| { | |
| "Scheduled": [ | |
| { | |
| "displayName": "AlertRule01", | |
| "description": "", | |
| "severity": "Medium", | |
| "enabled": true, | |
| "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"", | |
| "queryFrequency": "5H", | |
| "queryPeriod": "6H", | |
| "triggerOperator": "GreaterThan", | |
| "triggerThreshold": 5, | |
| "suppressionDuration": "6H", | |
| "suppressionEnabled": false, | |
| "tactics": [ | |
| "Persistence", | |
| "LateralMovement", | |
| "Collection" | |
| ], | |
| "playbookName": "Playbook01", | |
| "aggregationKind": "SingleAlert", | |
| "createIncident": true, | |
| "groupingConfiguration": { | |
| "enabled": false, | |
| "reopenClosedIncident": false, | |
| "lookbackDuration": "PT5H", | |
| "entitiesMatchingMethod": "All", | |
| "groupByEntities": [ | |
| "Account", | |
| "Ip", | |
| "Host", | |
| "Url" | |
| ] | |
| } | |
| }, | |
| { | |
| "displayName": "AlertRule02", | |
| "description": "", | |
| "severity": "Medium", | |
| "enabled": true, | |
| "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"", | |
| "queryFrequency": "5H", | |
| "queryPeriod": "6H", | |
| "triggerOperator": "GreaterThan", | |
| "triggerThreshold": 5, | |
| "suppressionDuration": "6H", | |
| "suppressionEnabled": false, | |
| "tactics": [ | |
| "Persistence", | |
| "LateralMovement", | |
| "Collection" | |
| ], | |
| "playbookName": "Playbook01" | |
| } | |
| ], | |
| "Fusion": [ | |
| { | |
| "displayName": "Advanced Multistage Attack Detection", | |
| "enabled": true, | |
| "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8" | |
| } | |
| ], | |
| "MLBehaviorAnalytics": [ | |
| { | |
| "displayName": "(Preview) Anomalous SSH Login Detection", | |
| "enabled": true, | |
| "alertRuleTemplateName": "fa118b98-de46-4e94-87f9-8e6d5060b60b" | |
| } | |
| ], | |
| "MicrosoftSecurityIncidentCreation": [ | |
| { | |
| "displayName": "Create incidents based on Azure Active Directory Identity Protection alerts", | |
| "description": "Create incidents based on all alerts generated in Azure Active Directory Identity Protection", | |
| "enabled": true, | |
| "productFilter": "Microsoft Cloud App Security", | |
| "severitiesFilter": [ | |
| "High", | |
| "Medium", | |
| "Low" | |
| ], | |
| "displayNamesFilter": null | |
| } | |
| ] | |
| } |
Get Azure Sentinel Alert Rules Templates
Get-AzSentinelAlertRuleTemplates [-SubscriptionId <String>] -WorkspaceName <String> [-Kind <Kind[]>]
[<CommonParameters>]
With this function you can get the configuration of the Azure Sentinel Alert Rules Templates from Azure Sentinel
Get-AzSentinelAlertRuleTemplates -WorkspaceName ""
In this example you can get Sentinel alert rules templates in once
Get-AzSentinelAlertRuleTemplates -WorkspaceName "" -Kind Fusion, MicrosoftSecurityIncidentCreation
Filter on the Kind
New-AzSentinelAlertRule -WorkspaceName "" -DisplayName "" -Description "" -Severity -Enabled $true -Query '' -QueryFrequency "" -QueryPeriod "" -TriggerOperator -TriggerThreshold -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("","") -PlaybookName ""
Example on how to create a scheduled rule
New-AzSentinelAlertRule -WorkspaceName "" -Kind Fusion -DisplayName "Advanced Multistage Attack Detection" -Enabled $true -AlertRuleTemplateName "f71aba3d-28fb-450b-b192-4e76a83015c8"
Example on how to create a Fusion rule
New-AzSentinelAlertRule -WorkspaceName "" -Kind MLBehaviorAnalytics -DisplayName "(Preview) Anomalous SSH Login Detection" -Enabled $true -AlertRuleTemplateName "fa118b98-de46-4e94-87f9-8e6d5060b60b"
Example on how to create a MLBehaviorAnalytics rule
New-AzSentinelAlertRule -WorkspaceName "" -Kind MicrosoftSecurityIncidentCreation -DisplayName "" -Description "" -Enabled $true -ProductFilter "" -SeveritiesFilter "","" -DisplayNamesFilter ""
Example on how to create a MicrosoftSecurityIncidentCreation rule
| { | |
| "Scheduled": [ | |
| ], | |
| "Fusion": [ | |
| ], | |
| "MLBehaviorAnalytics": [ | |
| ], | |
| "MicrosoftSecurityIncidentCreation": [ | |
| ] | |
| } |