New-AzSentinelAlertRule throws the error that playbook property is missing if no playbook configured is for a new rule, for existing rule there is no error

When enabling Azure Sentinel test to see if the required resource providers are installed. if not try to activate the required resource providers

Summary of the new feature/enhancement

Add support to automatically upload workbooks

feedback from: Edoardo Gerosa

Summary of the new feature/enhancement

minimize the amount of parameters, automatically resolve the workspace RG and subid

Proposed technical implementation details (optional)

example

   Get-LogAnalyticWorkspace -WorkspaceName "PKM02"

Feature Request

Rename "New-AzAnalytic" to "New-AlertRule" to better align with Azure Sentinel naming.

Not sure if this is an error with this code or with the way the default queries are written in the Azure Sentinel GitHub repository.

I tried to use Import-AzureSentinelAlertRule going against the exchange_auditlogdisabled.yaml rule stored in the Detections/OfficeActivity folder in the Azure Sentinel GitHub repository (copied locally of course) and received the following error:

Import-AzSentinelAlertRule : Unable to initiate class with error: Exception setting "TriggerOperator": "Cannot convert value "gt" to type "TriggerOperator". Error: "Unable to match the identifier name gt to a valid enumerator name. Specify one of the following enumerator names and try again:
GreaterThan, FewerThan, EqualTo, NotEqualTo""
At line:1 char:1

• Import-AzSentinelAlertRule -WorkspaceName "LA-Sentinel-Beta" -Setting ...
• CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
• FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Import-AzSentinelAlertRule

ConvertFrom-Json : Conversion from JSON failed with error: Unexpected character encountered while parsing value: R. Path '', line 0, position 0.
At C:\Users\garyb\OneDrive\Documents\PowerShell\Modules\AzSentinel\0.6.1\AzSentinel.psm1:790 char:52

• ... $errorResult = ($errorReturn | ConvertFrom-Json ).error + ~~~~~~~~~~~~~~~~ + CategoryInfo : NotSpecified: (:) [ConvertFrom-Json], ArgumentException + FullyQualifiedErrorId : System.ArgumentException,Microsoft.PowerShell.Commands.ConvertFromJsonCommand

Even after fixing that issue I then get another issue with the way the Timespan is stored.

First of all, thanks so much for this module as it is extremely useful.

Any idea when the new release is coming out?

Also, when I use the Import-AzSentinelAlertRule to import one of the Template rules, the templates are not flagged as IN USE as they would if you created a new rule based on the template directly from the Azure portal.

Thanks
Felipe

Summary of the new feature/enhancement

I want to use this commandlet to import a couple of hundred rules from one workspace to another.

1. Currently the command will iterate accross all rules in an array and do a separate API call for every rule in that array to see if it already exists or not. You could optimise this by providing your own command Get-AzSentinelAlertRule with an array of Rulenames, reducing it to 1 call.

A second optimisation is to not fetch the alertruleaction (playbookname) for that rule if we simply want to know if the rule exists or not.
I see that in a later phase, that fetched playbookname of that alertruleaction is used to verify if a rule has changed playbookname. It might be useful to provide a flag 'UpdatePlaybooks' to either enable or disable this feature as we use separate AlertAction files to enable a certain playbook for a certain customer, meaning that we do not care about playbooks while importing a set of new rules.

        foreach ($item in $analytics) {
            try {
                $content = Get-AzSentinelAlertRule @arguments -RuleName $($item.displayName) -ErrorAction SilentlyContinue
                if ($content) {
                    Write-Output "Rule $($item.displayName) exists in Azure Sentinel"
...
                else {
                    Write-Verbose -Message "Rule $($item.displayName) doesn't exist in Azure Sentinel"
...
                }
            }

Environment

Windows build number: Microsoft Windows [Version 10.0.18363.778]
PowerShell version (if applicable): PowerShell 7 x64

Steps to reproduce

install-module -Name AzSentinel
Connect-AzAccount
Set-AzContext -Subscription -Tenant
get-AzSentinelAlertRule -WorkspaceName ""

Expected behavior

Would expect the playbookName field would be populated for rules that have playbooks assigned.

Actual behavior

playbookName :

InvalidOperation: C:\Users<username>\Documents\PowerShell\Modules\AzSentinel\0.6.4\AzSentinel.psm1:506
Line |
506 | … $playbookName = ($playbook.properties.logicAppResourceId) …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| You cannot call a method on a null-valued expression.

I think a useful feature would be a command let to enable the a rule templates, this feature would be useful if someone is required to enable it across multiple sentinel workspaces

Steps to reproduce

I've used the command Get-AzSentinelAlertRule to export all alert rules to a JSON.
Now I want to import these Rule in another workspace and I experience the below issue.

