentinelAlertRule -WorkspaceName "dev" -DisplayName "test0103" -Description "something" -Severity High -Enabled $true -Query 'SecurityEvent' -QueryFrequency "5H" -QueryPeriod "6H" -TriggerOperator GreaterThan -TriggerThreshold 5 -SuppressionDuration "5h" -SuppressionEnabled $false -Tactics @("Persistence","LateralMovement")
```
Still getting the same error.

I had tried all these options before contacting you. I understand the data type expected by the parameter value. I can dump the existing tactics with the Get command and see the format used as well. I have taken examples from the ARM templates. I know how the expected data type, i.e. "System.Collections.Generic.IList`1[System.String]", can be constructed and passed. There seems to be a problem in the module code in parsing the data provided to this parameter. I would really appreciate it if you could review the code.