SentinelAlertRule
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| DisplayName |
Key |
String |
The display name of the indicator |
|
| SubscriptionId |
Write |
String |
The name of the resource group. The name is case insensitive. |
|
| ResourceGroupName |
Write |
String |
The name of the resource group. The name is case insensitive. |
|
| WorkspaceName |
Write |
String |
The name of the workspace. |
|
| Id |
Write |
String |
The unique id of the indicator. |
|
| Description |
Write |
String |
The name of the workspace. |
|
| ProductFilter |
Write |
String |
The alerts' productName on which the cases will be generated |
|
| Enabled |
Write |
Boolean |
Determines whether this alert rule is enabled or disabled. |
|
| Severity |
Write |
String |
The severity for alerts created by this alert rule. |
|
| Tactics |
Write |
StringArray[] |
The tactics of the alert rule |
|
| Techniques |
Write |
StringArray[] |
The techniques of the alert rule |
|
| SubTechniques |
Write |
StringArray[] |
The sub-techniques of the alert rule |
|
| Query |
Write |
String |
The query that creates alerts for this rule. |
|
| QueryFrequency |
Write |
String |
The frequency (in ISO 8601 duration format) for this alert rule to run. |
|
| QueryPeriod |
Write |
String |
The period (in ISO 8601 duration format) that this alert rule looks at. |
|
| TriggerOperator |
Write |
String |
The operation against the threshold that triggers alert rule. |
|
| TriggerThreshold |
Write |
UInt32 |
The threshold triggers this alert rule. |
|
| SuppressionDuration |
Write |
String |
The suppression (in ISO 8601 duration format) to wait since last time this alert rule been triggered. |
|
| SuppressionEnabled |
Write |
String |
Determines whether the suppression for this alert rule is enabled or disabled. |
|
| AlertRuleTemplateName |
Write |
String |
The Name of the alert rule template used to create this rule. |
|
| DisplayNamesExcludeFilter |
Write |
StringArray[] |
The alerts' displayNames on which the cases will not be generated. |
|
| DisplayNamesFilter |
Write |
StringArray[] |
The alerts' displayNames on which the cases will be generated. |
|
| SeveritiesFilter |
Write |
StringArray[] |
The alerts' severities on which the cases will be generated |
|
| EventGroupingSettings |
Write |
MSFT_SentinelAlertRuleEventGroupingSettings |
The event grouping settings. |
|
| CustomDetails |
Write |
MSFT_SentinelAlertRuleCustomDetails[] |
Dictionary of string key-value pairs of columns to be attached to the alert |
|
| EntityMappings |
Write |
MSFT_SentinelAlertRuleEntityMapping[] |
Array of the entity mappings of the alert rule |
|
| AlertDetailsOverride |
Write |
MSFT_SentinelAlertRuleAlertDetailsOverride |
The alert details override settings |
|
| IncidentConfiguration |
Write |
MSFT_SentinelAlertRuleIncidentConfiguration |
The settings of the incidents that created from alerts triggered by this analytics rule |
|
| Kind |
Write |
String |
The kind of the alert rule |
|
| Ensure |
Write |
String |
Present ensures the instance exists, absent ensures it is removed. |
Absent, Present |
| Credential |
Write |
PSCredential |
Credentials of the workload's Admin |
|
| ApplicationId |
Write |
String |
Id of the Azure Active Directory application to authenticate with. |
|
| TenantId |
Write |
String |
Id of the Azure Active Directory tenant used for authentication. |
|
| CertificateThumbprint |
Write |
String |
Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. |
|
| ManagedIdentity |
Write |
Boolean |
Managed ID being used for authentication. |
|
| AccessTokens |
Write |
StringArray[] |
Access token used for authentication. |
|
MSFT_SentinelAlertRuleEventGroupingSettings
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| aggregationKind |
Write |
String |
The event grouping aggregation kinds |
|
MSFT_SentinelAlertRuleCustomDetails
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| DetailKey |
Write |
String |
Key of the custom detail. |
|
| DetailValue |
Write |
String |
Associated value with the custom detail. |
|
MSFT_SentinelAlertRuleEntityMapping
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| entityType |
Write |
String |
Type of entity. |
|
| fieldMappings |
Write |
MSFT_SentinelAlertRuleEntityMappingFieldMapping[] |
List of field mappings. |
|
MSFT_SentinelAlertRuleEntityMappingFieldMapping
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| columnName |
Write |
String |
Name of the column |
|
| identifier |
Write |
String |
Identifier of the associated field. |
|
MSFT_SentinelAlertRuleAlertDetailsOverride
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| alertDescriptionFormat |
Write |
String |
The format containing columns name(s) to override the alert description |
|
