-
Notifications
You must be signed in to change notification settings - Fork 82
New AzSentinelAlertRule
Create Azure Sentinal Alert Rules
New-AzSentinelAlertRule [-SubscriptionId <String>] -WorkspaceName <String> -DisplayName <String>
-Description <String> -Severity <Severity> -Enabled <Boolean> -Query <String> -QueryFrequency <String>
[-QueryPeriod <String>] -TriggerOperator <TriggerOperator> -TriggerThreshold <Int32>
-SuppressionDuration <String> -SuppressionEnabled <Boolean> -Tactics <Tactics[]> [-WhatIf] [-Confirm]
[<CommonParameters>]
Use this function creates Azure Sentinal Alert rules from provided CMDLET
New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity "" -Enabled -Query '' -QueryFrequency "" -QueryPeriod "" -TriggerOperator "" -TriggerThreshold -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","")
In this example you create a new Alert rule by defining the rule properties from CMDLET
Enter the subscription ID, if no subscription ID is provided then current AZContext subscription will be used
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Enter the Workspace name
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Enter the Display name for the Alert rule
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Enter the Description for the Alert rule
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Enter the Severity, valid values: Medium", "High", "Low", "Informational"
Type: Severity
Parameter Sets: (All)
Aliases:
Accepted values: Medium, High, Low, Informational
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Set $true to enable the Alert Rule or $false to disable Alert Rule
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Enter the Query that you want to use
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Enter the query frequency, example: 5H or 5M (H stands for Hour and M stands for Minute)
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Enter the quury period, exmaple: 5H or 5M (H stands for Hour and M stands for Minute)
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Select the triggert Operator, valid values are: "GreaterThan", "FewerThan", "EqualTo", "NotEqualTo"
Type: TriggerOperator
Parameter Sets: (All)
Aliases:
Accepted values: GreaterThan, FewerThan, EqualTo, NotEqualTo
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Enter the trigger treshold
Type: Int32
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: 0
Accept pipeline input: False
Accept wildcard characters: False
Enter the suppression duration, example: 5H or 5M (H stands for Hour and M stands for Minute)
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Set $true to enable Suppression or $false to disable Suppression
Type: Boolean
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: False
Accept pipeline input: False
Accept wildcard characters: False
Enter the Tactics, valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
Type: Tactics[]
Parameter Sets: (All)
Aliases:
Accepted values: InitialAccess, Persistence, Execution, PrivilegeEscalation, DefenseEvasion, CredentialAccess, LateralMovement, Discovery, Collection, Exfiltration, CommandAndControl, Impact
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.