Azure / azure-powershell

Microsoft Azure PowerShell

Get-AzSentinelIncident "-top" switch does not work. #22826

Open kieranwalsh opened 1 year ago

kieranwalsh commented 1 year ago

Description

The Get-AzSentinelIncident switch "-top" does not list the number of incidents requested, but instead, it lists all incidents - which can be in the 1,000s.

Issue script & Debug output

$SubscriptionId = 'abcde-12345-abcde-12345'
$ResourceGroupName = 'my-group'
$WorkspaceName = 'sentinelWS'
Import-Module Az.SecurityInsights
Connect-AzAccount

$Incidents = Get-AzSentinelIncident -SubscriptionId $SubscriptionId -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -top 10
$Incidents.count

3,952

Environment data

$PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.3.6
PSEdition                      Core
GitCommitId                    7.3.6
OS                             Microsoft Windows 10.0.19045
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Module versions

Get-Module Az*

ModuleType Version    PreRelease Name                      
---------- -------    ---------- ----                   
Script     2.13.0                Az.Accounts                        
Script     3.0.2                 Az.SecurityInsights

Error output

There are no errors.

isra-fel commented 1 year ago

@JoyerJin do you have updates for this issue?

JoyerJin commented 12 months ago

According to the HTTP traffic, the top parameter was sent to the backend. We will contact the Security Insights team for further debugging.

isra-fel commented 12 months ago

I'll loop in the security insights team to look into the issue of why the "top" parameter doesn't work. In the meantime, @kieranwalsh, it would be great if you could share the debug log (put $DebugPreference = 'Continue' before the Get command), and don't forget to double-check for sensitive info before posting.

microsoft-github-policy-service[bot] commented 12 months ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @nazang.

kieranwalsh commented 12 months ago

> I'll loop in the security insights team to look into the issue of why the "top" parameter doesn't work. In the meantime, @kieranwalsh, it would be great if you could share the debug log (put $DebugPreference = 'Continue' before the Get command), and don't forget to double-check for sensitive info before posting.

Hi @isra-fel I did use the $DebugPreference = 'Continue' initially, but as there are 98k incidents there was far too much data to use. Is there anything else I can try to give useful data but also limit the amount?

isra-fel commented 12 months ago

The debug log would have both HTTP request and response. We are more interested in the request (about the beginning 30 lines) because we can narrow down if the issue is in the client or server.
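
One way to collect only the opening lines of the debug stream and mask identifiers before posting them, as an added example that is not part of the original thread. The helper `Protect-DebugLine`, the output file name and the redaction patterns are assumptions; the variable values are the placeholders from the issue report.

```powershell
# Added example (not from the thread). Values below are the issue's placeholders.
$SubscriptionId    = 'abcde-12345-abcde-12345'
$ResourceGroupName = 'my-group'
$WorkspaceName     = 'sentinelWS'

# Hypothetical helper: masks bearer tokens, GUIDs and the literal values in -Mask.
function Protect-DebugLine {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line,
        [Parameter(Mandatory)][hashtable]$Mask   # literal value -> placeholder
    )
    process {
        $out = $Line -replace '(Bearer\s+)\S+', '$1<redacted>'
        $out = $out -replace '\b[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\b', '<guid>'
        foreach ($value in $Mask.Keys) {
            $out = $out -replace [regex]::Escape($value), $Mask[$value]
        }
        $out
    }
}

$mask = @{
    $SubscriptionId    = '<subscription>'
    $ResourceGroupName = '<resource-group>'
    $WorkspaceName     = '<workspace>'
}
$query = @{
    SubscriptionId    = $SubscriptionId
    ResourceGroupName = $ResourceGroupName
    WorkspaceName     = $WorkspaceName
    Top               = 10
}

$previous = $DebugPreference
$DebugPreference = 'Continue'
try {
    # 5>&1 merges the debug stream into the pipeline; the filter drops the incident
    # objects themselves, and Select-Object -First stops the pipeline after 30 lines.
    $requestLog = Get-AzSentinelIncident @query 5>&1 |
        Where-Object { $_ -is [System.Management.Automation.DebugRecord] } |
        ForEach-Object { $_.Message -split '\r?\n' } |
        Select-Object -First 30 |
        Protect-DebugLine -Mask $mask
}
finally {
    $DebugPreference = $previous
}
$requestLog | Set-Content -Path .\top-request-debug.txt   # hypothetical file name
```

Read the resulting file by hand before attaching it; the patterns cover only the identifiers listed in the block.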