Expected behavior

An exported rule should be imported flawlessly

Actual behavior

There is an error while Creating a new AlertProp object, causing an empty body to be sent.

Exception setting "TriggerOperator": "Cannot convert value "" to type "TriggerOperator". Error: "The identifier name cannot be processed because it is either too similar or identical to the following enumerator names: GreaterThan, LessThan, Equal, NotEqual, gt, lt, eq, ne. Use a more specific identifier name.""`

Summary of the new feature/enhancement

Proposed technical implementation details (optional)

Summary of the new feature/enhancement

Add new, get, remove and import functions for hunting rules

How can we set the following parameters for a Sentinel alert rule ( type scheduled) using AZSentinel module ?

1. incidentConfiguration (i.e CreateIncident = True)

2. queryResultsAggregationSettings

Update documentation and provide example code

Summary of the new feature/enhancement

It would be really handy to be able to retrieve all the incidents that took place in a timeframe, and be able to pass through a date/time range.

Enhancement

Is there ETA for enabling Sentinel Connectors using PowerShell?

Active Directory Connectors
ATP Connectors
Office 365

Summary of the new feature/enhancement

New function which can be used to updated existing incidents, list of properties:

• update status
• close incident with argument
• add comment
• add owner

Please let me know which other properties need to be covered

Although I very much appreciate the creation/deletion of rules in Sentinel, Im also looking for ways to programmatically do the deployment of Sentinel. You have one such function, Set-AzSentinel, which is awesome. But Im missing functions for:

• enable the data connectors on machines. In the GUI: Home > Azure Sentinel workspaces > Azure Sentinel - Data connectors > $SomeConnectorName > Virtual Machines > $MachineName - click on connect
• configuring and enabling the data connectors. In the GUI: Home > Azure Sentinel workspaces > Azure Sentinel - Data connectors > $SomeConnectorName - click on 'Apply Changes', or in the case of for example the 'Security Events' connector also a configuration check box.

I understand if this is not on the top of you list. These steps in most cases are not done that often. But Im finding myself in a corner case where I need to deploy and completely rebuild entire resource groups for labs, including Sentinel, lots of times :)

Summary of the new feature/enhancement

After we create some AlertRules from Powershell using New-AzSentinelAlertRule
I would like to get all of them too without going to the portal.

And why not implenting Remove-AzSentinelAlertRule?

Proposed technical implementation details (optional)

I think most of the code is already there.

An example of all functions combined:
Get-AzOperationalInsightsWorkspace | Get-AzSentinelAlertRule | Remove-AzSentinelAlertRule
This would clear out all alert rules from all workspaces! 😈

Environment

Powershell 7.0, Az 3.8.0, Yaml 0.4.2

Steps to reproduce

Get-AzSentinelHuntingRule -WorkspaceName <workspace name>

Expected behavior

Based on the material, the expected behavior is to return the hunting rules configured

Actual behavior

It is returning me the list of queries under query explorer

Hi,
This behavior is hard to describe but it seems that logic apps that get configured via powershell do not get triggered correctly.

• If I configure a logic app via Gui, everything is fine and it will get triggered by alerts
• If I configure it using the playbookName paramter, it appears in Gui to be set correct (it is selected in the automation tab). But the playbook does not get triggered on alert. This behavior is reproducible when setting the logic app on a new alert, and while setting by updating an existing alert.

It is not sure to me if this is a consequence of configuring a playbook over API (and if the problem is at Microsoft side) or if this is an issue of the PS module

When adding multiple alertrules it would be nice to use multiple files in one line.

I think it is good practise to have alertrules together in one file about one subject.
The naming of the file describes the subject of alertrules defined in the file.
One customer could need less or more subjects and so alertrules.

To implement a certain amount of rules you could filter using where or wildcard with Get-ChildItem
You could pass the result to new-azanalytic

Example
gci mdm-*.json | new-analytic -subscription -resourcegroup -workspace

Currently there is no way (or at least I cannot find how) to add "Automated Response" to an alerting rule.
It would be nice if we could also specify a logic app in the analytics settingsfiles.

I tried to rename an alert by specifying "name" (the alert id) and displayName: the alert name. But I get an error when I change displayName to something else (Add-Member : Cannot add a member with the name "DisplayName" because a member with that name already exists. To overwrite the member anyway, add the Force parameter to your command.)

It then proceeds, but just creates a new instance of the new alert. The wanted behavior would be: rename the alert.

