你当前正在访问 Microsoft Azure Global Edition 技术文档网站。 如果需要访问由世纪互联运营的 Microsoft Azure 中国技术文档网站,请访问 https://docs.azure.cn。
New-AzSentinelIncident
创建或更新事件。
语法
New-AzSentinelIncident
-ResourceGroupName <String>
-WorkspaceName <String>
[-Id <String>]
[-SubscriptionId <String>]
[-Classification <IncidentClassification>]
[-ClassificationComment <String>]
[-ClassificationReason <IncidentClassificationReason>]
[-Description <String>]
[-FirstActivityTimeUtc <DateTime>]
[-Label <IIncidentLabel[]>]
[-LastActivityTimeUtc <DateTime>]
[-OwnerAssignedTo <String>]
[-OwnerEmail <String>]
[-OwnerObjectId <String>]
[-OwnerUserPrincipalName <String>]
[-ProviderIncidentId <String>]
[-ProviderName <String>]
[-Severity <IncidentSeverity>]
[-Status <IncidentStatus>]
[-Title <String>]
[-DefaultProfile <PSObject>]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
New-AzSentinelIncident
-ResourceGroupName <String>
-WorkspaceName <String>
-Incident <IIncident>
[-Id <String>]
[-SubscriptionId <String>]
[-DefaultProfile <PSObject>]
[-Confirm]
[-WhatIf]
[<CommonParameters>]
说明
创建或更新事件。
示例
示例 1:创建事件
New-AzSentinelIncident -ResourceGroupName "myResourceGroup" -WorkspaceName "myWorkspaceName" -Id ((New-Guid).Guid) -Title "NewIncident" -Description "My Description" -Severity Low -Status New
Title : NewIncident
Description : My Description
Severity : Low
Status : New
Number : 779
CreatedTimeUtc : 2/3/2022 7:47:03 PM
Name : c831b5a7-5644-403f-9dc3-96d651e04c6d
Url : https://portal.azure.com/#asset/Microsoft_Azure_Security_Insights/Incident/subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/cyber-soc/providers/Microsoft.OperationalInsights/workspaces/myworkspace/providers/Microsoft.SecurityInsights/Incidents/c831b5a7-5644-403f-9dc3-96d651e04c6d
此命令创建事件。
参数
-Classification
事件关闭的原因
Type: | IncidentClassification |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ClassificationComment
描述事件关闭的原因
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ClassificationReason
事件被关闭的分类原因
Type: | IncidentClassificationReason |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
提示你在运行 cmdlet 之前进行确认。
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DefaultProfile
DefaultProfile 参数不起作用。 如果对其他订阅执行 cmdlet,请使用 SubscriptionId 参数。
Type: | PSObject |
Aliases: | AzureRMContext, AzureCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Description
事件的说明
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-FirstActivityTimeUtc
事件中第一个活动的时间
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Id
事件 ID
Type: | String |
Aliases: | IncidentId |
Position: | Named |
Default value: | (New-Guid).Guid |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Incident
表示 Azure 安全见解中的事件。 若要构造,请参阅 INCIDENT 属性的 NOTES 部分并创建哈希表。
Type: | IIncident |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Label
要构造与此事件相关的标签列表,请参阅 LABEL 属性的 NOTES 部分,并创建哈希表。
Type: | IIncidentLabel[] |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LastActivityTimeUtc
事件中最后一个活动的时间
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-OwnerAssignedTo
事件分配给的用户的名称。
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-OwnerEmail
事件分配给的用户的电子邮件。
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-OwnerObjectId
事件分配给的用户的对象 ID。
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-OwnerUserPrincipalName
事件分配给的用户的用户主体名称。
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProviderIncidentId
事件提供程序分配的事件 ID
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ProviderName
生成事件的源提供程序的名称
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResourceGroupName
资源组的名称。 此名称不区分大小写。
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Severity
事件的严重性
Type: | IncidentSeverity |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Status
事件的状态
Type: | IncidentStatus |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SubscriptionId
目标订阅的 ID。
Type: | String |
Position: | Named |
Default value: | (Get-AzContext).Subscription.Id |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Title
事件的标题
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
显示运行该 cmdlet 时会发生什么情况。 cmdlet 未运行。
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WorkspaceName
工作区的名称。
Type: | String |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
输入
输出
备注
别名
复杂参数属性
若要创建下面所述的参数,请构造一个包含相应属性的哈希表。 有关哈希表的信息,请运行 Get-Help about_Hash_Tables。
INCIDENT <IIncident>
:表示 Azure 安全见解中的事件。
[Etag <String>]
:Azure 资源的 Etag[SystemDataCreatedAt <DateTime?>]
:资源创建时间戳(UTC)。[SystemDataCreatedBy <String>]
:创建资源的标识。[SystemDataCreatedByType <CreatedByType?>]
:创建资源的标识的类型。[SystemDataLastModifiedAt <DateTime?>]
:资源上次修改的时间戳(UTC)[SystemDataLastModifiedBy <String>]
:上次修改资源的标识。[SystemDataLastModifiedByType <CreatedByType?>]
:上次修改资源的标识类型。[Classification <IncidentClassification?>]
:事件关闭的原因[ClassificationComment <String>]
:描述事件关闭的原因[ClassificationReason <IncidentClassificationReason?>]
:事件已关闭的分类原因[Description <String>]
:事件的说明[FirstActivityTimeUtc <DateTime?>]
:事件中第一个活动的时间[Label <IIncidentLabel[]>]
:与此事件相关的标签列表LabelName <String>
:标签的名称
[LastActivityTimeUtc <DateTime?>]
:事件中最后一个活动的时间[OwnerAssignedTo <String>]
:事件分配给的用户的名称。[OwnerEmail <String>]
:事件分配给的用户的电子邮件。[OwnerObjectId <String>]
:事件分配给的用户的对象 ID。[OwnerUserPrincipalName <String>]
:事件分配给的用户的用户主体名称。[ProviderIncidentId <String>]
:事件提供程序分配的事件 ID[ProviderName <String>]
:生成事件的源提供程序的名称[Severity <IncidentSeverity?>]
:事件的严重性[Status <IncidentStatus?>]
:事件的状态[Title <String>]
:事件的标题
LABEL <IIncidentLabel[]>
:与此事件相关的标签列表
LabelName <String>
:标签的名称
反馈
https://aka.ms/ContentUserFeedback。
即将发布:在整个 2024 年,我们将逐步淘汰作为内容反馈机制的“GitHub 问题”,并将其取代为新的反馈系统。 有关详细信息,请参阅:提交和查看相关反馈