New-AzSentinelAlertRule

Creates the alert rule.

Syntax

New-AzSentinelAlertRule
   -ResourceGroupName <String>
   -WorkspaceName <String>
   -AlertRuleTemplate <String>
   -Kind <AlertRuleKind>
   [-RuleId <String>]
   [-SubscriptionId <String>]
   [-Enabled]
   [-DefaultProfile <PSObject>]
   [-AsJob]
   [-NoWait]
   [-Confirm]
   [-WhatIf]
   [<CommonParameters>]
New-AzSentinelAlertRule
   -ResourceGroupName <String>
   -WorkspaceName <String>
   -Kind <AlertRuleKind>
   -ProductFilter <MicrosoftSecurityProductName>
   [-RuleId <String>]
   [-SubscriptionId <String>]
   [-AlertRuleTemplateName <String>]
   [-Description <String>]
   [-DisplayNamesExcludeFilter <String[]>]
   [-DisplayNamesFilter <String[]>]
   [-Enabled]
   [-SeveritiesFilter <AlertSeverity[]>]
   [-DefaultProfile <PSObject>]
   [-AsJob]
   [-NoWait]
   [-Confirm]
   [-WhatIf]
   [<CommonParameters>]
New-AzSentinelAlertRule
   -ResourceGroupName <String>
   -WorkspaceName <String>
   -DisplayName <String>
   -Kind <AlertRuleKind>
   -Query <String>
   -Severity <AlertSeverity>
   [-RuleId <String>]
   [-SubscriptionId <String>]
   [-AlertDescriptionFormat <String>]
   [-AlertDisplayNameFormat <String>]
   [-AlertRuleTemplateName <String>]
   [-AlertSeverityColumnName <String>]
   [-AlertTacticsColumnName <String>]
   [-CreateIncident]
   [-Description <String>]
   [-Enabled]
   [-EntityMapping <EntityMapping[]>]
   [-GroupByAlertDetail <AlertDetail[]>]
   [-GroupByCustomDetail <String[]>]
   [-GroupByEntity <EntityMappingType[]>]
   [-GroupingConfigurationEnabled]
   [-LookbackDuration <TimeSpan>]
   [-MatchingMethod <String>]
   [-ReOpenClosedIncident]
   [-SuppressionDuration <TimeSpan>]
   [-SuppressionEnabled]
   [-Tactic <String[]>]
   [-DefaultProfile <PSObject>]
   [-AsJob]
   [-NoWait]
   [-Confirm]
   [-WhatIf]
   [<CommonParameters>]
New-AzSentinelAlertRule
   -ResourceGroupName <String>
   -WorkspaceName <String>
   -DisplayName <String>
   -Kind <AlertRuleKind>
   -Query <String>
   -QueryFrequency <TimeSpan>
   -QueryPeriod <TimeSpan>
   -Severity <AlertSeverity>
   -TriggerOperator <TriggerOperator>
   -TriggerThreshold <Int32>
   [-RuleId <String>]
   [-SubscriptionId <String>]
   [-AlertDescriptionFormat <String>]
   [-AlertDisplayNameFormat <String>]
   [-AlertRuleTemplateName <String>]
   [-AlertSeverityColumnName <String>]
   [-AlertTacticsColumnName <String>]
   [-CreateIncident]
   [-Description <String>]
   [-Enabled]
   [-EntityMapping <EntityMapping[]>]
   [-EventGroupingSettingAggregationKind <EventGroupingAggregationKind>]
   [-GroupByAlertDetail <AlertDetail[]>]
   [-GroupByCustomDetail <String[]>]
   [-GroupByEntity <EntityMappingType[]>]
   [-GroupingConfigurationEnabled]
   [-LookbackDuration <TimeSpan>]
   [-MatchingMethod <String>]
   [-ReOpenClosedIncident]
   [-SuppressionDuration <TimeSpan>]
   [-SuppressionEnabled]
   [-Tactic <String[]>]
   [-DefaultProfile <PSObject>]
   [-AsJob]
   [-NoWait]
   [-Confirm]
   [-WhatIf]
   [<CommonParameters>]

Description

Creates the alert rule.

Examples

Example 1: Create the Fusion Alert rule

$AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName

This command creates an Alert Rule of the Fusion kind based on the template "Advanced Multistage Attack Detection".

Example 2: Create the ML Behavior Analytics Alert Rule

$AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName

This command creates an Alert Rule of the MLBehaviorAnalytics kind based on the template "Anomalous SSH Login Detection".

Example 3: Create the Threat Intelligence Alert Rule

$AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName

This command creates an Alert Rule of the ThreatIntelligence kind based on the template "Microsoft Threat Intelligence Analytics".

Example 4: Create a Microsoft Security Incident Creation Alert Rule

$AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -ProductFilter "Azure Security Center for IoT"

This command creates an Alert Rule of the MicrosoftSecurityIncidentCreation kind based on the template "Create incidents based on Azure Security Center for IoT alerts".

Example 5: Create a Scheduled Alert Rule

New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "PowerShell Execution Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventID == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerOperator GreaterThan -TriggerThreshold 10

This command creates an Alert Rule of the Scheduled kind. Please note that the query (parameter -Query) needs to be on a single line, as a string. -TriggerOperator and -TriggerThreshold are both required for this kind (see Syntax): the rule fires when the number of rows the query returns is GreaterThan 10.

Example 6: Create a Near Realtime Alert Rule

New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')`n| project UPN;`nSigninLogs`n| where UserPrincipalName in (Break_Glass_Account)"

This command creates an Alert Rule of the NRT kind. Please note that the query (parameter -Query) needs to be on a single line, as a string; the `n sequences are PowerShell's newline escape inside a double-quoted string, so the KQL reaches the service as a multi-line query (a literal \n would not be expanded and would break the query).
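The following script is an added example, not part of the module documentation. It creates the same kind of NRT rule as Example 6 but keeps the multi-line KQL in a here-string (which PowerShell still passes to -Query as one string value), pins -RuleId so the rule name is known in advance instead of the default (New-Guid).Guid, and does a -WhatIf dry run before the real call. The resource group, workspace, watchlist name and the RuleId GUID are placeholders; the query columns (UserPrincipalName, IPAddress, AppDisplayName, ResultType) are assumed SigninLogs columns.

```powershell
# Added example (not from the Az.SecurityInsights docs). Placeholders below
# must be replaced with real values before running.
$ResourceGroupName = 'myResourceGroupName'   # placeholder
$WorkspaceName     = 'myWorkspaceName'       # placeholder

# A single-quoted here-string keeps the KQL readable and is still one string
# value when bound to -Query (Example 6 does the same with `n inside a
# double-quoted string). Single quotes also mean PowerShell will not try to
# expand anything inside the query.
$Query = @'
let Break_Glass_Account = _GetWatchlist('break_glass_account')
| project UPN;
SigninLogs
| where UserPrincipalName in (Break_Glass_Account)
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, ResultType
'@

# A fixed RuleId (must be a valid GUID; this one is a placeholder) makes the
# rule name deterministic, so a change-controlled script always addresses the
# same rule rather than minting a new GUID on every run.
$RuleId = 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

# Splatting keeps the long parameter list reviewable. Switch parameters such
# as -Enabled are set with $true in the hash table.
$Params = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkspaceName
    RuleId            = $RuleId
    Kind              = 'NRT'
    DisplayName       = 'Break glass account accessed'
    Description       = 'Any sign-in by an account listed in the break_glass_account watchlist. Expected to be rare; verify out of band with the account owner.'
    Severity          = 'High'
    Query             = $Query
    Tactic            = @('InitialAccess')
    CreateIncident    = $true
    Enabled           = $true
}

# Dry run: -WhatIf reports what would be created without calling the service.
New-AzSentinelAlertRule @Params -WhatIf

# Real call; the cmdlet returns an AlertRule object (see Outputs).
$Rule = New-AzSentinelAlertRule @Params
$Rule | Format-List
```

The here-string is single-quoted on purpose: a double-quoted here-string would try to expand `$`-prefixed tokens, which are common in KQL.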

Parameters

-AlertDescriptionFormat

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AlertDisplayNameFormat

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AlertRuleTemplate

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-AlertRuleTemplateName

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AlertSeverityColumnName

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AlertTacticsColumnName

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-AsJob

Run the command as a job

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CreateIncident

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:PSObject
Aliases:AzureRMContext, AzureCredential
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Description

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisplayName

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-DisplayNamesExcludeFilter

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DisplayNamesFilter

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Enabled

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EntityMapping

Entity types: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'. To construct, see the NOTES section for ENTITYMAPPING properties and create a hash table.

Type:EntityMapping[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-EventGroupingSettingAggregationKind

Type:EventGroupingAggregationKind
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-GroupByAlertDetail

Type:AlertDetail[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-GroupByCustomDetail

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-GroupByEntity

Type:EntityMappingType[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-GroupingConfigurationEnabled

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Kind

Kind of the alert rule.

Type:AlertRuleKind
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-LookbackDuration

Type:TimeSpan
Position:Named
Default value:New-TimeSpan -Hours 5
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-MatchingMethod

Type:String
Position:Named
Default value:"AllEntities"
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-NoWait

Run the command asynchronously

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ProductFilter

Type:MicrosoftSecurityProductName
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-Query

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-QueryFrequency

Type:TimeSpan
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-QueryPeriod

Type:TimeSpan
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-ReOpenClosedIncident

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ResourceGroupName

The Resource Group Name.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-RuleId

[Alias('RuleId')] The Id of the Rule.

Type:String
Position:Named
Default value:(New-Guid).Guid
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SeveritiesFilter

High, Medium, Low, Informational

Type:AlertSeverity[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Severity

Type:AlertSeverity
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-SubscriptionId

Gets subscription credentials which uniquely identify the Microsoft Azure subscription. The subscription ID forms part of the URI for every service call.

Type:String
Position:Named
Default value:(Get-AzContext).Subscription.Id
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SuppressionDuration

Type:TimeSpan
Position:Named
Default value:New-TimeSpan -Hours 5
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-SuppressionEnabled

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Tactic

[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack

Type:String[]
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-TriggerOperator

Type:TriggerOperator
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-TriggerThreshold

Type:Int32
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WorkspaceName

The name of the workspace.

Type:String
Position:Named
Default value:None
Required:True
Accept pipeline input:False
Accept wildcard characters:False

Outputs

AlertRule

Notes

ALIASES

COMPLEX PARAMETER PROPERTIES

To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.

ENTITYMAPPING <EntityMapping[]>: 'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'

  • [EntityType <EntityMappingType?>]: The V3 type of the mapped entity
  • [FieldMapping <IFieldMapping[]>]: array of field mappings for the given entity mapping
    • [ColumnName <String>]: the column name to be mapped to the identifier
    • [Identifier <String>]: the V3 identifier of the entity
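The script below is an added example, not part of the module documentation. It shows the ENTITYMAPPING hash-table shape described in these Notes inside a complete Scheduled rule, together with the grouping, suppression, custom alert detail and tactic parameters that Example 5 leaves at their defaults. Resource group and workspace names are placeholders. The SecurityEvent columns (EventID, Process, SubjectUserName, SubjectDomainName, Computer), the entity identifiers (Name, NTDomain, HostName), the {{Column}} placeholder syntax in -AlertDisplayNameFormat, and the MatchingMethod / aggregation values ('Selected', 'AlertPerResult') are assumed from the Sentinel analytics rule model, not stated on this page.

```powershell
# Added example (not from the Az.SecurityInsights docs). Placeholders below
# must be replaced with real values before running.
$ResourceGroupName = 'myResourceGroupName'   # placeholder
$WorkspaceName     = 'myWorkspaceName'       # placeholder

# The query projects exactly the columns the entity mappings reference.
# Counting is done per user/host pair so each result row is one entity set.
$Query = @'
SecurityEvent
| where EventID == 4688
| where Process in~ ("powershell.exe", "pwsh.exe")
| summarize Executions = count(), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by SubjectUserName, SubjectDomainName, Computer
| where Executions > 10
'@

# ENTITYMAPPING as described in the Notes: one hash table per entity, each
# with EntityType and an array of FieldMapping hash tables (Identifier =
# the V3 identifier, ColumnName = the query column that supplies it).
$EntityMapping = @(
    @{
        EntityType   = 'Account'
        FieldMapping = @(
            @{ Identifier = 'Name';     ColumnName = 'SubjectUserName' }
            @{ Identifier = 'NTDomain'; ColumnName = 'SubjectDomainName' }
        )
    }
    @{
        EntityType   = 'Host'
        FieldMapping = @(
            @{ Identifier = 'HostName'; ColumnName = 'Computer' }
        )
    }
)

$Params = @{
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkspaceName
    Kind              = 'Scheduled'
    DisplayName       = 'PowerShell execution spike per user and host'
    Description       = 'More than 10 PowerShell process creations by one user on one host within the query period.'
    Severity          = 'Medium'
    Query             = $Query
    QueryFrequency    = (New-TimeSpan -Hours 1)
    QueryPeriod       = (New-TimeSpan -Hours 1)
    # Fire as soon as the query returns any row (the threshold is in the KQL).
    TriggerOperator   = 'GreaterThan'
    TriggerThreshold  = 0
    Tactic            = @('Execution')
    EntityMapping     = $EntityMapping
    # One alert per result row, so each alert carries a single Account/Host.
    EventGroupingSettingAggregationKind = 'AlertPerResult'
    # Custom alert title filled from the result row's columns.
    AlertDisplayNameFormat = 'PowerShell spike: {{SubjectUserName}} on {{Computer}}'
    # Incident grouping: alerts for the same Account within 8 hours land in one
    # incident; a closed incident is re-opened if the account fires again.
    CreateIncident               = $true
    GroupingConfigurationEnabled = $true
    MatchingMethod               = 'Selected'
    GroupByEntity                = @('Account')
    LookbackDuration             = (New-TimeSpan -Hours 8)
    ReOpenClosedIncident         = $true
    # Suppression: after the rule fires, pause it for 2 hours to limit noise
    # from a long-running burst (default is New-TimeSpan -Hours 5).
    SuppressionEnabled  = $true
    SuppressionDuration = (New-TimeSpan -Hours 2)
    Enabled             = $true
}

$Rule = New-AzSentinelAlertRule @Params
$Rule | Format-List
```

With MatchingMethod 'Selected', -GroupByEntity decides which mapped entities must match for alerts to be grouped; -GroupByAlertDetail and -GroupByCustomDetail extend the same mechanism to alert details and custom details.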