New-AzSentinelAlertRule does not work with tactic parameter even if the values are formatted correctly about azsentinel HOT 4 OPEN

hi @jutlag, The property "resourceGroupName" is not port of AzSentinel so I think you are using the MS PowerShell module. In AzSentinel Tactics are configured as following:

-Tactics @("Persistence","LateralMovement")

see readme for more info

from azsentinel.

Exactly that is what we tried and still get the same error. The same error message is received.

from azsentinel.

can you try running it as following:

AzSentinel\New-AzSentinelAlertRule -WorkspaceName "dev" -DisplayName "test0103" -Description "something" -Severity High -Enabled $true -Query 'SecurityEvent' -QueryFrequency "5H" -QueryPeriod "6H" -TriggerOperator GreaterThan -TriggerThreshold 5 -SuppressionDuration "5h" -SuppressionEnabled $false -Tactics @("Persistence","LateralMovement") 

from azsentinel.

Still getting the same error

I had tried all these options before contacting you guys. I understand the data type expected by the parameter value. I can dump the existing tactics with the get command and see the format used as well. I have taken examples from the ARM templates. I know how the expected data type i.e. "System.Collections.Generic.IList`1[System.String]" can be constructed and passed. There seems to be a problem in the module code in parsing the data provided to this parameter. I would really appreciate if you could review the code please.

from azsentinel.