Hello,
After constructing an Analytic Rule in YAML format and trying to import it using Azure Pipelines / Azure DevOps, I faced the following issues during the "Create and Update Alert Rules" step:
1. When I manually set "enabled: true" in the YAML template, the Analytic Rule fails to import into Azure Sentinel. The error displayed is:
Line |
6 | Import-AzSentinelAlertRule -SubscriptionId XXXXXXXXX- …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Unable to invoke webrequest for rule RuleName01 with error message: Response status code
| does not indicate success: 400 (Bad Request).
When I comment out the "enabled" line, the Analytic Rule is imported without any issues. Is there generally a problem when I try to import an Analytic Rule with status Enabled?
2. In the YAML template I am using entries like:
customDetails:
  CustomField1: Field1
eventGroupingSettings:
  aggregationKind: AlertPerResult
but both of them are ignored after the successful import of the Analytic Rule. Nothing is written under the "Custom details" section. Additionally, in the Event grouping the option is still "Group all events into a single alert".
Regards,
Greg
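The post does not show the request body that the pipeline step actually sent, so neither the 400 nor the dropped sections can be diagnosed from it. What a practitioner can do is build the body the Microsoft.SecurityInsights alertRules REST API expects for a Scheduled rule from the same template and compare it with what the tooling sends. The following is an added example, not code from the original post or from the AzSentinel module: it takes the YAML template already parsed into a dict (what yaml.safe_load would return; the dict is embedded so the example runs without PyYAML), rejects the field types the API schema does not accept (for instance an "enabled" value that arrived as the string "true" instead of a boolean), and places customDetails and eventGroupingSettings under "properties", which is where the API reads them. The template contents, rule name, query, column names, resource IDs and the shorthand durations ("5m", "1h") are constructed placeholders; the API version is the stable one at the time of writing.

```python
"""Build and sanity-check the Azure Sentinel REST body for a Scheduled analytic rule.

Added example (not from the original post or the AzSentinel module). The
template is a constructed placeholder standing in for a parsed YAML file.
"""
import json
import re

# Allowed values for a Scheduled rule in the alertRules API.
SEVERITIES = {"High", "Medium", "Low", "Informational"}
TRIGGER_OPERATORS = {"GreaterThan", "LessThan", "Equal", "NotEqual"}
AGGREGATION_KINDS = {"SingleAlert", "AlertPerResult"}

# ISO 8601 durations as used by queryFrequency, queryPeriod and suppressionDuration.
ISO_DURATION = re.compile(r"^P(?!$)(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+S)?)?$")
_SHORTHAND = {"m": "PT{}M", "h": "PT{}H", "d": "P{}D"}


def to_iso_duration(value):
    """Pass 'PT5M' through; convert shorthand like '5m'/'1h'/'14d' (an assumed
    template convention) because the API only accepts ISO 8601."""
    if ISO_DURATION.match(value):
        return value
    m = re.fullmatch(r"(\d+)([mhd])", value)
    if not m:
        raise ValueError(f"bad duration {value!r}")
    return _SHORTHAND[m.group(2)].format(m.group(1))


def validate(template):
    """Return a list of schema problems; an empty list means the template passes."""
    problems = []
    enabled = template.get("enabled", True)
    # A quoted YAML scalar such as "true" arrives as str; the API field is boolean.
    if not isinstance(enabled, bool):
        problems.append(f"enabled must be a boolean, got {type(enabled).__name__}")
    if template.get("severity") not in SEVERITIES:
        problems.append(f"severity must be one of {sorted(SEVERITIES)}")
    if template.get("triggerOperator") not in TRIGGER_OPERATORS:
        problems.append(f"triggerOperator must be one of {sorted(TRIGGER_OPERATORS)}")
    if not isinstance(template.get("triggerThreshold"), int):
        problems.append("triggerThreshold must be an integer")
    for key in ("queryFrequency", "queryPeriod"):
        try:
            to_iso_duration(str(template.get(key, "")))
        except ValueError as e:
            problems.append(f"{key}: {e}")
    kind = (template.get("eventGroupingSettings") or {}).get("aggregationKind", "SingleAlert")
    if kind not in AGGREGATION_KINDS:
        problems.append(f"aggregationKind must be one of {sorted(AGGREGATION_KINDS)}")
    for name, column in (template.get("customDetails") or {}).items():
        if not isinstance(column, str):  # each custom detail maps to a query column name
            problems.append(f"customDetails.{name} must be a column name string")
    return problems


def build_body(template):
    """Return the PUT body for .../Microsoft.SecurityInsights/alertRules/{ruleId}."""
    problems = validate(template)
    if problems:
        raise ValueError("; ".join(problems))
    egs = template.get("eventGroupingSettings") or {}
    props = {
        "displayName": template["displayName"],
        "description": template.get("description", ""),
        "severity": template["severity"],
        "enabled": template.get("enabled", True),
        "query": template["query"],
        "queryFrequency": to_iso_duration(str(template["queryFrequency"])),
        "queryPeriod": to_iso_duration(str(template["queryPeriod"])),
        "triggerOperator": template["triggerOperator"],
        "triggerThreshold": template["triggerThreshold"],
        "suppressionDuration": to_iso_duration(str(template.get("suppressionDuration", "PT5H"))),
        "suppressionEnabled": bool(template.get("suppressionEnabled", False)),
        "tactics": list(template.get("tactics", [])),
        # Both sections from the post sit under "properties", as siblings of "query".
        "eventGroupingSettings": {"aggregationKind": egs.get("aggregationKind", "SingleAlert")},
        "customDetails": dict(template.get("customDetails") or {}),
    }
    return {"kind": "Scheduled", "properties": props}


def rule_url(subscription_id, resource_group, workspace, rule_id, api_version="2023-02-01"):
    """ARM URL the body is PUT to (IDs are caller-supplied placeholders)."""
    return (f"https://management.azure.com/subscriptions/{subscription_id}"
            f"/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights"
            f"/workspaces/{workspace}/providers/Microsoft.SecurityInsights"
            f"/alertRules/{rule_id}?api-version={api_version}")


# Constructed template, as yaml.safe_load would return it for a small rule file.
SAMPLE_TEMPLATE = {
    "displayName": "RuleName01",
    "description": "Constructed example rule",
    "severity": "Medium",
    "enabled": True,
    "query": "SecurityEvent | where EventID == 4625 | summarize Count=count() by Account",
    "queryFrequency": "5m",
    "queryPeriod": "1h",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "tactics": ["CredentialAccess"],
    "customDetails": {"CustomField1": "Account"},
    "eventGroupingSettings": {"aggregationKind": "AlertPerResult"},
}

if __name__ == "__main__":
    print(json.dumps(build_body(SAMPLE_TEMPLATE), indent=2))
    # The same template with enabled written as a string is rejected before any request is sent.
    print(validate({**SAMPLE_TEMPLATE, "enabled": "true"}))
```

Running it prints the body with "enabled": true, "queryFrequency": "PT5M" and the two sections under "properties"; if the tooling's request (captured with a proxy or verbose logging) lacks those keys or carries them at the top level, the portal will show the defaults exactly as the post describes.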