Update-AzSentinelIncident
Creates or updates the incident.
Syntax
UpdateExpanded (Default)
Update-AzSentinelIncident
-Id <String>
-ResourceGroupName <String>
-WorkspaceName <String>
[-SubscriptionId <String>]
[-Classification <IncidentClassification>]
[-ClassificationComment <String>]
[-ClassificationReason <IncidentClassificationReason>]
[-Description <String>]
[-FirstActivityTimeUtc <DateTime>]
[-Label <IIncidentLabel[]>]
[-LastActivityTimeUtc <DateTime>]
[-OwnerAssignedTo <String>]
[-OwnerEmail <String>]
[-OwnerObjectId <String>]
[-OwnerUserPrincipalName <String>]
[-ProviderIncidentId <String>]
[-ProviderName <String>]
[-Severity <IncidentSeverity>]
[-Status <IncidentStatus>]
[-Title <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
UpdateViaIdentityExpanded
Update-AzSentinelIncident
-InputObject <ISecurityInsightsIdentity>
[-Classification <IncidentClassification>]
[-ClassificationComment <String>]
[-ClassificationReason <IncidentClassificationReason>]
[-Description <String>]
[-FirstActivityTimeUtc <DateTime>]
[-Label <IIncidentLabel[]>]
[-LastActivityTimeUtc <DateTime>]
[-OwnerAssignedTo <String>]
[-OwnerEmail <String>]
[-OwnerObjectId <String>]
[-OwnerUserPrincipalName <String>]
[-ProviderIncidentId <String>]
[-ProviderName <String>]
[-Severity <IncidentSeverity>]
[-Status <IncidentStatus>]
[-Title <String>]
[-DefaultProfile <PSObject>]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
Creates or updates the incident.
Examples
Example 1: Update an Incident
Update-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434" -Title "Suspicious login activity" -Status "Active" -Severity "Medium" -OwnerAssignedTo "user@mydomain.local"
This command updates an incident by assigning an owner.
Note: The -Title, -Status, and -Severity parameters are required by the underlying API even though they are listed as optional.
Omitting any of them will result in an error.
When updating an incident, always include these three parameters.
$incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434"
$labels = $incident.Label + [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IncidentLabel]::new()
$labels[-1].LabelName = "Reviewed"
Update-AzSentinelIncident -InputObject $incident -Title $incident.Title -Status $incident.Status -Severity $incident.Severity -Label $labels
This command adds a label to an existing incident using -InputObject.
When using -InputObject, you must still supply -Title, -Status, and -Severity (pass the original values to keep them unchanged).
$incident = Get-AzSentinelIncident -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Id "4a21e485-75ae-48b3-a7b9-e6a92bcfe434"
$newLabels = @( @{ LabelName = "Critical" } )
Update-AzSentinelIncident -InputObject $incident -Title $incident.Title -Status $incident.Status -Severity $incident.Severity -Label $newLabels
This command updates the labels on an existing incident.
Note that -Title, -Status, and -Severity must be included to avoid validation errors.
Passing the original values from $incident ensures those fields are not reset.
Parameters
-Classification
The reason the incident was closed
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
Describes the reason the incident was closed
Type: String
Default value: None Supports wildcards: False DontShow: False
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ClassificationReason
The classification reason the incident was closed with
Parameter properties
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: cf
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-DefaultProfile
The DefaultProfile parameter is not functional.
Use the SubscriptionId parameter when available if executing the cmdlet against a different subscription.
Parameter properties
Type: PSObject
Default value: None Supports wildcards: False DontShow: False Aliases: AzureRMContext, AzureCredential
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Description
The description of the incident
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-FirstActivityTimeUtc
The time of the first activity in the incident
Parameter properties
Type: DateTime
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Id
Incident ID
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False Aliases: IncidentId
Parameter sets
UpdateExpanded
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
Identity Parameter
To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
UpdateViaIdentityExpanded
Position: Named Mandatory: True Value from pipeline: True Value from pipeline by property name: False Value from remaining arguments: False
-Label
List of labels relevant to this incident
To construct, see NOTES section for LABEL properties and create a hash table.
Parameter properties
Type: IIncidentLabel [ ]
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-LastActivityTimeUtc
The time of the last activity in the incident
Parameter properties
Type: DateTime
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-OwnerAssignedTo
The name of the user the incident is assigned to.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-OwnerEmail
The email of the user the incident is assigned to.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-OwnerObjectId
The object id of the user the incident is assigned to.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-OwnerUserPrincipalName
The user principal name of the user the incident is assigned to.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ProviderIncidentId
The incident ID assigned by the incident provider
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ProviderName
The name of the source provider that generated the incident
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-ResourceGroupName
The name of the resource group.
The name is case insensitive.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Severity
The severity of the incident
Parameter properties
Type: IncidentSeverity
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Status
The status of the incident
Parameter properties
Type: IncidentStatus
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-SubscriptionId
The ID of the target subscription.
Parameter properties
Type: String
Default value: (Get-AzContext).Subscription.Id Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-Title
The title of the incident
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-WhatIf
Shows what would happen if the cmdlet runs.
The cmdlet is not run.
Parameter properties
Type: SwitchParameter
Default value: None Supports wildcards: False DontShow: False Aliases: wi
Parameter sets
(All)
Position: Named Mandatory: False Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
-WorkspaceName
The name of the workspace.
Parameter properties
Type: String
Default value: None Supports wildcards: False DontShow: False
Parameter sets
UpdateExpanded
Position: Named Mandatory: True Value from pipeline: False Value from pipeline by property name: False Value from remaining arguments: False
CommonParameters
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable,
-InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable,
-ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see
about_CommonParameters .
Outputs
