AZSentinel
Import-AzSentinelAlertRule update to support CustomDetails
Summary of the new feature/enhancement
Microsoft added Custom Details mapping and Event Grouping for each event (Trigger an alert for each event (preview)) for Analytical Rules. This allows for more flexibility when it comes to data mapping and event grouping.
https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-alert-enrichment-custom-details-and-entity-mapping/ba-p/2195409
Details of use
We are using your PowerShell module for Analytical Rule automation, and custom details are part of the new rules we are planning to deploy.
Both are present when exporting the Analytical Rules using Get-AzSentinelAlertRule.
The Event grouping feature is represented as "AlertPerResult" in the export as seen in the example below.
Example output:
{
  "queryFrequency": "PT15M",
  "queryPeriod": "PT15M",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "eventGroupingSettings": {
    "aggregationKind": "AlertPerResult"
  },
  "severity": "Medium",
  "query": "Some data query",
  "suppressionDuration": "PT1H",
  "suppressionEnabled": false,
  "customDetails": {
    "AlertPack": "AlertPack"
  },
  "displayName": "TEST-008-Alert",
  "enabled": true,
  "description": "",
  "tactics": [],
  "alertRuleTemplateName": null,
  "createIncident": false,
  "groupingConfiguration": {
    "enabled": false,
    "reopenClosedIncident": false,
    "lookbackDuration": "PT5H",
    "entitiesMatchingMethod": "All",
    "groupByEntities": []
  },
  "playbookName": ""
}
Proposed technical implementation details
API version 2021-03-01-preview seems to enable these options, so it looks like the function needs to be updated to that version.
It would be great if these two new features could be added to the Import-AzSentinelAlertRule function. Thank you in advance.
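The following PowerShell is an added example and is not code from the AzSentinel module or from the issue author. It shows what the requested update has to produce: a Scheduled analytics rule body that carries both `customDetails` and `eventGroupingSettings`, submitted to the Microsoft.SecurityInsights REST API at api-version 2021-03-01-preview. It bypasses `Import-AzSentinelAlertRule` and calls the ARM endpoint directly with `Invoke-RestMethod`. The subscription, resource group, workspace and rule id are placeholders, the KQL query and custom-detail mapping are constructed for illustration, and the token step assumes the Az.Accounts module with `Get-AzAccessToken` returning a plain-text `Token` property.

```powershell
# Added example (not from the AzSentinel project or the issue author).
# Placeholders: replace before running.
$subscriptionId = '<subscription-id>'
$resourceGroup  = '<resource-group>'
$workspaceName  = '<workspace-name>'
$ruleId         = [guid]::NewGuid().Guid   # reuse an existing rule id to update instead of create
$apiVersion     = '2021-03-01-preview'     # version that exposes customDetails and eventGroupingSettings

function New-ScheduledRuleBody {
    param(
        [Parameter(Mandatory)] [string] $DisplayName,
        [Parameter(Mandatory)] [string] $Query,
        # Custom detail name -> column returned by the query
        [hashtable] $CustomDetails = @{},
        # 'AlertPerResult' is the "Trigger an alert for each event" option
        [ValidateSet('SingleAlert', 'AlertPerResult')] [string] $AggregationKind = 'SingleAlert',
        [ValidateSet('Informational', 'Low', 'Medium', 'High')] [string] $Severity = 'Medium'
    )

    # Every customDetails value must be a column the query emits; reject anything
    # that is not a plain identifier so a typo fails here rather than in Sentinel.
    foreach ($entry in $CustomDetails.GetEnumerator()) {
        if ($entry.Key -notmatch '^[A-Za-z_][A-Za-z0-9_]*$' -or
            $entry.Value -notmatch '^[A-Za-z_][A-Za-z0-9_]*$') {
            throw "customDetails entry '$($entry.Key)' = '$($entry.Value)' is not a valid identifier"
        }
    }

    return @{
        kind       = 'Scheduled'
        properties = @{
            displayName           = $DisplayName
            enabled               = $true
            description           = ''
            query                 = $Query
            queryFrequency        = 'PT15M'
            queryPeriod           = 'PT15M'
            severity              = $Severity
            triggerOperator       = 'GreaterThan'
            triggerThreshold      = 0
            suppressionDuration   = 'PT1H'
            suppressionEnabled    = $false
            tactics               = @()
            customDetails         = $CustomDetails
            eventGroupingSettings = @{ aggregationKind = $AggregationKind }
        }
    }
}

# Constructed sample rule: one alert per account with failed logons, with the
# failure count and account surfaced as custom details on each alert.
$ruleParams = @{
    DisplayName     = 'TEST-008-Alert'
    Query           = 'SecurityEvent | where EventID == 4625 | summarize Failures = count() by Account'
    CustomDetails   = @{ FailedLogons = 'Failures'; TargetAccount = 'Account' }
    AggregationKind = 'AlertPerResult'
}
$body = New-ScheduledRuleBody @ruleParams
$json = $body | ConvertTo-Json -Depth 10

# Token from an existing Connect-AzAccount session (Az.Accounts).
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token

$uri = "https://management.azure.com/subscriptions/$subscriptionId" +
       "/resourceGroups/$resourceGroup" +
       "/providers/Microsoft.OperationalInsights/workspaces/$workspaceName" +
       "/providers/Microsoft.SecurityInsights/alertRules/$ruleId" +
       "?api-version=$apiVersion"

$result = Invoke-RestMethod -Method Put -Uri $uri `
    -Headers @{ Authorization = "Bearer $token" } `
    -ContentType 'application/json' -Body $json

# Confirm the service stored both settings rather than silently dropping them.
$result.properties.eventGroupingSettings.aggregationKind
$result.properties.customDetails
```

Reading the two properties back from the PUT response is the useful check: an older api-version accepts the request but returns a rule without `customDetails` or `eventGroupingSettings`, which is exactly the symptom a module pinned to the previous version would show.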
Do we have an approx. ETA on this? We are using the latest AzSentinel module, and custom details are an important part of what our Analytics queries need. Please let us know.