Very impressed so far and having great success with Import-AzSentinelAlertRule (JSON) except for

"severity": "Informational"

which imports without error but has a "High" severity on the portal that needs a manual change.

Trying to run a script>
Get-AzSentinelHuntingRule -SubscriptionId $Subscription -WorkspaceName $Workspace

But getting the error everytime : Unable to get hunting rules with error code: Cannot validate argument on parameter "Property". The argument is null or empty.

If WorkspaceName is the only required parameter why is it showing this error?

Expected behavior

To get a list with all open incidents.

To get all Incidnets from Sentinel

Actual behavior

ConvertFrom-Json: C:\Users\A002633\Documents\PowerShell\Modules\AzSentinel\0.6.2\AzSentinel.psm1:810
Line |
810 | ($incident.Content | ConvertFrom-Json).value | ForEac …
| ~~~~~~~~~~~~~~~~
| Cannot bind argument to parameter 'InputObject' because it is null.

This bug tracker is monitored by contributors and the community.

Please use this form and describe your issue, concisely but precisely, with as much detail as possible.
installed ps6 and azsentinel powershell from wotell github. set subscription id and workspace id

Environment

prod

PowerShell version (if applicable):
6

Steps to reproduce

Expected behavior

the rules should be imported to sentinel workspace

i have used the set-Azsentinel to ensure im in the correct azcontext

Actual behavior
input
PS C:\Users\XXXXX\Downloads\sentinel-attack\detections> Import-AzSentinelAlertRule -WorkspaceName "XXXXXXX" -SettingsFile "sentinel_attack_rules.json"
result

`Import-AzSentinelAlertRule : Unable to connect to APi to get Analytic rules with message: The gateway did not receive a response from 'Microsoft.SecurityInsights' within the specified time period.
At line:1 char:1
+ Import-AzSentinelAlertRule -WorkspaceName "XXXXXXXX" -SettingsFile  ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Import-AzSentinelAlertRule
`

i know this reeks of a permission issue but im stumped

Hi, Thanks for implementing this functionality.
I notice one issue though: when I specify -SubscriptionId, it does not seem to be taken into account correctly. The AlertRuleAction fails, but points to a different subscriptionId then specified with -SubscriptionId.

Unable to find LogicApp under Subscription Id:
This failure is not pointing to the Subscription Id I specified with -SubscriptionId

Summary of the new feature/enhancement

Enhancement / Question

Is there ETA for setting Alert Aggregation using New-AZSentinelAlertRule or Import-AzSentinelAlertRule?

We created a SP with Contributor rigths and Azure Sentinel Contributor rights.

When we use the SP to create alter rules of type Fusion or MicrosoftSecurityIncidentCreation or MLBehaviorAnalyticswe we get the following error:
Unable to invoke webrequest with error message: The client '' with object id '' does not have authorization to perform action 'Microsoft.SecurityInsights/alertRules/write' over scope '/subscriptions//resourceGroups//providers/Microsoft.OperationalInsights/workspaces//providers/Microsoft.SecurityInsights/alertRules/*************' or the scope is invalid. If access was recently granted, please refresh your credentials.
##[error]PowerShell exited with code '1'.

Do the SP need som additional roles or?

Hi, it would be convenient to have a -Force update flag in case a rule setting was changed. Current behavior asks for confirmation to the end user. However this limits the automation of using this module in CI pipelines.

Same comment for the other type of settings (e.g. hunting queries), a Force flag would be useful

Summary of the new feature/enhancement

It would be nice if the object(s) that returned from
New-AzOperationalInsightsWorkspace (speaking of long functionnames ;-) )
or
Get-AzOperationalInsightsWorkspace
could be used to provision Sentinel on it using Set-AzSentinel.

Proposed technical implementation details (optional)

Remove-AzSentinelAlertRule
I was thinking I could do the following Example, but instead I received errors, Maybe I am using it wrong.

I did see RuleName accepts pipeline input in the helpfiles and it says (ByValue).
Perhaps I am doing this wrong, I just expected it work like in my example.
I have seen a similar way of working in other modules.

Confirm works perfect, great choice of options.

I do think it always should prompt for deletion and -Force will ovveride this behaviour.

Originally posted by @MauRiEEZZZ in #9 (comment)

Summary of the new feature/enhancement

New-AzSentinelAlertRule at the moment only supports Scheduled rules, update New-AzSentinelAlertRule to include all the rule types available :

• Scheduled
• Fusion
• MicrosoftSecurityIncidentCreation
• MLBehaviorAnalytics

Proposed technical implementation details (optional)

Environment

> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Darwin 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Steps to reproduce

Attempt to disable a scheduled rule that is currently enabled.

