fix: upgraded recorded future identity for msft defender #13682
v-atulyadav merged 18 commits into Azure:master from
Conversation
Kindly review and address the failing validation error. Thanks!
@v-maheshbh I have done some changes, but the workflows do not run. Do you need to do something?
@v-maheshbh The error makes no sense. Am I unable to reference a Log Analytics custom table that will be created by our Playbooks at runtime? Or is there somewhere I can specify the tables that will be used? Secondly, I created this YAML rule based on a working JSON rule (that I created in Microsoft Sentinel), but there is no official tool to actually generate a YAML rule, so this was made with the help of Copilot. I would like to know HOW I can verify that this rule will work, and how to do a proper JSON (which is what Microsoft Sentinel exports) to YAML conversion.
Kindly update your branch from the master branch.
d859f2b to f803e73
Kindly add the 'RecordedFutureIdentity_PlaybookAlertResults_CL' custom table schema under the following path to resolve the KQL validation error: https://github.com/Azure/Azure-Sentinel/tree/master/.script/tests/KqlvalidationsTests/CustomTables Thanks!
@v-maheshbh I have now done this.
@v-maheshbh I have now added the Microsoft Log Analytics default field of
Kindly add the analytic rule in the appropriate data file and repackage the solution so the changes are reflected in the main template. Thanks!
@v-maheshbh I have now updated the package.
Analytic rule not reflected in main template. Kindly repackage using the v3 tool. Thanks!
@v-maheshbh I was using v3, but it seems like the module
Please attach the testing screenshot of the analytic rule creation for reference. Thanks!
@v-maheshbh Is there a specific provided yaml-to-json tool that I should use to ensure that the transformation is valid, since it's not possible to deploy a .yaml file to Microsoft Sentinel?
We do not have any such tool available. Kindly consider using Copilot for assistance. Thanks!
@v-maheshbh Is there something more that needs to be done?
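The custom-table schema requirement raised earlier in this thread and the YAML-to-JSON question just above are left without a tool on the page, so here is an added example (not the project's code and not the v3 packaging tool) showing the two field conversions a Scheduled alert rule needs when going from detection YAML to an ARM alertRules resource, plus a check that every customDetails column is declared in the custom table schema. The apiVersion, the CustomTables JSON layout, the rule fields and the placeholder GUID are constructed assumptions.

```python
import re

# Hypothetical helper (not the official v3 packaging tool): maps Sentinel detection YAML
# fields onto a Scheduled Microsoft.SecurityInsights/alertRules ARM resource.
_OPERATORS = {"gt": "GreaterThan", "lt": "LessThan", "eq": "Equal", "ne": "NotEqual"}
_DURATION = re.compile(r"^(\d+)([mhd])$")

# Constructed table schema in the shape assumed for KqlvalidationsTests/CustomTables JSON.
TABLE_SCHEMA = {"Name": "RecordedFutureIdentity_PlaybookAlertResults_CL",
                "Properties": [{"Name": "TimeGenerated", "Type": "DateTime"},
                               {"Name": "playbook_alert_id_s", "Type": "String"}]}

# Constructed rule, as a detection .yaml would load; "Missing" references an undeclared column.
RULE = {
    "id": "00000000-0000-0000-0000-000000000000",  # placeholder GUID
    "name": "Recorded Future Identity playbook alert",
    "severity": "Medium", "queryFrequency": "1h", "queryPeriod": "1d",
    "triggerOperator": "gt", "triggerThreshold": 0,
    "query": "RecordedFutureIdentity_PlaybookAlertResults_CL",
    "customDetails": {"AlertId": "playbook_alert_id_s", "Missing": "not_a_column_s"},
}

def to_iso8601(duration: str) -> str:
    """'5m' -> 'PT5M', '1h' -> 'PT1H', '14d' -> 'P14D'; ISO 8601 input passes through."""
    if duration.upper().startswith("P"):
        return duration.upper()
    match = _DURATION.match(duration.lower())
    if not match:
        raise ValueError(f"unsupported duration: {duration!r}")
    return f"P{match[1]}D" if match[2] == "d" else f"PT{match[1]}{match[2].upper()}"

def undeclared_columns(rule: dict, schema: dict) -> list:
    """customDetails columns the table schema lacks; the rule cannot be enabled until they exist."""
    declared = {p["Name"] for p in schema["Properties"]}
    return sorted(c for c in rule.get("customDetails", {}).values() if c not in declared)

def rule_to_arm_resource(rule: dict) -> dict:
    """Build the ARM resource body (apiVersion is an assumption; use the one your template targets)."""
    return {
        "type": "Microsoft.SecurityInsights/alertRules", "apiVersion": "2023-02-01-preview",
        "name": rule["id"], "kind": "Scheduled",
        "properties": {
            "displayName": rule["name"], "severity": rule["severity"], "enabled": True,
            "query": rule["query"], "queryFrequency": to_iso8601(rule["queryFrequency"]),
            "queryPeriod": to_iso8601(rule["queryPeriod"]),
            "triggerOperator": _OPERATORS[rule["triggerOperator"]],
            "triggerThreshold": rule["triggerThreshold"],
            "customDetails": rule.get("customDetails", {}),
        },
    }
```

Running `undeclared_columns(RULE, TABLE_SCHEMA)` on the constructed input flags `not_a_column_s`, the same class of mismatch that blocked enabling the rule later in this thread.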
Please note that any changes made must be followed by repackaging the solution, so that the updates are correctly reflected in the mainTemplate.json. Thanks!
@v-maheshbh Yes, thanks for the information. Redoing some parts of the solution, since to be able to enable the analytic rule the table and all columns need to exist, and since we are using
@v-maheshbh I have now updated the packaging to reflect the changes made. Attaching a screenshot of successful enablement of the analytic rule:
Kindly give me branch access. Thanks!
@v-maheshbh As this is forked from an org repo, I'm unable to give you access for this specific PR. But I have invited you to our fork, which should give you access to this specific branch.
Update Recorded Future Identity package mainTemplate.json and package zip. Add an AlertId variable and a helper _AlertId variable, replace the hardcoded "playbook_alert_id_s" in customDetails with a variable reference, and remove unused empty grouping arrays (groupByCustomDetails and groupByAlertDetails) from incidentGrouping configuration. Also updated the packaged 3.1.3.zip. These changes make the alert ID configurable and tidy grouping settings.
Refresh Recorded Future Identity package (3.1.3.zip) and update ARM templates/playbook metadata: adjust sample date-time examples (timezone offsets updated to +05:30), replace references from 'Azure Sentinel' to 'Microsoft Sentinel' in deprecation notes, reorder/fix alertDetailsOverride and customDetails fields (including enabling createIncident and lookbackDuration placement), and tweak entityMappings formatting. Also update corresponding azuredeploy.json deprecation text.