diff --git a/src/SecurityInsights/.gitattributes b/src/SecurityInsights/.gitattributes
new file mode 100644
index 000000000000..2125666142eb
--- /dev/null
+++ b/src/SecurityInsights/.gitattributes
@@ -0,0 +1 @@
+* text=auto
\ No newline at end of file
diff --git a/src/SecurityInsights/.gitignore b/src/SecurityInsights/.gitignore
new file mode 100644
index 000000000000..3c3d57339c8b
--- /dev/null
+++ b/src/SecurityInsights/.gitignore
@@ -0,0 +1,16 @@
+bin
+obj
+.vs
+generated
+internal
+exports
+tools
+custom/*.psm1
+custom/autogen-model-cmdlets
+test/*-TestResults.xml
+/*.ps1
+/*.ps1xml
+/*.psm1
+/*.snk
+/*.csproj
+/*.nuspec
\ No newline at end of file
diff --git a/src/SecurityInsights/Az.SecurityInsights.psd1 b/src/SecurityInsights/Az.SecurityInsights.psd1
new file mode 100644
index 000000000000..4fbafc706d95
--- /dev/null
+++ b/src/SecurityInsights/Az.SecurityInsights.psd1
@@ -0,0 +1,24 @@
+@{
+ GUID = '3a0e09d6-7b89-4078-a565-5db26e7455b8'
+ RootModule = './Az.SecurityInsights.psm1'
+ ModuleVersion = '1.2.0'
+ CompatiblePSEditions = 'Core', 'Desktop'
+ Author = 'Microsoft Corporation'
+ CompanyName = 'Microsoft Corporation'
+ Copyright = 'Microsoft Corporation. All rights reserved.'
+ Description = 'Microsoft Azure PowerShell: SecurityInsights cmdlets'
+ PowerShellVersion = '5.1'
+ DotNetFrameworkVersion = '4.7.2'
+ RequiredAssemblies = './bin/Az.SecurityInsights.private.dll'
+ FormatsToProcess = './Az.SecurityInsights.format.ps1xml'
+ FunctionsToExport = 'Get-AzSentinelAlertRule', 'Get-AzSentinelAlertRuleAction', 'Get-AzSentinelAlertRuleTemplate', 'Get-AzSentinelAutomationRule', 'Get-AzSentinelBookmark', 'Get-AzSentinelBookmarkRelation', 'Get-AzSentinelDataConnector', 'Get-AzSentinelEnrichment', 'Get-AzSentinelEntity', 'Get-AzSentinelEntityActivity', 'Get-AzSentinelEntityInsight', 'Get-AzSentinelEntityQuery', 'Get-AzSentinelEntityQueryTemplate', 'Get-AzSentinelEntityRelation', 'Get-AzSentinelEntityTimeline', 'Get-AzSentinelIncident', 'Get-AzSentinelIncidentAlert', 'Get-AzSentinelIncidentBookmark', 'Get-AzSentinelIncidentComment', 'Get-AzSentinelIncidentEntity', 'Get-AzSentinelIncidentRelation', 'Get-AzSentinelMetadata', 'Get-AzSentinelOnboardingState', 'Get-AzSentinelSetting', 'Get-AzSentinelThreatIntelligenceIndicator', 'Get-AzSentinelThreatIntelligenceIndicatorMetric', 'Invoke-AzSentinelThreatIntelligenceIndicatorQuery', 'New-AzSentinelAlertRule', 'New-AzSentinelAlertRuleAction', 'New-AzSentinelAutomationRule', 'New-AzSentinelBookmark', 'New-AzSentinelBookmarkRelation', 'New-AzSentinelDataConnector', 'New-AzSentinelEntityQuery', 'New-AzSentinelIncident', 'New-AzSentinelIncidentComment', 'New-AzSentinelIncidentRelation', 'New-AzSentinelIncidentTeam', 'New-AzSentinelOnboardingState', 'Remove-AzSentinelAlertRule', 'Remove-AzSentinelAlertRuleAction', 'Remove-AzSentinelAutomationRule', 'Remove-AzSentinelBookmark', 'Remove-AzSentinelBookmarkRelation', 'Remove-AzSentinelDataConnector', 'Remove-AzSentinelEntityQuery', 'Remove-AzSentinelIncident', 'Remove-AzSentinelIncidentComment', 'Remove-AzSentinelIncidentRelation', 'Remove-AzSentinelOnboardingState', 'Test-AzSentinelDataConnectorCheckRequirement', 'Update-AzSentinelAlertRule', 'Update-AzSentinelAlertRuleAction', 'Update-AzSentinelAutomationRule', 'Update-AzSentinelBookmark', 'Update-AzSentinelBookmarkRelation', 'Update-AzSentinelDataConnector', 'Update-AzSentinelEntityQuery', 'Update-AzSentinelIncident', 'Update-AzSentinelIncidentComment', 
'Update-AzSentinelIncidentRelation', 'Update-AzSentinelSetting', '*'
+ AliasesToExport = '*'
+ PrivateData = @{
+ PSData = @{
+ Tags = 'Azure', 'ResourceManager', 'ARM', 'PSModule', 'SecurityInsights'
+ LicenseUri = 'https://aka.ms/azps-license'
+ ProjectUri = 'https://github.com/Azure/azure-powershell'
+ ReleaseNotes = ''
+ }
+ }
+}
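Review bot: `FunctionsToExport` ends with `'*'` after the explicit cmdlet names, and `AliasesToExport` is `'*'`, so the manifest no longer narrows the public surface and anything the root module exports, helpers included, is exposed. Dropping the trailing `'*'` and listing aliases explicitly (or `AliasesToExport = @()` if none are intended) keeps the exported command set reviewable and lets PowerShell discover commands from the manifest without importing the module. If this manifest is emitted by the build tooling rather than edited by hand, the change belongs in the generator settings instead.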
diff --git a/src/SecurityInsights/README.md b/src/SecurityInsights/README.md
new file mode 100644
index 000000000000..c6b807fa6b06
--- /dev/null
+++ b/src/SecurityInsights/README.md
@@ -0,0 +1,345 @@
+
+# Az.SecurityInsights
+This directory contains the PowerShell module for the SecurityInsights service.
+
+---
+## Status
+[](https://www.powershellgallery.com/packages/Az.SecurityInsights/)
+
+## Info
+- Modifiable: yes
+- Generated: all
+- Committed: yes
+- Packaged: yes
+
+---
+## Detail
+This module was primarily generated via [AutoRest](https://github.com/Azure/autorest) using the [PowerShell](https://github.com/Azure/autorest.powershell) extension.
+
+## Module Requirements
+- [Az.Accounts module](https://www.powershellgallery.com/packages/Az.Accounts/), version 2.7.5 or greater
+
+## Authentication
+AutoRest does not generate authentication code for the module. Authentication is handled via Az.Accounts by altering the HTTP payload before it is sent.
+
+## Development
+For information on how to develop for `Az.SecurityInsights`, see [how-to.md](how-to.md).
+
+
+---
+## Generation Requirements
+Use of the beta version of `autorest.powershell` generator requires the following:
+- [NodeJS LTS](https://nodejs.org) (10.15.x LTS preferred)
+ - **Note**: It *will not work* with Node < 10.x. Using 11.x builds may cause issues as they may introduce instability or breaking changes.
+> If you want an easy way to install and update Node, [NVS - Node Version Switcher](../nodejs/installing-via-nvs.md) or [NVM - Node Version Manager](../nodejs/installing-via-nvm.md) is recommended.
+- [AutoRest](https://aka.ms/autorest) v3 beta
`npm install -g autorest@autorest`
+- PowerShell 6.0 or greater
+ - If you don't have it installed, you can use the cross-platform npm package
`npm install -g pwsh`
+- .NET Core SDK 2.0 or greater
+ - If you don't have it installed, you can use the cross-platform npm package
`npm install -g dotnet-sdk-2.2`
+
+## Run Generation
+In this directory, run AutoRest:
+> `autorest`
+
+---
+### AutoRest Configuration
+> see https://aka.ms/autorest
+
+``` yaml
+require:
+ - $(this-folder)/../readme.azure.noprofile.md
+# lock the commit
+branch: 59eb5a7f1d09d0be2b80b8497785ffa2d784b5b6
+
+input-file:
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AlertRules.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/AutomationRules.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Bookmarks.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Enrichment.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Entities.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/EntityQueries.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/EntityQueryTemplates.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Incidents.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Metadata.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/OfficeConsents.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/OnboardingStates.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Settings.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/SourceControls.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/ThreatIntelligence.json
+ #- $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/Watchlists.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/dataConnectors.json
+ - $(repo)/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2021-09-01-preview/operations.json
+
+module-version: 1.2.0
+title: SecurityInsights
+subject-prefix: Sentinel
+
+inlining-threshold: 50
+
+directive:
+ # Fixes/overrides to swaggers
+ # Fix to x-ms-enum when integer (https://github.com/Azure/autorest.powershell/issues/856)
+ - from: dataConnectors.json
+ where: $.definitions.Availability.properties.status
+ transform: >-
+ return {
+ "description": "The connector Availability Status",
+ "format": "int32",
+ "type": "integer",
+ "enum": [
+ 1
+ ]
+ }
+ # Customize
+ # Hide Operation API
+ - where:
+ subject: Operation
+ hide: true
+ # Hide OfficeConsent API
+ - where:
+ subject: OfficeConsent
+ hide: true
+ # Fix Action to be AlertRuleAction
+ - where:
+ subject: Action
+ set:
+ subject: AlertRuleAction
+ # Change Sets to Updates to match current module
+ - where:
+ verb: Set
+ set:
+ verb: Update
+ # fix subject name to encrichment
+ - where:
+ subject: DomainWhois
+ set:
+ subject: Enrichment
+ - where:
+ subject: IPGeodata
+ set:
+ subject: Enrichment
+ # Shorten to just Setting
+ - where:
+ subject: ProductSetting
+ set:
+ subject: Setting
+ # Fix subject Names
+ - where:
+ subject: EntitiesGetTimeline
+ set:
+ subject: EntityTimeline
+ - where:
+ subject: EntitiesRelation
+ set:
+ subject: EntityRelation
+ - where:
+ subject: QueryThreatIntelligenceIndicator
+ set:
+ subject: ThreatIntelligenceIndicatorQuery
+ # Change invoke as this is more a Get operation
+ - where:
+ verb: Invoke
+ subject: QueryEntity
+ set:
+ verb: Get
+ subject: EntityActivity
+ # Fix Update ThreatIntelligenceIndicator
+ - select: command
+ where:
+ verb: New
+ subject: ThreatIntelligenceIndicator
+ variant: CreateExpanded1
+ set:
+ verb: Update
+ variant: UpdateExpanded
+ - select: command
+ where:
+ verb: New
+ subject: ThreatIntelligenceIndicator
+ variant: CreateViaIdentity1
+ set:
+ verb: Update
+ variant: UpdateViaIdentity
+ - select: command
+ where:
+ verb: New
+ subject: ThreatIntelligenceIndicator
+ variant: CreateViaIdentityExpanded1
+ set:
+ verb: Update
+ variant: UpdateViaIdentityExpanded
+ - where:
+ subject: ThreatIntelligenceIndicatorQuery
+ variant: QueryViaIdentityExpanded
+ remove: true
+ # Fix Entity Insights
+ - where:
+ subject: EntityInsight
+ variant: ^Get$|^GetViaIdentity$
+ remove: true
+ # Fix Entity TimeLime
+ - where:
+ subject: EntityTimeline
+ variant: List
+ remove: true
+ # Rename Id for user expierence
+ - where:
+ subject: AlertRuleAction
+ parameter-name: Id
+ set:
+ alias: ActionId
+ - where:
+ subject: AlertRuleTemplate
+ parameter-name: Id
+ set:
+ alias: TemplateId
+ - where:
+ subject: AutomationRule
+ parameter-name: Id
+ set:
+ alias: AutomationRuleId
+ - where:
+ subject: Bookmark
+ parameter-name: Id
+ set:
+ alias: BookmarkId
+ - where:
+ subject: DataConnector
+ parameter-name: Id
+ set:
+ alias: DataConnectorId
+ - where:
+ subject: Entity
+ parameter-name: Id
+ set:
+ alias: EntityId
+ - where:
+ subject: Incident
+ parameter-name: Id
+ set:
+ alias: IncidentId
+ - where:
+ subject: IncidentComment
+ parameter-name: Id
+ set:
+ alias: IncidentCommentId
+ #Remove Enrichment
+ - where:
+ subject: ^Enrichment$
+ variant: ^GetViaIdenity$|^GetViaIdenity1$
+ remove: true
+ # Remove source control (requires OAUTH tokens)
+ - where:
+ subject: SourceControl
+ remove: true
+ #Custom Built Commands
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ hide: true
+ - where:
+ subject: ^AlertRule$|^DataConnector$|^EntityQuery$
+ variant: ^Create$|^CreateExpanded$|^Update$|^UpdateExpanded$|^UpdateViaIdentity$|^UpdateViaIdentityExpanded$
+ hide: true
+ - where:
+ verb: ^Update$|^Remove$
+ subject: Setting
+ hide: true
+ # Hide Etag as it isnt used
+ - where:
+ parameter-name: Etag
+ hide: true
+ # TI API not useful until API changes
+ - where:
+ verb: ^Add$|^New$|^Update$|^Remove$
+ subject: ThreatIntelligenceIndicator
+ hide: true
+ - where:
+ verb: ^Add$|^New$|^Update$|^Remove$
+ subject: ThreatIntelligenceIndicatorTag
+ hide: true
+ # CCP
+ - where:
+ verb: ^Connect$|^Disconnect$
+ subject: DataConnector
+ hide: true
+ # cmdlet review feedback
+ - where:
+ subject: Bookmark
+ parameter-name: Created|^CreatedByObjectId&|^Updated$|^UpdatedByObjectId$
+ hide: true
+ - where:
+ subject: DataConnector
+ parameter-name: SQSURLs
+ set:
+ parameter-name: SQSURL
+ - where:
+ subject: DataConnector
+ parameter-name: CommonDataServiceActivities
+ set:
+ parameter-name: CommonDataServiceActivity
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ set:
+ verb: Test
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ set:
+ subject: DataConnectorCheckRequirement
+ - where:
+ verb: Invoke
+ subject: DataConnectorsCheckRequirement
+ parameter-name: DataConnectorsCheckRequirement
+ set:
+ parameter-name: DataConnectorCheckRequirement
+ - where:
+ verb: New
+ subject: AlertRuleAction
+ variant: Create
+ hide: true
+ - where:
+ verb: New
+ subject: ^AlertRuleAction$|^AutomationRule$|^Bookmark$|^Incident$|^IncidentComment$|
+ parameter-name: Id
+ set:
+ default:
+ script: '(New-Guid).Guid'
+ - where:
+ verb: New
+ subject: ^BookmarkRelation$|^IncidentRelation$
+ parameter-name: RelationName
+ set:
+ default:
+ script: '(New-Guid).Guid'
+ # Hide Expand
+ - where:
+ verb: Expand
+ subject: ^Bookmark$|^Entity$
+ hide: true
+ - where:
+ verb: ^New$|^Update$|^Remove$
+ subject: Metadata
+ hide: true
+ # Hide Source Control
+ - where:
+ verb: Get
+ subject: SourceControlRepository
+ hide: true
+ # Hide UpdateViaId and Update
+ - where:
+ variant: ^Update$|^UpdateViaIdentity$
+ hide: true
+ # Remove the unexpanded parameter set
+ - where:
+ variant: ^Append$|^AppendViaIdentity$|^Connect$|^ConnectViaIdentity$|^CreateViaIdentity$|^CreateViaIdentityExpanded$|^Expand$|^ExpandViaIdentity$|^ExpandViaIdentityExpanded$|^GetViaIdentityExpanded$|^PostViaIdentity$|^Query$|^QueryViaIdentity$|^QueriesViaIdentity$|^Replace$|^ReplaceViaIdentity$
+ remove: true
+ # fix Equals that conflicts with inhertied property
+ - where:
+ enum-name: AutomationRulePropertyConditionSupportedOperator
+ enum-value-name: Equals
+ set:
+ enum-value-name: Equal
+```
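Review bot: Three `where` patterns in the directive block look mistyped, so those directives probably do not select what their comments describe. In the Bookmark entry under "cmdlet review feedback", `Created|^CreatedByObjectId&|^Updated$|^UpdatedByObjectId$` has an unanchored `Created` and a literal `&` where `$` was meant; the anchored form would be `^Created$|^CreatedByObjectId$|^Updated$|^UpdatedByObjectId$`. In the "Remove Enrichment" entry, `^GetViaIdenity$|^GetViaIdenity1$` misspells `Identity`, so the `remove: true` likely never applies. In the `New` entry that sets the `(New-Guid).Guid` default for `Id`, the subject pattern ends in a trailing `|`, an empty alternative that may match every subject depending on how the generator anchors it; dropping that final `|` restricts the default to the five listed subjects.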
diff --git a/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1
new file mode 100644
index 000000000000..eeb248cf1f2e
--- /dev/null
+++ b/src/SecurityInsights/custom/New-AzSentinelAlertRule.ps1
@@ -0,0 +1,682 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Creates or updates the alert rule.
+.Description
+Creates or updates the alert rule.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelalertrule
+#>
+function New-AzSentinelAlertRule {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])]
+ [CmdletBinding(DefaultParameterSetName = 'FusionMLTI', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter()]
+ #[Alias('RuleId')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')]
+ [System.String]
+ # The Id of the Rule.
+ ${RuleId},
+
+ [Parameter(Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertRuleKind]
+ # Kind of the the data connection
+ ${Kind},
+
+ [Parameter(ParameterSetName = 'FusionMLTI', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertRuleTemplate},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertRuleTemplateName},
+
+ [Parameter(ParameterSetName = 'FusionMLTI')]
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Enabled},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesFilter},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesExcludeFilter},
+
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName]
+ ${ProductFilter},
+
+ [Parameter(ParameterSetName = 'MicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]]
+ #High, Medium, Low, Informational
+ ${SeveritiesFilter},
+
+ [Parameter(ParameterSetName = 'NRT', Mandatory)]
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Query},
+
+ [Parameter(ParameterSetName = 'NRT', Mandatory)]
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayName},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${SuppressionDuration},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${SuppressionEnabled},
+
+ [Parameter(ParameterSetName = 'NRT', Mandatory)]
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity]
+ ${Severity},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ #[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic]
+ [System.String]
+ #InitialAccess, Execution, Persistence, PrivilegeEscalation, DefenseEvasion, CredentialAccess, Discovery, LateralMovement, Collection, Exfiltration, CommandAndControl, Impact, PreAttack
+ ${Tactic},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${CreateIncident},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${GroupingConfigurationEnabled},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${ReOpenClosedIncident},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${LookbackDuration},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '"AllEntities"')]
+ [ValidateSet('AllEntities', 'AnyAlert', 'Selected')]
+ [System.String]
+ ${MatchingMethod},
+
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail]
+ ${GroupByAlertDetail},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [string[]]
+ ${GroupByCustomDetail},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]
+ ${GroupByEntity},
+
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping]
+ ${EntityMapping},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDescriptionFormat},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDisplayNameFormat},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertSeverityColumnName},
+
+ [Parameter(ParameterSetName = 'NRT')]
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertTacticsColumnName},
+
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryFrequency},
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryPeriod},
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator]
+ ${TriggerOperator},
+
+ [Parameter(ParameterSetName = 'Scheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [int]
+ ${TriggerThreshold},
+
+ [Parameter(ParameterSetName = 'Scheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind]
+ ${EventGroupingSettingAggregationKind},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ #Fusion
+ if ($PSBoundParameters['Kind'] -eq 'Fusion'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.FusionAlertRule]::new()
+
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplate')
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+ }
+ #MSIC
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftSecurityIncidentCreation'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MicrosoftSecurityIncidentCreationAlertRule]::new()
+
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['DisplayNamesFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesFilter')
+ }
+
+ If($PSBoundParameters['DisplayNamesExcludeFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesExcludeFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesExcludeFilter')
+ }
+
+ $AlertRule.ProductFilter = $PSBoundParameters['ProductFilter']
+ $null = $PSBoundParameters.Remove('ProductFilter')
+
+ If($PSBoundParameters['SeveritiesFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['SeveritiesFilter']
+ $null = $PSBoundParameters.Remove('SeveritiesFilter')
+ }
+ }
+ #ML
+ if ($PSBoundParameters['Kind'] -eq 'MLBehaviorAnalytics'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MlBehaviorAnalyticsAlertRule]::new()
+
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplate')
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+ }
+
+ #NRT
+ if($PSBoundParameters['Kind'] -eq 'NRT'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.NrtAlertRule]::new()
+
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $PSBoundParameters['SuppressionEnabled']
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['CreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $PSBoundParameters['CreateIncident']
+ $null = $PSBoundParameters.Remove('CreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['GroupingConfigurationEnabled']){
+ $AlertRule.GroupingConfigurationEnabled = $PSBoundParameters['GroupingConfigurationEnabled']
+ $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident']
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ }
+ #Scheduled
+ if ($PSBoundParameters['Kind'] -eq 'Scheduled'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ScheduledAlertRule]::new()
+
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.Enabled = $false
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Description = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $PSBoundParameters['SuppressionEnabled']
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['CreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $PSBoundParameters['CreateIncident']
+ $null = $PSBoundParameters.Remove('CreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['GroupingConfigurationEnabled']){
+ $AlertRule.GroupingConfigurationEnabled = $PSBoundParameters['GroupingConfigurationEnabled']
+ $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident']
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ $AlertRule.QueryFrequency = $PSBoundParameters['QueryFrequency']
+ $null = $PSBoundParameters.Remove('QueryFrequency')
+
+ $AlertRule.QueryPeriod = $PSBoundParameters['QueryPeriod']
+ $null = $PSBoundParameters.Remove('QueryPeriod')
+
+ $AlertRule.TriggerOperator = $PSBoundParameters['TriggerOperator']
+ $null = $PSBoundParameters.Remove('TriggerOperator')
+
+ $AlertRule.TriggerThreshold = $PSBoundParameters['TriggerThreshold']
+ $null = $PSBoundParameters.Remove('TriggerThreshold')
+
+ If($PSBoundParameters['EventGroupingSettingAggregationKind']){
+ $AlertRule.EventGroupingSettingAggregationKind = $PSBoundParameters['EventGroupingSettingAggregationKind']
+ $null = $PSBoundParameters.Remove('EventGroupingSettingAggregationKind')
+ }
+ }
+ #TI
+ if ($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){
+ $AlertRule = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ThreatIntelligenceAlertRule]::new()
+
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplate']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplate')
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else {
+ $AlertRule.Enabled = $false
+ }
+ }
+
+ $null = $PSBoundParameters.Remove('FusionMLTI')
+
+ $AlertRule.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Add('AlertRule', $AlertRule)
+
+ Az.SecurityInsights.internal\New-AzSentinelAlertRule @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1
new file mode 100644
index 000000000000..763da72ef0f7
--- /dev/null
+++ b/src/SecurityInsights/custom/New-AzSentinelDataConnector.ps1
@@ -0,0 +1,707 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Creates or updates the data connector.
+.Description
+Creates or updates the data connector.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentineldataconnector
+#>
+function New-AzSentinelDataConnector {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])]
+ [CmdletBinding(DefaultParameterSetName = 'AADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')]
+ [System.String]
+ # The Id of the Data Connector.
+ ${Id},
+
+ [Parameter(Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind]
+ # Kind of the the data connection
+ ${Kind},
+
+ [Parameter(ParameterSetName = 'AADAATP')]
+ [Parameter(ParameterSetName = 'Dynamics365')]
+ [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'MicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'MicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'Office365')]
+ [Parameter(ParameterSetName = 'OfficeATP')]
+ [Parameter(ParameterSetName = 'OfficeIRM')]
+ [Parameter(ParameterSetName = 'ThreatIntelligence')]
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')]
+ [System.String]
+ # The TenantId.
+ ${TenantId},
+
+ [Parameter(ParameterSetName = 'AzureSecurityCenter', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ # ASC Subscription Id.
+ ${ASCSubscriptionId},
+
+ [Parameter(ParameterSetName = 'AADAATP')]
+ [Parameter(ParameterSetName = 'AzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'MicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'OfficeATP')]
+ [Parameter(ParameterSetName = 'OfficeIRM')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Alerts},
+
+ [Parameter(ParameterSetName = 'Dynamics365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${CommonDataServiceActivity},
+
+ [Parameter(ParameterSetName = 'MicrosoftCloudAppSecurity')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DiscoveryLog},
+
+ [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${BingSafetyPhishingURL},
+
+ [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${BingSafetyPhishingUrlLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeed},
+
+ [Parameter(ParameterSetName = 'MicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeedLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'MicrosoftThreatProtection')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Incident},
+
+ [Parameter(ParameterSetName = 'Office365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Exchange},
+
+ [Parameter(ParameterSetName = 'Office365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${SharePoint},
+
+ [Parameter(ParameterSetName = 'Office365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Teams},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Indicator},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${WorkspaceId},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${FriendlyName},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${APIRootURL},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${CollectionId},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UserName},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Password},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${TaxiiLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'ThreatIntelligenceTaxii', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency]
+ ${PollingFrequency},
+
+ [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AWSRoleArn},
+
+ [Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Log},
+
+ [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [String[]]
+ ${SQSURL},
+
+ [Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DetinationTable},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigTitle},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigPublisher},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigDescriptionMarkdown},
+
+ [Parameter(ParameterSetName = 'GenericUI')]
+ #[Parameter(ParameterSetName = 'APIPolling')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigCustomImage},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigGraphQueriesTableName},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]]
+ ${UiConfigGraphQuery},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]]
+ ${UiConfigSampleQuery},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]]
+ ${UiConfigDataType},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]]
+ ${UiConfigConnectivityCriterion},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Bool]
+ ${AvailabilityIsPreview},
+
+ [Parameter(ParameterSetName = 'GenericUI')]
+ #[Parameter(ParameterSetName = 'APIPolling')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 1)]
+ [Int]
+ ${AvailabilityStatus},
+
+ [Parameter(ParameterSetName = 'GenericUI')]
+ #[Parameter(ParameterSetName = 'APIPolling')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]]
+ ${PermissionResourceProvider},
+
+ [Parameter(ParameterSetName = 'GenericUI')]
+ #[Parameter(ParameterSetName = 'APIPolling')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]]
+ ${PermissionCustom},
+
+ [Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'APIPolling', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]]
+ ${UiConfigInstructionStep},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Alerts']){
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Alerts']){
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'Dynamics365'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365DataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['CommonDataServiceActivity']){
+ $DataConnector.Dynamics365CdActivityState = $PSBoundParameters['CommonDataServiceActivity']
+ $null = $PSBoundParameters.Remove('CommonDataServiceActivity')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.McasDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Alerts']){
+ $DataConnector.DataTypeAlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+
+ If($PSBoundParameters['DiscoveryLog']){
+ $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLog']
+ $null = $PSBoundParameters.Remove('DiscoveryLog')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MdatpDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Alerts']){
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MstiDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['BingSafetyPhishingURL']){
+ $DataConnector.BingSafetyPhishingUrlState = $PSBoundParameters['BingSafetyPhishingURL']
+ $null = $PSBoundParameters.Remove('BingSafetyPhishingURL')
+ }
+
+ If($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod']){
+ if($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneDay'){
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneWeek') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneMonth') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'All') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+ $null = $PSBoundParameters.Remove('BingSafetyPhishingUrlLookbackPeriod')
+ }
+ else{
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+
+ If($PSBoundParameters['MicrosoftEmergingThreatFeed']){
+ $DataConnector.MicrosoftEmergingThreatFeedState = $PSBoundParameters['MicrosoftEmergingThreatFeed']
+ $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeed')
+ }
+
+ If($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod']){
+ if($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneDay'){
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneWeek') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneMonth') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'All') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+ $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeedLookbackPeriod')
+ }
+ else{
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+ }
+
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatProtection'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Incident']){
+ $DataConnector.IncidentState = $PSBoundParameters['Incident']
+ $null = $PSBoundParameters.Remove('Incident')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'Office365'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Exchange']){
+ $DataConnector.ExchangeState = $PSBoundParameters['Exchange']
+ $null = $PSBoundParameters.Remove('Exchange')
+ }
+
+ If($PSBoundParameters['SharePoint']){
+ $DataConnector.SharePointState = $PSBoundParameters['SharePoint']
+ $null = $PSBoundParameters.Remove('SharePoint')
+ }
+
+ If($PSBoundParameters['Teams']){
+ $DataConnector.TeamState = $PSBoundParameters['Teams']
+ $null = $PSBoundParameters.Remove('Teams')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'OfficeATP'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeAtpDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Alerts']){
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ If($PSBoundParameters['Alerts']){
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ $DataConnector.TipLookbackPeriod = "1970-01-01T00:00:00.000Z"
+
+ If($PSBoundParameters['Indicator']){
+ $DataConnector.IndicatorState = $PSBoundParameters['Indicator']
+ $null = $PSBoundParameters.Remove('Indicator')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiDataConnector]::new()
+
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+
+ $DataConnector.FriendlyName = $PSBoundParameters['FriendlyName']
+ $null = $PSBoundParameters.Remove('FriendlyName')
+
+ $DataConnector.TaxiiServer = $PSBoundParameters['APIRootURL']
+ $null = $PSBoundParameters.Remove('APIRootURL')
+
+ $DataConnector.CollectionId = $PSBoundParameters['CollectionId']
+ $null = $PSBoundParameters.Remove('CollectionId')
+
+ If($PSBoundParameters['UserName']){
+ $DataConnector.UserName = $PSBoundParameters['UserName']
+ $null = $PSBoundParameters.Remove('UserName')
+ }
+
+ If($PSBoundParameters['Password']){
+ $DataConnector.Password = $PSBoundParameters['Password']
+ $null = $PSBoundParameters.Remove('Password')
+ }
+
+ $DataConnector.WorkspaceId = $PSBoundParameters['WorkspaceId']
+ $null = $PSBoundParameters.Remove('WorkspaceId')
+
+
+ if($PSBoundParameters['PollingFrequency'] -eq 'OnceADay'){
+ $DataConnector.PollingFrequency = "OnceADay"
+ }
+ elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAMinute') {
+ $DataConnector.PollingFrequency = "OnceAMinute"
+ }
+ elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAnHour') {
+ $DataConnector.PollingFrequency = "OnceAnHour"
+ }
+ $null = $PSBoundParameters.Remove('PollingFrequency')
+
+ }
+
+ if($PSBoundParameters['Kind'] -eq 'AzureSecurityCenter'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AscDataConnector]::new()
+
+ $DataConnector.SubscriptionId = $PSBoundParameters['ASCSubscriptionId']
+ $null = $PSBoundParameters.Remove('ASCSubscriptionId')
+
+ If($PSBoundParameters['Alerts']){
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesCloudTrail'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new()
+
+ $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn']
+ $null = $PSBoundParameters.Remove('AWSRoleArn')
+
+ If($PSBoundParameters['Log']){
+ $DataConnector.LogState = $PSBoundParameters['Log']
+ $null = $PSBoundParameters.Remove('Log')
+ }
+ }
+ if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AwsCloudTrailDataConnector]::new()
+
+ $DataConnector.RoleArn = $PSBoundParameters['AWSRoleArn']
+ $null = $PSBoundParameters.Remove('AWSRoleArn')
+
+ If($PSBoundParameters['Log']){
+ $DataConnector.LogState = $PSBoundParameters['Log']
+ $null = $PSBoundParameters.Remove('Log')
+ }
+
+ $DataConnector.SqsUrl = $PSBoundParameters['SQSURL']
+ $null = $PSBoundParameters.Remove('SQSURL')
+
+ $DataConnector.DestinationTable = $PSBoundParameters['DetinationTable']
+ $null = $PSBoundParameters.Remove('DetinationTable')
+ }
+ if($PSBoundParameters['Kind'] -eq 'GenericUI'){
+ $DataConnector = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CodelessUiDataConnector]::new()
+
+ $DataConnector.ConnectorUiConfigTitle = $PSBoundParameters['UiConfigTitle']
+ $null = $PSBoundParameters.Remove('UiConfigTitle')
+
+ $DataConnector.ConnectorUiConfigPublisher = $PSBoundParameters['UiConfigPublisher']
+ $null = $PSBoundParameters.Remove('UiConfigPublisher')
+
+ $DataConnector.ConnectorUiConfigDescriptionMarkdown = $PSBoundParameters['UiConfigDescriptionMarkdown']
+ $null = $PSBoundParameters.Remove('UiConfigDescriptionMarkdown')
+
+ If($PSBoundParameters['UiConfigCustomImage']){
+ $DataConnector.ConnectorUiConfigCustomImage = $PSBoundParameters['UiConfigCustomImage']
+ $null = $PSBoundParameters.Remove('UiConfigCustomImage')
+ }
+
+ $DataConnector.ConnectorUiConfigGraphQueriesTableName = $PSBoundParameters['UiConfigGraphQueriesTableName']
+ $null = $PSBoundParameters.Remove('UiConfigGraphQueriesTableName')
+
+ $DataConnector.ConnectorUiConfigGraphQuery = $PSBoundParameters['UiConfigGraphQuery']
+ $null = $PSBoundParameters.Remove('UiConfigGraphQuery')
+
+ $DataConnector.ConnectorUiConfigSampleQuery = $PSBoundParameters['UiConfigSampleQuery']
+ $null = $PSBoundParameters.Remove('UiConfigSampleQuery')
+
+ $DataConnector.ConnectorUiConfigDataType = $PSBoundParameters['UiConfigDataType']
+ $null = $PSBoundParameters.Remove('UiConfigDataType')
+
+ $DataConnector.ConnectorUiConfigConnectivityCriterion = $PSBoundParameters['UiConfigConnectivityCriterion']
+ $null = $PSBoundParameters.Remove('UiConfigConnectivityCriterion')
+
+ $DataConnector.AvailabilityIsPreview = $PSBoundParameters['AvailabilityIsPreview']
+ $null = $PSBoundParameters.Remove('AvailabilityIsPreview')
+
+ If($PSBoundParameters['AvailabilityStatus']){
+ $DataConnector.AvailabilityStatus = $PSBoundParameters['AvailabilityStatus']
+ $null = $PSBoundParameters.Remove('AvailabilityStatus')
+ }
+
+ If($PSBoundParameters['PermissionResourceProvider']){
+ $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionResourceProvider']
+ $null = $PSBoundParameters.Remove('PermissionResourceProvider')
+ }
+ ElseIf($PSBoundParameters['PermissionCustom']){
+ $DataConnector.AvailabilityStatus = $PSBoundParameters['PermissionCustom']
+ $null = $PSBoundParameters.Remove('PermissionCustom')
+ }
+ Else {
+ Write-Host -ForegroundColor Red "You must provide either a Resource Provider Permission or Custom Permissions"
+ break
+ }
+
+ $DataConnector.ConnectorUiConfigInstructionStep = $PSBoundParameters['UiConfigInstructionStep']
+ $null = $PSBoundParameters.Remove('UiConfigInstructionStep')
+
+ }
+
+ $DataConnector.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Remove('DataConnector')
+ $null = $PSBoundParameters.Add('DataConnector', $DataConnector)
+
+ Az.SecurityInsights.internal\New-AzSentinelDataConnector @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1
new file mode 100644
index 000000000000..ea63da0336f0
--- /dev/null
+++ b/src/SecurityInsights/custom/New-AzSentinelEntityQuery.ps1
@@ -0,0 +1,216 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Creates or updates the entity query.
+.Description
+Creates or updates the entity query.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/new-azsentinelentityquery
+#>
+function New-AzSentinelEntityQuery {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])]
+ [CmdletBinding(DefaultParameterSetName = 'Activity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(Mandatory)]
+ #[Alias('DataConnectionName')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(New-Guid).Guid')]
+ [System.String]
+ # The Id of the Entity Query.
+ ${Id},
+
+ [Parameter(Mandatory)]
+ [ArgumentCompleter( { param ( $CommandName, $EntityQueryName, $WordToComplete, $CommandAst, $FakeBoundParameters ) return @('Activity') })]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityQueryKind]
+ # Kind of the the Entity Query
+ ${Kind},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Title},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Content},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${QueryDefinitionQuery},
+
+ [Parameter(ParameterSetName = 'Activity', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType]
+ ${InputEntityType},
+
+ [Parameter(ParameterSetName = 'Activity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [String[]]
+ ${RequiredInputFieldsSet},
+
+ [Parameter(ParameterSetName = 'Activity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter]
+ ${EntitiesFilter},
+
+ [Parameter(ParameterSetName = 'Activity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${TemplateName},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+
+ if ($PSBoundParameters['Kind'] -eq 'Activity'){
+ $EntityQuery = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityCustomEntityQuery]::new()
+
+ $EntityQuery.Title = $PSBoundParameters['Title']
+ $null = $PSBoundParameters.Remove('Title')
+
+ $EntityQuery.Content = $PSBoundParameters['Content']
+ $null = $PSBoundParameters.Remove('Content')
+
+ $EntityQuery.Description = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+
+ $EntityQuery.QueryDefinitionQuery = $PSBoundParameters['QueryDefinitionQuery']
+ $null = $PSBoundParameters.Remove('QueryDefinitionQuery')
+
+ $EntityQuery.InputEntityType = $PSBoundParameters['InputEntityType']
+ $null = $PSBoundParameters.Remove('InputEntityType')
+
+ If($PSBoundParameters['RequiredInputFieldsSet']){
+ $EntityQuery.RequiredInputFieldsSet = $PSBoundParameters['RequiredInputFieldsSet']
+ $null = $PSBoundParameters.Remove('RequiredInputFieldsSet')
+ }
+
+ If($PSBoundParameters['EntitiesFilter']){
+ $EntityQuery.EntitiesFilter = $PSBoundParameters['EntitiesFilter']
+ $null = $PSBoundParameters.Remove('EntitiesFilter')
+ }
+
+ If($PSBoundParameters['TemplateName']){
+ $EntityQuery.TemplateName = $PSBoundParameters['TemplateName']
+ $null = $PSBoundParameters.Remove('TemplateName')
+ }
+ }
+ else {
+ Write-Error "This cmdlet only works with Entity Queries of the Activity kind."
+ break
+ }
+
+ #$EntityQuery.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Add('EntityQuery', $EntityQuery)
+
+ Az.SecurityInsights.internal\New-AzSentinelEntityQuery @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
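Review bot: The `else` branch near the end of the `process` block reports an unsupported kind with `Write-Error` followed by `break`, but `break` outside a loop, `switch` or `trap` does not return from the function. PowerShell looks up the call stack for an enclosing loop, so this can exit a loop in the caller's script or quietly stop the caller, and nothing reaches the surrounding `catch`. Replacing both lines with `throw "This cmdlet only works with Entity Queries of the Activity kind."` keeps the message and gives callers a terminating error they can handle. Separately, the optional values are tested by truthiness (`If($PSBoundParameters['TemplateName'])`), so an explicitly passed empty value stays in `$PSBoundParameters` and is splatted to the internal cmdlet, which presumably does not declare it. `$PSBoundParameters.ContainsKey('TemplateName')` avoids that, and the same applies to `RequiredInputFieldsSet` and `EntitiesFilter`.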
diff --git a/src/SecurityInsights/custom/README.md b/src/SecurityInsights/custom/README.md
new file mode 100644
index 000000000000..403330afa28c
--- /dev/null
+++ b/src/SecurityInsights/custom/README.md
@@ -0,0 +1,41 @@
+# Custom
+This directory contains custom implementation for non-generated cmdlets for the `Az.SecurityInsights` module. Both scripts (`.ps1`) and C# files (`.cs`) can be implemented here. They will be used during the build process in `build-module.ps1`, and create cmdlets into the `../exports` folder. The only generated file into this folder is the `Az.SecurityInsights.custom.psm1`. This file should not be modified.
+
+## Info
+- Modifiable: yes
+- Generated: partial
+- Committed: yes
+- Packaged: yes
+
+## Details
+For `Az.SecurityInsights` to use custom cmdlets, it does this two different ways. We **highly recommend** creating script cmdlets, as they are easier to write and allow access to the other exported cmdlets. C# cmdlets *cannot access exported cmdlets*.
+
+For C# cmdlets, they are compiled with the rest of the generated low-level cmdlets into the `./bin/Az.SecurityInsights.private.dll`. The names of the cmdlets (methods) and files must follow the `[cmdletName]_[variantName]` syntax used for generated cmdlets. The `variantName` is used as the `ParameterSetName`, so use something appropriate that doesn't clash with already created variant or parameter set names. You cannot use the `ParameterSetName` property in the `Parameter` attribute on C# cmdlets. Each cmdlet must be separated into variants using the same pattern as seen in the `generated/cmdlets` folder.
+
+For script cmdlets, these are loaded via the `Az.SecurityInsights.custom.psm1`. Then, during the build process, this module is loaded and processed in the same manner as the C# cmdlets. The fundamental difference is the script cmdlets use the `ParameterSetName` attribute and C# cmdlets do not. To create a script cmdlet variant of a generated cmdlet, simply decorate all parameters in the script with the new `ParameterSetName` in the `Parameter` attribute. This will appropriately treat each parameter set as a separate variant when processed to be exported during the build.
+
+## Purpose
+This allows the modules to have cmdlets that were not defined in the REST specification. It also allows combining logic using generated cmdlets. This is a level of customization beyond what can be done using the [readme configuration options](https://github.com/Azure/autorest/blob/master/docs/powershell/options.md) that are currently available. These custom cmdlets are then referenced by the cmdlets created at build-time in the `../exports` folder.
+
+## Usage
+The easiest way currently to start developing custom cmdlets is to copy an existing cmdlet. For C# cmdlets, copy one from the `generated/cmdlets` folder. For script cmdlets, build the project using `build-module.ps1` and copy one of the scripts from the `../exports` folder. After that, if you want to add new parameter sets, follow the guidelines in the `Details` section above. For implementing a new cmdlets, at minimum, please keep these parameters:
+- Break
+- DefaultProfile
+- HttpPipelineAppend
+- HttpPipelinePrepend
+- Proxy
+- ProxyCredential
+- ProxyUseDefaultCredentials
+
+These provide functionality to our HTTP pipeline and other useful features. In script, you can forward these parameters using `$PSBoundParameters` to the other cmdlets you're calling within `Az.SecurityInsights`. For C#, follow the usage seen in the `ProcessRecordAsync` method.
+
+### Attributes
+For processing the cmdlets, we've created some additional attributes:
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DescriptionAttribute`
+ - Used in C# cmdlets to provide a high-level description of the cmdlet. This is propagated to reference documentation via [help comments](https://docs.microsoft.com/powershell/module/microsoft.powershell.core/about/about_comment_based_help) in the exported scripts.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.DoNotExportAttribute`
+ - Used in C# and script cmdlets to suppress creating an exported cmdlet at build-time. These cmdlets will *not be exposed* by `Az.SecurityInsights`.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.InternalExportAttribute`
+ - Used in C# cmdlets to route exported cmdlets to the `../internal`, which are *not exposed* by `Az.SecurityInsights`. For more information, see [README.md](../internal/README.md) in the `../internal` folder.
+- `Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.ProfileAttribute`
+ - Used in C# and script cmdlets to define which Azure profiles the cmdlet supports. This is only supported for Azure (`--azure`) modules.
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1 b/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1
new file mode 100644
index 000000000000..97e1b698a2d2
--- /dev/null
+++ b/src/SecurityInsights/custom/Test-AzSentinelDataConnectorCheckRequirement.ps1
@@ -0,0 +1,219 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Get requirements state for a data connector type.
+.Description
+Get requirements state for a data connector type.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/test-azsentineldataconnectorcheckrequirement
+#>
+function Test-AzSentinelDataConnectorCheckRequirement {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnectorsCheckRequirements])]
+ [CmdletBinding(DefaultParameterSetName = 'AADTenant', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(Mandatory)]
+ #[Alias('DataConnectionName')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataConnectorKind]
+ # Kind of the the data connection
+ ${Kind},
+
+
+ [Parameter(ParameterSetName = 'AADTenant')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')]
+ [System.String]
+ # The TenantId.
+ ${TenantId},
+
+ [Parameter(ParameterSetName = 'AzureSecurityCenter', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ # ASC Subscription Id.
+ ${ASCSubscriptionId},
+
+ #[Parameter(ParameterSetName = 'AmazonWebServicesCloudTrail', Mandatory)]
+ #[Parameter(ParameterSetName = 'AmazonWebServicesS3', Mandatory)]
+ #[Parameter(ParameterSetName = 'GenericUI', Mandatory)]
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+
+ if ($PSBoundParameters['Kind'] -eq 'AzureActiveDirectory'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AadCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'AzureAdvancedThreatProtection'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AatpCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'Dynamics365'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Dynamics365CheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftCloudAppSecurity'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MCASCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftDefenderAdvancedThreatProtection'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MDATPCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatIntelligence'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MSTICheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'MicrosoftThreatProtection'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.MtpCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ #if($PSBoundParameters['Kind'] -eq 'Office365'){
+ # $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Office365CheckRequirements]::new()
+ # $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ # $null = $PSBoundParameters.Remove('TenantId')
+ #}
+ if($PSBoundParameters['Kind'] -eq 'OfficeATP'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeATPCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'OfficeIRM'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.OfficeIrmCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'ThreatIntelligence'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TICheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ if($PSBoundParameters['Kind'] -eq 'ThreatIntelligenceTaxii'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.TiTaxiiCheckRequirements]::new()
+ $DataConnectorCheckRequirement.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ if($PSBoundParameters['Kind'] -eq 'AzureSecurityCenter'){
+ $DataConnectorCheckRequirement = [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ASCCheckRequirements]::new()
+ $DataConnectorCheckRequirement.SubscriptionId = $PSBoundParameters['ASCSubscriptionId']
+ $null = $PSBoundParameters.Remove('ASCSubscriptionId')
+ }
+ #if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesCloudTrail'){}
+ #if($PSBoundParameters['Kind'] -eq 'AmazonWebServicesS3'){}
+ #if($PSBoundParameters['Kind'] -eq 'GenericUI'){}
+
+ $DataConnectorCheckRequirement.Kind = $PSBoundParameters['Kind']
+ $null = $PSBoundParameters.Remove('Kind')
+
+ $null = $PSBoundParameters.Add('DataConnectorCheckRequirement', $DataConnectorCheckRequirement)
+
+ Az.SecurityInsights.internal\Test-AzSentinelDataConnectorCheckRequirement @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
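Review bot: When `Kind` is one of the values whose branch is commented out (`Office365`, `AmazonWebServicesCloudTrail`, `AmazonWebServicesS3`, `GenericUI`), no branch in the `process` block assigns `$DataConnectorCheckRequirement` before `$DataConnectorCheckRequirement.Kind = $PSBoundParameters['Kind']` runs. The `Kind` parameter presumably still accepts these values, since it is typed as the full `DataConnectorKind`. The caller then gets a null-property assignment error instead of a clear message, or, because PowerShell variables are dynamically scoped, a same-named variable from a calling scope could be picked up and sent. I would add `$DataConnectorCheckRequirement = $null` as the first statement of the `try`, and before the `Kind` assignment add `if ($null -eq $DataConnectorCheckRequirement) { throw "Kind '$($PSBoundParameters['Kind'])' is not supported by Test-AzSentinelDataConnectorCheckRequirement." }`.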
diff --git a/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1 b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
new file mode 100644
index 000000000000..7f7f7334efef
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelAlertRule.ps1
@@ -0,0 +1,832 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Updates the alert rule.
+.Description
+Updates the alert rule.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/Update-azsentinelalertrule
+#>
+function Update-AzSentinelAlertRule {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.AlertRule])]
+ [CmdletBinding(DefaultParameterSetName = 'UpdateScheduled', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ #[Alias('RuleId')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of Operational Insights Resource Provider.
+ ${RuleId},
+
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled', Mandatory, ValueFromPipeline)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity]
+ # Identity Parameter
+ # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+ ${InputObject},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${FusionMLorTI},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${MicrosoftSecurityIncidentCreation},
+
+ [Parameter(ParameterSetName = 'UpdateNRT', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${NRT},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${Scheduled},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertRuleTemplateName},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Enabled},
+
+ [Parameter(ParameterSetName = 'UpdateFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityFusionMLTI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Disabled},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesFilter},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayNamesExcludeFilter},
+
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.MicrosoftSecurityProductName]
+ ${ProductFilter},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftSecurityIncidentCreation')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftSecurityIncidentCreation')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity[]]
+ #High, Medium, Low, Informational
+ ${SeveritiesFilter},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Query},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DisplayName},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${SuppressionDuration},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${SuppressionEnabled},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertSeverity]
+ ${Severity},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AttackTactic]
+ [System.String]
+ ${Tactic},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${CreateIncident},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${GroupingConfigurationEnabled},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${ReOpenClosedIncident},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 'New-TimeSpan -Hours 5')]
+ [System.TimeSpan]
+ ${LookbackDuration},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '"AllEntities"')]
+ [ValidateSet('AllEntities', 'AnyAlert', 'Selected')]
+ [System.String]
+ ${MatchingMethod},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.AlertDetail]
+ ${GroupByAlertDetail},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [string[]]
+ ${GroupByCustomDetail},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityMappingType]
+ ${GroupByEntity},
+
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ #'Account', 'Host', 'IP', 'Malware', 'File', 'Process', 'CloudApplication', 'DNS', 'AzureResource', 'FileHash', 'RegistryKey', 'RegistryValue', 'SecurityGroup', 'URL', 'Mailbox', 'MailCluster', 'MailMessage', 'SubmissionMail'
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.EntityMapping]
+ ${EntityMapping},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDescriptionFormat},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertDisplayNameFormat},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertSeverityColumnName},
+
+ [Parameter(ParameterSetName = 'UpdateNRT')]
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityNRT')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AlertTacticsColumnName},
+
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryFrequency},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.TimeSpan]
+ ${QueryPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.TriggerOperator]
+ ${TriggerOperator},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [int]
+ ${TriggerThreshold},
+
+ [Parameter(ParameterSetName = 'UpdateScheduled')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityUpdateScheduled')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EventGroupingAggregationKind]
+ ${EventGroupingSettingAggregationKind},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ $null = $PSBoundParameters.Remove('FusionMLorTI')
+ $null = $PSBoundParameters.Remove('MicrosoftSecurityIncidentCreation')
+ $null = $PSBoundParameters.Remove('NRT')
+ $null = $PSBoundParameters.Remove('Scheduled')
+ #Handle Get
+ $GetPSBoundParameters = @{}
+ if($PSBoundParameters['InputObject']){
+ $GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject'])
+ }
+ else {
+ $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName'])
+ $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName'])
+ $GetPSBoundParameters.Add('RuleId', $PSBoundParameters['RuleId'])
+ }
+ $AlertRule = Az.SecurityInsights\Get-AzSentinelAlertRule @GetPSBoundParameters
+
+ #Fusion
+ if ($AlertRule.Kind -eq 'Fusion'){
+ If($PSBoundParameters['AlertTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ if($PSBoundParameters['Disabled']) {
+ $AlertRule.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+ }
+ #MSIC
+ if($AlertRule.Kind -eq 'MicrosoftSecurityIncidentCreation'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ if($PSBoundParameters['Disabled']) {
+ $AlertRule.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['DisplayNamesFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesFilter')
+ }
+
+ If($PSBoundParameters['DisplayNamesExcludeFilter']){
+ $AlertRule.Enabled = $PSBoundParameters['DisplayNamesExcludeFilter']
+ $null = $PSBoundParameters.Remove('DisplayNamesExcludeFilter')
+ }
+
+ If($PSBoundParameters['ProductFilter']){
+ $AlertRule.ProductFilter = $PSBoundParameters['ProductFilter']
+ $null = $PSBoundParameters.Remove('ProductFilter')
+ }
+
+ If($PSBoundParameters['SeveritiesFilter']){
+ $Parameter.Enabled = $PSBoundParameters['SeveritiesFilter']
+ $null = $PSBoundParameters.Remove('SeveritiesFilter')
+ }
+ }
+ #ML
+ if ($AlertRule.Kind -eq 'MLBehaviorAnalytics'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ if($PSBoundParameters['Disabled']) {
+ $AlertRule.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+ }
+
+ #NRT
+ if($AlertRule.Kind -eq 'NRT'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.Enabled = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ if($PSBoundParameters['Disabled']) {
+ $AlertRule.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['Query']){
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+ }
+
+ If($PSBoundParameters['DisplayName']){
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+ }
+
+ If($PSBoundParameters['SuppressionDuration']){
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+ }
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $true
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ If($PSBoundParameters['Severity']){
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+ }
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['IncidentConfigurationCreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $true
+ $null = $PSBoundParameters.Remove('IncidentConfigurationCreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.GroupingConfigurationEnabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $true
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+ }
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ }
+ #Scheduled
+ if ($AlertRule.Kind -eq 'Scheduled'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.Enabled = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ if($PSBoundParameters['Disabled']) {
+ $AlertRule.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+
+ If($PSBoundParameters['Description']){
+ $AlertRule.Enabled = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['Query']){
+ $AlertRule.Query = $PSBoundParameters['Query']
+ $null = $PSBoundParameters.Remove('Query')
+ }
+
+ If($PSBoundParameters['DisplayName']){
+ $AlertRule.DisplayName = $PSBoundParameters['DisplayName']
+ $null = $PSBoundParameters.Remove('DisplayName')
+ }
+
+ If($PSBoundParameters['SuppressionDuration']){
+ $AlertRule.SuppressionDuration = $PSBoundParameters['SuppressionDuration']
+ $null = $PSBoundParameters.Remove('SuppressionDuration')
+ }
+
+ If($PSBoundParameters['SuppressionEnabled']){
+ $AlertRule.SuppressionEnabled = $true
+ $null = $PSBoundParameters.Remove('SuppressionEnabled')
+ }
+ else{
+ $AlertRule.SuppressionEnabled = $false
+ }
+
+ If($PSBoundParameters['Severity']){
+ $AlertRule.Severity = $PSBoundParameters['Severity']
+ $null = $PSBoundParameters.Remove('Severity')
+ }
+
+ If($PSBoundParameters['Tactic']){
+ $AlertRule.Tactic = $PSBoundParameters['Tactic']
+ $null = $PSBoundParameters.Remove('Tactic')
+ }
+
+ If($PSBoundParameters['CreateIncident']){
+ $AlertRule.IncidentConfigurationCreateIncident = $true
+ $null = $PSBoundParameters.Remove('CreateIncident')
+ }
+ else{
+ $AlertRule.IncidentConfigurationCreateIncident = $false
+ }
+
+ If($PSBoundParameters['GroupingConfigurationEnabled']){
+ $AlertRule.GroupingConfigurationEnabled = $true
+ $null = $PSBoundParameters.Remove('GroupingConfigurationEnabled')
+ }
+ else{
+ $AlertRule.GroupingConfigurationEnabled = $false
+ }
+
+ If($PSBoundParameters['ReOpenClosedIncident']){
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $PSBoundParameters['ReOpenClosedIncident']
+ $null = $PSBoundParameters.Remove('ReOpenClosedIncident')
+ }
+ else{
+ $AlertRule.GroupingConfigurationReOpenClosedIncident = $false
+ }
+
+ If($PSBoundParameters['LookbackDuration']){
+ $AlertRule.GroupingConfigurationLookbackDuration = $PSBoundParameters['LookbackDuration']
+ $null = $PSBoundParameters.Remove('LookbackDuration')
+ }
+
+ If($PSBoundParameters['MatchingMethod']){
+ $AlertRule.GroupingConfigurationMatchingMethod = $PSBoundParameters['MatchingMethod']
+ $null = $PSBoundParameters.Remove('MatchingMethod')
+ }
+
+ If($PSBoundParameters['GroupByAlertDetail']){
+ $AlertRule.GroupingConfigurationGroupByAlertDetail = $PSBoundParameters['GroupByAlertDetail']
+ $null = $PSBoundParameters.Remove('GroupByAlertDetail')
+ }
+
+ If($PSBoundParameters['GroupByCustomDetail']){
+ $AlertRule.GroupingConfigurationGroupByCustomDetail = $PSBoundParameters['GroupByCustomDetail']
+ $null = $PSBoundParameters.Remove('GroupByCustomDetail')
+ }
+
+ If($PSBoundParameters['GroupByEntity']){
+ $AlertRule.GroupingConfigurationGroupByEntity = $PSBoundParameters['GroupByEntity']
+ $null = $PSBoundParameters.Remove('GroupByEntity')
+ }
+
+ If($PSBoundParameters['EntityMapping']){
+ $AlertRule.EntityMapping = $PSBoundParameters['EntityMapping']
+ $null = $PSBoundParameters.Remove('EntityMapping')
+ }
+
+ If($PSBoundParameters['AlertDescriptionFormat']){
+ $AlertRule.AlertDetailOverrideAlertDescriptionFormat = $PSBoundParameters['AlertDescriptionFormat']
+ $null = $PSBoundParameters.Remove('AlertDescriptionFormat')
+ }
+
+ If($PSBoundParameters['AlertDisplayNameFormat']){
+ $AlertRule.AlertDetailOverrideAlertDisplayNameFormat = $PSBoundParameters['AlertDisplayNameFormat']
+ $null = $PSBoundParameters.Remove('AlertDisplayNameFormat')
+ }
+
+ If($PSBoundParameters['AlertSeverityColumnName']){
+ $AlertRule.AlertDetailOverrideAlertSeverityColumnName = $PSBoundParameters['AlertSeverityColumnName']
+ $null = $PSBoundParameters.Remove('AlertSeverityColumnName')
+ }
+
+ If($PSBoundParameters['AlertTacticsColumnName']){
+ $AlertRule.AlertDetailOverrideAlertTacticsColumnName = $PSBoundParameters['AlertTacticsColumnName']
+ $null = $PSBoundParameters.Remove('AlertTacticsColumnName')
+ }
+
+ If($PSBoundParameters['QueryFrequency']){
+ $AlertRule.QueryFrequency = $PSBoundParameters['QueryFrequency']
+ $null = $PSBoundParameters.Remove('QueryFrequency')
+ }
+
+ If($PSBoundParameters['QueryPeriod']){
+ $AlertRule.QueryPeriod = $PSBoundParameters['QueryPeriod']
+ $null = $PSBoundParameters.Remove('QueryPeriod')
+ }
+
+ If($PSBoundParameters['TriggerOperator']){
+ $AlertRule.TriggerOperator = $PSBoundParameters['TriggerOperator']
+ $null = $PSBoundParameters.Remove('TriggerOperator')
+ }
+
+ If($PSBoundParameters['TriggerThreshold']){
+ $AlertRule.TriggerThreshold = $PSBoundParameters['TriggerThreshold']
+ $null = $PSBoundParameters.Remove('TriggerThreshold')
+ }
+
+ If($PSBoundParameters['EventGroupingSettingAggregationKind']){
+ $AlertRule.EventGroupingSettingAggregationKind = $PSBoundParameters['EventGroupingSettingAggregationKind']
+ $null = $PSBoundParameters.Remove('EventGroupingSettingAggregationKind')
+ }
+ }
+ #TI
+ if ($AlertRule.Kind -eq 'ThreatIntelligence'){
+ If($PSBoundParameters['AlertRuleTemplateName']){
+ $AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
+ $null = $PSBoundParameters.Remove('AlertRuleTemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $AlertRule.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+ if($PSBoundParameters['Disabled']) {
+ $AlertRule.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+ }
+
+ $null = $PSBoundParameters.Add('AlertRule', $AlertRule)
+
+ Az.SecurityInsights.internal\Update-AzSentinelAlertRule @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
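Review bot: The `process` block changes rule state the caller did not ask to change: in the MicrosoftSecurityIncidentCreation, NRT and Scheduled branches the values of `Description`, `DisplayNamesFilter`, `DisplayNamesExcludeFilter` and (NRT, Scheduled) `AlertRuleTemplateName` are assigned to `$AlertRule.Enabled`, and `SeveritiesFilter` is assigned to `$Parameter.Enabled` although no `$Parameter` is defined in this function. The `else` arms for `SuppressionEnabled`, `CreateIncident`, `GroupingConfigurationEnabled` and `ReOpenClosedIncident` also set those properties to `$false` whenever the switch is omitted, so an update that only passes `-Query` sends the fetched detection rule back with incident creation and suppression turned off. In the NRT branch three guards test keys that cannot match at that point (`IncidentConfigurationCreateIncident`, `Enabled` after it was already removed, and `LookbackDuration` in front of the `MatchingMethod` assignment), and the Fusion branch tests `AlertTemplateName` rather than `AlertRuleTemplateName`. I would assign each value to its own property and touch a switch-backed setting only when the switch was actually bound, as sketched below. The target property names for the description and filter fields are assumed to mirror the parameter names the way `ProductFilter` does and should be checked against the model.

```powershell
# … unchanged: parameter block, Get-AzSentinelAlertRule lookup …

# Fusion: guard on the parameter name that actually exists
If($PSBoundParameters['AlertRuleTemplateName']){

# MicrosoftSecurityIncidentCreation (property names assumed to mirror the parameters; confirm against the model)
$AlertRule.Description = $PSBoundParameters['Description']
$AlertRule.DisplayNamesFilter = $PSBoundParameters['DisplayNamesFilter']
$AlertRule.DisplayNamesExcludeFilter = $PSBoundParameters['DisplayNamesExcludeFilter']
$AlertRule.SeveritiesFilter = $PSBoundParameters['SeveritiesFilter']

# NRT and Scheduled
$AlertRule.AlertRuleTemplateName = $PSBoundParameters['AlertRuleTemplateName']
$AlertRule.Description = $PSBoundParameters['Description']

# NRT and Scheduled: change a switch-backed setting only when the switch was bound; no else arm
If($PSBoundParameters.ContainsKey('CreateIncident')){
    $AlertRule.IncidentConfigurationCreateIncident = [bool]$PSBoundParameters['CreateIncident']
    $null = $PSBoundParameters.Remove('CreateIncident')
}
# … same shape for SuppressionEnabled, GroupingConfigurationEnabled, ReOpenClosedIncident …

# NRT: guard MatchingMethod on its own key
If($PSBoundParameters['MatchingMethod']){
# … unchanged: remaining assignments, Add('AlertRule', ...), internal Update call …
```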
diff --git a/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1 b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
new file mode 100644
index 000000000000..4122e19545bb
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelDataConnector.ps1
@@ -0,0 +1,937 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Updates the data connector.
+.Description
+Updates the data connector.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentineldataconnector
+#>
+function Update-AzSentinelDataConnector {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.DataConnector])]
+ [CmdletBinding(DefaultParameterSetName = 'UpdateAADAATP', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Id of the Data Connector.
+ ${Id},
+
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365', Mandatory, ValueFromPipeline)]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii', Mandatory, ValueFromPipeline)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity]
+ # Identity Parameter
+ # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+ ${InputObject},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AWSCloudTrail},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AWSS3},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AzureADorAATP},
+
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${AzureSecurityCenter},
+
+ [Parameter(ParameterSetName = 'UpdateDynamics365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${Dynamics365},
+
+ #[Parameter(ParameterSetName = 'UpdateGenericUI', Mandatory)]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI', Mandatory)]
+ #[Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ #[System.Management.Automation.SwitchParameter]
+ #${GenericUI},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${CloudAppSecurity},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${DefenderATP},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${MicrosoftTI},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${MicrosoftThreatProtection},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${Office365},
+
+ [Parameter(ParameterSetName = 'UpdateOfficeATP', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${OfficeATP},
+
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${OfficeIRM},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${ThreatIntelligence},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ ${ThreatIntelligenceTaxii},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365')]
+ #[Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Tenant.Id')]
+ [System.String]
+ # The TenantId.
+ ${TenantId},
+
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ # ASC Subscription Id.
+ ${ASCSubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateOfficeIRM')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAADAATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAzureSecurityCenter')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftDefenderAdvancedThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeATP')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOfficeIRM')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Alerts},
+
+ [Parameter(ParameterSetName = 'UpdateDynamics365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityDynamics365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${CommonDataServiceActivity},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftCloudAppSecurity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftCloudAppSecurity')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DiscoveryLog},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${BingSafetyPhishinURL},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${BingSafetyPhishingUrlLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeed},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatIntelligence')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${MicrosoftEmergingThreatFeedLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateMicrosoftThreatProtection')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityMicrosoftThreatProtection')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Incident},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Exchange},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${SharePoint},
+
+ [Parameter(ParameterSetName = 'UpdateOffice365')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityOffice365')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Teams},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligence')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligence')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Indicator},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${WorkspaceId},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${FriendlyName},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${APIRootURL},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${CollectionId},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UserName},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Password},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [ValidateSet('OneDay', 'OneWeek', 'OneMonth', 'All')]
+ [System.String]
+ ${TaxiiLookbackPeriod},
+
+ [Parameter(ParameterSetName = 'UpdateThreatIntelligenceTaxii')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityThreatIntelligenceTaxii')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.PollingFrequency]
+ ${PollingFrequency},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${AWSRoleArn},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesCloudTrail')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.DataTypeState])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Log},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [String[]]
+ ${SQSURL},
+
+ [Parameter(ParameterSetName = 'UpdateAmazonWebServicesS3')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityAmazonWebServicesS3')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${DetinationTable},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigTitle},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigPublisher},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigDescriptionMarkdown},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigCustomImage},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${UiConfigGraphQueriesTableName},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.GraphQueries[]]
+ ${UiConfigGraphQuery},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.SampleQueries[]]
+ ${UiConfigSampleQuery},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.LastDataReceivedDataType[]]
+ ${UiConfigDataType},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ConnectivityCriteria[]]
+ ${UiConfigConnectivityCriterion},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Bool]
+ ${AvailabilityIsPreview},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = 1)]
+ [Int]
+ ${AvailabilityStatus},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsResourceProviderItem[]]
+ ${PermissionResourceProvider},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.PermissionsCustomsItem[]]
+ ${PermissionCustom},
+
+ [Parameter(ParameterSetName = 'UpdateGenericUI')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityGenericUI')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.InstructionSteps[]]
+ ${UiConfigInstructionStep},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ #Handle Get
+ $GetPSBoundParameters = @{}
+ if ($PSBoundParameters['InputObject']) {
+ $GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject'])
+ }
+ else {
+ $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName'])
+ $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName'])
+ $GetPSBoundParameters.Add('Id', $PSBoundParameters['Id'])
+ }
+ $DataConnector = Az.SecurityInsights\Get-AzSentinelDataConnector @GetPSBoundParameters
+
+
+ if ($DataConnector.Kind -eq 'AzureActiveDirectory') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+
+ $null = $PSBoundParameters.Remove('AzureADorAATP')
+ }
+ if ($DataConnector.Kind -eq 'AzureAdvancedThreatProtection') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ $null = $PSBoundParameters.Remove('AzureADorAATP')
+ }
+ if ($DataConnector.Kind -eq 'Dynamics365') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['CommonDataServiceActivity']) {
+ $DataConnector.Dynamics365CdActivityState = $PSBoundParameters['CommonDataServiceActivity']
+ $null = $PSBoundParameters.Remove('CommonDataServiceActivity')
+ }
+ $null = $PSBoundParameters.Remove('Dynamics365')
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftCloudAppSecurity') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.DataTypeAlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+
+ If ($PSBoundParameters['DiscoveryLog']) {
+ $DataConnector.DiscoveryLogState = $PSBoundParameters['DiscoveryLog']
+ $null = $PSBoundParameters.Remove('DiscoveryLog')
+ }
+ $null = $PSBoundParameters.Remove('CloudAppSecurity')
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftDefenderAdvancedThreatProtection') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ $null = $PSBoundParameters.Remove('DefenderATP')
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftThreatIntelligence') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['BingSafetyPhishinURL']) {
+ $DataConnector.BingSafetyPhishingUrlState = $PSBoundParameters['BingSafetyPhishinURL']
+ $null = $PSBoundParameters.Remove('BingSafetyPhishinURL')
+ }
+
+ If ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod']) {
+ if ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneDay') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneWeek') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'OneMonth') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['BingSafetyPhishingUrlLookbackPeriod'] -eq 'All') {
+ $DataConnector.BingSafetyPhishingUrlLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+ $null = $PSBoundParameters.Remove('BingSafetyPhishingUrlLookbackPeriod')
+ }
+
+ If ($PSBoundParameters['MicrosoftEmergingThreatFeed']) {
+ $DataConnector.MicrosoftEmergingThreatFeedState = $PSBoundParameters['MicrosoftEmergingThreatFeed']
+ $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeed')
+ }
+
+ If ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod']) {
+ if ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneDay') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneWeek') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddDays(-7).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'OneMonth') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = ((Get-Date).AddMonths(-1).ToUniversalTime() | Get-DAte -Format yyyy-MM-ddTHH:mm:ss.fffZ).ToString()
+ }
+ elseif ($PSBoundParameters['MicrosoftEmergingThreatFeedLookbackPeriod'] -eq 'All') {
+ $DataConnector.MicrosoftEmergingThreatFeedLookbackPeriod = "1970-01-01T00:00:00.000Z"
+ }
+ $null = $PSBoundParameters.Remove('MicrosoftEmergingThreatFeedLookbackPeriod')
+ }
+ $null = $PSBoundParameters.Remove('MicrosoftTI')
+ }
+ if ($DataConnector.Kind -eq 'MicrosoftThreatProtection') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Incident']) {
+ $DataConnector.IncidentState = $PSBoundParameters['Incident']
+ $null = $PSBoundParameters.Remove('Incident')
+ }
+ $null = $PSBoundParameters.Remove('MicrosoftThreatProtection')
+ }
+ if ($DataConnector.Kind -eq 'Office365') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Exchange']) {
+ $DataConnector.ExchangeState = $PSBoundParameters['Exchange']
+ $null = $PSBoundParameters.Remove('Exchange')
+ }
+
+ If ($PSBoundParameters['SharePoint']) {
+ $DataConnector.SharePointState = $PSBoundParameters['SharePoint']
+ $null = $PSBoundParameters.Remove('SharePoint')
+ }
+
+ If ($PSBoundParameters['Teams']) {
+ $DataConnector.TeamState = $PSBoundParameters['Teams']
+ $null = $PSBoundParameters.Remove('Teams')
+ }
+ $null = $PSBoundParameters.Remove('Office365')
+ }
+ if ($DataConnector.Kind -eq 'OfficeATP') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ $null = $PSBoundParameters.Remove('OfficeATP')
+ }
+ if ($DataConnector.Kind -eq 'OfficeIRM') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ $null = $PSBoundParameters.Remove('OfficeIRM')
+ }
+ if ($DataConnector.Kind -eq 'ThreatIntelligence') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['Indicator']) {
+ $DataConnector.IndicatorState = $PSBoundParameters['Indicator']
+ $null = $PSBoundParameters.Remove('Indicator')
+ }
+ $null = $PSBoundParameters.Remove('ThreatIntelligence')
+ }
+ if ($DataConnector.Kind -eq 'ThreatIntelligenceTaxii') {
+ If ($PSBoundParameters['TenantId']) {
+ $DataConnector.TenantId = $PSBoundParameters['TenantId']
+ $null = $PSBoundParameters.Remove('TenantId')
+ }
+
+ If ($PSBoundParameters['FriendlyName']) {
+ $DataConnector.FriendlyName = $PSBoundParameters['FriendlyName']
+ $null = $PSBoundParameters.Remove('FriendlyName')
+ }
+
+ If ($PSBoundParameters['APIRootURL']) {
+ $DataConnector.TaxiiServer = $PSBoundParameters['APIRootURL']
+ $null = $PSBoundParameters.Remove('APIRootURL')
+ }
+
+ If ($PSBoundParameters['CollectionId']) {
+ $DataConnector.CollectionId = $PSBoundParameters['CollectionId']
+ $null = $PSBoundParameters.Remove('CollectionId')
+ }
+
+ If ($PSBoundParameters['UserName']) {
+ $DataConnector.UserName = $PSBoundParameters['UserName']
+ $null = $PSBoundParameters.Remove('UserName')
+ }
+
+ If ($PSBoundParameters['Password']) {
+ $DataConnector.Password = $PSBoundParameters['Password']
+ $null = $PSBoundParameters.Remove('Password')
+ }
+
+ If ($PSBoundParameters['WorkspaceId']) {
+ $DataConnector.WorkspaceId = $PSBoundParameters['WorkspaceId']
+ $null = $PSBoundParameters.Remove('WorkspaceId')
+ }
+
+ if ($PSBoundParameters['PollingFrequency']) {
+ if ($PSBoundParameters['PollingFrequency'] -eq 'OnceADay') {
+ $DataConnector.PollingFrequency = "OnceADay"
+ }
+ elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAMinute') {
+ $DataConnector.PollingFrequency = "OnceAMinute"
+ }
+ elseif ($PSBoundParameters['PollingFrequency'] -eq 'OnceAnHour') {
+ $DataConnector.PollingFrequency = "OnceAnHour"
+ }
+ $null = $PSBoundParameters.Remove('PollingFrequency')
+ }
+ $null = $PSBoundParameters.Remove('ThreatIntelligenceTaxii')
+ }
+ if ($DataConnector.Kind -eq 'AzureSecurityCenter') {
+ If ($PSBoundParameters['ASCSubscriptionId']) {
+ $DataConnector.SubscriptionId = $PSBoundParameters['ASCSubscriptionId']
+ $null = $PSBoundParameters.Remove('ASCSubscriptionId')
+ }
+
+ If ($PSBoundParameters['Alerts']) {
+ $DataConnector.AlertState = $PSBoundParameters['Alerts']
+ $null = $PSBoundParameters.Remove('Alerts')
+ }
+ $null = $PSBoundParameters.Remove('AzureSecurityCenter')
+ }
+ if ($DataConnector.Kind -eq 'AmazonWebServicesCloudTrail') {
+ If ($PSBoundParameters['AWSRoleArn']) {
+ $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn']
+ $null = $PSBoundParameters.Remove('AWSRoleArn')
+ }
+
+ If ($PSBoundParameters['Log']) {
+ $DataConnector.LogState = $PSBoundParameters['Log']
+ $null = $PSBoundParameters.Remove('Log')
+ }
+ $null = $PSBoundParameters.Remove('AWSCloudTrail')
+ }
+ if ($DataConnector.Kind -eq 'AmazonWebServicesS3') {
+ If ($PSBoundParameters['AWSRoleArn']) {
+ $DataConnector.AWSRoleArn = $PSBoundParameters['AWSRoleArn']
+ $null = $PSBoundParameters.Remove('AWSRoleArn')
+ }
+
+ If ($PSBoundParameters['Log']) {
+ $DataConnector.LogState = $PSBoundParameters['Log']
+ $null = $PSBoundParameters.Remove('Log')
+ }
+
+ If ($PSBoundParameters['SQSURL']) {
+ $DataConnector.SqsUrl = $PSBoundParameters['SQSURL']
+ $null = $PSBoundParameters.Remove('SQSURL')
+ }
+ If ($PSBoundParameters['DetinationTable']) {
+ $DataConnector.DestinationTable = $PSBoundParameters['DetinationTable']
+ $null = $PSBoundParameters.Remove('DetinationTable')
+ }
+ $null = $PSBoundParameters.Remove('AWSS3')
+ }
+ if ($DataConnector.Kind -eq 'GenericUI') {
+ If ($PSBoundParameters['UiConfigTitle']) {
+ $DataConnector.ConnectorUiConfigTitle = $PSBoundParameters['UiConfigTitle']
+ $null = $PSBoundParameters.Remove('UiConfigTitle')
+ }
+ If ($PSBoundParameters['UiConfigPublisher']) {
+ $DataConnector.ConnectorUiConfigPublisher = $PSBoundParameters['UiConfigPublisher']
+ $null = $PSBoundParameters.Remove('UiConfigPublisher')
+ }
+ If ($PSBoundParameters['UiConfigDescriptionMarkdown']) {
+ $DataConnector.ConnectorUiConfigDescriptionMarkdown = $PSBoundParameters['UiConfigDescriptionMarkdown']
+ $null = $PSBoundParameters.Remove('UiConfigDescriptionMarkdown')
+ }
+ If ($PSBoundParameters['UiConfigCustomImage']) {
+ $DataConnector.ConnectorUiConfigCustomImage = $PSBoundParameters['UiConfigCustomImage']
+ $null = $PSBoundParameters.Remove('UiConfigCustomImage')
+ }
+ If ($PSBoundParameters['UiConfigGraphQueriesTableName']) {
+ $DataConnector.ConnectorUiConfigGraphQueriesTableName = $PSBoundParameters['UiConfigGraphQueriesTableName']
+ $null = $PSBoundParameters.Remove('UiConfigGraphQueriesTableName')
+ }
+ If ($PSBoundParameters['UiConfigGraphQuery']) {
+ $DataConnector.ConnectorUiConfigGraphQuery = $PSBoundParameters['UiConfigGraphQuery']
+ $null = $PSBoundParameters.Remove('UiConfigGraphQuery')
+ }
+ If ($PSBoundParameters['UiConfigSampleQuery']) {
+ $DataConnector.ConnectorUiConfigSampleQuery = $PSBoundParameters['UiConfigSampleQuery']
+ $null = $PSBoundParameters.Remove('UiConfigSampleQuery')
+ }
+ If ($PSBoundParameters['UiConfigDataType']) {
+ $DataConnector.ConnectorUiConfigDataType = $PSBoundParameters['UiConfigDataType']
+ $null = $PSBoundParameters.Remove('UiConfigDataType')
+ }
+ If ($PSBoundParameters['UiConfigConnectivityCriterion']) {
+ $DataConnector.ConnectorUiConfigConnectivityCriterion = $PSBoundParameters['UiConfigConnectivityCriterion']
+ $null = $PSBoundParameters.Remove('UiConfigConnectivityCriterion')
+ }
+ If ($PSBoundParameters['AvailabilityIsPreview']) {
+ $DataConnector.AvailabilityIsPreview = $PSBoundParameters['AvailabilityIsPreview']
+ $null = $PSBoundParameters.Remove('AvailabilityIsPreview')
+ }
+ If ($PSBoundParameters['AvailabilityStatus']) {
+ $DataConnector.AvailabilityStatus = $PSBoundParameters['AvailabilityStatus']
+ $null = $PSBoundParameters.Remove('AvailabilityStatus')
+ }
+ If ($PSBoundParameters['PermissionResourceProvider']) {
+ $DataConnector.PermissionResourceProvider = $PSBoundParameters['PermissionResourceProvider']
+ $null = $PSBoundParameters.Remove('PermissionResourceProvider')
+ }
+ If ($PSBoundParameters['PermissionCustom']) {
+ $DataConnector.DestinationTable = $PSBoundParameters['PermissionCustom']
+ $null = $PSBoundParameters.Remove('PermissionCustom')
+ }
+ If ($PSBoundParameters['UiConfigInstructionStep']) {
+ $DataConnector.ConnectorUiConfigInstructionStep = $PSBoundParameters['UiConfigInstructionStep']
+ $null = $PSBoundParameters.Remove('UiConfigInstructionStep')
+ }
+ }
+
+ $null = $PSBoundParameters.Add('DataConnector', $DataConnector)
+ Az.SecurityInsights.internal\Update-AzSentinelDataConnector @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
diff --git a/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1 b/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1
new file mode 100644
index 000000000000..9ba61bf4ccac
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelEntityQuery.ps1
@@ -0,0 +1,262 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Updates the entity query.
+.Description
+Updates the entity query.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelentityquery
+#>
+function Update-AzSentinelEntityQuery {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.CustomEntityQuery])]
+ [CmdletBinding(DefaultParameterSetName = 'UpdateActivity', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)]
+ #[Alias('DataConnectionName')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(ParameterSetName = 'UpdateActivity', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Id of the Entity Query.
+ ${EntityQueryId},
+
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity', Mandatory, ValueFromPipeline)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity]
+ # Identity Parameter
+ # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+ ${InputObject},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Title},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Content},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${Description},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${QueryDefinitionQuery},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.EntityType]
+ ${InputEntityType},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [String[]]
+ ${RequiredInputFieldsSet},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.ActivityEntityQueriesPropertiesEntitiesFilter]
+ ${EntitiesFilter},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ ${TemplateName},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Enabled},
+
+ [Parameter(ParameterSetName = 'UpdateActivity')]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityActivity')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Switch]
+ ${Disabled},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ #Handle Get
+ $GetPSBoundParameters = @{}
+ if($PSBoundParameters['InputObject']){
+ $GetPSBoundParameters.Add('InputObject', $PSBoundParameters['InputObject'])
+ }
+ else {
+ $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName'])
+ $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName'])
+ $GetPSBoundParameters.Add('EntityQueryId', $PSBoundParameters['EntityQueryId'])
+ }
+ $EntityQuery = Az.SecurityInsights\Get-AzSentinelEntityQuery @GetPSBoundParameters
+
+ if ($EntityQuery.Kind -eq 'Activity'){
+ If($PSBoundParameters['Title']){
+ $EntityQuery.Title = $PSBoundParameters['Title']
+ $null = $PSBoundParameters.Remove('Title')
+ }
+
+ If($PSBoundParameters['Content']){
+ $EntityQuery.Content = $PSBoundParameters['Content']
+ $null = $PSBoundParameters.Remove('Content')
+ }
+
+ If($PSBoundParameters['Description']){
+ $EntityQuery.Description = $PSBoundParameters['Description']
+ $null = $PSBoundParameters.Remove('Description')
+ }
+
+ If($PSBoundParameters['QueryDefinitionQuery']){
+ $EntityQuery.QueryDefinitionQuery = $PSBoundParameters['QueryDefinitionQuery']
+ $null = $PSBoundParameters.Remove('QueryDefinitionQuery')
+ }
+
+ If($PSBoundParameters['InputEntityType']){
+ $EntityQuery.InputEntityType = $PSBoundParameters['InputEntityType']
+ $null = $PSBoundParameters.Remove('InputEntityType')
+ }
+
+ If($PSBoundParameters['RequiredInputFieldsSet']){
+ $EntityQuery.RequiredInputFieldsSet = $PSBoundParameters['RequiredInputFieldsSet']
+ $null = $PSBoundParameters.Remove('RequiredInputFieldsSet')
+ }
+
+ If($PSBoundParameters['EntitiesFilter']){
+ $EntityQuery.EntitiesFilter = $PSBoundParameters['EntitiesFilter']
+ $null = $PSBoundParameters.Remove('EntitiesFilter')
+ }
+
+ If($PSBoundParameters['TemplateName']){
+ $EntityQuery.TemplateName = $PSBoundParameters['TemplateName']
+ $null = $PSBoundParameters.Remove('TemplateName')
+ }
+
+ If($PSBoundParameters['Enabled']){
+ $EntityQuery.Enabled = $true
+ $null = $PSBoundParameters.Remove('Enabled')
+ }
+
+ If($PSBoundParameters['Disabled']){
+ $EntityQuery.Enabled = $false
+ $null = $PSBoundParameters.Remove('Disabled')
+ }
+ }
+ else {
+ Write-Error "This cmdlet only works with Entity Queries of the Activity kind."
+ break
+ }
+
+ $null = $PSBoundParameters.Add('EntityQuery', $EntityQuery)
+
+ Az.SecurityInsights.internal\Update-AzSentinelEntityQuery @PSBoundParameters
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
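Review bot: The pre-read in the `process` block fills `$GetPSBoundParameters` with only `InputObject` or `ResourceGroupName`/`WorkspaceName`/`EntityQueryId`, so a caller-supplied `-SubscriptionId` or `-DefaultProfile` never reaches `Get-AzSentinelEntityQuery`, while the final internal update still receives both through `@PSBoundParameters`. If the Get falls back to the current context (as the `DefaultInfo` script on `SubscriptionId` suggests), the entity query can be read under one subscription or identity and written under another. Forward both when bound, e.g. `foreach ($k in 'SubscriptionId','DefaultProfile') { if ($PSBoundParameters.ContainsKey($k)) { $GetPSBoundParameters[$k] = $PSBoundParameters[$k] } }`. The same gap is in the Update-AzSentinelSetting.ps1 hunk, where the Anomalies/EyesOn/EntityAnalytics branches also call the internal update and remove cmdlets without either parameter. Separately, the `break` after `Write-Error` is not inside a loop, so it can unwind into a caller's loop or stop the calling script; `return` is the safer exit.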
diff --git a/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1 b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1
new file mode 100644
index 000000000000..2724d945c7a3
--- /dev/null
+++ b/src/SecurityInsights/custom/Update-AzSentinelSetting.ps1
@@ -0,0 +1,240 @@
+
+# ----------------------------------------------------------------------------------
+#
+# Copyright Microsoft Corporation
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# http://www.apache.org/licenses/LICENSE-2.0
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+# ----------------------------------------------------------------------------------
+
+<#
+.Synopsis
+Updates setting.
+.Description
+Updates setting.
+
+.Link
+https://docs.microsoft.com/powershell/module/az.securityinsights/update-azsentinelsetting
+#>
+function Update-AzSentinelSetting {
+ [OutputType([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.Settings])]
+ [CmdletBinding(DefaultParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', PositionalBinding = $false, SupportsShouldProcess, ConfirmImpact = 'Medium')]
+ param(
+ [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics')]
+ [Parameter(ParameterSetName = 'UpdateExpandedUeba')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.DefaultInfo(Script = '(Get-AzContext).Subscription.Id')]
+ [System.String]
+ # Gets subscription credentials which uniquely identify Microsoft Azure subscription.
+ # The subscription ID forms part of the URI for every service call.
+ ${SubscriptionId},
+
+ [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The Resource Group Name.
+ ${ResourceGroupName},
+
+ [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)]
+ #[Alias('DataConnectionName')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [System.String]
+ # The name of the workspace.
+ ${WorkspaceName},
+
+ [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.SettingKind])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.String]
+ # The setting Name
+ ${SettingsName},
+
+ [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics', Mandatory, ValueFromPipeline)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory, ValueFromPipeline)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Path')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity]
+ # Identity Parameter
+ # To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+ ${InputObject},
+
+ #Anomalies
+ #.EyesOn
+ #.EntityAnalytics
+ [Parameter(ParameterSetName = 'UpdateExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedAnomaliesEyesOnEntityAnalytics', Mandatory)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [System.Boolean]
+ ${Enabled},
+
+ #.Ueba
+ [Parameter(ParameterSetName = 'UpdateExpandedUeba', Mandatory)]
+ [Parameter(ParameterSetName = 'UpdateViaIdentityExpandedUeba', Mandatory)]
+ [ArgumentCompleter([Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources])]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Body')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Support.UebaDataSources[]]
+ ${DataSource},
+
+ [Parameter()]
+ [Alias('AzureRMContext', 'AzureCredential')]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Azure')]
+ [System.Management.Automation.PSObject]
+ # The credentials, account, tenant, and subscription used for communication with Azure.
+ ${DefaultProfile},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command as a job
+ ${AsJob},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Wait for .NET debugger to attach
+ ${Break},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be appended to the front of the pipeline
+ ${HttpPipelineAppend},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Runtime.SendAsyncStep[]]
+ # SendAsync Pipeline Steps to be prepended to the front of the pipeline
+ ${HttpPipelinePrepend},
+
+ [Parameter()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Run the command asynchronously
+ ${NoWait},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Uri]
+ # The URI for the proxy server to use
+ ${Proxy},
+
+ [Parameter(DontShow)]
+ [ValidateNotNull()]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.PSCredential]
+ # Credentials for a proxy server to use for the remote call
+ ${ProxyCredential},
+
+ [Parameter(DontShow)]
+ [Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Category('Runtime')]
+ [System.Management.Automation.SwitchParameter]
+ # Use the default credentials for the proxy
+ ${ProxyUseDefaultCredentials}
+ )
+
+ process {
+ try {
+ #Handle Get
+ $GetPSBoundParameters = @{}
+ if($PSBoundParameters['InputObject']){
+ $GetPSBoundParameters.Add('ResourceGroupName', ($PSBoundParameters['InputObject']).Id.Split('/')[4])
+ $GetPSBoundParameters.Add('WorkspaceName', ($PSBoundParameters['InputObject']).Id.Split('/')[8])
+ $Name = ($PSBoundParameters['InputObject']).Name
+ }
+ else {
+ $GetPSBoundParameters.Add('ResourceGroupName', $PSBoundParameters['ResourceGroupName'])
+ $GetPSBoundParameters.Add('WorkspaceName', $PSBoundParameters['WorkspaceName'])
+ $Name = $PSBoundParameters['SettingsName']
+ }
+ if($Name -eq 'Ueba'){
+ $GetPSBoundParameters.Add('SettingsName', 'Ueba')
+ $ueba = Az.SecurityInsights\Get-AzSentinelSetting @GetPSBoundParameters
+ }
+ else{
+ $Settings = Az.SecurityInsights\Get-AzSentinelSetting @GetPSBoundParameters
+ }
+
+
+ if ($Name -eq 'Anomalies'){
+ If($PSBoundParameters['Enabled'] -eq $true){
+ if($Settings.Name -contains 'Anomalies'){
+ Write-Host "$Name is already Enabled!" -ForegroundColor Green
+ }
+ else{
+ Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name
+ }
+ }
+
+ If($PSBoundParameters['Enabled'] -eq $false){
+ if($Settings.Name -contains 'Anomalies'){
+ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name
+ }
+ else{
+ Write-Host "$Name is already Disabled!" -ForegroundColor Green
+ }
+ }
+ }
+ if ($Name -eq 'EyesOn'){
+ If($PSBoundParameters['Enabled'] -eq $true){
+ if($Settings.Name -contains 'EyesOn'){
+ Write-Host "$Name is already Enabled!" -ForegroundColor Green
+ }
+ else{
+ Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name
+ }
+ }
+
+ If($PSBoundParameters['Enabled'] -eq $false){
+ if($Settings.Name -contains 'EyesOn'){
+ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name
+ }
+ else{
+ Write-Host "$Name is already Disabled!" -ForegroundColor Green
+ }
+ }
+ }
+ if ($Name -eq 'EntityAnalytics'){
+ If($PSBoundParameters['Enabled'] -eq $true){
+ if($Settings.Name -contains 'EntityAnalytics'){
+ Write-Host "$Name is already Enabled!" -ForegroundColor Green
+ }
+ else{
+ Az.SecurityInsights.internal\Update-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name -Kind $Name
+ }
+ }
+
+ If($PSBoundParameters['Enabled'] -eq $false){
+ if($Settings.Name -contains 'EntityAnalytics'){
+ Az.SecurityInsights.internal\Remove-AzSentinelSetting -ResourceGroupName $GetPSBoundParameters['ResourceGroupName'] -WorkspaceName $GetPSBoundParameters['WorkspaceName'] -SettingsName $Name
+ }
+ else{
+ Write-Host "$Name is already Disabled!" -ForegroundColor Green
+ }
+ }
+ }
+
+ if ($Name -eq 'Ueba'){
+ If($PSBoundParameters['DataSource']){
+ $ueba.DataSource = $PSBoundParameters['DataSource']
+ $null = $PSBoundParameters.Remove('DataSource')
+ }
+ $null = $PSBoundParameters.Add('Setting', $Setting)
+ Az.SecurityInsights.internal\Update-AzSentinelSetting @PSBoundParameters
+ }
+ }
+ catch {
+ throw
+ }
+ }
+}
\ No newline at end of file
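Review bot: In the `Ueba` branch the new data sources are assigned to `$ueba`, but the next line adds `$Setting` to `$PSBoundParameters`, and that variable is never assigned anywhere in this function. Unless an outer scope happens to define it, the internal update is called with a null `Setting` and the requested `DataSource` change is presumably never sent. The line should read `$null = $PSBoundParameters.Add('Setting', $ueba)`. These settings control which Sentinel analytics features are active, so a test that asserts the data sources after the call would catch a silent no-op here.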
diff --git a/src/SecurityInsights/docs/Az.SecurityInsights.md b/src/SecurityInsights/docs/Az.SecurityInsights.md
new file mode 100644
index 000000000000..136272a12bf0
--- /dev/null
+++ b/src/SecurityInsights/docs/Az.SecurityInsights.md
@@ -0,0 +1,199 @@
+---
+Module Name: Az.SecurityInsights
+Module Guid: 3a0e09d6-7b89-4078-a565-5db26e7455b8
+Download Help Link: https://docs.microsoft.com/powershell/module/az.securityinsights
+Help Version: 1.0.0.0
+Locale: en-US
+---
+
+# Az.SecurityInsights Module
+## Description
+Microsoft Azure PowerShell: SecurityInsights cmdlets
+
+## Az.SecurityInsights Cmdlets
+### [Get-AzSentinelAlertRule](Get-AzSentinelAlertRule.md)
+Gets the alert rule.
+
+### [Get-AzSentinelAlertRuleAction](Get-AzSentinelAlertRuleAction.md)
+Gets the action of alert rule.
+
+### [Get-AzSentinelAlertRuleTemplate](Get-AzSentinelAlertRuleTemplate.md)
+Gets the alert rule template.
+
+### [Get-AzSentinelAutomationRule](Get-AzSentinelAutomationRule.md)
+Gets the automation rule.
+
+### [Get-AzSentinelBookmark](Get-AzSentinelBookmark.md)
+Gets a bookmark.
+
+### [Get-AzSentinelBookmarkRelation](Get-AzSentinelBookmarkRelation.md)
+Gets a bookmark relation.
+
+### [Get-AzSentinelDataConnector](Get-AzSentinelDataConnector.md)
+Gets a data connector.
+
+### [Get-AzSentinelEnrichment](Get-AzSentinelEnrichment.md)
+Get geodata for a single IP address
+
+### [Get-AzSentinelEntity](Get-AzSentinelEntity.md)
+Gets an entity.
+
+### [Get-AzSentinelEntityActivity](Get-AzSentinelEntityActivity.md)
+Get Insights and Activities for an entity.
+
+### [Get-AzSentinelEntityInsight](Get-AzSentinelEntityInsight.md)
+Execute Insights for an entity.
+
+### [Get-AzSentinelEntityQuery](Get-AzSentinelEntityQuery.md)
+Gets an entity query.
+
+### [Get-AzSentinelEntityQueryTemplate](Get-AzSentinelEntityQueryTemplate.md)
+Gets an entity query.
+
+### [Get-AzSentinelEntityRelation](Get-AzSentinelEntityRelation.md)
+Gets an entity relation.
+
+### [Get-AzSentinelEntityTimeline](Get-AzSentinelEntityTimeline.md)
+Timeline for an entity.
+
+### [Get-AzSentinelIncident](Get-AzSentinelIncident.md)
+Gets an incident.
+
+### [Get-AzSentinelIncidentAlert](Get-AzSentinelIncidentAlert.md)
+Gets all incident alerts.
+
+### [Get-AzSentinelIncidentBookmark](Get-AzSentinelIncidentBookmark.md)
+Gets all incident bookmarks.
+
+### [Get-AzSentinelIncidentComment](Get-AzSentinelIncidentComment.md)
+Gets an incident comment.
+
+### [Get-AzSentinelIncidentEntity](Get-AzSentinelIncidentEntity.md)
+Gets all incident related entities.
+
+### [Get-AzSentinelIncidentRelation](Get-AzSentinelIncidentRelation.md)
+Gets an incident relation.
+
+### [Get-AzSentinelMetadata](Get-AzSentinelMetadata.md)
+Get a Metadata.
+
+### [Get-AzSentinelOnboardingState](Get-AzSentinelOnboardingState.md)
+Get Sentinel onboarding state
+
+### [Get-AzSentinelSetting](Get-AzSentinelSetting.md)
+Gets a setting.
+
+### [Get-AzSentinelThreatIntelligenceIndicator](Get-AzSentinelThreatIntelligenceIndicator.md)
+View a threat intelligence indicator by name.
+
+### [Get-AzSentinelThreatIntelligenceIndicatorMetric](Get-AzSentinelThreatIntelligenceIndicatorMetric.md)
+Get threat intelligence indicators metrics (Indicators counts by Type, Threat Type, Source).
+
+### [Invoke-AzSentinelThreatIntelligenceIndicatorQuery](Invoke-AzSentinelThreatIntelligenceIndicatorQuery.md)
+Query threat intelligence indicators as per filtering criteria.
+
+### [New-AzSentinelAlertRule](New-AzSentinelAlertRule.md)
+Creates or updates the alert rule.
+
+### [New-AzSentinelAlertRuleAction](New-AzSentinelAlertRuleAction.md)
+Creates or updates the action of alert rule.
+
+### [New-AzSentinelAutomationRule](New-AzSentinelAutomationRule.md)
+Creates or updates the automation rule.
+
+### [New-AzSentinelBookmark](New-AzSentinelBookmark.md)
+Creates or updates the bookmark.
+
+### [New-AzSentinelBookmarkRelation](New-AzSentinelBookmarkRelation.md)
+Creates the bookmark relation.
+
+### [New-AzSentinelDataConnector](New-AzSentinelDataConnector.md)
+Creates or updates the data connector.
+
+### [New-AzSentinelEntityQuery](New-AzSentinelEntityQuery.md)
+Creates or updates the entity query.
+
+### [New-AzSentinelIncident](New-AzSentinelIncident.md)
+Creates or updates the incident.
+
+### [New-AzSentinelIncidentComment](New-AzSentinelIncidentComment.md)
+Creates or updates the incident comment.
+
+### [New-AzSentinelIncidentRelation](New-AzSentinelIncidentRelation.md)
+Creates or updates the incident relation.
+
+### [New-AzSentinelIncidentTeam](New-AzSentinelIncidentTeam.md)
+Creates a Microsoft team to investigate the incident by sharing information and insights between participants.
+
+### [New-AzSentinelOnboardingState](New-AzSentinelOnboardingState.md)
+Create Sentinel onboarding state
+
+### [Remove-AzSentinelAlertRule](Remove-AzSentinelAlertRule.md)
+Delete the alert rule.
+
+### [Remove-AzSentinelAlertRuleAction](Remove-AzSentinelAlertRuleAction.md)
+Delete the action of alert rule.
+
+### [Remove-AzSentinelAutomationRule](Remove-AzSentinelAutomationRule.md)
+Delete the automation rule.
+
+### [Remove-AzSentinelBookmark](Remove-AzSentinelBookmark.md)
+Delete the bookmark.
+
+### [Remove-AzSentinelBookmarkRelation](Remove-AzSentinelBookmarkRelation.md)
+Delete the bookmark relation.
+
+### [Remove-AzSentinelDataConnector](Remove-AzSentinelDataConnector.md)
+Delete the data connector.
+
+### [Remove-AzSentinelEntityQuery](Remove-AzSentinelEntityQuery.md)
+Delete the entity query.
+
+### [Remove-AzSentinelIncident](Remove-AzSentinelIncident.md)
+Delete the incident.
+
+### [Remove-AzSentinelIncidentComment](Remove-AzSentinelIncidentComment.md)
+Delete the incident comment.
+
+### [Remove-AzSentinelIncidentRelation](Remove-AzSentinelIncidentRelation.md)
+Delete the incident relation.
+
+### [Remove-AzSentinelOnboardingState](Remove-AzSentinelOnboardingState.md)
+Delete Sentinel onboarding state
+
+### [Test-AzSentinelDataConnectorCheckRequirement](Test-AzSentinelDataConnectorCheckRequirement.md)
+Get requirements state for a data connector type.
+
+### [Update-AzSentinelAlertRule](Update-AzSentinelAlertRule.md)
+Updates the alert rule.
+
+### [Update-AzSentinelAlertRuleAction](Update-AzSentinelAlertRuleAction.md)
+Creates or updates the action of alert rule.
+
+### [Update-AzSentinelAutomationRule](Update-AzSentinelAutomationRule.md)
+Creates or updates the automation rule.
+
+### [Update-AzSentinelBookmark](Update-AzSentinelBookmark.md)
+Creates or updates the bookmark.
+
+### [Update-AzSentinelBookmarkRelation](Update-AzSentinelBookmarkRelation.md)
+Creates the bookmark relation.
+
+### [Update-AzSentinelDataConnector](Update-AzSentinelDataConnector.md)
+Updates the data connector.
+
+### [Update-AzSentinelEntityQuery](Update-AzSentinelEntityQuery.md)
+Updates the entity query.
+
+### [Update-AzSentinelIncident](Update-AzSentinelIncident.md)
+Creates or updates the incident.
+
+### [Update-AzSentinelIncidentComment](Update-AzSentinelIncidentComment.md)
+Creates or updates the incident comment.
+
+### [Update-AzSentinelIncidentRelation](Update-AzSentinelIncidentRelation.md)
+Creates or updates the incident relation.
+
+### [Update-AzSentinelSetting](Update-AzSentinelSetting.md)
+Updates setting.
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md
new file mode 100644
index 000000000000..90779dae796f
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRule.md
@@ -0,0 +1,235 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertrule
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRule
+
+## SYNOPSIS
+Gets the alert rule.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelAlertRule -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelAlertRule -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelAlertRule -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets the alert rule.
+
+## EXAMPLES
+
+### Example 1: List all Alert Rules
+```powershell
+ Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+AlertDisplayName : (Preview) TI map IP entity to SigninLogs
+FriendlyName : (Preview) TI map IP entity to SigninLogs
+Description : Identifies a match in SigninLogs from any IP IOC from TI
+Kind : SecurityAlert
+Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
+ProductName : Azure Sentinel
+Status : New
+ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
+Tactic : {Impact}
+```
+
+This command lists all Alert Rules under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Alert Rule
+```powershell
+ Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "d6c7a42b-c0da-41ef-9629-b3d2d407b181"
+```
+
+```output
+AlertDisplayName : (Preview) TI map IP entity to SigninLogs
+FriendlyName : (Preview) TI map IP entity to SigninLogs
+Description : Identifies a match in SigninLogs from any IP IOC from TI
+Kind : SecurityAlert
+Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
+ProductName : Azure Sentinel
+Status : New
+ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
+Tactic : {Impact}
+```
+
+This command gets an Alert Rule.
+
+### Example 3: Get an Alert Rule by object Id
+```powershell
+ $rules = Get-AzSentinelAlertRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+ $rules[0] | Get-AzSentinelAlertRule
+```
+
+```output
+AlertDisplayName : (Preview) TI map IP entity to SigninLogs
+FriendlyName : (Preview) TI map IP entity to SigninLogs
+Description : Identifies a match in SigninLogs from any IP IOC from TI
+Kind : SecurityAlert
+Name : d1e4d1dd-8d16-1aed-59bd-a256266d7244
+ProductName : Azure Sentinel
+Status : New
+ProviderAlertId : d6c7a42b-c0da-41ef-9629-b3d2d407b181
+Tactic : {Impact}
+```
+
+This command gets an Alert Rule by object
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRule
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md
new file mode 100644
index 000000000000..0cf1d83aeb61
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleAction.md
@@ -0,0 +1,209 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertruleaction
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRuleAction
+
+## SYNOPSIS
+Gets the action of alert rule.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelAlertRuleAction -ResourceGroupName -RuleId -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelAlertRuleAction -Id -ResourceGroupName -RuleId
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelAlertRuleAction -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets the action of alert rule.
+
+## EXAMPLES
+
+### Example 1: List all Actions for a given Alert Rule
+```powershell
+ Get-AzSentinelAlertRuleAction -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -RuleId "myRuleId"
+```
+
+```output
+LogicAppResourceId : /subscriptions/174b1a81-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/A-Demo-1
+Name : f32239c5-cb9c-48da-a3f6-bd5bd3d924a4
+WorkflowId : 3c73d72560fa4cb6a72a0f10d3a80940
+
+LogicAppResourceId : /subscriptions/274b1a41-c53c-4092-8d4a-7210f6a44a0c/resourceGroups/myResourceGroup/providers/Microsoft.Logic/workflows/EmptyPlaybook
+Name : cf815c77-bc65-4c02-946f-d81e15e9a100
+WorkflowId : 1ac8ccb8bd134253b4baf0c75fe3ecc6
+```
+
+This command lists all Actions for a given Alert Rule.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Action ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: ActionId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RuleId
+Alert rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IActionResponse
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md
new file mode 100644
index 000000000000..8f535b50f9d5
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelAlertRuleTemplate.md
@@ -0,0 +1,221 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelalertruletemplate
+schema: 2.0.0
+---
+
+# Get-AzSentinelAlertRuleTemplate
+
+## SYNOPSIS
+Gets the alert rule template.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelAlertRuleTemplate -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelAlertRuleTemplate -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelAlertRuleTemplate -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets the alert rule template.
+
+## EXAMPLES
+
+### Example 1: List all Alert Rule Templates
+```powershell
+ Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+DisplayName : TI map IP entity to GitHub_CL
+Description : Identifies a match in GitHub_CL table from any IP IOC from TI
+CreatedDateUtc : 8/27/2019 12:00:00 AM
+LastUpdatedDateUtc : 10/19/2021 12:00:00 AM
+Kind : Scheduled
+Severity : Medium
+Name : aac495a9-feb1-446d-b08e-a1164a539452
+
+DisplayName : Accessed files shared by temporary external user
+Description : This detection identifies an external user is added to a Team or Teams chat
+ and shares a files which is accessed by many users (>10) and the users is removed within short period of time. This might be
+ an indicator of suspicious activity.
+CreatedDateUtc : 8/18/2020 12:00:00 AM
+LastUpdatedDateUtc : 1/3/2022 12:00:00 AM
+Kind : Scheduled
+Severity : Low
+Name : bff058b2-500e-4ae5-bb49-a5b1423cbd5b
+```
+
+This command lists all Alert Rule Templates under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Alert Rule Template
+```powershell
+ Get-AzSentinelAlertRuleTemplate -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "myRuaac495a9-feb1-446d-b08e-a1164a539452leTemplateId"
+```
+
+```output
+DisplayName : TI map IP entity to GitHub_CL
+Description : Identifies a match in GitHub_CL table from any IP IOC from TI
+CreatedDateUtc : 8/27/2019 12:00:00 AM
+LastUpdatedDateUtc : 10/19/2021 12:00:00 AM
+Kind : Scheduled
+Severity : Medium
+Name : aac495a9-feb1-446d-b08e-a1164a539452
+```
+
+This command gets an Alert Rule Template.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Alert rule template ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: AlertRuleTemplateId, TemplateId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAlertRuleTemplate
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md
new file mode 100644
index 000000000000..f4b76814a7f9
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelAutomationRule.md
@@ -0,0 +1,212 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelautomationrule
+schema: 2.0.0
+---
+
+# Get-AzSentinelAutomationRule
+
+## SYNOPSIS
+Gets the automation rule.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelAutomationRule -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelAutomationRule -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelAutomationRule -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets the automation rule.
+
+## EXAMPLES
+
+### Example 1: List all Automation Rules
+```powershell
+ Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+DisplayName : VIP automation rule
+CreatedByEmail : luke@contoso.com
+CreatedByUserPrincipalName : luke@contoso.com
+TriggeringLogicIsEnabled : True
+TriggeringLogicTriggersOn : Incidents
+TriggeringLogicTriggersWhen : Created
+Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767
+
+```
+
+This command lists all Automation Rules under a Microsoft Sentinel workspace.
+
+### Example 2: Get an Automation Rule
+```powershell
+ Get-AzSentinelAutomationRule -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "2f32af32-ad13-4fbb-9fbc-e19e0e7ff767"
+```
+
+```output
+DisplayName : VIP automation rule
+CreatedByEmail : luke@contoso.com
+CreatedByUserPrincipalName : luke@contoso.com
+TriggeringLogicIsEnabled : True
+TriggeringLogicTriggersOn : Incidents
+TriggeringLogicTriggersWhen : Created
+Name : 2f32af32-ad13-4fbb-9fbc-e19e0e7ff767
+```
+
+This command gets an Automation Rule.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Automation rule ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: AutomationRuleId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IAutomationRule
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmark.md b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md
new file mode 100644
index 000000000000..01fe1836136e
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelBookmark.md
@@ -0,0 +1,210 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelbookmark
+schema: 2.0.0
+---
+
+# Get-AzSentinelBookmark
+
+## SYNOPSIS
+Gets a bookmark.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelBookmark -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelBookmark -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelBookmark -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a bookmark.
+
+## EXAMPLES
+
+### Example 1: List all Bookmarks
+```powershell
+ Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+DisplayName : SecurityAlert - 28b401e1e0c9
+CreatedByEmail : john@contoso.com
+CreatedByName : John Contoso
+Label : {}
+Note : This needs further investigation
+Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9
+
+```
+
+This command lists all Bookmarks under a Microsoft Sentinel workspace.
+
+### Example 2: Get a Bookmark
+```powershell
+ Get-AzSentinelBookmark -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -Id "515fc035-2ed8-4fa1-ad7d-28b401e1e0c9"
+```
+
+```output
+DisplayName : SecurityAlert - 28b401e1e0c9
+CreatedByEmail : john@contoso.com
+CreatedByName : John Contoso
+Label : {}
+Note : This needs further investigation
+Name : 515fc035-2ed8-4fa1-ad7d-28b401e1e0c9
+```
+
+This command gets a Bookmark.
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: BookmarkId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IBookmark
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md
new file mode 100644
index 000000000000..6f22d30642c1
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelBookmarkRelation.md
@@ -0,0 +1,298 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentinelbookmarkrelation
+schema: 2.0.0
+---
+
+# Get-AzSentinelBookmarkRelation
+
+## SYNOPSIS
+Gets a bookmark relation.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelBookmarkRelation -BookmarkId -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-Filter ] [-Orderby ] [-SkipToken ] [-Top ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelBookmarkRelation -BookmarkId -RelationName -ResourceGroupName
+ -WorkspaceName [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelBookmarkRelation -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a bookmark relation.
+
+## EXAMPLES
+
+### Example 1: List all Bookmark Relations for a given Bookmark
+```powershell
+ Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+```
+
+```output
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command lists all Bookmark Relations for a given Bookmark.
+
+### Example 2: Get a Bookmark Relation
+```powershell
+ Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+```
+
+```output
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command gets a Bookmark Relation.
+
+### Example 3: Get a Bookmark Relation by object Id
+```powershell
+ $Bookmarkrelations = Get-AzSentinelBookmarkRelation -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" -BookmarkId "myBookmarkId"
+ $Bookmarkrelations[0] | Get-AzSentinelBookmarkRelation
+```
+
+```output
+Name : 83846045-d8dc-4d6b-abbe-7588219c474e
+RelatedResourceName : 7cc984fe-61a2-43c2-a1a4-3583c8a89da2
+RelatedResourceType : Microsoft.SecurityInsights/Incidents
+```
+
+This command gets a Bookmark by object
+
+## PARAMETERS
+
+### -BookmarkId
+Bookmark ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Filter
+Filters the results, based on a Boolean condition.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -Orderby
+Sorts the results.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -RelationName
+Relation Name
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SkipToken
+Skiptoken is only used if a previous operation returned a partial result.
+If a previous response contains a nextLink element, the value of the nextLink element will include a skiptoken parameter that specifies a starting point to use for subsequent calls.
+Optional.
+
+```yaml
+Type: System.String
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Top
+Returns only the first n results.
+Optional.
+
+```yaml
+Type: System.Int32
+Parameter Sets: List
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IRelation
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id ]`: Resource identity path
+ - `[IncidentCommentId ]`: Incident comment ID
+ - `[IncidentId ]`: Incident ID
+ - `[MetadataName ]`: The Metadata name.
+ - `[Name ]`: Threat intelligence indicator name field.
+ - `[RelationName ]`: Relation Name
+ - `[ResourceGroupName ]`: The name of the resource group. The name is case insensitive.
+ - `[RuleId ]`: Alert rule ID
+ - `[SentinelOnboardingStateName ]`: The Sentinel onboarding state name. Supports - default
+ - `[SettingsName ]`: The setting name. Supports - Anomalies, EyesOn, EntityAnalytics, Ueba
+ - `[SourceControlId ]`: Source control Id
+ - `[SubscriptionId ]`: The ID of the target subscription.
+ - `[WorkspaceName ]`: The name of the workspace.
+
+## RELATED LINKS
+
diff --git a/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md
new file mode 100644
index 000000000000..45b3e1d4a717
--- /dev/null
+++ b/src/SecurityInsights/docs/Get-AzSentinelDataConnector.md
@@ -0,0 +1,209 @@
+---
+external help file:
+Module Name: Az.SecurityInsights
+online version: https://docs.microsoft.com/powershell/module/az.securityinsights/get-azsentineldataconnector
+schema: 2.0.0
+---
+
+# Get-AzSentinelDataConnector
+
+## SYNOPSIS
+Gets a data connector.
+
+## SYNTAX
+
+### List (Default)
+```
+Get-AzSentinelDataConnector -ResourceGroupName -WorkspaceName [-SubscriptionId ]
+ [-DefaultProfile ] []
+```
+
+### Get
+```
+Get-AzSentinelDataConnector -Id -ResourceGroupName -WorkspaceName
+ [-SubscriptionId ] [-DefaultProfile ] []
+```
+
+### GetViaIdentity
+```
+Get-AzSentinelDataConnector -InputObject [-DefaultProfile ]
+ []
+```
+
+## DESCRIPTION
+Gets a data connector.
+
+## EXAMPLES
+
+### Example 1: List all Data Connectors
+```powershell
+ Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName"
+```
+
+```output
+Kind : AzureActiveDirectory
+Name : 8207e1f9-a793-4869-afb1-5ad4540d66d1
+
+Kind : AzureAdvancedThreatProtection
+Name : 1d75aada-a558-4461-986b-c6822182e81d
+
+Kind : Office365
+Name : 6323c716-83ae-4cfd-bf93-58235c8beb23
+
+```
+
+This command lists all DataConnectors under a Microsoft Sentinel workspace.
+
+### Example 2: Get a specific Data Connector
+```powershell
+ Get-AzSentinelDataConnector -ResourceGroupName "myResourceGroupName" -workspaceName "myWorkspaceName" | Where-Object {$_.kind -eq "Office365"}
+```
+
+```output
+Kind : Office365
+Name : 6323c716-83ae-4cfd-bf93-58235c8beb23
+SharePointState : enabled
+```
+
+This command gets a specific DataConnector based on kind
+
+## PARAMETERS
+
+### -DefaultProfile
+The credentials, account, tenant, and subscription used for communication with Azure.
+
+```yaml
+Type: System.Management.Automation.PSObject
+Parameter Sets: (All)
+Aliases: AzureRMContext, AzureCredential
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -Id
+Connector ID
+
+```yaml
+Type: System.String
+Parameter Sets: Get
+Aliases: DataConnectorId
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -InputObject
+Identity Parameter
+To construct, see NOTES section for INPUTOBJECT properties and create a hash table.
+
+```yaml
+Type: Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+Parameter Sets: GetViaIdentity
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: True (ByValue)
+Accept wildcard characters: False
+```
+
+### -ResourceGroupName
+The name of the resource group.
+The name is case insensitive.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -SubscriptionId
+The ID of the target subscription.
+
+```yaml
+Type: System.String[]
+Parameter Sets: Get, List
+Aliases:
+
+Required: False
+Position: Named
+Default value: (Get-AzContext).Subscription.Id
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### -WorkspaceName
+The name of the workspace.
+
+```yaml
+Type: System.String
+Parameter Sets: Get, List
+Aliases:
+
+Required: True
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
+### CommonParameters
+This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutVariable, -OutBuffer, -PipelineVariable, -Verbose, -WarningAction, and -WarningVariable. For more information, see [about_CommonParameters](http://go.microsoft.com/fwlink/?LinkID=113216).
+
+## INPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.ISecurityInsightsIdentity
+
+## OUTPUTS
+
+### Microsoft.Azure.PowerShell.Cmdlets.SecurityInsights.Models.Api20210901Preview.IDataConnector
+
+## NOTES
+
+ALIASES
+
+COMPLEX PARAMETER PROPERTIES
+
+To create the parameters described below, construct a hash table containing the appropriate properties. For information on hash tables, run Get-Help about_Hash_Tables.
+
+
+INPUTOBJECT : Identity Parameter
+ - `[ActionId ]`: Action ID
+ - `[AlertRuleTemplateId ]`: Alert rule template ID
+ - `[AutomationRuleId ]`: Automation rule ID
+ - `[BookmarkId ]`: Bookmark ID
+ - `[ConsentId ]`: consent ID
+ - `[DataConnectorId ]`: Connector ID
+ - `[EntityId ]`: entity ID
+ - `[EntityQueryId ]`: entity query ID
+ - `[EntityQueryTemplateId ]`: entity query template ID
+ - `[Id