Update-AzSentinelAlertRule
Syntax
Update-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-RuleId <String>
[-SubscriptionId <String>]
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-Description <String>]
[-Query <String>]
[-DisplayName <String>]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Severity <AlertSeverity>]
[-Tactic <AttackTactic>]
[-CreateIncident]
[-GroupingConfigurationEnabled]
[-ReOpenClosedIncident]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-EntityMapping <EntityMapping[]>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-QueryFrequency <TimeSpan>]
[-QueryPeriod <TimeSpan>]
[-TriggerOperator <TriggerOperator>]
[-TriggerThreshold <Int32>]
[-EventGroupingSettingAggregationKind <EventGroupingAggregationKind>]
[-DefaultProfile <PSObject>]
[-Scheduled]
[-AsJob]
[-NoWait]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-RuleId <String>
[-SubscriptionId <String>]
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-FusionMLorTI]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-RuleId <String>
[-SubscriptionId <String>]
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-Description <String>]
[-DisplayNamesFilter <String[]>]
[-DisplayNamesExcludeFilter <String[]>]
[-ProductFilter <MicrosoftSecurityProductName>]
[-SeveritiesFilter <AlertSeverity[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-MicrosoftSecurityIncidentCreation]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-RuleId <String>
[-SubscriptionId <String>]
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-Description <String>]
[-Query <String>]
[-DisplayName <String>]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Severity <AlertSeverity>]
[-Tactic <AttackTactic>]
[-CreateIncident]
[-GroupingConfigurationEnabled]
[-ReOpenClosedIncident]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-EntityMapping <EntityMapping[]>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-NRT]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-AzSentinelAlertRule
-InputObject <ISecurityInsightsIdentity>
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-FusionMLorTI]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-AzSentinelAlertRule
-InputObject <ISecurityInsightsIdentity>
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-Description <String>]
[-DisplayNamesFilter <String[]>]
[-DisplayNamesExcludeFilter <String[]>]
[-ProductFilter <MicrosoftSecurityProductName>]
[-SeveritiesFilter <AlertSeverity[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-MicrosoftSecurityIncidentCreation]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-AzSentinelAlertRule
-InputObject <ISecurityInsightsIdentity>
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-Description <String>]
[-Query <String>]
[-DisplayName <String>]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Severity <AlertSeverity>]
[-Tactic <AttackTactic>]
[-CreateIncident]
[-GroupingConfigurationEnabled]
[-ReOpenClosedIncident]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-EntityMapping <EntityMapping[]>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-NRT]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Update-AzSentinelAlertRule
-InputObject <ISecurityInsightsIdentity>
[-AlertRuleTemplateName <String>]
[-Enabled]
[-Disabled]
[-Description <String>]
[-Query <String>]
[-DisplayName <String>]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Severity <AlertSeverity>]
[-Tactic <AttackTactic>]
[-CreateIncident]
[-GroupingConfigurationEnabled]
[-ReOpenClosedIncident]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-EntityMapping <EntityMapping[]>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-QueryFrequency <TimeSpan>]
[-QueryPeriod <TimeSpan>]
[-TriggerOperator <TriggerOperator>]
[-TriggerThreshold <Int32>]
[-EventGroupingSettingAggregationKind <EventGroupingAggregationKind>]
[-DefaultProfile <PSObject>]
[-Scheduled]
[-AsJob]
[-NoWait]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Updates the alert rule.
Examples
Example 1: Update a scheduled alert rule
Update-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -RuleId "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Query "SecurityAlert | take 2"
This command updates the query of a scheduled alert rule.
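A fuller update of a scheduled rule, added here as an example and not taken from the Az.SecurityInsights documentation: it sets the query, schedule, trigger, suppression and incident-grouping parameters listed in the syntax above, dry-runs with -WhatIf, then reads the rule back with Get-AzSentinelAlertRule to confirm the change. The resource group, workspace, rule GUID and KQL are placeholders, and the rule is assumed to already map an Account entity (needed for GroupByEntity).

```powershell
# Added example (not from the Az.SecurityInsights docs). Assumes an existing scheduled
# rule that maps an Account entity; names and the rule GUID below are placeholders.
$rg   = "myResourceGroupName"
$ws   = "myWorkspaceName"
$rule = "00000000-0000-0000-0000-000000000000"   # placeholder rule GUID

# Constructed detection query: accounts with a burst of failed sign-ins per hour.
$kql = @'
SigninLogs
| where ResultType != 0
| summarize Failures = count() by UserPrincipalName, bin(TimeGenerated, 1h)
| where Failures > 20
'@

$update = @{
    ResourceGroupName            = $rg
    WorkspaceName                = $ws
    RuleId                       = $rule
    Scheduled                    = $true                     # scheduled-rule parameter set
    Query                        = $kql
    QueryFrequency               = (New-TimeSpan -Hours 1)   # how often the rule runs
    QueryPeriod                  = (New-TimeSpan -Hours 1)   # data window each run covers
    TriggerOperator              = "GreaterThan"
    TriggerThreshold             = 0                         # any result row raises an alert
    Severity                     = "Medium"
    Tactic                       = "CredentialAccess"
    SuppressionEnabled           = $true
    SuppressionDuration          = (New-TimeSpan -Hours 5)   # no repeat alert for 5 h after firing
    CreateIncident               = $true
    GroupingConfigurationEnabled = $true
    MatchingMethod               = "Selected"                # group only on the entities below
    GroupByEntity                = @("Account")              # one incident per account
    LookbackDuration             = (New-TimeSpan -Hours 5)   # grouping window for new alerts
    Enabled                      = $true
}

# Dry run first: -WhatIf reports the change without modifying the workspace.
Update-AzSentinelAlertRule @update -WhatIf

# Apply, then read the rule back and verify the settings that matter took effect.
Update-AzSentinelAlertRule @update
$after = Get-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws -RuleId $rule
if (-not $after.Enabled -or $after.QueryFrequency -ne [TimeSpan]::FromHours(1)) {
    throw "Rule $rule did not update as expected"
}
```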
Parameters
-AlertDescriptionFormat
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertDisplayNameFormat
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertRuleTemplateName
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertSeverityColumnName
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AlertTacticsColumnName
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-AsJob
Run the command as a job.
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-CreateIncident
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DefaultProfile
The credentials, account, tenant, and subscription used for communication with Azure.
Type: PSObject
Aliases: AzureRMContext, AzureCredential
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Description
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Disabled
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisplayName
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisplayNamesExcludeFilter
Type: String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-DisplayNamesFilter
Type: String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Enabled
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-EntityMapping
'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
To construct, see NOTES section for ENTITYMAPPING properties and create a hash table.
Type: EntityMapping[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-EventGroupingSettingAggregationKind
Type: EventGroupingAggregationKind
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-FusionMLorTI
Type: SwitchParameter
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-GroupByAlertDetail
Type: AlertDetail[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupByCustomDetail
Type: String[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupByEntity
Type: EntityMappingType[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-GroupingConfigurationEnabled
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-InputObject
Identity Parameter
To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
Type: ISecurityInsightsIdentity
Position: Named
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-LookbackDuration
Type: TimeSpan
Position: Named
Default value: New-TimeSpan -Hours 5
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-MatchingMethod
Type: String
Position: Named
Default value: "AllEntities"
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-MicrosoftSecurityIncidentCreation
Type: SwitchParameter
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-NoWait
Run the command asynchronously.
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-NRT
Type: SwitchParameter
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-ProductFilter
Type: MicrosoftSecurityProductName
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Query
Type: String
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-QueryFrequency
Type: TimeSpan
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-QueryPeriod
Type: TimeSpan
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-ReOpenClosedIncident
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-ResourceGroupName
The Resource Group Name.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-RuleId
[Alias('RuleId')]
The name of Operational Insights Resource Provider.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-Scheduled
Type: SwitchParameter
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-SeveritiesFilter
High, Medium, Low, Informational
Type: AlertSeverity[]
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Severity
Type: AlertSeverity
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SubscriptionId
Gets subscription credentials which uniquely identify a Microsoft Azure subscription.
The subscription ID forms part of the URI for every service call.
Type: String
Position: Named
Default value: (Get-AzContext).Subscription.Id
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SuppressionDuration
Type: TimeSpan
Position: Named
Default value: New-TimeSpan -Hours 5
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-SuppressionEnabled
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Tactic
Type: AttackTactic
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TriggerOperator
Type: TriggerOperator
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-TriggerThreshold
Type: Int32
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-WorkspaceName
The name of the workspace.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
Inputs
ISecurityInsightsIdentity
Outputs
AlertRule