Update-AzSentinelAlertRule Can't Take More than One GroupByEntity Value Though the API Supports More Than One #22318

Open
jreinhardtproarch opened this issue Jul 13, 2023 · 1 comment
Labels
bug This issue requires a change to an existing behavior in the product in order to be resolved. customer-reported SecurityInsights Sentinel Service Attention This issue is responsible by Azure service team.

Comments

@jreinhardtproarch

Description

I cannot pass more than one GroupByEntity value to Update-AzSentinelAlertRule in the module Az.SecurityInsights. The module documentation does indicate that only a single value of EntityMappingType can be passed, and not an array. However, this seems to me to be unexpected behavior, because the API definition indicates that you can pass an array of strings to the GroupByEntities property. This just doesn't seem to have been translated adequately into the module. I also verified that the Update command does replace all group-by entities where more than one was configured before, and that it does not add another one as one would expect.

The impact of this is that the module will not be usable, as most analytic rules have more than one entity, and therefore this cmdlet needs to be able to pass more than one group-by entity. I will have to attempt my own API call using Invoke-RestMethod or something similar. Thanks for your review!

Issue script & Debug output

PS C:\Users\JacobReinhardt> $DebugPreference = 'Continue'
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]$TestEntityMappingTypeHost = "Host"
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]$TestEntityMappingTypeIP = "IP"
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]$TestEntityMappingTypeAccount = "Account"
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]]$TestEntityMappingTypeArray =  $TestEntityMappingTypeAccount,$TestEntityMappingTypeHost,$TestEntityMappingTypeIP
PS C:\Users\JacobReinhardt> Update-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -ruleid $RuleId -GroupByEntity $TestEntityMappingTypeArray -Scheduled
DEBUG: 10:54:23 AM - GetAzureRMContextCommand end processing.
DEBUG: 10:54:23 AM - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview

Headers:
x-ms-unique-id                : 33
x-ms-client-request-id        : 4220bc91-ce6f-41eb-b795-10f81099fce5
CommandName                   : Az.SecurityInsights\Get-AzSentinelAlertRule
FullCommandName               : Get-AzSentinelAlertRule_Get
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v10.0.0,PSVersion/v7.3.5,Az.SecurityInsights/3.0.0

Body:



DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-reads: 11998
x-ms-request-id               : e1035bc2-cde8-41ed-bab3-fb7c8acc650f
x-ms-correlation-request-id   : e1035bc2-cde8-41ed-bab3-fb7c8acc650f
x-ms-routing-request-id       : CANADACENTRAL:20230713T145422Z:e1035bc2-cde8-41ed-bab3-fb7c8acc650f
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 13 Jul 2023 14:54:21 GMT

Body:
{
  "id": "/subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx",
  "name": "xxxxxxxxxx",
  "etag": "\"xxxxxxxxxx\"",
  "type": "Microsoft.SecurityInsights/alertRules",
  "kind": "Scheduled",
  "properties": {
    "incidentConfiguration": {
      "createIncident": false,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "xxxx",
        "matchingMethod": "AllEntities",
        "groupByEntities": [
          "Host"
        ],
        "groupByAlertDetails": null,
        "groupByCustomDetails": null
      }
    },
    "entityMappings": [
      {
        "entityType": "Account",
        "fieldMappings": [
          {
            "identifier": "FullName",
            "columnName": "AccountCustomEntity"
          }
        ]
      },
      {
        "entityType": "Host",
        "fieldMappings": [
          {
            "identifier": "FullName",
            "columnName": "HostCustomEntity"
          }
        ]
      },
      {
        "entityType": "IP",
        "fieldMappings": [
          {
            "identifier": "Address",
            "columnName": "IPCustomEntity"
          }
        ]
      }
    ],
    "queryFrequency": "P1D",
    "queryPeriod": "P8D",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "eventGroupingSettings": {
      "aggregationKind": "SingleAlert"
    },
    "severity": "Medium",
    "query": "xxxxxxxxxx",
    "suppressionDuration": "xxxx",
    "suppressionEnabled": false,
    "tactics": [
      "LateralMovement"
    ],
    "displayName": "RDP Nesting",
    "enabled": true,
    "description": "xxxxxx",
    "alertRuleTemplateName": "xxxxxxxxxx",
    "lastModifiedUtc": "2023-07-13T13:48:10.2798364Z"
  }
}


DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: BodyContentSet:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview

Headers:
x-ms-unique-id                : 34
x-ms-client-request-id        : 6822c83a-f7b0-4b4a-abad-0c3e73db557d
CommandName                   : Az.SecurityInsights.internal\Update-AzSentinelAlertRule
FullCommandName               : Update-AzSentinelAlertRule_Update
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v10.0.0,PSVersion/v7.3.5,Az.SecurityInsights/3.0.0

Body:
{
  "etag": "\"xxxxxxxxxx\"",
  "kind": "Scheduled",
  "properties": {
    "eventGroupingSettings": {
      "aggregationKind": "SingleAlert"
    },
    "queryFrequency": "xxxxxxxxxx",
    "queryPeriod": "xxxxxxxxxx",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "incidentConfiguration": {
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "xxxxxxxxxx",
        "matchingMethod": "AllEntities",
        "groupByEntities": [
          "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]"
        ]
      },
      "createIncident": false
    },
    "alertRuleTemplateName": "xxxxxxxxxx",
    "description": "xxxxxxxxxx",
    "query": "s",
    "displayName": "RDP Nesting",
    "enabled": true,
    "suppressionDuration": "xxxxxx=",
    "suppressionEnabled": false,
    "severity": "Medium",
    "tactics": [
      "LateralMovement"
    ],
    "entityMappings": [
      {
        "entityType": "Account",
        "fieldMappings": [
          {
            "identifier": "FullName",
            "columnName": "AccountCustomEntity"
          }
        ]
      },
      {
        "entityType": "Host",
        "fieldMappings": [
          {
            "identifier": "FullName",
            "columnName": "HostCustomEntity"
          }
        ]
      },
      {
        "entityType": "IP",
        "fieldMappings": [
          {
            "identifier": "Address",
            "columnName": "IPCustomEntity"
          }
        ]
      }
    ]
  }
}


DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-writes: 1198
x-ms-request-id               : 51771963-1758-406a-88a5-6533ceddc96c
x-ms-correlation-request-id   : 51771963-1758-406a-88a5-6533ceddc96c
x-ms-routing-request-id       : CANADACENTRAL:20230713T145423Z:51771963-1758-406a-88a5-6533ceddc96c
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Thu, 13 Jul 2023 14:54:22 GMT

Body:
{
  "error": {
    "code": "BadRequest",
    "message": "Field 'groupByEntities[0]' contains an invalid value 'Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]'."
  }
}


DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
Update-AzSentinelAlertRule_Update: C:\Users\JacobReinhardt\OneDrive - ProArch\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.0\custom\Update-AzSentinelAlertRule.ps1:826
Line |
 826 |              Az.SecurityInsights.internal\Update-AzSentinelAlertRule @ …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Field 'groupByEntities[0]' contains an invalid value
     | 'Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]'.
DEBUG: [Finally]: Getting exception 'Microsoft.Azure.Commands.Common.Exceptions.AzPSCloudException: InternalException' from response
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent:  Module: Az.SecurityInsights:3.0.0; CommandName: Update-AzSentinelAlertRule; PSVersion: 7.3.5; IsSuccess: False; Duration: 00:00:00.5097301; Exception: InternalException;

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.5
PSEdition                      Core
GitCommitId                    7.3.5
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.12.3                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script     3.0.0                 Az.SecurityInsights                 {Get-AzSentinelAlertRule, Get-AzSentinelAlertRule

Error output

DEBUG: 10:55:12 AM - ResolveError begin processing with ParameterSet 'LastErrorParameterSet'.
DEBUG: 10:55:12 AM - using account id 'xxxxxxxxxx@xxxxxxxxxx.yyyy'...
DEBUG: 10:55:12 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release.  Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.

   HistoryId: 92

Message        : [BadRequest] : Field 'groupByEntities[0]' contains an invalid value
                 'Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]'.
StackTrace     :
Exception      : System.Exception
InvocationInfo : {Update-AzSentinelAlertRule_Update}
Line           :             Az.SecurityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters

Position       : At C:\Users\JacobReinhardt\OneDrive - ProArch\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.0\c
                 ustom\Update-AzSentinelAlertRule.ps1:826 char:13
                 +             Az.SecurityInsights.internal\Update-AzSentinelAlertRule @ …
                 +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId      : 92



DEBUG: 10:55:12 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent:  Module: Az.Accounts:2.12.3; CommandName: Resolve-AzError; PSVersion: 7.3.5; IsSuccess: True; Duration: 00:00:00.0122799
DEBUG: 10:55:12 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:55:12 AM - ResolveError end processing.
@jreinhardtproarch jreinhardtproarch added bug This issue requires a change to an existing behavior in the product in order to be resolved. needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jul 13, 2023
@ghost ghost added customer-reported and removed needs-triage This is a new issue that needs to be triaged to the appropriate team. labels Jul 13, 2023
@isra-fel isra-fel added Service Attention This issue is responsible by Azure service team. SecurityInsights Sentinel labels Jul 16, 2023
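Added example (not part of the issue, the reporter's code, or the Az.SecurityInsights module): the direct REST call the report says it will fall back to, written with Invoke-AzRestMethod from Az.Accounts rather than Invoke-RestMethod so the existing Connect-AzAccount session supplies the token. It reads the rule, replaces groupByEntities with the full list, echoes the etag back in the body the way the cmdlet's own PUT above does so that a concurrent edit is rejected instead of silently overwritten, and then re-reads the rule to confirm what the service actually stored, since PUT replaces the grouping list rather than appending to it. The function name, the parameter names, and the pre-flight check that every group-by entity has a matching entityMappings entry are assumptions of this example; the resource path and api-version are copied from the debug output above. That the service accepts the etag in the body rather than only in an If-Match header is taken from the cmdlet's own request above, not from API documentation.

```powershell
# Added example, not the module's or the reporter's code. Assumes Az.Accounts is
# loaded, Connect-AzAccount has been run, and the caller can write alert rules.
function Set-SentinelGroupByEntities {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SubscriptionId,
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string]   $WorkspaceName,
        [Parameter(Mandatory)] [string]   $RuleId,
        # Plain strings such as 'Account','Host','IP'. The API validates the names
        # server-side (that validation is what produced the 400 in this report),
        # so no ValidateSet is hard-coded here.
        [Parameter(Mandatory)] [string[]] $GroupByEntities,
        [switch] $EnableGrouping
    )

    # Same path and api-version the cmdlet used in the debug output.
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
            "/providers/Microsoft.SecurityInsights/alertRules/$RuleId" +
            "?api-version=2021-09-01-preview"

    # 1. Read the current rule: PUT replaces the whole resource, so the request
    #    must carry everything (query, entityMappings, tactics...) we want to keep.
    $get = Invoke-AzRestMethod -Path $path -Method GET
    if ($get.StatusCode -ne 200) { throw "GET failed ($($get.StatusCode)): $($get.Content)" }
    $rule = $get.Content | ConvertFrom-Json -Depth 20

    $grouping = $rule.properties.incidentConfiguration.groupingConfiguration
    if (-not $grouping) { throw "Rule '$RuleId' has no incidentConfiguration.groupingConfiguration to update." }

    # 2. Grouping can only ever match on entities the rule actually maps; refuse
    #    a list that names an entity type with no entityMappings entry.
    $mapped   = @($rule.properties.entityMappings | ForEach-Object entityType)
    $unmapped = @($GroupByEntities | Where-Object { $_ -notin $mapped })
    if ($unmapped.Count) { throw "Rule '$RuleId' has no entity mapping for: $($unmapped -join ', ')" }

    # 3. Replace the list (the service replaces rather than appends, as the report notes).
    $grouping.groupByEntities = @($GroupByEntities)
    if ($EnableGrouping) { $grouping.enabled = $true }

    # 4. Send back etag + kind + properties, mirroring the cmdlet's PUT body above.
    #    lastModifiedUtc is read-only and is dropped before sending.
    $rule.properties.PSObject.Properties.Remove('lastModifiedUtc')
    $payload = [ordered]@{
        etag       = $rule.etag
        kind       = $rule.kind
        properties = $rule.properties
    } | ConvertTo-Json -Depth 20

    if (-not $PSCmdlet.ShouldProcess($RuleId, "PUT groupByEntities = [$($GroupByEntities -join ',')]")) { return }

    $put = Invoke-AzRestMethod -Path $path -Method PUT -Payload $payload
    if ($put.StatusCode -notin 200, 201) { throw "PUT failed ($($put.StatusCode)): $($put.Content)" }

    # 5. Verify against what the service stored, not against what was sent.
    $after = (Invoke-AzRestMethod -Path $path -Method GET).Content | ConvertFrom-Json -Depth 20
    $stored = @($after.properties.incidentConfiguration.groupingConfiguration.groupByEntities)
    if (Compare-Object $stored $GroupByEntities) {
        throw "Verification failed: service now has [$($stored -join ',')], expected [$($GroupByEntities -join ',')]"
    }
    return $stored
}

# Usage (constructed values): run with -WhatIf first to see the intended change
# without writing anything.
# Set-SentinelGroupByEntities -SubscriptionId $sub -ResourceGroupName $rg `
#     -WorkspaceName $ws -RuleId $ruleId -GroupByEntities Account, Host, IP -WhatIf
```

Two points worth keeping from this: the GET/modify/PUT round trip is what the cmdlet itself performs (the first GET in the debug output above is Get-AzSentinelAlertRule), so a hand-rolled call should preserve the same etag discipline, and the identity running it only needs write access to Microsoft.SecurityInsights/alertRules at workspace scope (Microsoft Sentinel Contributor is sufficient), not broader subscription rights. If the service rejects a value, the thrown PUT error carries the same "Field 'groupByEntities[0]' contains an invalid value" message shown in the report, which is the quickest way to tell a bad entity name from a module bug.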
@ghost

ghost commented Jul 16, 2023

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @nazang.
