Azure / azure-powershell

Microsoft Azure PowerShell

Security insights module New-AzSentinelAlertRule EntityMapping Parameter wrong Type #21217

Open hiba-farhat opened 1 year ago

hiba-farhat commented 1 year ago

Description

I'm working on deploying analytic rules using PowerShell. I have more than one entity type in some rules and more than one field mapping in others. The problem is that it accepts only HashTables with one Type and one Field mapping.

Issue script & Debug output

EntityMapping    = @(
            @{
                EntityType   = "Account"
                FieldMapping = @(
                    @{
                        Identifier = "FullName"
                        ColumnName = "AccountDisplayName"
                    },
                    @{
                        Identifier = "AadUserId"
                        ColumnName = "AccountObjectId"
                    }
                )
            }
        )

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.22000.1335
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.22000.1335
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Module versions

Script     3.0.1      Az.SecurityInsights                 {Get-AzSentinelAlertRule, Get-AzSentinelAlertRuleAction, Get-AzSentinelAlertRuleTemplate, Get-AzSentinelAutomationRule...}

Error output

Message        : An error occurred while creating the Azure Sentinel alert rule: Cannot process argument
                 transformation on parameter 'EntityMapping'. Cannot convert the "System.Object[]" value of type
                 "System.Object[]" to type
                 "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping".
StackTrace     :
Exception      : Microsoft.PowerShell.Commands.WriteErrorException
InvocationInfo : {rules.ps1}
Line           : .\rules.ps1
Position       : At line:1 char:1
                 + .\rules.ps1
                 + ~~~~~~~~~~~
HistoryId      : 2

Message        : Cannot process argument transformation on parameter 'EntityMapping'. Cannot convert the
                 "System.Object[]" value of type "System.Object[]" to type
                 "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping".
StackTrace     :    at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext
                 funcContext, Exception exception)
                    at lambda_method(Closure , Object[] , StrongBox`1[] , InterpretedFrame )
Exception      : System.Management.Automation.ParameterBindingArgumentTransformationException
InvocationInfo : {New-AzSentinelAlertRule}
Line           :         New-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @AnalyticsRuleData

Position       : At C:\Users\adminuser\Desktop\rules.ps1:769 char:61
                 + ... ew-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @AnalyticsRuleData
                 +                                                        ~~~~~~~~~~~~~~~~~~
HistoryId      : 2

Message        : Cannot convert the "System.Object[]" value of type "System.Object[]" to type
                 "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping".
StackTrace     :    at System.Management.Automation.ArgumentTypeConverterAttribute.Transform(EngineIntrinsics
                 engineIntrinsics, Object inputData, Boolean bindingParameters, Boolean bindingScriptCmdlet)
                    at System.Management.Automation.ParameterBinderBase.BindParameter(CommandParameterInternal
                 parameter, CompiledCommandParameter parameterMetadata, ParameterBindingFlags flags)
Exception      : System.Management.Automation.ArgumentTransformationMetadataException
InvocationInfo : {New-AzSentinelAlertRule}
Line           :         New-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @AnalyticsRuleData

Position       : At C:\Users\adminuser\Desktop\rules.ps1:769 char:61
                 + ... ew-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @AnalyticsRuleData
                 +                                                        ~~~~~~~~~~~~~~~~~~
HistoryId      : 2

Message        : Cannot convert the "System.Object[]" value of type "System.Object[]" to type
                 "Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping".
StackTrace     :    at
                 System.Management.Automation.LanguagePrimitives.ConvertCheckingForCustomConverter.Convert(Object
                 valueToConvert, Type resultType, Boolean recursion, PSObject originalValueToConvert, IFormatProvider
                 formatProvider, TypeTable backupTable)
                    at System.Management.Automation.LanguagePrimitives.ConversionData`1.Invoke(Object valueToConvert,
                 Type resultType, Boolean recurse, PSObject originalValueToConvert, IFormatProvider formatProvider,
                 TypeTable backupTable)
                    at System.Management.Automation.LanguagePrimitives.ConvertTo(Object valueToConvert, Type
                 resultType, Boolean recursion, IFormatProvider formatProvider, TypeTable backupTypeTable)
                    at System.Management.Automation.ArgumentTypeConverterAttribute.Transform(EngineIntrinsics
                 engineIntrinsics, Object inputData, Boolean bindingParameters, Boolean bindingScriptCmdlet)
Exception      : System.Management.Automation.PSInvalidCastException
InvocationInfo : {New-AzSentinelAlertRule}
Line           :         New-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @AnalyticsRuleData

Position       : At C:\Users\adminuser\Desktop\rules.ps1:769 char:61
                 + ... ew-AzSentinelAlertRule @AzureSentinelWorkSpaceInfo @AnalyticsRuleData
                 +                                                        ~~~~~~~~~~~~~~~~~~
HistoryId      : 2
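
Added example (not part of the original report, and not code from Az.SecurityInsights): the error text above names a single `EntityMapping` as the target type, while the script passes an array (`System.Object[]`). The sketch below reproduces that binding failure with hypothetical stand-in classes (`DemoEntityMapping`, `DemoFieldMapping`) and functions (`Test-ScalarMapping`, `Test-ArrayMapping`), then shows the same array of hashtables binding once the parameter is declared as an array type.

```powershell
# Stand-in types for illustration only (hypothetical, not the Az.SecurityInsights models).
class DemoFieldMapping {
    [string] $Identifier
    [string] $ColumnName
}
class DemoEntityMapping {
    [string] $EntityType
    [DemoFieldMapping[]] $FieldMapping
}

# Scalar parameter: the shape implied by the target type in the error message.
function Test-ScalarMapping {
    param([DemoEntityMapping] $EntityMapping)
    $EntityMapping
}

# Array parameter: the shape a rule with several mappings needs.
function Test-ArrayMapping {
    param([DemoEntityMapping[]] $EntityMapping)
    $EntityMapping
}

# Same structure as the EntityMapping value in the report.
$mappings = @(
    @{
        EntityType   = 'Account'
        FieldMapping = @(
            @{ Identifier = 'FullName';  ColumnName = 'AccountDisplayName' },
            @{ Identifier = 'AadUserId'; ColumnName = 'AccountObjectId' }
        )
    }
)

try {
    # Object[] cannot be converted to a single DemoEntityMapping, so binding fails.
    Test-ScalarMapping -EntityMapping $mappings
} catch {
    $_.Exception.GetType().FullName
    $_.Exception.Message
}

# Each hashtable is converted element by element, nested FieldMapping included.
$bound = Test-ArrayMapping -EntityMapping $mappings
$bound[0].EntityType
$bound[0].FieldMapping | Format-Table Identifier, ColumnName
```
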

isra-fel commented 1 year ago

Thanks for reporting 👍 Let me route this to the security insights team.

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @amirke.

Issue Details
Author: hiba-farhat
Assignees: -
Labels: `Service Attention`, `bug`, `customer-reported`, `SecurityInsights`
Milestone: -

Dalbrink commented 1 year ago

Any updates on this? I'm having the same issue with the New-AzSentinelAlertRule and Update-AzSentinelAlertRule Function.