SentinelAlertRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DisplayName | Key | String | The display name of the indicator | |
| SubscriptionId | Write | String | The name of the resource group. The name is case insensitive. | |
| ResourceGroupName | Write | String | The name of the resource group. The name is case insensitive. | |
| WorkspaceName | Write | String | The name of the workspace. | |
| Id | Write | String | The unique id of the indicator. | |
| Description | Write | String | The name of the workspace. | |
| ProductFilter | Write | String | The alerts' productName on which the cases will be generated | |
| Enabled | Write | Boolean | Determines whether this alert rule is enabled or disabled. | |
| Severity | Write | String | The severity for alerts created by this alert rule. | |
| Tactics | Write | StringArray[] | The tactics of the alert rule | |
| Techniques | Write | StringArray[] | The techniques of the alert rule | |
| SubTechniques | Write | StringArray[] | The sub-techniques of the alert rule | |
| Query | Write | String | The query that creates alerts for this rule. | |
| QueryFrequency | Write | String | The frequency (in ISO 8601 duration format) for this alert rule to run. | |
| QueryPeriod | Write | String | The period (in ISO 8601 duration format) that this alert rule looks at. | |
| TriggerOperator | Write | String | The operation against the threshold that triggers alert rule. | |
| TriggerThreshold | Write | UInt32 | The threshold triggers this alert rule. | |
| SuppressionDuration | Write | String | The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. | |
| SuppressionEnabled | Write | String | Determines whether the suppression for this alert rule is enabled or disabled. | |
| AlertRuleTemplateName | Write | String | The Name of the alert rule template used to create this rule. | |
| DisplayNamesExcludeFilter | Write | StringArray[] | The alerts' displayNames on which the cases will not be generated. | |
| DisplayNamesFilter | Write | StringArray[] | The alerts' displayNames on which the cases will be generated. | |
| SeveritiesFilter | Write | StringArray[] | The alerts' severities on which the cases will be generated | |
| EventGroupingSettings | Write | MSFT_SentinelAlertRuleEventGroupingSettings | The event grouping settings. | |
| CustomDetails | Write | MSFT_SentinelAlertRuleCustomDetails[] | Dictionary of string key-value pairs of columns to be attached to the alert | |
| EntityMappings | Write | MSFT_SentinelAlertRuleEntityMapping[] | Array of the entity mappings of the alert rule | |
| AlertDetailsOverride | Write | MSFT_SentinelAlertRuleAlertDetailsOverride | The alert details override settings | |
| IncidentConfiguration | Write | MSFT_SentinelAlertRuleIncidentConfiguration | The settings of the incidents that created from alerts triggered by this analytics rule | |
| Kind | Write | String | The kind of the alert rule | |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent, Present |
| Credential | Write | PSCredential | Credentials of the workload's Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| ManagedIdentity | Write | Boolean | Managed ID being used for authentication. | |
| AccessTokens | Write | StringArray[] | Access token used for authentication. |
MSFT_SentinelAlertRuleEventGroupingSettings¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| aggregationKind | Write | String | The event grouping aggregation kinds |
MSFT_SentinelAlertRuleCustomDetails¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DetailKey | Write | String | Key of the custom detail. | |
| DetailValue | Write | String | Associated value with the custom detail. |
MSFT_SentinelAlertRuleEntityMapping¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| entityType | Write | String | Type of entity. | |
| fieldMappings | Write | MSFT_SentinelAlertRuleEntityMappingFieldMapping[] | List of field mappings. |
MSFT_SentinelAlertRuleEntityMappingFieldMapping¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| columnName | Write | String | Name of the column | |
| identifier | Write | String | Identifier of the associated field. |
MSFT_SentinelAlertRuleAlertDetailsOverride¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| alertDescriptionFormat | Write | String | The format containing columns name(s) to override the alert description | |
| alertDisplayNameFormat | Write | String | The format containing columns name(s) to override the alert name | |
