Closed
Description
It should be an array type, not a string, as we can choose more than one tactic, but that's not possible with PowerShell.
Issue script & Debug output
$AnalyticsRulesData = @(
    @{
        Enabled          = $True
        Query            = 'AuditLogs
| where OperationName =~"Delete conditional access policy"
| where Result =~ "success"
| project TimeGenerated, OperationName, policy=TargetResources[0].displayName,modifiedByUpn=InitiatedBy.user.userPrincipalName, modifiedById=InitiatedBy.user.id, result=Result
| order by TimeGenerated'
        DisplayName      = "Conditional Access policy was deleted"
        Description      = "Detect when a Conditional Access policy was deleted."
        QueryPeriod      = (New-TimeSpan -Hours 1)
        QueryFrequency   = (New-TimeSpan -Minutes 5)
        TriggerThreshold = 10
        TriggerOperator  = "GreaterThan"
        Severity         = "Low"
        Tactic           = @("Initial Access", "Execution", "Persistence")
    }
)
Environment data
Name                           Value
----                           -----
PSVersion                      5.1.18362.1474
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.18362.1474
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
Module versions
Script 3.0.1 Az.SecurityInsights {Get-AzSentinelAlertRule, Get-AzSentinelAlert...
Script 2.2.0 Az.ServiceBus {New-AzServiceBusNamespace, Get-AzServiceBusN...
Error output
Cannot process argument transformation on
parameter 'Tactic'. Cannot convert value to type System.String.
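The binding failure reported above can be reproduced without the module. This is an added example, not part of the original issue and not code from Az.SecurityInsights: `New-DemoRuleScalar` and `New-DemoRuleArray` are hypothetical functions that differ only in declaring `Tactic` as `[string]` versus `[string[]]`, and the rule hashtable is constructed sample input shaped like the one in the report.

```powershell
# Hypothetical stand-ins for illustration; these are not Az.SecurityInsights cmdlets.
function New-DemoRuleScalar {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string] $Tactic        # scalar: the binder accepts exactly one value
    )
    [pscustomobject]@{ DisplayName = $DisplayName; Tactics = @($Tactic) }
}

function New-DemoRuleArray {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [string[]] $Tactic      # array: the binder accepts one or more values
    )
    [pscustomobject]@{ DisplayName = $DisplayName; Tactics = $Tactic }
}

# Constructed input with the same multi-tactic shape as the rule in the report.
$rule = @{
    DisplayName = 'Conditional Access policy was deleted'
    Tactic      = @('Initial Access', 'Execution', 'Persistence')
}

foreach ($cmd in 'New-DemoRuleScalar', 'New-DemoRuleArray') {
    try {
        # Splat the same hashtable into both functions.
        $result = & $cmd @rule
        '{0}: bound {1} tactic(s): {2}' -f $cmd, $result.Tactics.Count, ($result.Tactics -join ', ')
    }
    catch [System.Management.Automation.ParameterBindingException] {
        # The failure happens during parameter binding, before the function body runs.
        '{0}: binding failed: {1}' -f $cmd, $_.Exception.Message
    }
}
```

Because the error is raised by the parameter binder, a detection rule that maps to several tactics never reaches the service when the parameter is declared as a scalar string.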