Unable to use Disable-AzSentinelAlertRule or Enable-AzSentinelAlertRule

[pemontto]

Environment

> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.0.3
PSEdition                      Core
GitCommitId                    7.0.3
OS                             Darwin 18.7.0 Darwin Kernel Version 18.7.0: Tue Aug 20 16:57:14 PDT 2019; root:xnu-4903.271.2~2/RELEASE_X86_64
Platform                       Unix
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Steps to reproduce

Attempt to disable a scheduled rule that is currently enabled.

Disable-AzSentinelAlertRule -Verbose -Debug -SubscriptionId XXX -WorkspaceName XXX -RuleName "(Preview) TI map Email entity to OfficeActivity"

Expected behavior

The rule gets disabled.

Actual behavior

The command produces errors when, I'm guessing, it tries to build the Scheduled Alert rule object:

<snip>
InvalidOperation: /x/powershell/Modules/AzSentinel/0.6.5/AzSentinel.psm1:644
Line |
 644 |                  $bodyAlertProp = [AlertProp]::new(
     |                                   ~~~~~~~~~~~
     | Unable to find type [AlertProp].

MethodException: /x/powershell/Modules/AzSentinel/0.6.5/AzSentinel.psm1:648
Line |
 648 |                  $body = [AlertRule]::new(
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find an overload for "new" and the argument count: "2".
<snip>
Disable-AzSentinelAlertRule: Response status code does not indicate success: 400 (Bad Request).

[pemontto]

Hoping this was a simple one, but changing AlertProp to ScheduledAlertProp didn't fix it. The $rule object properties are seemingly treated as a single argument to the constructor rather than the individual key/values.

AzSentinel/Public/Disable-AzSentinelAlertRule.ps1:63-65

$bodyAlertProp = [ScheduledAlertProp]::new(
    ($rule | Select-Object * -ExcludeProperty lastModifiedUtc, etag, id)
)

The subsequent errors:

MethodException: /x/git/AZSentinel/AzSentinel/Public/Disable-AzSentinelAlertRule.ps1:66
Line |
  66 |  …           @($rule | Select-Object * -ExcludeProperty lastModifiedUtc, …
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find an overload for "new" and the argument count: "1".

MethodException: /x/git/AZSentinel/AzSentinel/Public/Disable-AzSentinelAlertRule.ps1:69
Line |
  69 |                  $body = [AlertRule]::new(
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find an overload for "new" and the argument count: "2".

[rleal124]

I am cross the same situation. I am sure works before last commit.
Do have some workaround?

[pemontto]

I haven't been able to get this working either. Currently on 0.6.10

Get-Command -Module AzSentinel Disable-AzSentinelAlertRule

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Disable-AzSentinelAlertRule                        0.6.10     AzSentinel

Get-Command -Module AzSentinel Enable-AzSentinelAlertRule

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Enable-AzSentinelAlertRule                         0.6.10     AzSentinel

Disable-AzSentinelAlertRule -WorkspaceName $Workspace -RuleName $RuleName -Verbose -Debug
<SNIP>
InvalidOperation: /Users/test/.local/share/powershell/Modules/AzSentinel/0.6.10/AzSentinel.psm1:3376
Line |
3376 |                  $bodyAlertProp = [AlertProp]::new(
     |                                   ~~~~~~~~~~~
     | Unable to find type [AlertProp].

MethodException: /Users/test/.local/share/powershell/Modules/AzSentinel/0.6.10/AzSentinel.psm1:3380
Line |
3380 |                  $body = [AlertRule]::new(
     |                  ~~~~~~~~~~~~~~~~~~~~~~~~~
     | Cannot find an overload for "new" and the argument count: "2".

[rleal124]

@pemontto I know works before, because I running a script last week and works well. Yesterday i starting have the issues with disable the AlertRule

[pemontto]

For now you can have a look at your previous versions and rollback to a version that works

Get-Module -ListAvailable AzSentinel

Rollback

Import-Module AzSentinel -RequiredVersion "0.6.8" -Force

[rleal124]

I am try using the 0.6.10, 0.6.8 and 0.6.5 and I still have same error.

Disable-AzSentinelAlertRule -SubscriptionId $SubscriptionId -WorkspaceName $WorkspaceName -RuleName $RuleName

InvalidOperation: C:\Users\user\Documents\PowerShell\Modules\AzSentinel\0.6.5\AzSentinel.psm1:644
Line |
644 | $bodyAlertProp = [AlertProp]::new(
| ~~~~~~~~~~~
| Unable to find type [AlertProp].

MethodException: C:\Users\user\Documents\PowerShell\Modules\AzSentinel\0.6.5\AzSentinel.psm1:648
Line |
648 | $body = [AlertRule]::new(

Disable-AzSentinelAlertRule: Response status code does not indicate success: 400 (Bad Request).
| ~~~~~~~~~~~~~~~~~~~~~~~~~
| Cannot find an overload for "new" and the argument count: "2".

[pkhabazi]

@rleal124 thanks for the feedback, I see what's broken. Already fixed the issue for disable and enable function. Will merge this.

[rleal124]

@pkhabazi Thanks for your feedback.

[pkhabazi]

@pemontto and @rleal124 please update to version 0.6.11, problem should be fixed in this version

[rleal124]

@pkhabazi Thanks, I tested now and works well. Many thanks for your support.