Creating Alert rules fails with "suppressionDuration" set

[dmaasland]

Hello,

I've noticed that creating a new rule using New-AzSentinelAlertRule and setting any value to the SuppressionDuration parameter, the rule creation fails with the following error:

##[error]Unable to initiate class with error: Invalid Properties for Scheduled alert rule: 'suppressionDuration' should be greater than or equal to 'queryFrequency'

I'm using this data to create a rule:

{
  "Tactics": [
    "InitialAccess",
    "CredentialAccess"
  ],
  "LookbackDuration": "1H",
  "TriggerThreshold": 5,
  "TriggerOperator": "GreaterThan",
  "SuppressionEnabled": true,
  "GroupingConfigurationEnabled": false,
  "Kind": "Scheduled",
  "CreateIncident": true,
  "SuppressionDuration": "1H",
  "PlaybookName": [],
  "ReopenClosedIncident": false,
  "WorkspaceName": "TEST-DevLab",
  "AggregationKind": "SingleAlert",
  "GroupByEntities": [
    "Account",
    "Ip",
    "Host",
    "Url",
    "FileHash"
  ],
  "DisplayName": "Multiple failed login attempts",
  "Enabled": false,
  "QueryFrequency": "5M",
  "EntitiesMatchingMethod": "All",
  "Description": "",
  "Severity": "Low",
  "Query": "<removed for readability>",
  "QueryPeriod": "30M"
}

So my parameters are:

"QueryFrequency": "5M",
"SuppressionEnabled": true,
 "SuppressionDuration": "1H"

I think I have tracked the issue down to this line in ScheduledAlertProp.ps1.

It seems to use -ge to compare QueryFrequency and SuppressionDuration. However, running the compare manually gives:

PS /> "PT1H" -ge "PT5M"

False

This is clearly wrong. There is a workaround though, for now. Specify all times in the same format. So 1H becomes 60M:

PS /> "PT60M" -ge "PT5M"

True
PS /> "PT60M" -ge "PT61M"

False

[rleal124]

Change to suppressionDuration: PT1H

[dmaasland]

That makes no difference. 1H is transformed to PT1H regardless:

# Format hour and minute time periods
        if ($value -match ".*[HM]") {
            return "PT$value"
        }
        return $value