Disable-AzSentinelAlertRule -Verbose -Debug -SubscriptionId XXX -WorkspaceName XXX -RuleName "(Preview) TI map Email entity to OfficeActivity"

Expected behavior

The rule gets disabled.

Actual behavior

The command produces errors when, I'm guessing, it tries to build the Scheduled Alert rule object:

<snip>
InvalidOperation: /x/powershell/Modules/AzSentinel/0.6.5/AzSentinel.psm1:644
Line |
 644 |                  $bodyAlertProp = [AlertProp]::new(
     |                                   ~~~~~~~~~~~
     | Unable to find type [AlertProp].

MethodException: /x/powershell/Modules/AzSentinel/0.6.5/AzSentinel.psm1:648
Line |
 648 |                  $body = [AlertRule]::new(
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find an overload for "new" and the argument count: "2".
<snip>
Disable-AzSentinelAlertRule: Response status code does not indicate success: 400 (Bad Request).

Environment

$PSVersionTable
Name                           Value
----                           -----
PSVersion                      7.0.0-rc.2
PSEdition                      Core
GitCommitId                    7.0.0-rc.2
OS                             Microsoft Windows 10.0.18363
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Get-Module AzSentinel

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     0.6.1                 AzSentinel                          {Get-AzSentinelAlertRule, Get-AzSentinelHuntingRule, Get-AzSentinelIncident, Import-AzSentinelAlertRule…}

Steps to reproduce

1. Get a singular analytic rule and store it as a PSCustomObject (Ex: $rule = Get-AzSentinelAlertRule -RuleName $ruleName)
2. Run New-AzSentinelAlertRule -Severity $rule.severity -Query $rule.query -QueryFrequency $rule.queryFrequency -QueryPeriod $rule.queryPeriod -TriggerOperator $rule.triggerOperator -TriggerThreshold $rule.triggerThreshold -SuppressionDuration $rule.suppressionDuration -SuppressionEnabled $rule.suppressionEnabled -DisplayName "Chris2" -Enabled $rule.enabled -Description "just copying stuff" -Tactics $rule.tactics

Expected behavior

Expect to have a similar rule created in Sentinel

Actual behavior

New-AzSentinelAlertRule: Unable to invoke webrequest with error message: The string 'PTPT5M' is not a valid TimeSpan value. ISO 8601 format is expected. Path 'Properties.QueryFrequency'

Summary of the new feature/enhancement

some idea for code optimization and cleanup :

• clean code, class contains unused code
• replace invoke-webrequest with invoke-restmethod

Currently it does not seem possible to use day notation in the timing fields.
As a result I have to use 24H, which Sentinel always converts to 1D. This is seen as a change whenever I synchronize rules.

Remove-AzSentinelAlertRule not working

Summary of the new feature/enhancement

import-alertrules and import-huntingrules function stops when one of the rules triggers a error, update the function to continue when a error is triggered.

feedback from Edoardo Gerosa

Steps to reproduce

It appears that it's failing on import because it's expecting a Description field. I added it to one of the json files and worked.

Expected behavior

It should accept null value

Actual behavior

Please upload this module to PowerShell Gallery, then this can be trivially used in Azure Functions.

Hi,

i tried to import the YAML files from the Sentinel Github using the Import-AzSentinel command, however this failed without any error messages.

https://github.com/Azure/Azure-Sentinel/tree/master/Detections - ideally i wanted to deploy quiet a few of these alert rules via YML files.

Summary of the new feature/enhancement

Add get function for incidents

The example to show all the rules:
Get-AzSentinelAlertRule -WorkspaceName "" -RuleName "",""

Throws an error stating there needs to be a value for WorkspaceName. Even with filling in the WorkspaceName, an error is thrown stating that RuleName cannot be null, empty, or has an element of the argument collection that is null

We need a cmdlet to allow us to deploy query Parsers. At the moment we save these parsers under query explorer and we save it as a function. It will be ideal if we can automate the deployments.

It appears when running Get-AzSentinelIncident, it only returns the last 200 results, whether they are open or closed. We were not able to find a limit in the AzSentinel.psm1 code for the function.

It would be nice to increase or set a time frame in the script an increase results past 200 returned cases.

I have tested new parameters for -createincident -groupingconfigurationenabled -entitiesmappingmethod .... under the New-AzsentinelAlertRule

They all work when creating a new rule however they dont appear to work when updating the rules. Example after I created the rule and set the -createincident to True, and then I update it to False. This doesnt update the alert rule in Sentinel.