New-AzSentinelAlertRule
Create Azure Sentinel alert rules
New-AzSentinelAlertRule [-SubscriptionId <String>] -WorkspaceName <String> [-Kind <Kind>]
[-DisplayName <String>] [-Description <String>] [-Severity <Severity>] [-Enabled <Boolean>] [-Query <String>]
[-QueryFrequency <String>] [-QueryPeriod <String>] [-TriggerOperator <TriggerOperator>]
[-TriggerThreshold <Int32>] [-SuppressionDuration <String>] [-SuppressionEnabled <Boolean>]
[-Tactics <String[]>] [-PlaybookName <String[]>] [-CreateIncident <Boolean>]
[-GroupingConfigurationEnabled <Boolean>] [-ReopenClosedIncident <Boolean>] [-LookbackDuration <String>]
[-EntitiesMatchingMethod <MatchingMethod>] [-GroupByEntities <String[]>] [-AggregationKind <AggregationKind>]
[-AlertRuleTemplateName <String>] [-ProductFilter <String>] [-SeveritiesFilter <Severity[]>]
[-DisplayNamesFilter <String>] [-WhatIf] [-Confirm] [<CommonParameters>]
Use this function to create Azure Sentinel alert rules from the parameters passed to the cmdlet.
New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity "Medium" -Enabled $true -Query '' -QueryFrequency "" -QueryPeriod "" -TriggerOperator "GreaterThan" -TriggerThreshold 0 -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","") -PlaybookName ""
Example on how to create a scheduled rule
New-AzSentinelAlertRule -WorkspaceName "" -Kind Fusion -DisplayName "Advanced Multistage Attack Detection" -Enabled $true -AlertRuleTemplateName "f71aba3d-28fb-450b-b192-4e76a83015c8"
Example on how to create a Fusion rule
New-AzSentinelAlertRule -WorkspaceName "" -Kind MLBehaviorAnalytics -DisplayName "(Preview) Anomalous SSH Login Detection" -Enabled $true -AlertRuleTemplateName "fa118b98-de46-4e94-87f9-8e6d5060b60b"
Example on how to create a MLBehaviorAnalytics rule
New-AzSentinelAlertRule -WorkspaceName "" -Kind MicrosoftSecurityIncidentCreation -DisplayName "" -Description "" -Enabled $true -ProductFilter "" -SeveritiesFilter "","" -DisplayNamesFilter ""
Example on how to create a MicrosoftSecurityIncidentCreation rule
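The templates above leave every value blank. The following is an added, complete example (not from the AzSentinel project's own documentation) that creates a Scheduled rule with a real KQL query, incident creation and alert grouping, using only the parameters listed on this page. The workspace name, rule name and the query are constructed placeholders; the splatted hashtable is plain PowerShell and makes each parameter's role explicit.

```powershell
# Added example, not part of the AzSentinel module docs.
# Assumptions (constructed placeholders): the workspace name, the rule display
# name and the KQL query below. EventID 4625 is the Windows failed-logon event.

$workspace = 'sentinel-workspace-placeholder'   # replace with your Log Analytics workspace name

# Constructed detection query: hosts/accounts with many failed logons in the query period.
$query = @'
SecurityEvent
| where EventID == 4625
| summarize FailedLogons = count() by Computer, Account
| where FailedLogons > 10
'@

$ruleParams = @{
    WorkspaceName                = $workspace
    Kind                         = 'Scheduled'
    DisplayName                  = 'Example - Repeated failed logons per host'
    Description                  = 'Flags host/account pairs with more than 10 failed logons (EventID 4625) in the query period.'
    Severity                     = 'Medium'
    Enabled                      = $true
    Query                        = $query
    QueryFrequency               = '1H'            # run the query once per hour
    QueryPeriod                  = '1H'            # each run looks back over one hour of data
    TriggerOperator              = 'GreaterThan'
    TriggerThreshold             = 0               # alert as soon as the query returns any row
    SuppressionDuration          = '5H'
    SuppressionEnabled           = $false
    Tactics                      = @('CredentialAccess')
    CreateIncident               = $true           # open an incident for each alert
    GroupingConfigurationEnabled = $true           # group related alerts into one incident
    ReopenClosedIncident         = $false
    LookbackDuration             = '5H'            # only group with alerts from the last 5 hours
    EntitiesMatchingMethod       = 'All'           # group only when all entities match
    AggregationKind              = 'SingleAlert'   # one alert per query run, not one per row
}

# Dry run first: -WhatIf reports what the cmdlet would do without creating the rule.
New-AzSentinelAlertRule @ruleParams -WhatIf

# Create the rule.
New-AzSentinelAlertRule @ruleParams
```

Keeping QueryPeriod at least as long as QueryFrequency means consecutive runs cover the data without gaps; a period shorter than the frequency leaves events between runs unexamined. The -WhatIf call is cheap insurance before a cmdlet that writes to the workspace.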
-SubscriptionId
Enter the subscription ID. If no subscription ID is provided, the subscription of the current AzContext is used.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-WorkspaceName
Enter the workspace name
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Kind
The alert rule kind
Type: Kind
Parameter Sets: (All)
Aliases:
Accepted values: Scheduled, Fusion, MLBehaviorAnalytics, MicrosoftSecurityIncidentCreation
Required: False
Position: Named
Default value: Scheduled
Accept pipeline input: False
Accept wildcard characters: False
-DisplayName
The display name for alerts created by this alert rule.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Description
The description of the alert rule.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Severity
Enter the severity, valid values: "Medium", "High", "Low", "Informational"
Type: Severity
Parameter Sets: (All)
Aliases:
Accepted values: Medium, High, Low, Informational
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Enabled
Determines whether this alert rule is enabled or disabled.
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-Query
The query that creates alerts for this rule.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-QueryFrequency
Enter the query frequency, example: 5H, 5M, 5D (H stands for Hour, M stands for Minute and D stands for Day)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-QueryPeriod
Enter the query period, example: 5H, 5M, 5D (H stands for Hour, M stands for Minute and D stands for Day)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-TriggerOperator
Select the trigger operator, valid values: "GreaterThan", "LessThan", "Equal", "NotEqual" (or the short forms gt, lt, eq, ne)
Type: TriggerOperator
Parameter Sets: (All)
Aliases:
Accepted values: GreaterThan, LessThan, Equal, NotEqual, gt, lt, eq, ne
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-TriggerThreshold
Enter the trigger threshold
Type: Int32
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
-SuppressionDuration
Enter the suppression duration, example: 5H, 5M, 5D (H stands for Hour, M stands for Minute and D stands for Day)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SuppressionEnabled
Set $true to enable suppression or $false to disable suppression
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-Tactics
Enter the tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-PlaybookName
Enter the Logic App name that you want to configure as playbook trigger
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-CreateIncident
Create incidents from alerts triggered by this analytics rule
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupingConfigurationEnabled
Group related alerts, triggered by this analytics rule, into incidents
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-ReopenClosedIncident
Re-open closed matching incidents
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
-LookbackDuration
Limit the group to alerts created within the selected time frame
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-EntitiesMatchingMethod
Group alerts triggered by this analytics rule into a single incident by:
Type: MatchingMethod
Parameter Sets: (All)
Aliases:
Accepted values: All, None, Custom
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-GroupByEntities
Grouping alerts into a single incident if the selected entities match:
Type: String[]
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AggregationKind
Configure how rule query results are grouped into alerts
Type: AggregationKind
Parameter Sets: (All)
Aliases:
Accepted values: SingleAlert, AlertPerResult
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AlertRuleTemplateName
The name of the alert rule template used to create this rule
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ProductFilter
The alerts' productName on which the cases will be generated
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SeveritiesFilter
The alerts' severities on which the cases will be generated
Type: Severity[]
Parameter Sets: (All)
Aliases:
Accepted values: Medium, High, Low, Informational
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DisplayNamesFilter
The alerts' displayNames on which the cases will be generated
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.