diff --git a/src/SecurityInsights/SecurityInsights/ChangeLog.md b/src/SecurityInsights/SecurityInsights/ChangeLog.md
index a09d2afcfac5..f213b7dfa3fc 100644
--- a/src/SecurityInsights/SecurityInsights/ChangeLog.md
+++ b/src/SecurityInsights/SecurityInsights/ChangeLog.md
@@ -19,6 +19,10 @@
-->
## Upcoming Release
+* Updated to Get-AzSentinelIncident parameters
+ - Added -Filter to support OData filter
+ - Added -OrderBy to suppoert OData ordering
+ - Added -Max to support retrieving more than the default of 1000 incidents.
## Version 1.0.0
* GA release for `Az.SecurityInsights`.
diff --git a/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs
index 9ef147b9954d..21cb5c5e613d 100644
--- a/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs
+++ b/src/SecurityInsights/SecurityInsights/Cmdlets/Incidents/GetIncidents.cs
@@ -14,7 +14,6 @@
using System;
using System.Management.Automation;
-using Microsoft.Azure.Commands.SecurityInsights;
using Microsoft.Azure.Commands.SecurityInsights.Common;
using Microsoft.Azure.Commands.SecurityInsights.Models.Incidents;
using Microsoft.Azure.Commands.ResourceManager.Common.ArgumentCompleters;
@@ -26,8 +25,6 @@ namespace Microsoft.Azure.Commands.SecurityInsights.Cmdlets.Incidents
[Cmdlet(VerbsCommon.Get, ResourceManager.Common.AzureRMConstants.AzureRMPrefix + "SentinelIncident", DefaultParameterSetName = ParameterSetNames.WorkspaceScope), OutputType(typeof(PSSentinelIncident))]
public class GetIncidents : SecurityInsightsCmdletBase
{
- private const int MaxIncidentsToFetch = 1500;
-
[Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
[Parameter(ParameterSetName = ParameterSetNames.IncidentId, Mandatory = true, HelpMessage = ParameterHelpMessages.ResourceGroupName)]
[ResourceGroupCompleter]
@@ -43,28 +40,38 @@ public class GetIncidents : SecurityInsightsCmdletBase
[ValidateNotNullOrEmpty]
public string IncidentId { get; set; }
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = false, ValueFromPipeline = false, HelpMessage = ParameterHelpMessages.Filter)]
+ public string Filter { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = false, ValueFromPipeline = false, HelpMessage = ParameterHelpMessages.OrderBy)]
+ public string OrderBy { get; set; }
+
+ [Parameter(ParameterSetName = ParameterSetNames.WorkspaceScope, Mandatory = false, ValueFromPipeline = false, HelpMessage = ParameterHelpMessages.Max)]
+ [ValidateRange(1, int.MaxValue)]
+ public int Max { get; set; }
+
[Parameter(ParameterSetName = ParameterSetNames.ResourceId, Mandatory = true, ValueFromPipelineByPropertyName = true, HelpMessage = ParameterHelpMessages.ResourceId)]
[ValidateNotNullOrEmpty]
public string ResourceId { get; set; }
public override void ExecuteCmdlet()
{
- int numberOfFetchedIncidents = 0;
string nextLink = null;
switch (ParameterSetName)
{
case ParameterSetNames.WorkspaceScope:
- var incidents = SecurityInsightsClient.Incidents.List(ResourceGroupName, WorkspaceName);
+ string filter = (Filter == default(string)) ? null : Filter;
+ string orderby = (OrderBy == default(string)) ? null : OrderBy;
+ int max = (Max == default(int)) ? 1000 : Max;
+ var incidents = SecurityInsightsClient.Incidents.List(ResourceGroupName, WorkspaceName, filter: filter, orderby: orderby);
var incidentscount = incidents.Count();
WriteObject(incidents.ConvertToPSType(), enumerateCollection: true);
- numberOfFetchedIncidents += incidentscount;
nextLink = incidents?.NextPageLink;
- while (!string.IsNullOrWhiteSpace(nextLink) && numberOfFetchedIncidents < MaxIncidentsToFetch)
+ while (!string.IsNullOrWhiteSpace(nextLink) && incidentscount < max)
{
incidents = SecurityInsightsClient.Incidents.ListNext(incidents.NextPageLink);
- incidentscount = incidents.Count();
WriteObject(incidents.ConvertToPSType(), enumerateCollection: true);
- numberOfFetchedIncidents += incidentscount;
+ incidentscount += incidents.Count();
nextLink = incidents?.NextPageLink;
}
break;
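Review bot: `-Max` does not bound the output in the `WorkspaceScope` case, because every fetched page is written in full and `incidentscount < max` is only tested before the next page is requested, so the first page is always emitted whole and the total can overshoot `Max`. When the cap stops paging while `NextPageLink` is still set, nothing tells the caller the list is incomplete, so a script that exports or triages incidents from this cmdlet can miss some without noticing. The sketch below trims the final page to the remaining quota and emits a `WriteWarning` when more incidents were available. It assumes `ConvertToPSType()` returns an enumerable and that LINQ is in scope, as the existing `incidents.Count()` call suggests. The `switch` in `ExecuteCmdlet` continues outside this hunk.

```csharp
// … unchanged: filter / orderby / max defaults and the Incidents.List(...) call …
int written = 0;
bool more;
while (true)
{
    // Emit only what is left of the quota so -Max is a real upper bound.
    int pageSize = incidents.Count();
    int take = Math.Min(pageSize, max - written);
    WriteObject(incidents.ConvertToPSType().Take(take), enumerateCollection: true);
    written += take;

    nextLink = incidents.NextPageLink;
    more = take < pageSize || !string.IsNullOrWhiteSpace(nextLink);
    if (written >= max || string.IsNullOrWhiteSpace(nextLink))
    {
        break;
    }

    incidents = SecurityInsightsClient.Incidents.ListNext(nextLink);
}

if (more)
{
    // Make truncation visible instead of returning a silently partial incident list.
    WriteWarning("Results were truncated at -Max; more incidents match. Increase -Max or narrow -Filter.");
}
```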
diff --git a/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs b/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs
index 246f555e097d..a2e13b63275a 100644
--- a/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs
+++ b/src/SecurityInsights/SecurityInsights/Common/ParameterHelpMessages.cs
@@ -104,6 +104,9 @@ public static class ParameterHelpMessages
#region Incidents
public const string IncidentId = "Incident Id.";
+ public const string Filter = "Filters the results, based on a Boolean condition.";
+ public const string OrderBy = "Sorts the results";
+ public const string Max = "Maximum number of records to return";
public const string Classificaton = "Incident Classificaiton.";
public const string ClassificationComment = "Incident Classificaiton Comment.";
public const string ClassificationReason = "Incident Classificaiton Reason.";
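Review bot: The three new help strings leave out what a caller needs in order to use the parameters correctly. `Max` does not state the default of 1000 that `GetIncidents` applies when the parameter is omitted, and `Filter` and `OrderBy` do not say that they take OData expressions, which the changelog entry for this change does say. I would write `public const string Max = "Maximum number of incidents to return. Defaults to 1000.";` and `public const string Filter = "OData $filter expression used to filter the returned incidents.";`, with matching wording for `OrderBy`. The `ParameterHelpMessages` class starts and ends outside this hunk.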
diff --git a/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md b/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md
index 2093cd6ac39b..506fe7e51971 100644
--- a/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md
+++ b/src/SecurityInsights/SecurityInsights/help/Az.SecurityInsights.md
@@ -2,15 +2,13 @@
Module Name: Az.SecurityInsights
Module Guid: 453d4fb9-65ec-4cf1-8358-6a0fbd995d19
Download Help Link: https://docs.microsoft.com/powershell/module/az.securityinsights
-Help Version: 0.1.0
+Help Version: 1.1.0
Locale: en-US
---
# Az.SecurityInsights Module
## Description
-Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
-The Azure Sentinel PowerShell module (Az.SecurityInsights) allows you to interact with the following components: * Incidents
-* Analytics Rules (Alert Rules)
+Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.
The Azure Sentinel PowerShell module (Az.SecurityInsights) allows you to interact with the following components: * Incidents * Analytics Rules (Alert Rules)
* Analytics Rules Templates
* Analytics Rules Actions (like attaching an Azure Logic Apps Playbooks to your rule)
* Bookmarks
diff --git a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md
index 7c651b13a325..1e64af6ed229 100644
--- a/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md
+++ b/src/SecurityInsights/SecurityInsights/help/Get-AzSentinelIncident.md
@@ -8,14 +8,14 @@ schema: 2.0.0
# Get-AzSentinelIncident
## SYNOPSIS
-Get one or more Azure Sentinel Incidents.
+Gets one or more Azure Sentinel Incidents.
## SYNTAX
### WorkspaceScope (Default)
```
-Get-AzSentinelIncident -ResourceGroupName -WorkspaceName
- [-DefaultProfile ] []
+Get-AzSentinelIncident -ResourceGroupName -WorkspaceName [-Filter ]
+ [-OrderBy ] [-Max ] [-DefaultProfile ] []
```
### IncidentId
@@ -32,7 +32,8 @@ Get-AzSentinelIncident -ResourceId [-DefaultProfile