Get-AzSentinelAlertRule
Gets the alert rule.
Syntax
Get-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
[-SubscriptionId <String[]>]
[-DefaultProfile <PSObject>]
[<CommonParameters>]
Get-AzSentinelAlertRule
-ResourceGroupName <String>
-RuleId <String>
-WorkspaceName <String>
[-SubscriptionId <String[]>]
[-DefaultProfile <PSObject>]
[<CommonParameters>]
Get-AzSentinelAlertRule
-InputObject <ISecurityInsightsIdentity>
[-DefaultProfile <PSObject>]
[<CommonParameters>]
Description
Gets the alert rule.
Examples
Example 1: List all Alert Rules
Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
AlertDisplayName : (Preview) TI map IP entity to SigninLogs
FriendlyName : (Preview) TI map IP entity to SigninLogs
Description : Identifies a match in SigninLogs from any IP IOC from TI
Kind : SecurityAlert
Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
ProductName : Azure Sentinel
Status : New
ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
Tactic : {Impact}
This command lists all Alert Rules under a Microsoft Sentinel workspace.
Example 2: Get an Alert Rule
Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "d6c7a42b-c0da-41ef-9629-b3d2d407b181"
AlertDisplayName : (Preview) TI map IP entity to SigninLogs
FriendlyName : (Preview) TI map IP entity to SigninLogs
Description : Identifies a match in SigninLogs from any IP IOC from TI
Kind : SecurityAlert
Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
ProductName : Azure Sentinel
Status : New
ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
Tactic : {Impact}
This command gets an Alert Rule.
Example 3: Get an Alert Rule by object Id
$rules = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
$rules[0] | Get-AzSentinelAlertRule
AlertDisplayName : (Preview) TI map IP entity to SigninLogs
FriendlyName : (Preview) TI map IP entity to SigninLogs
Description : Identifies a match in SigninLogs from any IP IOC from TI
Kind : SecurityAlert
Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
ProductName : Azure Sentinel
Status : New
ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
Tactic : {Impact}
This command gets an Alert Rule by object
Parameters
-DefaultProfile
The DefaultProfile parameter is not functional. Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.
Type: | PSObject |
Aliases: | AzureRMContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-InputObject
Identity Parameter To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: | ISecurityInsightsIdentity |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ResourceGroupName
The name of the resource group. The name is case insensitive.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-RuleId
Alert rule ID
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SubscriptionId
The ID of the target subscription.
Type: | String[] |
Position: | Named |
Default value: | (Get-AzContext).Subscription.Id |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WorkspaceName
The name of the workspace.
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
Outputs
Notes
ALIASES
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
INPUTOBJECT <ISecurityInsightsIdentity>
: Identity Parameter
[ActionId <String>]
: Action ID[AlertRuleTemplateId <String>]
: Alert rule template ID[AutomationRuleId <String>]
: Automation rule ID[BookmarkId <String>]
: Bookmark ID[ConsentId <String>]
: consent ID[DataConnectorId <String>]
: Connector ID[EntityId <String>]
: entity ID[EntityQueryId <String>]
: entity query ID[EntityQueryTemplateId <String>]
: entity query template ID[Id <String>]
: Resource identity path[IncidentCommentId <String>]
: Incident comment ID[IncidentId <String>]
: Incident ID[MetadataName <String>]
: The Metadata name.[Name <String>]
: Threat intelligence indicator name field.[RelationName <String>]
: Relation Name[ResourceGroupName <String>]
: The name of the resource group. The name is case insensitive.[RuleId <String>]
: Alert rule ID[SentinelOnboardingStateName <String>]
: The Sentinel onboarding state name. Supports - default[SettingsName <String>]
: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba[SourceControlId <String>]
: Source control Id[SubscriptionId <String>]
: The ID of the target subscription.[WorkspaceName <String>]
: The name of the workspace.
Azure PowerShell
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for