fix: upgraded recorded future identity for msft defender#13682
fix: upgraded recorded future identity for msft defender#13682ErikMangstenRecFut wants to merge 11 commits intoAzure:masterfrom
Conversation
|
Kindly review and address the failing validation error. Thanks! |
|
@v-maheshbh I have done some changes, but the workflows does not run, do you need to do something. |
|
@v-maheshbh The error makes no sense, am I unable to reference a log analytics custom table that will be created by our Playbooks on runtime? Or is there somewhere where I can specify tables that will be used? Secondly, I created this YAML rule based on a working json rule (that I created in Microsoft Sentinel), but there is no official tool to actually generate a YAML rule, so this was made with the help of copilot, so I would like to know HOW I can verify that this rule will work and how to do proper JSON (which is the one exported by Microsoft Sentinel) to YAML conversion. |
Kindly update your branch from the master branch |
ErikMangstenRecFut
force-pushed
the
feat-rfi-defender-portal-migration
branch
from
d859f2b to
f803e73
Compare
|
Kindly add the 'RecordedFutureIdentity_PlaybookAlertResults_CL' custom table schema under the below mentioned path to resolve the KQL validation error: Thanks! |
|
@v-maheshbh I have now done this. |
|
@v-maheshbh I have now added the Microsoft Log Analytics default field of |
|
Kindly add the analytic rule in the appropriate data file and repackage the solution so the changes are reflected in the main template. Thanks! |
|
@v-maheshbh I have now updated the package |
analytical rule not reflected in main template. kindly repackage using v3 tool. Thanks! |
|
@v-maheshbh I was using v3, but seems like the module |
|
Please attach the testing screenshot of the analytical rule creation for reference. Thanks! |
|
@v-maheshbh Is there a specific provided yaml-to-json tool that I should use to ensure that the transformation is valid? Since it's not possible to deploy a .yaml file to Microsoft Sentinel. |
We do not have any such tool available. Kindly consider using Copilot for assistance. Thanks! |
|
I'm not entirely sure exactly what screen shot you are requesting. Here is a screenshot of a successful deployment after I transformed the YAML to a JSON with CoPilot. |
|
@v-maheshbh Is there something more that needs to be done? |
Kindly verify analytic rule creation by deploying the solution, enabling the rule under Sentinel → Analytics, and attach a screenshot confirming successful creation. Thanks! |
|
Please note that any changes made must be followed by repackaging the solution, so that the updates are correctly reflected in the mainTemplate.json. Thanks! |
|
@v-maheshbh Yes, thanks for the information. Redoing some parts of the solution since to be able to enable the analytic rule the table and all columns need to exist, and since we are using |
3 participants
Required items, please complete
Change(s):
Reason for Change(s):