SentinelAlertRule
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
DisplayName |
Key |
String |
The display name of the alert rule |
|
SubscriptionId |
Write |
String |
The id of the Azure subscription that contains the resource group and workspace. |
|
ResourceGroupName |
Write |
String |
The name of the resource group. The name is case insensitive. |
|
WorkspaceName |
Write |
String |
The name of the workspace. |
|
Id |
Write |
String |
The unique id of the alert rule. |
|
Description |
Write |
String |
The description of the alert rule. |
|
ProductFilter |
Write |
String |
The alerts' productName on which the cases will be generated |
|
Enabled |
Write |
Boolean |
Determines whether this alert rule is enabled or disabled. |
|
Severity |
Write |
String |
The severity for alerts created by this alert rule. |
|
Tactics |
Write |
StringArray[] |
The tactics of the alert rule |
|
Techniques |
Write |
StringArray[] |
The techniques of the alert rule |
|
SubTechniques |
Write |
StringArray[] |
The sub-techniques of the alert rule |
|
Query |
Write |
String |
The query that creates alerts for this rule. |
|
QueryFrequency |
Write |
String |
The frequency (in ISO 8601 duration format) for this alert rule to run. |
|
QueryPeriod |
Write |
String |
The period (in ISO 8601 duration format) that this alert rule looks at. |
|
TriggerOperator |
Write |
String |
The operation against the threshold that triggers alert rule. |
|
TriggerThreshold |
Write |
UInt32 |
The threshold that triggers this alert rule. |
|
SuppressionDuration |
Write |
String |
The suppression (in ISO 8601 duration format) to wait since the last time this alert rule was triggered. |
|
SuppressionEnabled |
Write |
String |
Determines whether the suppression for this alert rule is enabled or disabled. |
|
AlertRuleTemplateName |
Write |
String |
The Name of the alert rule template used to create this rule. |
|
DisplayNamesExcludeFilter |
Write |
StringArray[] |
The alerts' displayNames on which the cases will not be generated. |
|
DisplayNamesFilter |
Write |
StringArray[] |
The alerts' displayNames on which the cases will be generated. |
|
SeveritiesFilter |
Write |
StringArray[] |
The alerts' severities on which the cases will be generated |
|
EventGroupingSettings |
Write |
MSFT_SentinelAlertRuleEventGroupingSettings |
The event grouping settings. |
|
CustomDetails |
Write |
MSFT_SentinelAlertRuleCustomDetails[] |
Dictionary of string key-value pairs of columns to be attached to the alert |
|
EntityMappings |
Write |
MSFT_SentinelAlertRuleEntityMapping[] |
Array of the entity mappings of the alert rule |
|
AlertDetailsOverride |
Write |
MSFT_SentinelAlertRuleAlertDetailsOverride |
The alert details override settings |
|
IncidentConfiguration |
Write |
MSFT_SentinelAlertRuleIncidentConfiguration |
The settings of the incidents that are created from alerts triggered by this analytics rule |
|
Kind |
Write |
String |
The kind of the alert rule |
|
Ensure |
Write |
String |
Present ensures the instance exists, absent ensures it is removed. |
Absent , Present |
Credential |
Write |
PSCredential |
Credentials of the workload's Admin |
|
ApplicationId |
Write |
String |
Id of the Azure Active Directory application to authenticate with. |
|
TenantId |
Write |
String |
Id of the Azure Active Directory tenant used for authentication. |
|
CertificateThumbprint |
Write |
String |
Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. |
|
ManagedIdentity |
Write |
Boolean |
Managed ID being used for authentication. |
|
AccessTokens |
Write |
StringArray[] |
Access token used for authentication. |
|
MSFT_SentinelAlertRuleEventGroupingSettings
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
aggregationKind |
Write |
String |
The event grouping aggregation kinds |
|
MSFT_SentinelAlertRuleCustomDetails
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
DetailKey |
Write |
String |
Key of the custom detail. |
|
DetailValue |
Write |
String |
Associated value with the custom detail. |
|
MSFT_SentinelAlertRuleEntityMapping
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
entityType |
Write |
String |
Type of entity. |
|
fieldMappings |
Write |
MSFT_SentinelAlertRuleEntityMappingFieldMapping[] |
List of field mappings. |
|
MSFT_SentinelAlertRuleEntityMappingFieldMapping
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
columnName |
Write |
String |
Name of the column |
|
identifier |
Write |
String |
Identifier of the associated field. |
|
MSFT_SentinelAlertRuleAlertDetailsOverride
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
alertDescriptionFormat |
Write |
String |
The format containing column name(s) to override the alert description |
|
alertDisplayNameFormat |
Write |
String |
The format containing column name(s) to override the alert name |
|
alertSeverityColumnName |
Write |
String |
The column name to take the alert severity from |
|
alertTacticsColumnName |
Write |
String |
The column name to take the alert tactics from |
|
alertDynamicProperties |
Write |
MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[] |
List of additional dynamic properties to override |
|
MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
alertProperty |
Write |
String |
Dynamic property key. |
|
alertPropertyValue |
Write |
String |
Dynamic property value. |
|
MSFT_SentinelAlertRuleIncidentConfiguration
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
createIncident |
Write |
Boolean |
Create incidents from alerts triggered by this analytics rule |
|
groupingConfiguration |
Write |
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration |
Set how the alerts that are triggered by this analytics rule are grouped into incidents |
|
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
enabled |
Write |
Boolean |
Grouping enabled |
|
groupByAlertDetails |
Write |
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail[] |
A list of alert details to group by (when matchingMethod is Selected) |
|
groupByCustomDetails |
Write |
StringArray[] |
A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. |
|
groupByEntities |
Write |
StringArray[] |
A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. |
|
lookbackDuration |
Write |
String |
Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) |
|
matchingMethod |
Write |
String |
Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. |
|
reopenClosedIncident |
Write |
Boolean |
Re-open closed matching incidents |
|
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfigurationAlertDetail
Parameters
Parameter |
Attribute |
DataType |
Description |
Allowed Values |
DisplayName |
Write |
String |
Display name of the alert detail. |
|
Severity |
Write |
String |
Severity level associated with the alert detail. |
|
Description
Configures alert rules in Azure Sentinel.
Permissions
Microsoft Graph
To authenticate with the Microsoft Graph API, this resource requires the following permissions:
Delegated permissions
Application permissions
Examples
Example 1
This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to be used as a production baseline.
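<#
    Example 1 - declares the Sentinel analytics rule "MyNRTRule" with Ensure = "Present".
    The rule runs the query "ThreatIntelIndicators", attaches one custom detail (Color),
    maps the query's Id column onto a CloudApplication entity, and groups matching
    alerts into incidents over a five-hour lookback.
    Authentication uses an Azure Active Directory application identified by
    ApplicationId/TenantId and a certificate thumbprint; no password or client secret
    is embedded in the configuration.
    SubscriptionId, ResourceGroupName and WorkspaceName are placeholder values.
#>
Configuration Example
{
    param(
        # Id of the Azure Active Directory application to authenticate with.
        [Parameter()]
        [System.String]
        $ApplicationId,

        # Id of the Azure Active Directory tenant used for authentication.
        [Parameter()]
        [System.String]
        $TenantId,

        # Thumbprint of the application's authentication certificate.
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        SentinelAlertRule "SentinelAlertRule-MyNRTRule"
        {
            # Alert title/description overrides. The column placeholder must use balanced
            # double braces ({{TimeGenerated}}); the original example had an unmatched '{'.
            AlertDetailsOverride  = MSFT_SentinelAlertRuleAlertDetailsOverride{
                alertDescriptionFormat = 'This is an example of the alert content'
                alertDisplayNameFormat = 'Alert from {{TimeGenerated}} '
            };
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            # Key/value column attached to the alert; 'Color' is also referenced by
            # groupByCustomDetails below, which only accepts keys defined on this rule.
            CustomDetails         = @(
                MSFT_SentinelAlertRuleCustomDetails{
                    DetailKey   = 'Color'
                    DetailValue = 'TenantId'
                }
            );
            Description           = "Test";
            DisplayName           = "MyNRTRule";
            Enabled               = $True;
            Ensure                = "Present";
            # Map the query's Id column onto a CloudApplication entity (AppId identifier);
            # the same entity type is referenced by groupByEntities below.
            EntityMappings        = @(
                MSFT_SentinelAlertRuleEntityMapping{
                    fieldMappings = @(
                        MSFT_SentinelAlertRuleEntityMappingFieldMapping{
                            identifier = 'AppId'
                            columnName = 'Id'
                        }
                    )
                    entityType = 'CloudApplication'
                }
            );
            # Create incidents and group alerts that share the selected custom detail
            # and entity within the lookback window; closed matching incidents are re-opened.
            IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
                groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
                    lookbackDuration     = 'PT5H'
                    matchingMethod       = 'Selected'
                    groupByCustomDetails = @('Color')
                    groupByEntities      = @('CloudApplication')
                    reopenClosedIncident = $True
                    enabled              = $True
                }
                createIncident = $True
            };
            Query                 = "ThreatIntelIndicators";
            ResourceGroupName     = "ResourceGroupName";
            Severity              = "Medium";
            SubscriptionId        = "xxxx";  # placeholder: replace with the target subscription id
            SuppressionDuration   = "PT5H";
            Tactics               = @();
            Techniques            = @();
            TenantId              = $TenantId;
            WorkspaceName         = "SentinelWorkspace";
        }
    }
}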
Example 2
This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to be used as a production baseline.
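<#
    Example 2 - the same "MyNRTRule" declaration as Example 1, with Severity set to
    "High" instead of "Medium" (marked '#Drift'); applying it after Example 1 is meant
    to exercise drift detection on that single property.
    Authentication uses an Azure Active Directory application identified by
    ApplicationId/TenantId and a certificate thumbprint; no password or client secret
    is embedded in the configuration.
    SubscriptionId, ResourceGroupName and WorkspaceName are placeholder values.
#>
Configuration Example
{
    param(
        # Id of the Azure Active Directory application to authenticate with.
        [Parameter()]
        [System.String]
        $ApplicationId,

        # Id of the Azure Active Directory tenant used for authentication.
        [Parameter()]
        [System.String]
        $TenantId,

        # Thumbprint of the application's authentication certificate.
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        SentinelAlertRule "SentinelAlertRule-MyNRTRule"
        {
            # Alert title/description overrides. The column placeholder must use balanced
            # double braces ({{TimeGenerated}}); the original example had an unmatched '{'.
            AlertDetailsOverride  = MSFT_SentinelAlertRuleAlertDetailsOverride{
                alertDescriptionFormat = 'This is an example of the alert content'
                alertDisplayNameFormat = 'Alert from {{TimeGenerated}} '
            };
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            # Key/value column attached to the alert; 'Color' is also referenced by
            # groupByCustomDetails below, which only accepts keys defined on this rule.
            CustomDetails         = @(
                MSFT_SentinelAlertRuleCustomDetails{
                    DetailKey   = 'Color'
                    DetailValue = 'TenantId'
                }
            );
            Description           = "Test";
            DisplayName           = "MyNRTRule";
            Enabled               = $True;
            Ensure                = "Present";
            # Map the query's Id column onto a CloudApplication entity (AppId identifier);
            # the same entity type is referenced by groupByEntities below.
            EntityMappings        = @(
                MSFT_SentinelAlertRuleEntityMapping{
                    fieldMappings = @(
                        MSFT_SentinelAlertRuleEntityMappingFieldMapping{
                            identifier = 'AppId'
                            columnName = 'Id'
                        }
                    )
                    entityType = 'CloudApplication'
                }
            );
            # Create incidents and group alerts that share the selected custom detail
            # and entity within the lookback window; closed matching incidents are re-opened.
            IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
                groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
                    lookbackDuration     = 'PT5H'
                    matchingMethod       = 'Selected'
                    groupByCustomDetails = @('Color')
                    groupByEntities      = @('CloudApplication')
                    reopenClosedIncident = $True
                    enabled              = $True
                }
                createIncident = $True
            };
            Query                 = "ThreatIntelIndicators";
            ResourceGroupName     = "ResourceGroupName";
            Severity              = "High"; # Drift: differs from Example 1 ("Medium")
            SubscriptionId        = "xxxx";  # placeholder: replace with the target subscription id
            SuppressionDuration   = "PT5H";
            Tactics               = @();
            Techniques            = @();
            TenantId              = $TenantId;
            WorkspaceName         = "SentinelWorkspace";
        }
    }
}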
Example 3
This example is used to test new resources and showcase the usage of new resources being worked on.
It is not meant to be used as a production baseline.
<#
    Example 3 - removes the Sentinel analytics rule "MyNRTRule" (Ensure = "Absent")
    from the named workspace. Only the identifying properties plus the
    Description/Severity values carried over from the earlier examples are given.
    Authentication uses an Azure Active Directory application identified by
    ApplicationId/TenantId and a certificate thumbprint.
    SubscriptionId, ResourceGroupName and WorkspaceName are placeholder values.
#>
Configuration Example
{
    param(
        # Id of the Azure Active Directory application to authenticate with.
        [Parameter()]
        [System.String]
        $ApplicationId,

        # Id of the Azure Active Directory tenant used for authentication.
        [Parameter()]
        [System.String]
        $TenantId,

        # Thumbprint of the application's authentication certificate.
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )

    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        SentinelAlertRule "SentinelAlertRule-MyNRTRule"
        {
            # Target rule and workspace.
            DisplayName           = "MyNRTRule";
            Description           = "Test";
            Severity              = "Medium";
            SubscriptionId        = "xxxx";
            ResourceGroupName     = "ResourceGroupName";
            WorkspaceName         = "SentinelWorkspace";
            # Desired state: the rule must not exist.
            Ensure                = "Absent";
            # Authentication.
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}