| alertSeverityColumnName | Write | String | The column name to take the alert severity from | |
| alertTacticsColumnName | Write | String | The column name to take the alert tactics from | |
| alertDynamicProperties | Write | MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[] | List of additional dynamic properties to override |
MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| alertProperty | Write | String | Dynamic property key. | |
| alertPropertyValue | Write | String | Dynamic property value. |
MSFT_SentinelAlertRuleIncidentConfiguration¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| createIncident | Write | Boolean | Create incidents from alerts triggered by this analytics rule | |
| groupingConfiguration | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration | Set how the alerts that are triggered by this analytics rule, are grouped into incidents |
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| enabled | Write | Boolean | Grouping enabled | |
| groupByAlertDetails | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[] | A list of alert details to group by (when matchingMethod is Selected) | |
| groupByCustomDetails | Write | StringArray[] | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | |
| groupByEntities | Write | StringArray[] | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | |
| lookbackDuration | Write | String | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | |
| matchingMethod | Write | String | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | |
| reopenClosedIncident | Write | Boolean | Re-open closed matching incidents |
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DisplayName | Write | String | Display name of the alert detail. | |
| Severity | Write | String | Severity level associated with the alert detail. |
Description¶
Configures alert rules in Azure Sentinel.
Permissions¶
Microsoft Graph¶
To authenticate with the Microsoft Graph API, this resource required the following permissions:
Delegated permissions¶
-
Read
- None
-
Update
- None
Application permissions¶
-
Read
- None
-
Update
- None
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{
alertDescriptionFormat = 'This is an example of the alert content'
alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
};
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
CustomDetails = @(
MSFT_SentinelAlertRuleCustomDetails{
DetailKey = 'Color'
DetailValue = 'TenantId'
}
);
Description = "Test";
DisplayName = "MyNRTRule";
Enabled = $True;
Ensure = "Present";
EntityMappings = @(
MSFT_SentinelAlertRuleEntityMapping{
fieldMappings = @(
MSFT_SentinelAlertRuleEntityMappingFieldMapping{
identifier = 'AppId'
columnName = 'Id'
}
)
entityType = 'CloudApplication'
}
);
IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
lookbackDuration = 'PT5H'
matchingMethod = 'Selected'
groupByCustomDetails = @('Color')
groupByEntities = @('CloudApplication')
reopenClosedIncident = $True
enabled = $True
}
createIncident = $True
};
Query = "ThreatIntelIndicators";
ResourceGroupName = "ResourceGroupName";
Severity = "Medium";
SubscriptionId = "xxxx";
SuppressionDuration = "PT5H";
Tactics = @();
Techniques = @();
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{
alertDescriptionFormat = 'This is an example of the alert content'
alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
};
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
CustomDetails = @(
MSFT_SentinelAlertRuleCustomDetails{
DetailKey = 'Color'
DetailValue = 'TenantId'
}
);
Description = "Test";
DisplayName = "MyNRTRule";
Enabled = $True;
Ensure = "Present";
EntityMappings = @(
MSFT_SentinelAlertRuleEntityMapping{
fieldMappings = @(
MSFT_SentinelAlertRuleEntityMappingFieldMapping{
identifier = 'AppId'
columnName = 'Id'
}
)
entityType = 'CloudApplication'
}
);
IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
lookbackDuration = 'PT5H'
matchingMethod = 'Selected'
groupByCustomDetails = @('Color')
groupByEntities = @('CloudApplication')
reopenClosedIncident = $True
enabled = $True
}
createIncident = $True
};
Query = "ThreatIntelIndicators";
ResourceGroupName = "ResourceGroupName";
Severity = "High"; #Drift
SubscriptionId = "xxxx";
SuppressionDuration = "PT5H";
Tactics = @();
Techniques = @();
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
Description = "Test";
DisplayName = "MyNRTRule";
Ensure = "Absent";
ResourceGroupName = "ResourceGroupName";
Severity = "Medium";
SubscriptionId = "xxxx";
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}