Update-AzSentinelAlertRule Can't Take More than One GroupByEntity Value Though the API Supports More Than One #22318
Comments
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @nazang.

Issue Details

Description

I cannot pass more than one GroupByEntity value to Update-AzSentinelAlertRule in the module Az.SecurityInsights. The module documentation does indicate that only a single value of EntityMappingType can be passed, and not an array. However, this seems to me to be unexpected behavior because the API definition indicates that you can pass an array of strings to the GroupByEntities property. This just doesn't seem to have been translated adequately into the module. I also verified that the Update command does replace all group by entities where more than one was configured before, and that it does not add another one as one would expect.

The impact of this is that the module will not be usable, as most analytic rules have more than one entity and therefore this cmdlet needs to be able to pass more than one group by entity to it. I will have to attempt my own API call using Invoke-RestMethod or something similar. Thanks for your review!

Issue script & Debug output

PS C:\Users\JacobReinhardt> $DebugPreference = 'Continue'
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]$TestEntityMappingTypeHost = "Host"
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]$TestEntityMappingTypeIP = "IP"
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]$TestEntityMappingTypeAccount = "Account"
PS C:\Users\JacobReinhardt> [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]]$TestEntityMappingTypeArray = $TestEntityMappingTypeAccount,$TestEntityMappingTypeHost,$TestEntityMappingTypeIP
PS C:\Users\JacobReinhardt> Update-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -ruleid $RuleId -GroupByEntity $TestEntityMappingTypeArray -Scheduled
DEBUG: 10:54:23 AM - GetAzureRMContextCommand end processing.
DEBUG: 10:54:23 AM - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
GET
Absolute Uri:
https://management.azure.com/subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
Headers:
x-ms-unique-id : 33
x-ms-client-request-id : 4220bc91-ce6f-41eb-b795-10f81099fce5
CommandName : Az.SecurityInsights\Get-AzSentinelAlertRule
FullCommandName : Get-AzSentinelAlertRule_Get
ParameterSetName : __AllParameterSets
User-Agent : AzurePowershell/v10.0.0,PSVersion/v7.3.5,Az.SecurityInsights/3.0.0
Body:
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
OK
Headers:
Cache-Control : no-cache
Pragma : no-cache
Server : Kestrel
x-ms-ratelimit-remaining-subscription-reads: 11998
x-ms-request-id : e1035bc2-cde8-41ed-bab3-fb7c8acc650f
x-ms-correlation-request-id : e1035bc2-cde8-41ed-bab3-fb7c8acc650f
x-ms-routing-request-id : CANADACENTRAL:20230713T145422Z:e1035bc2-cde8-41ed-bab3-fb7c8acc650f
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 13 Jul 2023 14:54:21 GMT
Body:
{
"id": "/subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx",
"name": "xxxxxxxxxx",
"etag": "\"xxxxxxxxxx\"",
"type": "Microsoft.SecurityInsights/alertRules",
"kind": "Scheduled",
"properties": {
"incidentConfiguration": {
"createIncident": false,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "xxxx",
"matchingMethod": "AllEntities",
"groupByEntities": [
"Host"
],
"groupByAlertDetails": null,
"groupByCustomDetails": null
}
},
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
],
"queryFrequency": "P1D",
"queryPeriod": "P8D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"severity": "Medium",
"query": "xxxxxxxxxx",
"suppressionDuration": "xxxx",
"suppressionEnabled": false,
"tactics": [
"LateralMovement"
],
"displayName": "RDP Nesting",
"enabled": true,
"description": "xxxxxx",
"alertRuleTemplateName": "xxxxxxxxxx",
"lastModifiedUtc": "2023-07-13T13:48:10.2798364Z"
}
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: BodyContentSet:
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com/subscriptions/xxxxxxxxxx/resourceGroups/xxxxxxxxxx/providers/Microsoft.OperationalInsights/workspaces/xxxxxxxxxx/providers/Microsoft.SecurityInsights/alertRules/xxxxxxxxxx?api-version=2021-09-01-preview
Headers:
x-ms-unique-id : 34
x-ms-client-request-id : 6822c83a-f7b0-4b4a-abad-0c3e73db557d
CommandName : Az.SecurityInsights.internal\Update-AzSentinelAlertRule
FullCommandName : Update-AzSentinelAlertRule_Update
ParameterSetName : __AllParameterSets
User-Agent : AzurePowershell/v10.0.0,PSVersion/v7.3.5,Az.SecurityInsights/3.0.0
Body:
{
"etag": "\"xxxxxxxxxx\"",
"kind": "Scheduled",
"properties": {
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"queryFrequency": "xxxxxxxxxx",
"queryPeriod": "xxxxxxxxxx",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"incidentConfiguration": {
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "xxxxxxxxxx",
"matchingMethod": "AllEntities",
"groupByEntities": [
"Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]"
]
},
"createIncident": false
},
"alertRuleTemplateName": "xxxxxxxxxx",
"description": "xxxxxxxxxx",
"query": "s",
"displayName": "RDP Nesting",
"enabled": true,
"suppressionDuration": "xxxxxx=",
"suppressionEnabled": false,
"severity": "Medium",
"tactics": [
"LateralMovement"
],
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "Host",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "HostCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
]
}
}
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
BadRequest
Headers:
Cache-Control : no-cache
Pragma : no-cache
Server : Kestrel
x-ms-ratelimit-remaining-subscription-writes: 1198
x-ms-request-id : 51771963-1758-406a-88a5-6533ceddc96c
x-ms-correlation-request-id : 51771963-1758-406a-88a5-6533ceddc96c
x-ms-routing-request-id : CANADACENTRAL:20230713T145423Z:51771963-1758-406a-88a5-6533ceddc96c
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Thu, 13 Jul 2023 14:54:22 GMT
Body:
{
"error": {
"code": "BadRequest",
"message": "Field 'groupByEntities[0]' contains an invalid value 'Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]'."
}
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
Update-AzSentinelAlertRule_Update: C:\Users\JacobReinhardt\OneDrive - ProArch\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.0\custom\Update-AzSentinelAlertRule.ps1:826
Line |
826 | Az.SecurityInsights.internal\Update-AzSentinelAlertRule @ …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Field 'groupByEntities[0]' contains an invalid value
| 'Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]'.
DEBUG: [Finally]: Getting exception 'Microsoft.Azure.Commands.Common.Exceptions.AzPSCloudException: InternalException' from response
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent: Module: Az.SecurityInsights:3.0.0; CommandName: Update-AzSentinelAlertRule; PSVersion: 7.3.5; IsSuccess: False; Duration: 00:00:00.5097301; Exception: InternalException;

Environment data

Name Value
---- -----
PSVersion 7.3.5
PSEdition Core
GitCommitId 7.3.5
OS Microsoft Windows 10.0.22621
Platform Win32NT
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0

Module versions

ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 2.12.3 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzConte…
Script 3.0.0 Az.SecurityInsights {Get-AzSentinelAlertRule, Get-AzSentinelAlertRule…

Error output

DEBUG: 10:55:12 AM - ResolveError begin processing with ParameterSet 'LastErrorParameterSet'.
DEBUG: 10:55:12 AM - using account id 'xxxxxxxxxx@xxxxxxxxxx.yyyy'...
DEBUG: 10:55:12 AM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
WARNING: Upcoming breaking changes in the cmdlet 'Resolve-AzError' :
The `Resolve-Error` alias will be removed in a future release. Please change any scripts that use this alias to use `Resolve-AzError` instead.
Note : Go to https://aka.ms/azps-changewarnings for steps to suppress this breaking change warning, and other information on breaking changes in Azure PowerShell.
HistoryId: 92
Message : [BadRequest] : Field 'groupByEntities[0]' contains an invalid value
'Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]'.
StackTrace :
Exception : System.Exception
InvocationInfo : {Update-AzSentinelAlertRule_Update}
Line : Az.SecurityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
Position : At C:\Users\JacobReinhardt\OneDrive - ProArch\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.0\custom\Update-AzSentinelAlertRule.ps1:826 char:13
+ Az.SecurityInsights.internal\Update-AzSentinelAlertRule @ …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
HistoryId : 92
DEBUG: 10:55:12 AM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: AzureQoSEvent: Module: Az.Accounts:2.12.3; CommandName: Resolve-AzError; PSVersion: 7.3.5; IsSuccess: True; Duration: 00:00:00.0122799
DEBUG: 10:55:12 AM - [ConfigManager] Got nothing from [EnableDataCollection], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 10:55:12 AM - ResolveError end processing.
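The debug output above shows what actually went wrong: the cmdlet serialized the `EntityMappingType[]` array into its type name, so the PUT body carried `"groupByEntities": ["Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType[]"]` and the service rejected it with BadRequest. The reporter mentions falling back to a direct REST call; the function below is an added example of that workaround, written for this page and not taken from the issue or from the Az.SecurityInsights module. It uses `Invoke-AzRestMethod` from Az.Accounts, which reuses the current Az login, and follows the same GET-then-PUT sequence the cmdlet performs, but sends `groupByEntities` as a real JSON array of strings. The resource path and `api-version` are the ones visible in the debug output; the function name, parameter names and the `-Merge` switch are assumptions for illustration.

```powershell
# Added example (not from the issue or the Az.SecurityInsights module).
# Sets several groupByEntities on a Scheduled analytics rule via the REST API.
# Assumes an authenticated Az session (Connect-AzAccount) and Az.Accounts 2.x.
# Function/parameter names are hypothetical; the path and api-version come
# from the debug output in the issue.
function Set-SentinelGroupByEntities {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]   $SubscriptionId,
        [Parameter(Mandatory)] [string]   $ResourceGroupName,
        [Parameter(Mandatory)] [string]   $WorkspaceName,
        [Parameter(Mandatory)] [string]   $RuleId,
        [Parameter(Mandatory)] [string[]] $GroupByEntity,   # e.g. 'Account','Host','IP'
        [switch] $Merge   # add to the existing list instead of replacing it
    )

    $apiVersion = '2021-09-01-preview'
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
            "/providers/Microsoft.SecurityInsights/alertRules/$RuleId" +
            "?api-version=$apiVersion"

    # 1. GET the current rule so the PUT carries the whole resource (PUT is a
    #    full replace) together with the etag the service handed out.
    $get = Invoke-AzRestMethod -Method GET -Path $path
    if ($get.StatusCode -ne 200) {
        throw "GET failed: $($get.StatusCode) $($get.Content)"
    }
    $rule = $get.Content | ConvertFrom-Json -Depth 20
    if ($rule.kind -ne 'Scheduled') {
        throw "Rule '$RuleId' is kind '$($rule.kind)'; this example only handles Scheduled rules."
    }
    $grouping = $rule.properties.incidentConfiguration.groupingConfiguration
    if (-not $grouping) {
        throw "Rule '$RuleId' has no incidentConfiguration.groupingConfiguration to update."
    }

    # 2. Only accept entity types the rule actually maps; grouping on an
    #    entity the query never produces can never match.
    $mapped  = @($rule.properties.entityMappings | ForEach-Object entityType)
    $unknown = @($GroupByEntity | Where-Object { $_ -notin $mapped })
    if ($unknown.Count -gt 0) {
        throw ("Entity type(s) not mapped on this rule: {0}. Mapped: {1}" -f
               ($unknown -join ', '), ($mapped -join ', '))
    }

    # 3. Build the new list as a plain string array (no enum types), either
    #    replacing or merging with what is already configured.
    $current = @($grouping.groupByEntities)
    $new = if ($Merge) { @(($current + $GroupByEntity) | Select-Object -Unique) }
           else        { @($GroupByEntity | Select-Object -Unique) }
    $grouping.groupByEntities = [string[]]$new

    # 4. PUT the full resource back. The top-level "etag" from the GET is sent
    #    back unchanged, which is how the cmdlet's own PUT body carries it.
    $body = $rule | ConvertTo-Json -Depth 20
    if ($PSCmdlet.ShouldProcess($RuleId, "Set groupByEntities to [$($new -join ', ')]")) {
        $put = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
        if ($put.StatusCode -notin 200, 201) {
            throw "PUT failed: $($put.StatusCode) $($put.Content)"
        }
        # Return what the service stored so the caller can verify the result.
        ($put.Content | ConvertFrom-Json -Depth 20).
            properties.incidentConfiguration.groupingConfiguration.groupByEntities
    }
}

# Usage (hypothetical values; -WhatIf prints the intended change without sending the PUT):
# Set-SentinelGroupByEntities -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName `
#     -WorkspaceName $WorkspaceName -RuleId $RuleId -GroupByEntity 'Account','Host','IP' -WhatIf
```

Two points worth keeping in mind when using this. The PUT replaces the whole rule, so editing the object returned by the GET rather than building a body from scratch is what keeps fields such as `entityMappings`, `tactics` and `alertRuleTemplateName` intact; and because the reporter observed that the cmdlet replaces rather than appends the grouping list, the `-Merge` switch makes the append behavior explicit instead of relying on it.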