你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
New-AzSentinelAlertRule
语法
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-AlertRuleTemplate <String>
-Kind <AlertRuleKind>
[-RuleId <String>]
[-SubscriptionId <String>]
[-Enabled]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-Kind <AlertRuleKind>
-ProductFilter <MicrosoftSecurityProductName>
[-RuleId <String>]
[-SubscriptionId <String>]
[-AlertRuleTemplateName <String>]
[-Description <String>]
[-DisplayNamesExcludeFilter <String[]>]
[-DisplayNamesFilter <String[]>]
[-Enabled]
[-SeveritiesFilter <AlertSeverity[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-DisplayName <String>
-Kind <AlertRuleKind>
-Query <String>
-Severity <AlertSeverity>
[-RuleId <String>]
[-SubscriptionId <String>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertRuleTemplateName <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-CreateIncident]
[-Description <String>]
[-Enabled]
[-EntityMapping <EntityMapping[]>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-GroupingConfigurationEnabled]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-ReOpenClosedIncident]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Tactic <String[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
New-AzSentinelAlertRule
-ResourceGroupName <String>
-WorkspaceName <String>
-DisplayName <String>
-Kind <AlertRuleKind>
-Query <String>
-QueryFrequency <TimeSpan>
-QueryPeriod <TimeSpan>
-Severity <AlertSeverity>
-TriggerOperator <TriggerOperator>
-TriggerThreshold <Int32>
[-RuleId <String>]
[-SubscriptionId <String>]
[-AlertDescriptionFormat <String>]
[-AlertDisplayNameFormat <String>]
[-AlertRuleTemplateName <String>]
[-AlertSeverityColumnName <String>]
[-AlertTacticsColumnName <String>]
[-CreateIncident]
[-Description <String>]
[-Enabled]
[-EntityMapping <EntityMapping[]>]
[-EventGroupingSettingAggregationKind <EventGroupingAggregationKind>]
[-GroupByAlertDetail <AlertDetail[]>]
[-GroupByCustomDetail <String[]>]
[-GroupByEntity <EntityMappingType[]>]
[-GroupingConfigurationEnabled]
[-LookbackDuration <TimeSpan>]
[-MatchingMethod <String>]
[-ReOpenClosedIncident]
[-SuppressionDuration <TimeSpan>]
[-SuppressionEnabled]
[-Tactic <String[]>]
[-DefaultProfile <PSObject>]
[-AsJob]
[-NoWait]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
说明
创建警报规则。
示例
示例 1:创建 Fusion 警报规则
$AlertRuleTemplateName = "f71aba3d-28fb-450b-b192-4e76a83015c8"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind Fusion -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
此命令基于模板“高级多阶段攻击检测”创建融合类型的警报规则
示例 2:创建 ML 行为分析警报规则
$AlertRuleTemplateName = "fa118b98-de46-4e94-87f9-8e6d5060b60b"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MLBehaviorAnalytics -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
此命令基于模板“异常 SSH 登录检测”创建 MLBehaviorAnalytics 类型的警报规则
示例 3:创建威胁情报警报规则
$AlertRuleTemplateName = "0dd422ee-e6af-4204-b219-f59ac172e4c6"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind ThreatIntelligence -Enabled -AlertRuleTemplateName $AlertRuleTemplateName
此命令基于模板“Microsoft Threat Intelligence Analytics”创建 ThreatIntelligence 类型的警报规则
示例 4:创建 Microsoft 安全事件创建警报规则
$AlertRuleTemplateName = "a2e0eb51-1f11-461a-999b-cd0ebe5c7a72"
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -WorkspaceName "myWorkspaceName" -Kind MicrosoftSecurityIncidentCreation -Enabled -AlertRuleTemplateName $AlertRuleTemplateName -ProductFilter "Azure Security Center for IoT"
此命令基于基于 IoT 警报Azure 安全中心创建事件的模板,创建 MicrosoftSecurityIncidentCreation 类型的警报规则。
示例 5:创建计划警报规则
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind Scheduled -Enabled -DisplayName "Powershell Exection Alert (Several Times per Hour)" -Severity Low -Query "SecurityEvent | where EventId == 4688" -QueryFrequency (New-TimeSpan -Hours 1) -QueryPeriod (New-TimeSpan -Hours 1) -TriggerThreshold 10
此命令将创建计划类型的警报规则。
请注意,查询(参数 -Query)需要以字符串的形式位于单个行上。
示例 6:创建近实时警报规则
New-AzSentinelAlertRule -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Kind NRT -Enabled -DisplayName "Break glass account accessed" -Severity High -Query "let Break_Glass_Account = _GetWatchlist('break_glass_account')\n|project UPN;\nSigninLogs\n| where UserPrincipalName in (Break_Glass_Account)"
此命令将创建 NRT 类型的警报规则。
请注意,查询(参数 -Query)需要以字符串的形式位于单个行上。
参数
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AlertRuleTemplate
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AlertRuleTemplateName
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AlertSeverityColumnName
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AlertTacticsColumnName
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-AsJob
以作业身份运行命令
