SentinelAlertRule¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DisplayName | Key | String | The display name of the alert rule. | |
| SubscriptionId | Write | String | The id of the Azure subscription that holds the workspace. | |
| ResourceGroupName | Write | String | The name of the resource group. The name is case insensitive. | |
| WorkspaceName | Write | String | The name of the workspace. | |
| Id | Write | String | The unique id of the alert rule. | |
| Description | Write | String | The description of the alert rule. | |
| ProductFilter | Write | String | The alerts' productName on which the cases will be generated | |
| Enabled | Write | Boolean | Determines whether this alert rule is enabled or disabled. | |
| Severity | Write | String | The severity for alerts created by this alert rule. | |
| Tactics | Write | StringArray[] | The tactics of the alert rule | |
| Techniques | Write | StringArray[] | The techniques of the alert rule | |
| SubTechniques | Write | StringArray[] | The sub-techniques of the alert rule | |
| Query | Write | String | The query that creates alerts for this rule. | |
| QueryFrequency | Write | String | The frequency (in ISO 8601 duration format) for this alert rule to run. | |
| QueryPeriod | Write | String | The period (in ISO 8601 duration format) that this alert rule looks at. | |
| TriggerOperator | Write | String | The operation against the threshold that triggers alert rule. | |
| TriggerThreshold | Write | UInt32 | The threshold that triggers this alert rule. | |
| SuppressionDuration | Write | String | The suppression window (in ISO 8601 duration format) to wait since the last time this alert rule was triggered. | |
| SuppressionEnabled | Write | String | Determines whether the suppression for this alert rule is enabled or disabled. | |
| AlertRuleTemplateName | Write | String | The Name of the alert rule template used to create this rule. | |
| DisplayNamesExcludeFilter | Write | StringArray[] | The alerts' displayNames on which the cases will not be generated. | |
| DisplayNamesFilter | Write | StringArray[] | The alerts' displayNames on which the cases will be generated. | |
| SeveritiesFilter | Write | StringArray[] | The alerts' severities on which the cases will be generated | |
| EventGroupingSettings | Write | MSFT_SentinelAlertRuleEventGroupingSettings | The event grouping settings. | |
| CustomDetails | Write | MSFT_SentinelAlertRuleCustomDetails[] | Dictionary of string key-value pairs of columns to be attached to the alert | |
| EntityMappings | Write | MSFT_SentinelAlertRuleEntityMapping[] | Array of the entity mappings of the alert rule | |
| AlertDetailsOverride | Write | MSFT_SentinelAlertRuleAlertDetailsOverride | The alert details override settings | |
| IncidentConfiguration | Write | MSFT_SentinelAlertRuleIncidentConfiguration | The settings of the incidents that are created from alerts triggered by this analytics rule | |
| Kind | Write | String | The kind of the alert rule | |
| Ensure | Write | String | Present ensures the instance exists, absent ensures it is removed. | Absent, Present |
| Credential | Write | PSCredential | Credentials of the workload's Admin | |
| ApplicationId | Write | String | Id of the Azure Active Directory application to authenticate with. | |
| TenantId | Write | String | Id of the Azure Active Directory tenant used for authentication. | |
| CertificateThumbprint | Write | String | Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication. | |
| CertificatePassword | Write | PSCredential | The username can be anything; only the password part is used as the certificate password. | |
| CertificatePath | Write | String | Path to certificate used in service principal usually a PFX file. | |
| ManagedIdentity | Write | Boolean | Whether a managed identity is used for authentication. | |
| AccessTokens | Write | StringArray[] | Access tokens used for authentication. | |
Embedded Instances¶
MSFT_SentinelAlertRuleEventGroupingSettings¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| aggregationKind | Write | String | The event grouping aggregation kind | |
MSFT_SentinelAlertRuleCustomDetails¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| DetailKey | Write | String | Key of the custom detail. | |
| DetailValue | Write | String | Associated value with the custom detail. | |
MSFT_SentinelAlertRuleEntityMapping¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| entityType | Write | String | Type of entity. | |
| fieldMappings | Write | MSFT_SentinelAlertRuleEntityMappingFieldMapping[] | List of field mappings. | |
MSFT_SentinelAlertRuleEntityMappingFieldMapping¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| columnName | Required | String | Name of the column | |
| identifier | Required | String | Identifier of the associated field. | |
MSFT_SentinelAlertRuleAlertDetailsOverride¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| alertDescriptionFormat | Write | String | The format containing columns name(s) to override the alert description | |
| alertDisplayNameFormat | Write | String | The format containing columns name(s) to override the alert name | |
| alertSeverityColumnName | Write | String | The column name to take the alert severity from | |
| alertTacticsColumnName | Write | String | The column name to take the alert tactics from | |
| alertDynamicProperties | Write | MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty[] | List of additional dynamic properties to override | |
MSFT_SentinelAlertRuleAlertDetailsOverrideAlertDynamicProperty¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| alertProperty | Required | String | Dynamic property key. | |
| alertPropertyValue | Write | String | Dynamic property value. | |
MSFT_SentinelAlertRuleIncidentConfiguration¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| createIncident | Write | Boolean | Create incidents from alerts triggered by this analytics rule | |
| groupingConfiguration | Write | MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration | Set how the alerts that are triggered by this analytics rule are grouped into incidents | |
MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration¶
Parameters¶
| Parameter | Attribute | DataType | Description | Allowed Values |
|---|---|---|---|---|
| enabled | Write | Boolean | Grouping enabled | |
| groupByAlertDetails | Write | StringArray[] | A list of alert details to group by (when matchingMethod is Selected) | DisplayName, Severity |
| groupByCustomDetails | Write | StringArray[] | A list of custom details keys to group by (when matchingMethod is Selected). Only keys defined in the current alert rule may be used. | |
| groupByEntities | Write | StringArray[] | A list of entity types to group by (when matchingMethod is Selected). Only entities defined in the current alert rule may be used. | |
| lookbackDuration | Write | String | Limit the group to alerts created within the lookback duration (in ISO 8601 duration format) | |
| matchingMethod | Write | String | Grouping matching method. When method is Selected at least one of groupByEntities, groupByAlertDetails, groupByCustomDetails must be provided and not empty. | |
| reopenClosedIncident | Write | Boolean | Re-open closed matching incidents | |
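The tables above state several cross-field constraints that DSC itself does not check until the resource is applied: the durations must be ISO 8601, a matchingMethod of Selected needs at least one non-empty groupBy* list, groupByCustomDetails may only name keys defined in CustomDetails, groupByEntities may only name entity types present in EntityMappings, and groupByAlertDetails is limited to DisplayName and Severity. The following PowerShell function is an added example (not part of Microsoft365DSC) that runs those checks before a configuration is compiled. It takes the rule as a hashtable whose keys mirror the resource's parameters, with the embedded instances as nested hashtables. Two checks go beyond this page and are assumptions: that QueryPeriod must not be shorter than QueryFrequency for a Scheduled rule (a Sentinel-side rule), and that AlertDetailsOverride placeholders have the form {{ColumnName}}.

```powershell
# Added example (not part of Microsoft365DSC): pre-flight checks on a SentinelAlertRule
# definition. The rule is a hashtable whose keys mirror the resource's parameters; the
# embedded instances (AlertDetailsOverride, IncidentConfiguration, ...) are nested hashtables.
function Test-SentinelAlertRuleDefinition {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [hashtable]$Rule
    )

    $problems = [System.Collections.Generic.List[string]]::new()

    # ISO 8601 durations (PT5H, P1D, ...) parse via XmlConvert; anything else is a finding.
    function ConvertTo-Duration {
        param([string]$Name, [string]$Value)
        if ([string]::IsNullOrEmpty($Value)) { return $null }
        try { return [System.Xml.XmlConvert]::ToTimeSpan($Value) }
        catch {
            $problems.Add("$Name '$Value' is not an ISO 8601 duration")
            return $null
        }
    }

    $frequency = ConvertTo-Duration 'QueryFrequency' $Rule.QueryFrequency
    $period    = ConvertTo-Duration 'QueryPeriod' $Rule.QueryPeriod
    $null      = ConvertTo-Duration 'SuppressionDuration' $Rule.SuppressionDuration

    # Scheduled rules need both timings, and the lookback must cover at least one run interval
    # (a Sentinel-side constraint assumed here; the parameter table does not state it).
    if ($Rule.Kind -eq 'Scheduled') {
        if ($null -eq $frequency -or $null -eq $period) {
            $problems.Add('Scheduled rules require QueryFrequency and QueryPeriod')
        }
        elseif ($period -lt $frequency) {
            $problems.Add("QueryPeriod $($Rule.QueryPeriod) is shorter than QueryFrequency $($Rule.QueryFrequency)")
        }
    }

    # AlertDetailsOverride formats reference query columns as {{ColumnName}} (assumed syntax);
    # any brace left over after removing well-formed placeholders is a typo in the format.
    if ($Rule.AlertDetailsOverride) {
        foreach ($key in 'alertDisplayNameFormat', 'alertDescriptionFormat') {
            $format = [string]$Rule.AlertDetailsOverride[$key]
            if ($format -and ([regex]::Replace($format, '\{\{\w+\}\}', '') -match '[{}]')) {
                $problems.Add("AlertDetailsOverride.$key has an unbalanced placeholder: '$format'")
            }
        }
    }

    # Incident grouping: the groupBy* lists may only name things this rule itself defines.
    $grouping = $Rule.IncidentConfiguration.groupingConfiguration
    if ($grouping -and $grouping.enabled) {
        $null = ConvertTo-Duration 'lookbackDuration' $grouping.lookbackDuration
        $definedKeys     = @($Rule.CustomDetails  | ForEach-Object { $_.DetailKey })
        $definedEntities = @($Rule.EntityMappings | ForEach-Object { $_.entityType })
        $allowedDetails  = @('DisplayName', 'Severity')

        $selected = @($grouping.groupByEntities) + @($grouping.groupByAlertDetails) + @($grouping.groupByCustomDetails)
        if ($grouping.matchingMethod -eq 'Selected' -and -not ($selected | Where-Object { $_ })) {
            $problems.Add("matchingMethod 'Selected' needs a non-empty groupByEntities, groupByAlertDetails or groupByCustomDetails")
        }
        foreach ($k in @($grouping.groupByCustomDetails | Where-Object { $_ })) {
            if ($k -notin $definedKeys) { $problems.Add("groupByCustomDetails key '$k' is not defined in CustomDetails") }
        }
        foreach ($e in @($grouping.groupByEntities | Where-Object { $_ })) {
            if ($e -notin $definedEntities) { $problems.Add("groupByEntities type '$e' has no EntityMappings entry") }
        }
        foreach ($d in @($grouping.groupByAlertDetails | Where-Object { $_ })) {
            if ($d -notin $allowedDetails) { $problems.Add("groupByAlertDetails '$d' must be DisplayName or Severity") }
        }
    }

    return $problems
}

# Constructed sample rule (no real tenant); a Scheduled rule with consistent grouping settings.
$rule = @{
    Kind = 'Scheduled'; QueryFrequency = 'PT1H'; QueryPeriod = 'PT24H'; SuppressionDuration = 'PT5H'
    AlertDetailsOverride  = @{ alertDisplayNameFormat = 'Password spray against {{UserPrincipalName}}' }
    CustomDetails         = @( @{ DetailKey = 'FailureCount'; DetailValue = 'Failures' } )
    EntityMappings        = @( @{ entityType = 'Account' }, @{ entityType = 'IP' } )
    IncidentConfiguration = @{ groupingConfiguration = @{
        enabled = $true; matchingMethod = 'Selected'; lookbackDuration = 'PT5H'
        groupByEntities = @('IP'); groupByCustomDetails = @('FailureCount')
    } }
}
Test-SentinelAlertRuleDefinition -Rule $rule

# The same rule with three mistakes: a lookback shorter than the run interval, an unbalanced
# placeholder, and grouping on an entity type the rule never maps.
$broken = $rule.Clone()
$broken.QueryPeriod           = 'PT30M'
$broken.AlertDetailsOverride  = @{ alertDisplayNameFormat = 'Alert from {{{TimeGenerated}}' }
$broken.IncidentConfiguration = @{ groupingConfiguration = @{
    enabled = $true; matchingMethod = 'Selected'; lookbackDuration = 'PT5H'
    groupByEntities = @('CloudApplication')
} }
Test-SentinelAlertRuleDefinition -Rule $broken
```

The first call returns nothing; the second reports the short QueryPeriod, the stray brace in alertDisplayNameFormat and the unmapped CloudApplication entity. Run it against the values you are about to put in a configuration; a failing groupBy* reference or a malformed duration otherwise only surfaces when the resource is applied against the workspace.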
Description¶
Creates, updates and removes alert (analytics) rules in a Microsoft Sentinel (formerly Azure Sentinel) workspace.
Permissions¶
Examples¶
Example 1¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{
alertDescriptionFormat = 'This is an example of the alert content'
alertDisplayNameFormat = 'Alert from {{TimeGenerated}}'
};
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
CustomDetails = @(
MSFT_SentinelAlertRuleCustomDetails{
DetailKey = 'Color'
DetailValue = 'TenantId'
}
);
Description = "Test";
DisplayName = "MyNRTRule";
Enabled = $True;
Ensure = "Present";
EntityMappings = @(
MSFT_SentinelAlertRuleEntityMapping{
fieldMappings = @(
MSFT_SentinelAlertRuleEntityMappingFieldMapping{
identifier = 'AppId'
columnName = 'Id'
}
)
entityType = 'CloudApplication'
}
);
IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
lookbackDuration = 'PT5H'
matchingMethod = 'Selected'
groupByCustomDetails = @('Color')
groupByEntities = @('CloudApplication')
reopenClosedIncident = $True
enabled = $True
}
createIncident = $True
};
Query = "ThreatIntelIndicators";
ResourceGroupName = "ResourceGroupName";
Severity = "Medium";
SubscriptionId = "xxxx";
SuppressionDuration = "PT5H";
Tactics = @();
Techniques = @();
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 2¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
AlertDetailsOverride = MSFT_SentinelAlertRuleAlertDetailsOverride{
alertDescriptionFormat = 'This is an example of the alert content'
alertDisplayNameFormat = 'Alert from {{TimeGenerated}}'
};
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
CustomDetails = @(
MSFT_SentinelAlertRuleCustomDetails{
DetailKey = 'Color'
DetailValue = 'TenantId'
}
);
Description = "Test";
DisplayName = "MyNRTRule";
Enabled = $True;
Ensure = "Present";
EntityMappings = @(
MSFT_SentinelAlertRuleEntityMapping{
fieldMappings = @(
MSFT_SentinelAlertRuleEntityMappingFieldMapping{
identifier = 'AppId'
columnName = 'Id'
}
)
entityType = 'CloudApplication'
}
);
IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
lookbackDuration = 'PT5H'
matchingMethod = 'Selected'
groupByCustomDetails = @('Color')
groupByEntities = @('CloudApplication')
reopenClosedIncident = $True
enabled = $True
}
createIncident = $True
};
Query = "ThreatIntelIndicators";
ResourceGroupName = "ResourceGroupName";
Severity = "High"; #Drift
SubscriptionId = "xxxx";
SuppressionDuration = "PT5H";
Tactics = @();
Techniques = @();
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}
Example 3¶
This example is used to test new resources and showcase the usage of new resources being worked on. It is not meant to be used as a production baseline.
Configuration Example
{
param(
[Parameter()]
[System.String]
$ApplicationId,
[Parameter()]
[System.String]
$TenantId,
[Parameter()]
[System.String]
$CertificateThumbprint
)
Import-DscResource -ModuleName Microsoft365DSC
node localhost
{
SentinelAlertRule "SentinelAlertRule-MyNRTRule"
{
ApplicationId = $ApplicationId;
CertificateThumbprint = $CertificateThumbprint;
Description = "Test";
DisplayName = "MyNRTRule";
Ensure = "Absent";
ResourceGroupName = "ResourceGroupName";
Severity = "Medium";
SubscriptionId = "xxxx";
TenantId = $TenantId;
WorkspaceName = "SentinelWorkspace";
}
}
}
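Example 4¶
This example is added here and is not from the Microsoft365DSC repository. It shows a Scheduled rule, the kind the three examples above do not cover: the Scheduled-only timing and trigger parameters (QueryFrequency, QueryPeriod, TriggerOperator, TriggerThreshold), per-result event grouping, two entity mappings, and incident grouping by source IP. The KQL, the sign-in result code, the failure threshold and the subscription, resource group and workspace names are assumptions to be replaced per tenant; the values used for Kind, TriggerOperator, aggregationKind and the entity identifiers follow the Sentinel API enumerations rather than anything listed in the tables above.

```powershell
Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,
        [Parameter()]
        [System.String]
        $TenantId,
        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC
    node localhost
    {
        SentinelAlertRule "SentinelAlertRule-PasswordSpray"
        {
            ApplicationId         = $ApplicationId;
            CertificateThumbprint = $CertificateThumbprint;
            TenantId              = $TenantId;
            SubscriptionId        = "xxxx";                 # assumption: replace with the real subscription id
            ResourceGroupName     = "ResourceGroupName";
            WorkspaceName         = "SentinelWorkspace";
            Ensure                = "Present";
            Enabled               = $True;
            Kind                  = "Scheduled";
            DisplayName           = "Password spray against Entra ID accounts";
            Description           = "Many failed sign-ins for one account from one source address within the lookback window.";
            Severity              = "Medium";
            Tactics               = @("CredentialAccess");
            Techniques            = @("T1110");
            # Hypothetical KQL: result code 50126 (bad username or password) and the
            # 20-failure cut-off are assumptions to tune for the tenant's baseline.
            Query                 = @"
SigninLogs
| where ResultType == "50126"
| summarize Failures = count(), FirstSeen = min(TimeGenerated) by UserPrincipalName, IPAddress
| where Failures > 20
"@;
            QueryFrequency        = "PT1H";    # run every hour
            QueryPeriod           = "PT24H";   # over the last day; must not be shorter than QueryFrequency
            TriggerOperator       = "GreaterThan";
            TriggerThreshold      = 0;         # fire as soon as the query returns one row
            SuppressionDuration   = "PT5H";
            # One alert per result row (per sprayed account), not one alert per query run.
            EventGroupingSettings = MSFT_SentinelAlertRuleEventGroupingSettings{
                aggregationKind = 'AlertPerResult'
            };
            CustomDetails         = @(
                MSFT_SentinelAlertRuleCustomDetails{
                    DetailKey   = 'FailureCount'
                    DetailValue = 'Failures'
                }
            );
            EntityMappings        = @(
                MSFT_SentinelAlertRuleEntityMapping{
                    entityType    = 'Account'
                    fieldMappings = @(
                        MSFT_SentinelAlertRuleEntityMappingFieldMapping{
                            identifier = 'FullName'
                            columnName = 'UserPrincipalName'
                        }
                    )
                }
                MSFT_SentinelAlertRuleEntityMapping{
                    entityType    = 'IP'
                    fieldMappings = @(
                        MSFT_SentinelAlertRuleEntityMappingFieldMapping{
                            identifier = 'Address'
                            columnName = 'IPAddress'
                        }
                    )
                }
            );
            # Group alerts from the same source address into one incident for five hours,
            # so a spray across many accounts becomes a single incident rather than dozens.
            IncidentConfiguration = MSFT_SentinelAlertRuleIncidentConfiguration{
                createIncident        = $True
                groupingConfiguration = MSFT_SentinelAlertRuleIncidentConfigurationGroupingConfiguration{
                    enabled              = $True
                    matchingMethod       = 'Selected'
                    groupByEntities      = @('IP')
                    lookbackDuration     = 'PT5H'
                    reopenClosedIncident = $False
                }
            };
        }
    }
}
```

Note that groupByEntities names only an entity type that EntityMappings defines (IP), and QueryPeriod is longer than QueryFrequency; both are required by the constraints described in the parameter tables and by Sentinel respectively. Compile with `Example -ApplicationId ... -TenantId ... -CertificateThumbprint ...` and apply the resulting MOF with `Start-DscConfiguration`.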