Azure / azure-powershell

Microsoft Azure PowerShell

Update-AzSentinelAlertRule failing to update EntityMapping #21443

Closed AntoineJo closed 1 year ago

AntoineJo commented 1 year ago

Description

I'm trying to update the entity mapping of an analytics rule but I get the below error:

PS C:\Users\xxxxxx> update-AzSentinelAlertRule -RuleId $rule.Id -EntityMapping $entityDevice -ResourceGroupName cybersoc -WorkspaceName cybersecuritysoc -NRT
WARNING: Get-AzSentinelAlertRule_Get is not found. The most similar Azure PowerShell command is:
        Get-AzSentinelAlertRule
Get-AzSentinelAlertRule_Get: C:\Users\xxxxxx\OneDrive - xxxxxx\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:449
Line |
 449 |              $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule  …
     |              ~~~~~~~~~~~~~
     | No registered resource provider found for location 'eastus' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview, 2017-03-15-preview, 2017-04-26-preview,
     | 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-06-01, 2021-03-01-privatepreview, 2021-12-01-preview, 2022-10-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus, japaneast, uksouth, centralindia, canadacentral, westus2,
     | australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth, switzerlandwest, germanywestcentral, australiacentral2, uaecentral,
     | uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral'.
Update-AzSentinelAlertRule: C:\Users\xxxxxx\OneDrive - xxxxxxx\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:826
Line |
 826 |  … curityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
     |                                                       ~~~~~~
     | Cannot bind argument to parameter 'AlertRule' because it is null.

Issue script & Debug output

PS C:\Users\[account]> $DebugPreference='Continue'
PS C:\Users\[account]> New-AzSentinelAlertRule -ResourceGroupName cybersoc -WorkspaceName "CyberSecuritySOC" -Kind NRT -Enabled -DisplayName "Tutu" -Severity Low -Query "SigninLogs | where UserDisplayName == 'toto'"
DEBUG: 4:52:25 PM - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules/339d6753-24aa-481f-b834-f4658aaf2c92?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules/339d6753-24aa-481f-b834-f4658aaf2c92?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: BodyContentSet:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
PUT

Absolute Uri:
https://management.azure.com/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules/339d6753-24aa-481f-b834-f4658aaf2c92?api-version=2021-09-01-preview

Headers:
x-ms-unique-id                : 46,47
x-ms-client-request-id        : a897a44a-bff2-40fd-97e1-ac9811d22202
CommandName                   : Az.SecurityInsights.internal\New-AzSentinelAlertRule
FullCommandName               : New-AzSentinelAlertRule_Create
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v9.3.0,PSVersion/v7.3.3,Az.SecurityInsights/3.0.1

Body:
{
  "kind": "NRT",
  "properties": {
    "incidentConfiguration": {
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "AllEntities"
      },
      "createIncident": false
    },
    "query": "SigninLogs | where UserDisplayName == 'toto'",
    "displayName": "Tutu",
    "enabled": true,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false,
    "severity": "Low"
  }
}

DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
Created

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-writes: 1197
x-ms-request-id               : b6f49e94-6a02-4c3b-96fb-2ac687468cca
x-ms-correlation-request-id   : b6f49e94-6a02-4c3b-96fb-2ac687468cca
x-ms-routing-request-id       : FRANCECENTRAL:20230404T145226Z:b6f49e94-6a02-4c3b-96fb-2ac687468cca
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Tue, 04 Apr 2023 14:52:26 GMT

Body:
{
  "id": "/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules/339d6753-24aa-481f-b834-f4658aaf2c92",
  "name": "339d6753-24aa-481f-b834-f4658aaf2c92",
  "etag": "\"3f005790-0000-0100-0000-642c39aa0000\"",
  "type": "Microsoft.SecurityInsights/alertRules",
  "kind": "NRT",
  "properties": {
    "incidentConfiguration": {
      "createIncident": false,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "AllEntities",
        "groupByEntities": null,
        "groupByAlertDetails": null,
        "groupByCustomDetails": null
      }
    },
    "severity": "Low",
    "query": "SigninLogs | where UserDisplayName == 'toto'",
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false,
    "tactics": null,
    "displayName": "Tutu",
    "enabled": true,
    "description": null,
    "alertRuleTemplateName": null,
    "lastModifiedUtc": "2023-04-04T14:52:25.8692506Z"
  }
}

DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:

DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent:  Module: Az.SecurityInsights:3.0.1; CommandName: New-AzSentinelAlertRule; PSVersion: 7.3.3; IsSuccess: True; Duration: 00:00:01.0275851
Etag                                   Kind Name                                 SystemDataCreatedAt SystemDataCreatedBy SystemDataCreatedByType SystemDataLastModifiedAt SystemDataLastModifiedBy SystemDataLastModifiedByType
----                                   ---- ----                                 ------------------- ------------------- ----------------------- ------------------------ ------------------------ ----------------------------
"3f005790-0000-0100-0000-642c39aa0000" NRT  339d6753-24aa-481f-b834-f4658aaf2c92

PS C:\Users\[account]> $account = '{
>>   "entityType": "Account",
>>   "fieldMappings": [
>>     {
>>       "identifier": "AadUserId",
>>       "columnName": "UserId"
>>     },
>>     {
>>       "identifier": "DisplayName",
>>       "columnName": "UserDisplayName"
>>     }
>>   ]
>> }'
PS C:\Users\[account]> $entityAccount = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping]::FromJsonString($account)
PS C:\Users\[account]> $rule = get-azsentinelAlertRule -ResourceGroupName cybersoc -WorkspaceName CyberSecuritySOC | where DisplayName -eq 'tutu'
DEBUG: 4:53:45 PM - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules?api-version=2021-09-01-preview

Headers:
x-ms-unique-id                : 48,49
x-ms-client-request-id        : 7825b63a-2b39-4742-9158-6df12db0a93f
CommandName                   : get-azsentinelAlertRule
FullCommandName               : Get-AzSentinelAlertRule_List
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v9.3.0,PSVersion/v7.3.3,Az.SecurityInsights/3.0.1

Body:

DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
OK

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
Server                        : Kestrel
x-ms-ratelimit-remaining-subscription-reads: 11999
x-ms-request-id               : 9ac144a9-21a2-43ef-89b5-906fc3318d53
x-ms-correlation-request-id   : 9ac144a9-21a2-43ef-89b5-906fc3318d53
x-ms-routing-request-id       : FRANCECENTRAL:20230404T145345Z:9ac144a9-21a2-43ef-89b5-906fc3318d53
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Tue, 04 Apr 2023 14:53:45 GMT

Body:
{
  "value": [
    {
      "id": "/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/alertRules/BuiltInFusion",
      "name": "BuiltInFusion",
      "etag": "\"06007d61-0000-0100-0000-63bd43b10000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "Fusion",
      "properties": {
        "displayName": "Advanced Multistage Attack Detection",
        "description": "Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Azure Sentinel generates incidents that would otherwise be very difficult to catch. By design, these incidents are low-volume, high-fidelity, and high-severity, which is why this detection is turned ON by default.\n\nSince Fusion correlates multiple signals from various products to detect advanced multistage attacks, successful Fusion detections are presented as Fusion incidents on the Microsoft Sentinel Incidents page. This rule covers the following detections:\n- Fusion for emerging threats\n- Fusion for ransomware\n- Scenario-based Fusion detections (122 scenarios)\n\nTo enable these detections, we recommend you configure the following data connectors for best results:\n- Out-of-the-box anomaly detections\n- Azure Active Directory Identity Protection\n- Azure Defender\n- Azure Defender for IoT\n- Microsoft 365 Defender\n- Microsoft Cloud App Security    \n- Microsoft Defender for Endpoint\n- Microsoft Defender for Identity\n- Microsoft Defender for Office 365\n- Scheduled analytics rules, both built-in and those created by your security analysts. Analytics rules must contain kill-chain (tactics) and entity mapping information in order to be used by Fusion.\n\nFor the full description of each detection that is supported by Fusion, go to https://aka.ms/SentinelFusion.",
        "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8",
        "tactics": [
          "Collection",
          "CommandAndControl",
          "CredentialAccess",
          "DefenseEvasion",
          "Discovery",
          "Execution",
          "Exfiltration",
          "Impact",
          "InitialAccess",
          "LateralMovement",
          "Persistence",
          "PrivilegeEscalation"
        ],
        "severity": "High",
        "enabled": true,
        "lastModifiedUtc": "2023-01-10T10:53:37.5525908Z"
      }
    },
    {
      "id": "/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/alertRules/0a62dba3-7ded-4225-8174-7dad003f6f44",
      "name": "0a62dba3-7ded-4225-8174-7dad003f6f44",
      "etag": "\"06007e61-0000-0100-0000-63bd43ef0000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "MicrosoftSecurityIncidentCreation",
      "properties": {
        "productFilter": "Azure Security Center",
        "severitiesFilter": [
          "Low",
          "Medium",
          "High"
        ],
        "displayNamesFilter": null,
        "displayNamesExcludeFilter": null,
        "displayName": "Create incidents based on Microsoft Defender for Cloud",
        "enabled": true,
        "description": "Create incidents based on all alerts generated in Microsoft Defender for Cloud",
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2023-01-10T10:54:39.9418431Z"
      }
    },
    {
      "id": "/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules/d7a64bdd-7fb2-440e-a7a2-72af06115201",
      "name": "d7a64bdd-7fb2-440e-a7a2-72af06115201",
      "etag": "\"3f00266a-0000-0100-0000-642c25000000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "NRT",
      "properties": {
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": null,
            "groupByAlertDetails": null,
            "groupByCustomDetails": null
          }
        },
        "severity": "Low",
        "query": "DeviceEvents | where DeviceName == 'toto'",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "displayName": "Toto",
        "enabled": true,
        "description": null,
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2023-04-04T13:24:16.1032282Z"
      }
    },
    {
      "id": "/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/alertRules/655a9b29-052b-483f-a157-05a7eb868497",
      "name": "655a9b29-052b-483f-a157-05a7eb868497",
      "etag": "\"3f00d26a-0000-0100-0000-642c255c0000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "NRT",
      "properties": {
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": [],
            "groupByAlertDetails": [],
            "groupByCustomDetails": []
          }
        },
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "identifier": "HostName",
                "columnName": "DeviceName"
              }
            ]
          }
        ],
        "severity": "Medium",
        "query": "DeviceEvents | where DeviceName == 'toto'",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [],
        "displayName": "titi",
        "enabled": true,
        "description": "",
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2023-04-04T13:25:47.8013556Z"
      }
    },
    {
      "id": "/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules/d0d9238a-3e47-4535-a20b-3c66539984fe",
      "name": "d0d9238a-3e47-4535-a20b-3c66539984fe",
      "etag": "\"3f00a085-0000-0100-0000-642c33c90000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "NRT",
      "properties": {
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": null,
            "groupByAlertDetails": null,
            "groupByCustomDetails": null
          }
        },
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "AadUserId",
                "columnName": "UserId"
              },
              {
                "identifier": "DisplayName",
                "columnName": "UserDisplayName"
              }
            ]
          }
        ],
        "severity": "Low",
        "query": "SigninLogs | where UserDisplayName == 'toto'",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "displayName": "Tata",
        "enabled": true,
        "description": null,
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2023-04-04T14:27:21.250351Z"
      }
    },
    {
      "id": "/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/CyberSecuritySOC/providers/Microsoft.SecurityInsights/alertRules/339d6753-24aa-481f-b834-f4658aaf2c92",
      "name": "339d6753-24aa-481f-b834-f4658aaf2c92",
      "etag": "\"3f005790-0000-0100-0000-642c39aa0000\"",
      "type": "Microsoft.SecurityInsights/alertRules",
      "kind": "NRT",
      "properties": {
        "incidentConfiguration": {
          "createIncident": false,
          "groupingConfiguration": {
            "enabled": false,
            "reopenClosedIncident": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "groupByEntities": null,
            "groupByAlertDetails": null,
            "groupByCustomDetails": null
          }
        },
        "severity": "Low",
        "query": "SigninLogs | where UserDisplayName == 'toto'",
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "displayName": "Tutu",
        "enabled": true,
        "description": null,
        "alertRuleTemplateName": null,
        "lastModifiedUtc": "2023-04-04T14:52:25.8692506Z"
      }
    }
  ]
}

DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent:  Module: Az.SecurityInsights:3.0.1; CommandName: Get-AzSentinelAlertRule; PSVersion: 7.3.3; IsSuccess: True; Duration: 00:00:00.3339676
PS C:\Users\[account]> update-AzSentinelAlertRule -RuleId $rule.Id -EntityMapping $entityAccount -ResourceGroupName cybersoc -WorkspaceName cybersecuritysoc -NRT
DEBUG: 4:54:02 PM - GetAzureRMContextCommand end processing.
DEBUG: 4:54:02 PM - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/alertRules/%2Fsubscriptions%2F[AzureSubID]%2FresourceGroups%2Fcybersoc%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2FCyberSecuritySOC%2Fproviders%2FMicrosoft.SecurityInsights%2FalertRules%2F339d6753-24aa-481f-b834-f4658aaf2c92?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/alertRules/%2Fsubscriptions%2F[AzureSubID]%2FresourceGroups%2Fcybersoc%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2FCyberSecuritySOC%2Fproviders%2FMicrosoft.SecurityInsights%2FalertRules%2F339d6753-24aa-481f-b834-f4658aaf2c92?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method:
GET

Absolute Uri:
https://management.azure.com/subscriptions/[AzureSubID]/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/cybersecuritysoc/providers/Microsoft.SecurityInsights/alertRules/%2Fsubscriptions%2F[AzureSubID]%2FresourceGroups%2Fcybersoc%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2FCyberSecuritySOC%2Fproviders%2FMicrosoft.SecurityInsights%2FalertRules%2F339d6753-24aa-481f-b834-f4658aaf2c92?api-version=2021-09-01-preview

Headers:
x-ms-unique-id                : 50,51
x-ms-client-request-id        : 98284891-cf75-457a-aaa6-98b462575f6c
CommandName                   : Az.SecurityInsights\Get-AzSentinelAlertRule
FullCommandName               : Get-AzSentinelAlertRule_Get
ParameterSetName              : __AllParameterSets
User-Agent                    : AzurePowershell/v9.3.0,PSVersion/v7.3.3,Az.SecurityInsights/3.0.1

Body:

DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code:
BadRequest

Headers:
Cache-Control                 : no-cache
Pragma                        : no-cache
x-ms-failure-cause            : gateway
x-ms-request-id               : e1fd64ef-fbe0-4c30-8e78-24199ce9028c
x-ms-correlation-request-id   : e1fd64ef-fbe0-4c30-8e78-24199ce9028c
x-ms-routing-request-id       : FRANCECENTRAL:20230404T145403Z:e1fd64ef-fbe0-4c30-8e78-24199ce9028c
Strict-Transport-Security     : max-age=31536000; includeSubDomains
X-Content-Type-Options        : nosniff
Date                          : Tue, 04 Apr 2023 14:54:02 GMT

Body:
{
  "error": {
    "code": "NoRegisteredProviderFound",
    "message": "No registered resource provider found for location 'eastus' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview, 2017-03-15-preview, 2017-04-26-preview, 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-06-01, 2021-03-01-privatepreview, 2021-12-01-preview, 2022-10-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus, japaneast, uksouth, centralindia, canadacentral, westus2, australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth, switzerlandwest, germanywestcentral, australiacentral2, uaecentral, uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral'."
  }
}

DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
WARNING: Get-AzSentinelAlertRule_Get is not found. The most similar Azure PowerShell command is:
        Get-AzSentinelAlertRule
Get-AzSentinelAlertRule_Get: C:\Users\[account]\[OneDrive - chuuutttt]\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:449
Line |
 449 |              $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule  …
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No registered resource provider found for location 'eastus' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview, 2017-03-15-preview, 2017-04-26-preview,
     | 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-06-01, 2021-03-01-privatepreview, 2021-12-01-preview, 2022-10-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus, japaneast, uksouth, centralindia, canadacentral, westus2,
     | australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth, switzerlandwest, germanywestcentral, australiacentral2, uaecentral,
     | uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral'.
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
Update-AzSentinelAlertRule: C:\Users\[account]\[OneDrive - chuuutttt]\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:826
Line |
 826 |  … curityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
     |                                                       ~~~~~~~~~~~~~~~~~~
     | Cannot bind argument to parameter 'AlertRule' because it is null.
PS C:\Users\[account]>

Environment data

Name                           Value
----                           -----
PSVersion                      7.3.3
PSEdition                      Core
GitCommitId                    7.3.3
OS                             Microsoft Windows 10.0.22621
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

ModuleType Version    PreRelease Name                                ExportedCommands
---------- -------    ---------- ----                                ----------------
Script     2.11.1                Az.Accounts                         {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script     3.0.1                 Az.SecurityInsights                 {Get-AzSentinelAlertRule, Get-AzSentinelAlertRuleAction, Get-AzSentinelAlertRuleTemplate, Get-AzSentinelAutomationRule…}

Error output

HistoryId: 194

Message        : Cannot bind argument to parameter 'AlertRule' because it is null.
StackTrace     :    at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
                    at Microsoft.PowerShell.Executor.ExecuteCommandHelper(Pipeline tempPipeline, Exception& exceptionThrown, ExecutionOptions options)
Exception      : System.Management.Automation.ParameterBindingValidationException
InvocationInfo : {Update-AzSentinelAlertRule}
Line           :             Az.SecurityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters

Position       : At C:\Users\[useraccount]\[OneDrive - chuuutttt]\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:826 char:69
                 + … curityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
                 +                                                      ~~~~~~~~~~~~~~~~~~
HistoryId      : 194

Message        : [NoRegisteredProviderFound] : No registered resource provider found for location 'eastus' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview,
                 2017-03-15-preview, 2017-04-26-preview, 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-06-01, 2021-03-01-privatepreview, 2021-12-01-preview, 2022-10-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus,
                 japaneast, uksouth, centralindia, canadacentral, westus2, australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth,
                 switzerlandwest, germanywestcentral, australiacentral2, uaecentral, uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral'.
StackTrace     :
Exception      : System.Exception
InvocationInfo : {Get-AzSentinelAlertRule_Get}
Line           :             $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule @GetPSBoundParameters

Position       : At C:\Users\[useraccount]\[OneDrive - chuuutttt]\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:449 char:13
                 +             $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule  …
                 +             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
wyunchi-ms commented 1 year ago

Hi @AntoineJo, please confirm the resource provider is registered successfully. It looks like the resource provider is not registered in your location and API version. You can use Get-AzResourceProvider to verify the registration and use Register-AzResourceProvider to register.

ghost commented 1 year ago

Thank you for your feedback. This has been routed to the support team for assistance.

navba-MSFT commented 1 year ago

@AntoineJo Thanks for reaching out to us and reporting this issue. Could you please check if the below providers are registered for your subscription?

Connect-AzAccount
Select-AzSubscription -SubscriptionId 'XXXX-XXXX-XXXX-XXX'

Get-AzResourceProvider -ProviderNamespace Microsoft.OperationalInsights
Get-AzResourceProvider -ProviderNamespace Microsoft.SecurityInsights

If they are not registered, please run the below commands to register them:

Register-AzResourceProvider -ProviderNamespace Microsoft.OperationalInsights
Register-AzResourceProvider -ProviderNamespace Microsoft.SecurityInsights

Awaiting your reply.

wyunchi-ms commented 1 year ago

As discussed with AntoineJo, it seems only the location eastus is not available for Microsoft.SecurityInsights.

navba-MSFT commented 1 year ago

@AntoineJo The below command shows the available locations for the Microsoft.SecurityInsights resource provider.

Get-AzLocation | Where-Object {$_.Providers -contains "Microsoft.SecurityInsights"} | Select Location

Location          
--------          
northeurope       
swedencentral     
uksouth           
westeurope        
francecentral     
germanywestcentral
norwayeast        
switzerlandnorth  
francesouth       
norwaywest        
switzerlandwest   
ukwest            

Could you please use one of these available locations and test? Awaiting your reply.

navba-MSFT commented 1 year ago

@AntoineJo I wanted to do a quick follow-up to check if you had a chance to look at my above comment. Please let us know if you have any updates on this. Awaiting your reply.

navba-MSFT commented 1 year ago

@AntoineJo The action is pending on you to test the above plan. If you need any further assistance on this issue in future, please feel free to reopen this thread. We would be happy to help.

AntoineJo commented 1 year ago

Hi @navba-MSFT, same thing with a workspace in westeurope.

PS C:\Users\[account]> Get-AzLocation | Where-Object {$_.Providers -contains "Microsoft.SecurityInsights"} | Select Location

Location
--------
northeurope
swedencentral
uksouth
westeurope
francecentral
germanywestcentral
norwayeast
switzerlandnorth
francesouth
norwaywest
switzerlandwest
ukwest

PS C:\Users[account]> New-AzSentinelAlertRule -ResourceGroupName cybersoc -WorkspaceName "weutest" -Kind NRT -Enabled -DisplayName "Tutu" -Severity Low -Query "SigninLogs | where UserDisplayName == 'toto'"

Etag                                   Kind Name                                 SystemDataCreatedAt SystemDataCreatedBy SystemDataCreatedByType
----                                   ---- ----                                 ------------------- ------------------- -----------------------
"4f000699-0000-0d00-0000-643d08a40000" NRT  1191bc50-7398-4fb0-aa65-af5da2e676cc

PS C:\Users[account]> $rule = get-azsentinelAlertRule -ResourceGroupName cybersoc -WorkspaceName weutest | where DisplayName -eq 'tutu'
PS C:\Users[account]> update-AzSentinelAlertRule -RuleId $rule.Id -EntityMapping $entityAccount -ResourceGroupName cybersoc -WorkspaceName weutest -NRT
DEBUG: 10:54:50 AM - GetAzureRMContextCommand end processing.
DEBUG: 10:54:50 AM - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/dfgdfgdf/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/weutest/providers/Microsoft.SecurityInsights/alertRules/%2Fsubscriptions%2Fdfgdfg%2FresourceGroups%2Fcybersoc%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Fweutest%2Fproviders%2FMicrosoft.SecurityInsights%2FalertRules%2F1191bc50-7398-4fb0-aa65-af5da2e676cc?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/dfgdfgdfg/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/weutest/providers/Microsoft.SecurityInsights/alertRules/%2Fsubscriptions%2Fdfgdfgdfg%2FresourceGroups%2Fcybersoc%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Fweutest%2Fproviders%2FMicrosoft.SecurityInsights%2FalertRules%2F1191bc50-7398-4fb0-aa65-af5da2e676cc?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: ============================ HTTP REQUEST ============================

HTTP Method: GET

Absolute Uri: https://management.azure.com/subscriptions/dfgdfgdf/resourceGroups/cybersoc/providers/Microsoft.OperationalInsights/workspaces/weutest/providers/Microsoft.SecurityInsights/alertRules/%2Fsubscriptions%2dgdfgdfgd2FresourceGroups%2Fcybersoc%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Fweutest%2Fproviders%2FMicrosoft.SecurityInsights%2FalertRules%2F1191bc50-7398-4fb0-aa65-af5da2e676cc?api-version=2021-09-01-preview

Headers:
x-ms-unique-id : 9
x-ms-client-request-id : b4b5dbdb-9cb1-4812-927f-464f6be4b16e
CommandName : Az.SecurityInsights\Get-AzSentinelAlertRule
FullCommandName : Get-AzSentinelAlertRule_Get
ParameterSetName : __AllParameterSets
User-Agent : AzurePowershell/v9.6.0,PSVersion/v7.3.3,Az.SecurityInsights/3.0.1

Body:

DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================

Status Code: BadRequest

Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : a69a04f7-7916-4925-a8a7-d256e2908022
x-ms-correlation-request-id : a69a04f7-7916-4925-a8a7-d256e2908022
x-ms-routing-request-id : FRANCECENTRAL:20230417T085449Z:a69a04f7-7916-4925-a8a7-d256e2908022
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
Date : Mon, 17 Apr 2023 08:54:48 GMT

Body:
{
  "error": {
    "code": "NoRegisteredProviderFound",
    "message": "No registered resource provider found for location 'westeurope' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview, 2017-03-15-preview, 2017-04-26-preview, 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-06-01, 2021-03-01-privatepreview, 2021-12-01-preview, 2022-10-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus, japaneast, uksouth, centralindia, canadacentral, westus2, australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth, switzerlandwest, germanywestcentral, australiacentral2, uaecentral, uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral'."
  }
}

DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
Get-AzSentinelAlertRule_Get: C:\Users[account]\OneDrive - WXXXX\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:449
Line |
 449 |  $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule …
     |               ~~~~~~~~~~~~~
     | No registered resource provider found for location 'westeurope' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview, 2017-03-15-preview, 2017-04-26-preview, 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-06-01, 2021-03-01-privatepreview, 2021-12-01-preview, 2022-10-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus, japaneast, uksouth, centralindia, canadacentral, westus2, australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth, switzerlandwest, germanywestcentral, australiacentral2, uaecentral, uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral'.
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
Update-AzSentinelAlertRule: C:\Users[account]\OneDrive - WWXXXXX\Documents\PowerShell\Modules\Az.SecurityInsights\3.0.1\custom\Update-AzSentinelAlertRule.ps1:826
Line |
 826 | … curityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
     |                           ~~~~~~
     | Cannot bind argument to parameter 'AlertRule' because it is null.
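One thing worth checking against the debug output above: the request path ends in alertRules/%2Fsubscriptions%2F...%2FalertRules%2F1191bc50-..., i.e. the rule's full ARM resource ID has been percent-encoded into the single {ruleId} segment, whereas the Name column of the New-AzSentinelAlertRule output shows a bare GUID. The following is an added diagnostic, not code from the thread or from the Az.SecurityInsights module; it assumes the resource group, workspace, rule display name and $entityAccount mapping object from the comment above, and that -RuleId expects the bare rule name (the GUID), which is an assumption the thread itself does not confirm.

```powershell
# Added diagnostic (not from the thread). Assumes an authenticated session and the
# names used in the comment above.
$resourceGroup = 'cybersoc'   # assumption: resource group from the comment
$workspaceName = 'weutest'    # assumption: workspace from the comment
$DebugPreference = 'Continue' # print the module's DEBUG stream (Absolute Uri etc.) without prompting

$rule = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroup -WorkspaceName $workspaceName |
    Where-Object DisplayName -eq 'Tutu'

# The REST path is .../alertRules/{ruleId}. Show what each identifier on the rule object
# becomes once percent-encoded into that one segment, to compare with the logged URLCreated line.
foreach ($candidate in @(
        @{ Property = 'Id';   Value = $rule.Id },
        @{ Property = 'Name'; Value = $rule.Name })) {
    $segment = [uri]::EscapeDataString($candidate.Value)
    '{0,-5} -> .../alertRules/{1}' -f $candidate.Property, $segment
}

# Re-issue the read that the custom Update-AzSentinelAlertRule performs internally, once with
# each identifier form, and record which one the API accepts.
$working = $null
foreach ($ruleId in @($rule.Id, $rule.Name)) {
    try {
        $fetched = Get-AzSentinelAlertRule -ResourceGroupName $resourceGroup -WorkspaceName $workspaceName `
                                           -RuleId $ruleId -ErrorAction Stop
        "RuleId '$ruleId' -> OK (Name=$($fetched.Name), Kind=$($fetched.Kind))"
        if (-not $working) { $working = $ruleId }
    } catch {
        "RuleId '$ruleId' -> FAILED: $($_.Exception.Message)"
    }
}

# Only attempt the update with the identifier form that the read accepted.
# $entityAccount is the entity-mapping object from the comment above (assumed to exist).
if ($working) {
    Update-AzSentinelAlertRule -ResourceGroupName $resourceGroup -WorkspaceName $workspaceName `
                               -RuleId $working -EntityMapping $entityAccount -NRT
} else {
    Write-Warning 'Neither identifier form could be read back; the failure is not in the RuleId value.'
}
```

If the encoded Id form reproduces the logged path and the Name form does not, the NoRegisteredProviderFound message is a side effect of ARM trying to route a path that embeds a second /subscriptions/... segment, not a statement about provider availability in the region; if both forms fail with the same error, the region/provider checks earlier in the thread are the right place to keep looking.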

AndreasRogge commented 1 month ago

Hi, how come this has been closed? I still have the same problem as the creator of this issue:

[image]

Resource Providers Microsoft.SecurityInsights and Microsoft.OperationalInsights are registered. When I check the API versions on SecurityInsights I can see that "2021-09-01-preview" is available, but on OperationalInsights it is unavailable on resource type "workspaces", as mentioned in the picture.