New-AzSentinelAlertRule
Syntax
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-AlertRuleTemplate <String>
-Kind <AlertRuleKind>
[-RuleId <String>]
[-SubscriptionId <String>]
[-Enabled]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-Kind <AlertRuleKind>
-ProductFilter <MicrosoftSecurityProductName>
[-RuleId <String>]
[-SubscriptionId <String>]
[-AlertRuleTemplateName <String>]
[-Description <String>]
[-DisplayNamesExcludeFilter <String[]>]
[-DisplayNamesFilter <String[]>]
[-Enabled]
[-SeveritiesFilter <AlertSeverity[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-DisplayName <String>
-Kind <AlertRuleKind>
-Query <String>
-Severity <AlertSeverity>
[-RuleId <String>]
[-SubscriptionId <String>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertRuleTemplateName <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-CreateIncident]
[-Description <String>]
[-Enabled]
[-EntityMapping <EntityMapping[]>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-GroupingConfigurationEnabled]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-ReOpenClosedIncident]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Tactic <String[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-DisplayName <String>
-Kind <AlertRuleKind>
-Query <String>
-QueryFrequency <TimeSpan>
-QueryPeriod <TimeSpan>
-Severity <AlertSeverity>
-TriggerOperator <TriggerOperator>
-TriggerThreshold <Int32>
[-RuleId <String>]
[-SubscriptionId <String>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertRuleTemplateName <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-CreateIncident]
[-Description <String>]
[-Enabled]
[-EntityMapping <EntityMapping[]>]
[-EventGroupingSettingAggregationKind <EventGroupingAggregationKind>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-GroupingConfigurationEnabled]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-ReOpenClosedIncident]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Tactic <String[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
Description
Creates the alert rule.
Examples
Example 1: Create the Fusion Alert rule
$AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
This command creates an Alert Rule of the Fusion kind based on the template "Advanced Multistage Attack Detection"
Example 2: Create the ML Behavior Analytics Alert Rule
$AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection"
Example 3: Create the Threat Intelligence Alert Rule
$AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics"
Example 4: Create a Microsoft Security Incident Creation Alert Rule
$AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -ProductFilter "Azure Security Center for IoT"
This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template for Create incidents based on Azure Security Center for IoT alerts.
Example 5: Create a Scheduled Alert Rule
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Execution Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerOperator GreaterThan -TriggerThreshold 10
This command creates an Alert Rule of the Scheduled kind.
Please note that the query (parameter -Query) needs to be passed as a single-line string.
Example 6: Create a Near Realtime Alert Rule
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')`n| project UPN;`nSigninLogs`n| where UserPrincipalName in (Break_Glass_Account)"
This command creates an Alert Rule of the NRT kind.
Please note that the query (parameter -Query) needs to be passed as a single-line string; in a double-quoted PowerShell string, `n (not \n) inserts a line break inside the query.
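The two notes above say the KQL must reach -Query as one string. The following is an added example, not one of the cmdlet's documented examples: it keeps the detection logic readable as a multi-line here-string, collapses it to a single line, fills in every required parameter of the Scheduled parameter set (the Scheduled syntax above lists -TriggerOperator and -TriggerThreshold as required), and checks the schedule for a detection gap before calling Azure. The resource group, workspace, query contents and the -TriggerOperator value GreaterThan are assumptions for the example; the tactic names come from the -Tactic parameter list on this page.

```powershell
# Added example (not from the Az.SecurityInsights reference): create a Scheduled
# rule from a multi-line KQL here-string. Resource group, workspace and the query
# are constructed placeholders; 'GreaterThan' is an assumed TriggerOperator value.

# Multi-line KQL is easier to review in source control, but -Query needs one string.
# Do not put // comments in the here-string: after joining, a comment would
# swallow the rest of the line.
$kql = @'
SecurityEvent
| where EventID == 4688
| where Process has_any ("powershell.exe", "pwsh.exe")
| where CommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String")
| project TimeGenerated, Computer, Account, CommandLine
'@

# Join the non-empty lines with a single space; KQL tolerates the whitespace
# change and the result is the single-line string the note above requires.
$singleLineQuery = ($kql -split "`r?`n" |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ }) -join ' '

$ruleParams = @{
    ResourceGroupName   = 'myResourceGroup'                 # placeholder
    WorkspaceName       = 'myWorkspaceName'                 # placeholder
    Kind                = 'Scheduled'
    Enabled             = $true
    DisplayName         = 'Encoded PowerShell command line'
    Description         = 'Process creation events whose PowerShell command line is encoded.'
    Severity            = 'Medium'
    Query               = $singleLineQuery
    QueryFrequency      = (New-TimeSpan -Minutes 30)        # how often the rule runs
    QueryPeriod         = (New-TimeSpan -Minutes 30)        # how far back each run looks
    TriggerOperator     = 'GreaterThan'                     # fire when result count > threshold
    TriggerThreshold    = 0
    Tactic              = @('Execution', 'DefenseEvasion')  # values listed under -Tactic
    SuppressionEnabled  = $true
    SuppressionDuration = (New-TimeSpan -Hours 5)
    CreateIncident      = $true
}

# If QueryPeriod is shorter than QueryFrequency, events that land between two
# runs are never evaluated. Catch that before the rule is deployed.
if ($ruleParams.QueryPeriod -lt $ruleParams.QueryFrequency) {
    throw 'QueryPeriod must be >= QueryFrequency, otherwise the rule has detection gaps.'
}

# Dry run first (the cmdlet supports -WhatIf), then create the rule.
New-AzSentinelAlertRule @ruleParams -WhatIf
$rule = New-AzSentinelAlertRule @ruleParams
$rule | Select-Object Name, Kind, Enabled
```

Splatting the hash table keeps the long parameter list reviewable and lets the same hash table be reused for -WhatIf and for the real call, so what was dry-run is exactly what gets created.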
Parameters
-AlertDescriptionFormat
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertDisplayNameFormat
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertRuleTemplate
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-AlertRuleTemplateName
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertSeverityColumnName
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertTacticsColumnName
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AsJob
Run the command as a job
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-CreateIncident
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: PSObject
Aliases: AzureRMContext, AzureCredential
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Description
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisplayName
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-DisplayNamesExcludeFilter
Type: String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisplayNamesFilter
Type: String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Enabled
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-EntityMapping
'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
To construct, see NOTES section for ENTITYMAPPING properties and create a hash table.
Type: EntityMapping[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-EventGroupingSettingAggregationKind
Type: EventGroupingAggregationKind
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupByAlertDetail
Type: AlertDetail[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupByCustomDetail
Type: String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupByEntity
Type: EntityMappingType[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupingConfigurationEnabled
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Kind
Kind of the alert rule (the kinds used in the examples above are Fusion, MLBehaviorAnalytics, ThreatIntelligence, MicrosoftSecurityIncidentCreation, Scheduled and NRT)
Type: AlertRuleKind
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-LookbackDuration
Type: TimeSpan
Position: Named
Default value: New-TimeSpan -Hours 5
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-MatchingMethod
Type: String
Position: Named
Default value: "AllEntities"
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-NoWait
Run the command asynchronously
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-ProductFilter
Type: MicrosoftSecurityProductName
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-Query
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-QueryFrequency
Type: TimeSpan
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-QueryPeriod
Type: TimeSpan
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-ReOpenClosedIncident
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-ResourceGroupName
The Resource Group Name.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-RuleId
[Alias('RuleId')]
The Id of the Rule.
Type: String
Position: Named
Default value: (New-Guid).Guid
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SeveritiesFilter
High, Medium, Low, Informational
Type: AlertSeverity[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Severity
Type: AlertSeverity
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-SubscriptionId
Gets subscription credentials which uniquely identify Microsoft Azure subscription.
The subscription ID forms part of the URI for every service call.
Type: String
Position: Named
Default value: (Get-AzContext).Subscription.Id
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SuppressionDuration
Type: TimeSpan
Position: Named
Default value: New-TimeSpan -Hours 5
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SuppressionEnabled
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Tactic
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic]
InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack
Type: String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TriggerOperator
Type: TriggerOperator
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-TriggerThreshold
Type: Int32
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-WorkspaceName
The name of the workspace.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
Outputs
AlertRule
Notes
ALIASES
COMPLEX PARAMETER PROPERTIES
To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
ENTITYMAPPING <EntityMapping[]>: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
  [EntityType <EntityMappingType?>]: The V3 type of the mapped entity
  [FieldMapping <IFieldMapping[]>]: array of field mappings for the given entity mapping
    [ColumnName <String>]: the column name to be mapped to the identifier
    [Identifier <String>]: the V3 identifier of the entity