| alertDisplayNameFormat |
Write |
String |
The format containing columns name(s) to override the alert name |
|
| alertSeverityColumnName |
Write |
String |
The column name to take the alert severity from |
|
| alertTacticsColumnName |
Write |
String |
The column name to take the alert tactics from |
|
| alertDynamicProperties |
Write |
MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[] |
List of additional dynamic properties to override |
|
MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| alertProperty |
Write |
String |
Dynamic property key. |
|
| alertPropertyValue |
Write |
String |
Dynamic property value. |
|
MSFT_SentinelAlertRuleIncidentConfiguration
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| createIncident |
Write |
Boolean |
Create incidents from alerts triggered by this analytics rule |
|
| groupingConfiguration |
Write |
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration |
Set how the alerts that are triggered by this analytics rule, are grouped into incidents |
|
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| enabled |
Write |
Boolean |
Grouping enabled |
|
| groupByAlertDetails |
Write |
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[] |
A list of alert details to group by (when matchingMethod is Selected) |
|
| groupByCustomDetails |
Write |
StringArray[] |
A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. |
|
| groupByEntities |
Write |
StringArray[] |
A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. |
|
| lookbackDuration |
Write |
String |
Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) |
|
| matchingMethod |
Write |
String |
Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. |
|
| reopenClosedIncident |
Write |
Boolean |
Re-open closed matching incidents |
|
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail
Parameters
| Parameter |
Attribute |
DataType |
Description |
Allowed Values |
| DisplayName |
Write |
String |
Display name of the alert detail. |
|
| Severity |
Write |
String |
Severity level associated with the alert detail. |
|
Description
Configures alert rules in Azure Sentinel.
Permissions
Examples
Example 1
This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{
alertDescriptionFormat = 'This is an example of the alert content'
alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
};
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
CustomDetails = @(
MSFT_SentinelAlertRuleCustomDetails{
DetailKey = 'Color'
DetailValue = 'TenantId'
}
);
Description = "Test";
DisplayName = "MyNRTRule";
Enabled = $True;
Ensure = "Present";
EntityMappings = @(
MSFT_SentinelAlertRuleEntityMapping{
fieldMappings = @(
MSFT_SentinelAlertRuleEntityMappingFieldMapping{
identifier = 'AppId'
columnName = 'Id'
}
)
entityType = 'CloudApplication'
}
);
IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
lookbackDuration = 'PT5H'
matchingMethod = 'Selected'
groupByCustomDetails = @('Color')
groupByEntities = @('CloudApplication')
reopenClosedIncident = $True
enabled = $True
}
createIncident = $True
};
Query = "ThreatIntelIndicators";
ResourceGroupName = "ResourceGroupName";
Severity = "Medium";
SubscriptionId = "xxxx";
SuppressionDuration = "PT5H";
Tactics = @();
Techniques = @();
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 2
This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{
alertDescriptionFormat = 'This is an example of the alert content'
alertDisplayNameFormat = 'Alert from {{{TimeGenerated}} '
};
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
CustomDetails = @(
MSFT_SentinelAlertRuleCustomDetails{
DetailKey = 'Color'
DetailValue = 'TenantId'
}
);
Description = "Test";
DisplayName = "MyNRTRule";
Enabled = $True;
Ensure = "Present";
EntityMappings = @(
MSFT_SentinelAlertRuleEntityMapping{
fieldMappings = @(
MSFT_SentinelAlertRuleEntityMappingFieldMapping{
identifier = 'AppId'
columnName = 'Id'
}
)
entityType = 'CloudApplication'
}
);
IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
lookbackDuration = 'PT5H'
matchingMethod = 'Selected'
groupByCustomDetails = @('Color')
groupByEntities = @('CloudApplication')
reopenClosedIncident = $True
enabled = $True
}
createIncident = $True
};
Query = "ThreatIntelIndicators";
ResourceGroupName = "ResourceGroupName";
Severity = "High"; #Drift
SubscriptionId = "xxxx";
SuppressionDuration = "PT5H";
Tactics = @();
Techniques = @();
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 3
This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to use as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
Description = "Test";
DisplayName = "MyNRTRule";
Ensure = "Absent";
ResourceGroupName = "ResourceGroupName";
Severity = "Medium";
SubscriptionId = "xxxx";
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}