New-AzSentinelHuntingRule
Create an Azure Sentinel hunting rule
New-AzSentinelHuntingRule [-SubscriptionId <String>] -WorkspaceName <String> -DisplayName <String>
-Query <String> -Description <String> -Tactics <Tactics[]> [-WhatIf] [-Confirm] [<CommonParameters>]
Use this function to create an Azure Sentinel hunting rule.
New-AzSentinelHuntingRule -WorkspaceName "" -DisplayName "" -Description "" -Tactics "","" -Query ''
In this example you create a new hunting rule by defining the rule properties directly on the cmdlet.
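A fuller worked example, added here and not part of the module's own documentation: it builds a constructed KQL hunting query, attaches two tactics, previews the call with -WhatIf, and then creates the rule. It assumes the AzSentinel module is installed and an Az context already exists; the workspace name and subscription ID are placeholders.

```powershell
# Added example (not from the AzSentinel module docs).
# Assumes Connect-AzAccount has already been run; values below are placeholders.
Import-Module AzSentinel

$workspace    = 'contoso-sentinel-ws'                    # placeholder workspace name
$subscription = '00000000-0000-0000-0000-000000000000'   # placeholder subscription ID

# Constructed KQL: successful sign-ins for one account from more than one
# country within the same hour, a common starting point for credential-misuse hunts.
$query = @'
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| extend Country = tostring(LocationDetails.countryOrRegion)
| summarize Countries = make_set(Country), CountryCount = dcount(Country)
    by UserPrincipalName, bin(TimeGenerated, 1h)
| where CountryCount > 1
'@

# Splat the parameters so the same set is reused for the dry run and the real call.
$params = @{
    SubscriptionId = $subscription
    WorkspaceName  = $workspace
    DisplayName    = 'Successful sign-ins from multiple countries within one hour'
    Description    = 'Hunts for accounts with successful sign-ins from more than one country in a one-hour window.'
    Tactics        = 'InitialAccess', 'CredentialAccess'   # must be values from the Tactics list
    Query          = $query
}

# Dry run: -WhatIf reports what would be created without calling the API.
New-AzSentinelHuntingRule @params -WhatIf

# Create the hunting rule.
New-AzSentinelHuntingRule @params
```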
-SubscriptionId
Enter the subscription ID. If no subscription ID is provided, the subscription of the current Az context is used.
Type: String
Parameter Sets: (All)
Aliases:
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-WorkspaceName
Enter the workspace name
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DisplayName
Enter the display name for the hunting rule
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Query
Enter the query in KQL format
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Description
Enter the description for the hunting rule
Type: String
Parameter Sets: (All)
Aliases:
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Tactics
Enter the tactics; valid values: "InitialAccess", "Persistence", "Execution", "PrivilegeEscalation", "DefenseEvasion", "CredentialAccess", "LateralMovement", "Discovery", "Collection", "Exfiltration", "CommandAndControl", "Impact"
Type: Tactics[]
Parameter Sets: (All)
Aliases:
Accepted values: InitialAccess, Persistence, Execution, PrivilegeEscalation, DefenseEvasion, CredentialAccess, LateralMovement, Discovery, Collection, Exfiltration, CommandAndControl, Impact
Required: True
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: wi
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Parameter Sets: (All)
Aliases: cf
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.