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Confirm
提示你在运行 cmdlet 之前进行确认。
| Type: | SwitchParameter |
| Aliases: | cf |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-CreateIncident
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DefaultProfile
用于与 Azure 通信的凭据、帐户、租户和订阅。
| Type: | PSObject |
| Aliases: | AzureRMContext, AzureCredential |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Description
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisplayName
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisplayNamesExcludeFilter
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-DisplayNamesFilter
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Enabled
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EntityMapping
“Account”、“Host”、“IP”、“Malware”、“File”、“Process”、“CloudApplication”、“DNS”、“AzureResource”、“FileHash”、“RegistryKey”、“RegistryValue”、“SecurityGroup”、“URL”、“Mailbox”、“MailCluster”、“MailMessage”、“SubmissionMail”,请参阅 ENTITYMAPPING 属性的 NOTES 部分并创建哈希表。
| Type: | EntityMapping[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-EventGroupingSettingAggregationKind
| Type: | EventGroupingAggregationKind |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-GroupByAlertDetail
| Type: | AlertDetail[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-GroupByCustomDetail
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-GroupByEntity
| Type: | EntityMappingType[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-GroupingConfigurationEnabled
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Kind
数据连接的类型
| Type: | AlertRuleKind |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-LookbackDuration
| Type: | TimeSpan |
| Position: | Named |
| Default value: | New-TimeSpan -Hours 5 |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-MatchingMethod
| Type: | String |
| Position: | Named |
| Default value: | "AllEntities" |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-NoWait
异步运行命令
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ProductFilter
| Type: | MicrosoftSecurityProductName |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Query
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-QueryFrequency
| Type: | TimeSpan |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-QueryPeriod
| Type: | TimeSpan |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ReOpenClosedIncident
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-ResourceGroupName
资源组名称。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-RuleId
[Alias('RuleId')]规则的 ID。
| Type: | String |
| Position: | Named |
| Default value: | (New-Guid).Guid |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SeveritiesFilter
高、中、低、信息性
| Type: | AlertSeverity[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Severity
| Type: | AlertSeverity |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SubscriptionId
获取唯一标识 Microsoft Azure 订阅的订阅凭据。
此订阅 ID 是每个服务调用的 URI 的一部分。
| Type: | String |
| Position: | Named |
| Default value: | (Get-AzContext).Subscription.Id |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SuppressionDuration
| Type: | TimeSpan |
| Position: | Named |
| Default value: | New-TimeSpan -Hours 5 |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-SuppressionEnabled
| Type: | SwitchParameter |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-Tactic
[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic] InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack
| Type: | String[] |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TriggerOperator
| Type: | TriggerOperator |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-TriggerThreshold
| Type: | Int32 |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WhatIf
显示运行该 cmdlet 时会发生什么情况。
cmdlet 未运行。
| Type: | SwitchParameter |
| Aliases: | wi |
| Position: | Named |
| Default value: | None |
| Required: | False |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
-WorkspaceName
工作区的名称。
| Type: | String |
| Position: | Named |
| Default value: | None |
| Required: | True |
| Accept pipeline input: | False |
| Accept wildcard characters: | False |
输出
AlertRule
备注
别名
复杂参数属性
若要创建下面所述的参数,请构造一个包含相应属性的哈希表。 有关哈希表的信息,请运行 Get-Help about_Hash_Tables。
ENTITYMAPPING <EntityMapping[]>:“Account”、“Host”、“IP”、“Malware”、“File”、“Process”、“CloudApplication”、“DNS”、“AzureResource”、“FileHash”、“RegistryKey”、“RegistryValue”、“SecurityGroup”、“URL”、“Mailbox”、“MailCluster”、“MailMessage”、“SubmissionMail”
[EntityType <EntityMappingType?>]:映射实体的 V3 类型[FieldMapping <IFieldMapping[]>]:给定实体映射的字段映射数组
[ColumnName <String>]:要映射到标识符的列名[Identifier <String>]:实体的 V3 标识符
