Deploying and Managing Azure Sentinel as Code

Published 01-28-2020 12:28 AM 71.4K Views
Microsoft


Philippe Zenhaeusern and Javier Soriano co-author this blog post.

 

In the last few months working on Azure Sentinel, we have talked to many partners and customers about ways to automate Azure Sentinel deployment and operations.

 

These are some of the typical questions: How can I automate customer onboarding into Sentinel? How can I programmatically configure connectors? As a partner, how do I push to my new customer all the custom analytics rules/workbooks/playbooks that I have created for other customers?

 

In this post, we will try to answer all these questions, not only describing how to do it but also giving you a head start with a repository that contains a minimum viable product (MVP) showing how to build a full Sentinel as Code environment.

 

The post will follow this structure:

 

  1.  Infrastructure as Code
  2.  Azure Sentinel Automation Overview
  3.  Automating the deployment of specific Azure Sentinel components
  4.  Building your Sentinel as Code in Azure DevOps

We recommend you go one by one in order to fully understand how it works.

 

Infrastructure as Code

You might be familiar with the Infrastructure as Code concept. Have you heard about the Azure Resource Manager, Terraform, or AWS Cloud Formation? Well, they are all ways to describe your infrastructure as code so that you can treat it as such…put it under source control (e.g., git, svn), so you can track changes to your infrastructure the same way you track changes in your code. You can use any source control platform, but in this article, we will use Github.

 

Besides treating your infrastructure as code, you can also use DevOps tooling to test that code and deploy that infrastructure into your environment, all in a programmatic way. This is also referred to as Continuous Integration/Continuous Delivery (CICD). Please take a look at this article if you want to know more. This post will use Azure DevOps as our DevOps tool, but the concepts are the same for any other tool.

 

In the Sentinel context, the whole idea is to codify your Azure Sentinel deployment and put it in a code repository. Every time there is a change in the files that define this Sentinel environment, that change triggers a pipeline that verifies the changes and deploys them into your Sentinel environment. But how do we programmatically make these changes in Sentinel?

 

Azure Sentinel Automation Overview

As you probably know, there are different components inside Azure Sentinel…we have Connectors, Analytics Rules, Workbooks, Playbooks, Hunting Queries, Notebooks, and so on.

These components can be managed easily through the Azure Portal, but what can I use to modify all these programmatically?

 

Here is a table that summarizes what can be used for each:

 

Component          Automated with
-----------------  ---------------------
Onboarding         API, Powershell, ARM
Alert Rules        API, Powershell
Hunting Queries    API, Powershell
Playbooks          ARM
Workbooks          ARM
Connectors         API

 

  • Powershell: Special thanks to Wortell for writing the AzSentinel module, which greatly facilitates many of the tasks. We will use it in the three components that support it (Onboarding, Alert Rules, Hunting Queries).
  • API: Some components don’t currently have a Powershell module and can only be configured programmatically via API. The Sentinel API is now public, and its details can be found here. We will use it to enable Connectors.
  • ARM: This is Azure’s native management and deployment service. You can use ARM templates to define Azure resources as code. We will use it for Playbooks and Workbooks.

How to structure your Sentinel code repository

Here we would like to show what we think is the recommended way to structure your repository.

|
|- contoso/                          # Root folder for customer
|  |- AnalyticsRules/                # Subfolder for Analytics Rules
|     |- analytics-rules.json        # Analytics Rules definition file (JSON)
|
|  |- Connectors/                    # Subfolder for Connectors
|     |- connectors.json             # Connectors definition file (JSON)
|
|  |- HuntingRules/                  # Subfolder for Hunting Rules
|     |- hunting-rules.json          # Hunting Rules definition file (JSON)
|
|  |- Onboard/                       # Subfolder for Onboarding
|     |- onboarding.json             # Onboarding definition file (JSON)
|
|  |- Pipelines/                     # Subfolder for Pipelines
|     |- pipeline.yml                # Pipeline definition files (YAML)
|
|  |- Playbooks/                     # Subfolder for Playbooks
|     |- playbook.json               # Playbooks definition files (ARM)
|
|  |- Scripts/                       # Subfolder for script helpers
|     |- CreateAnalyticsRules.ps1    # Script files (PowerShell)
|
|  |- Workbooks/                     # Subfolder for Workbooks
|     |- workbook-sample.json        # Workbook definition files (ARM)

You can find a sample repository with this structure here.

 

We will use this same repository throughout this post as we have placed there the whole testing environment. Note: take into account that this is just a Minimum Viable Product and is subject to improvements. Feel free to clone it and enhance it.

 

Automating deployment of specific Azure Sentinel components

Now that we have a clear view of what to use to automate what and how to structure our code repository, we can start creating things. Let’s go, component by component, detailing how to automate its deployment and operation.

 

Onboarding

Thanks to the AzSentinel Powershell module by Wortell, we have a command that simplifies this process. We just need to execute the following command to enable Sentinel on a given Log Analytics workspace:

 

Set-AzSentinel [-SubscriptionId <String>] -WorkspaceName <String> [-WhatIf] [-Confirm] [<CommonParameters>]

We have created a script (InstallSentinel.ps1) with some more logic in it, so we can use it in our pipelines. This script takes a configuration file (JSON) as input, where we specify the different workspaces on which the Sentinel (SecurityInsights) solution should be enabled. The file has the following format:

{
    "deployments": [
        {
            "resourcegroup": "<rgname>",
            "workspace": "<workspacename>"
        },
        {
            "resourcegroup": "<rgname2>",
            "workspace": "<workspacename2>"
        }
    ]
}

The InstallSentinel.ps1 script is located in our repo here and has the following syntax:

 

InstallSentinel.ps1 -OnboardingFile <String>

We will use this script in our pipeline.
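The following script is an added illustration of what an onboarding loop over this file can look like; it is not the repo's InstallSentinel.ps1. It assumes the Az.OperationalInsights and AzSentinel modules are installed and that the session is already signed in to Azure (as the AzurePowerShell task does), and it fails the pipeline rather than succeeding silently when the file is missing, empty, or names a workspace that does not exist.

```powershell
#Requires -Modules Az.Accounts, Az.OperationalInsights, AzSentinel
<#
 Hypothetical Enable-SentinelFromFile.ps1 (added illustration, not the repo's InstallSentinel.ps1).
 Reads the onboarding.json format shown above, checks that each workspace exists, enables
 Sentinel on it with Set-AzSentinel, and exits non-zero on any failure so the pipeline job
 turns red instead of reporting success with nothing enabled.
 Run with -WhatIf to see which workspaces would be touched without changing anything.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string] $OnboardingFile
)

$ErrorActionPreference = 'Stop'

# A missing file must be a hard error: otherwise the job looks like "nothing to do" and succeeds.
if (-not (Test-Path -Path $OnboardingFile -PathType Leaf)) {
    Write-Error "Onboarding file '$OnboardingFile' not found (check the artifact download path in the pipeline)."
    exit 1
}

$config = Get-Content -Path $OnboardingFile -Raw | ConvertFrom-Json
$deployments = @($config.deployments)
if ($deployments.Count -eq 0) {
    Write-Error "No entries under 'deployments' in '$OnboardingFile'."
    exit 1
}

$failures = 0
foreach ($d in $deployments) {
    Write-Host "Processing workspace '$($d.workspace)' in resource group '$($d.resourcegroup)'"

    # The script does not create the workspace or the resource group; both must already exist.
    $ws = Get-AzOperationalInsightsWorkspace -ResourceGroupName $d.resourcegroup -Name $d.workspace `
            -ErrorAction SilentlyContinue
    if (-not $ws) {
        Write-Warning "Workspace '$($d.workspace)' not found in resource group '$($d.resourcegroup)'; skipping."
        $failures++
        continue
    }

    try {
        # Set-AzSentinel (AzSentinel module) enables the SecurityInsights solution on the workspace.
        # $WhatIfPreference set by -WhatIf on this script propagates to the cmdlet automatically.
        Set-AzSentinel -WorkspaceName $d.workspace -Confirm:$false
        Write-Host "Sentinel enabled on '$($d.workspace)'"
    }
    catch {
        Write-Warning "Failed to enable Sentinel on '$($d.workspace)': $($_.Exception.Message)"
        $failures++
    }
}

if ($failures -gt 0) {
    Write-Error "$failures of $($deployments.Count) workspace(s) failed; see warnings above."
    exit 1
}
```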

 

Connectors

Sentinel Data Connectors can currently only be automated via the API, which is not officially documented yet. However, with Developer Tools enabled in your browser, it is quite easy to capture the related connector calls. Please take into account that this API might change in the future without notice, so be cautious when using it.

 

The following script connects the “Azure Security Center” and “Azure Activity Logs” sources to the Sentinel workspace as an example. Both are very common connectors for collecting data from your Azure environments. (Be aware that some connectors require additional rights; connecting the “Azure Active Directory” source, for instance, requires additional AAD Diagnostic Settings permissions besides the “Global Administrator” or “Security Administrator” role on your Azure tenant.)

The “EnableConnectorsAPI.ps1” script is located inside our repo here and has the following syntax:

 

EnableConnectorsAPI.ps1 -TenantId <String> -ClientId <String> -ClientSecret <String> -SubscriptionId <String> -ResourceGroup <String> -Workspace <String> -ConnectorsFile <String>

The ConnectorsFile parameter references a JSON file that specifies all the data sources you want to connect to your Sentinel workspace. Here is a sample file:

{
    "connectors": [
    {
        "kind": "AzureSecurityCenter",
        "properties": {
            "subscriptionId": "subscriptionId",
            "dataTypes": {
                "alerts": {
                    "state": "Enabled"
                }
            }
        }
    },
    {
        "kind": "AzureActivityLog",
        "properties": {
            "linkedResourceId": "/subscriptions/subscriptionId/providers/microsoft.insights/eventtypes/management"
        }
    }]
}


The script will iterate through this JSON file and enable the data connectors one by one. This JSON file should be placed into the Connectors directory so the script can read it.

 

As you can imagine, there are some connectors that cannot be automated, like all the ones based on Syslog/CEF, as they require installing an agent.

 

Analytics Rules

The AzSentinel Powershell module provides a command to be able to create new Analytics Rules (New-AzSentinelAlertRule), passing a bunch of parameters to define the rule characteristics. An even more interesting command allows you to create analytics rules based on an input file where all the rules' properties are specified. This command is Import-AzSentinelAlertRule.

 

We have created a script that takes the workspace and rules file and creates the analytics rules accordingly.

 

The script is located inside our repo here and has the following syntax:

CreateAnalyticsRules.ps1 -Workspace <String> -RulesFile <String>

 

As you can see, one of the parameters is a rules file (in JSON format) where you will specify all the rules (of any type) that need to be added to your Sentinel environment. Here is a sample file:

{
  "Scheduled": [
    {
      "displayName": "AlertRule01",
      "description": "",
      "severity": "Medium",
      "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "queryFrequency": "5H",
      "queryPeriod": "6H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ],
      "playbookName": "",
      "aggregationKind": "SingleAlert",
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "entitiesMatchingMethod": "All",
        "groupByEntities": [
          "Account",
          "Ip",
          "Host",
          "Url"
        ]
      }
    },
    {
      "displayName": "AlertRule02",
      "description": "",
      "severity": "Medium",
      "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\" | where CommandLine contains \"-noni -ep bypass $\"",
      "queryFrequency": "5H",
      "queryPeriod": "6H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ],
      "playbookName": ""
    }
  ],
  "Fusion": [
    {
      "displayName": "Advanced Multistage Attack Detection",
      "enabled": true,
      "alertRuleTemplateName": "f71aba3d-28fb-450b-b192-4e76a83015c8"
    }
  ],
  "MLBehaviorAnalytics": [
    {
      "displayName": "(Preview) Anomalous SSH Login Detection",
      "enabled": true,
      "alertRuleTemplateName": "fa118b98-de46-4e94-87f9-8e6d5060b60b"
    }
  ],
  "MicrosoftSecurityIncidentCreation": [
    {
      "displayName": "Create incidents based on Azure Active Directory Identity Protection alerts",
      "description": "Create incidents based on all alerts generated in Azure Active Directory Identity Protection",
      "enabled": true,
      "productFilter": "Microsoft Cloud App Security",
      "severitiesFilter": [
        "High",
        "Medium",
        "Low"
      ],
      "displayNamesFilter": null
    }
  ]
}

As you can see, Fusion and MLBehaviorAnalytics rules need a field called alertRuleTemplateName. This ID is consistent across all Sentinel environments, so you can use the same values in your own files. As Sentinel grows, we are adding more MLBehaviorAnalytics rules, so you may need to look up their alertRuleTemplateName values in order to add them to your rules JSON file. To get these values, execute the following command available in AzSentinel:

 

Get-AzSentinelAlertRuleTemplates -WorkspaceName <workspace_name> -Kind MLBehaviorAnalytics

The output will contain a name field that contains the alertRuleTemplateName value.

 

The script will iterate through this JSON file and create/enable the analytics rules. It also supports updating existing rules that are already enabled. This JSON file should be placed into the AnalyticsRules directory so the script can read it. The script also supports attaching playbooks for automated response to an alert; this is specified in the playbookName property of each rule in the JSON file.
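As an added example (not part of the repository), here is a semantic check of the rules file that goes beyond the JSON syntax validation the pipelines perform. The checks it applies (allowed severity and trigger operator values, queryPeriod not shorter than queryFrequency, a template GUID for Fusion/MLBehaviorAnalytics entries, unique display names) are our assumptions about what is worth catching before CreateAnalyticsRules.ps1 runs; the function and file names are hypothetical.

```powershell
<#
 Hypothetical Test-AnalyticsRulesFile.ps1 (added illustration, not a script from the repo).
 Loads analytics-rules.json in the format shown above and returns a list of problems so a
 pipeline step can fail before any rule is pushed to the workspace.
#>
function ConvertTo-RuleTimeSpan {
    param([string] $Value)
    if ([string]::IsNullOrWhiteSpace($Value)) { throw "missing duration" }
    # Accept the short form used in the sample file ("5H", "30M", "1D") and ISO 8601 ("PT5H", "P1D").
    if ($Value -match '^(\d+)([MHD])$') {
        switch ($Matches[2]) {
            'M' { return [TimeSpan]::FromMinutes([int]$Matches[1]) }
            'H' { return [TimeSpan]::FromHours([int]$Matches[1]) }
            'D' { return [TimeSpan]::FromDays([int]$Matches[1]) }
        }
    }
    return [System.Xml.XmlConvert]::ToTimeSpan($Value)   # throws on malformed input
}

function Test-AnalyticsRulesFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string] $Path)

    $issues = [System.Collections.Generic.List[string]]::new()
    $validSeverity = 'High', 'Medium', 'Low', 'Informational'
    $validOperator = 'GreaterThan', 'LessThan', 'Equal', 'NotEqual'

    if (-not (Test-Path -Path $Path -PathType Leaf)) { return ,@("File not found: $Path") }
    try { $rules = Get-Content -Path $Path -Raw | ConvertFrom-Json }
    catch { return ,@("Not valid JSON: $($_.Exception.Message)") }

    $seen = @{}
    # Top-level property names are the rule kinds: Scheduled, Fusion, MLBehaviorAnalytics, ...
    foreach ($kind in $rules.PSObject.Properties.Name) {
        foreach ($r in @($rules.$kind)) {
            $name = $r.displayName
            if ([string]::IsNullOrWhiteSpace($name)) { $issues.Add("[$kind] rule without displayName"); continue }
            if ($seen.ContainsKey($name)) { $issues.Add("[$kind] duplicate displayName '$name' (cannot be told apart on update)") }
            $seen[$name] = $true

            switch ($kind) {
                'Scheduled' {
                    if ([string]::IsNullOrWhiteSpace($r.query)) { $issues.Add("[$kind] '$name': empty query") }
                    if ($r.severity -notin $validSeverity) { $issues.Add("[$kind] '$name': invalid severity '$($r.severity)'") }
                    if ($r.triggerOperator -notin $validOperator) { $issues.Add("[$kind] '$name': invalid triggerOperator '$($r.triggerOperator)'") }
                    try {
                        $freq   = ConvertTo-RuleTimeSpan $r.queryFrequency
                        $period = ConvertTo-RuleTimeSpan $r.queryPeriod
                        # The lookback window must cover at least one scheduling interval.
                        if ($period -lt $freq) { $issues.Add("[$kind] '$name': queryPeriod $($r.queryPeriod) is shorter than queryFrequency $($r.queryFrequency)") }
                    }
                    catch { $issues.Add("[$kind] '$name': unparsable queryFrequency/queryPeriod") }
                }
                { $_ -in 'Fusion', 'MLBehaviorAnalytics' } {
                    if (-not ($r.alertRuleTemplateName -match '^[0-9a-f-]{36}$')) {
                        $issues.Add("[$kind] '$name': alertRuleTemplateName must be the template GUID (see Get-AzSentinelAlertRuleTemplates)")
                    }
                }
                'MicrosoftSecurityIncidentCreation' {
                    if ([string]::IsNullOrWhiteSpace($r.productFilter)) { $issues.Add("[$kind] '$name': productFilter is required") }
                }
                default { $issues.Add("[$kind] unknown rule kind") }
            }
        }
    }
    return ,$issues
}

# Usage as a pipeline step: surface each problem as an Azure DevOps error and fail the job.
$problems = Test-AnalyticsRulesFile -Path 'AnalyticsRules/analytics-rules.json'
$problems | ForEach-Object { Write-Host "##vso[task.logissue type=error]$_" }
if ($problems.Count -gt 0) { exit 1 }
```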

 

Workbooks

Workbooks are a native object in Azure, and therefore, can be created through an ARM template. The idea is that you would place all the custom workbooks that you have developed inside the Workbooks folder in your repo, and any change on these will trigger a pipeline that creates them in your Sentinel environment.

 

We have created a script (placed in the same repo here) that can be used to automate this process. It has the following syntax:

CreateWorkbooks.ps1 -SubscriptionId <String> -ResourceGroup <String> -WorkbooksFolder <String> -Workspace <String>

The script will iterate through all the workbooks in the WorkbooksFolder and deploy them into your Azure Sentinel instance.

 

Also, consider that the deployment will fail if a workbook with the same name already exists.

If you're building your own workbook ARM template, make sure that you add "sentinel" as the workbookType in the template (look at our examples here).

 

Hunting Rules

In order to automate the deployment of Hunting Rules, we will use the AzSentinel module.

We have created another script that takes as input a JSON file where all the Hunting Rules are defined. The script will iterate over them and create/update them accordingly.

 

The syntax for this script is the following:

CreateHuntingRulesAPI.ps1 -Workspace <String> -RulesFile <String>

 

Playbooks

This will work the same way as Workbooks. Playbooks use Azure Logic Apps in order to automatically respond to incidents. Logic Apps are a native resource in ARM, and therefore we can automate their deployment with ARM templates. The idea is that you would place all the custom playbooks that you have developed inside the Playbooks folder in your repo, and any change on these will trigger a pipeline that creates them in your Sentinel environment.

 

We have created a script (placed in the same repo here) that can be used to automate this process. It has the following syntax:

CreatePlaybooks.ps1 -ResourceGroup <String> -PlaybooksFolder <String>

This script will succeed even if the playbooks are already there.

 

Building your Sentinel as Code in Azure DevOps

Now that we have a clear view of how to structure our code repository and what to use to automate each Sentinel component, we can start creating things in Azure DevOps. This is a high-level list of tasks that we will perform:

 

  • Create an Azure DevOps organization
  • Create a project in Azure DevOps
  • Create a service connection to your Azure environment/s
  • Create variables
  • Connect your existing code repository with your Az DevOps project
  • Create pipelines

Let’s review them one by one.

 

Create an Azure DevOps organization

This is the first step in order to have your Azure DevOps environment. You can see the details on how to do this here.

 

Create a project in Azure DevOps

A project provides a repository for source code and a place for a group of people to plan, track progress, and collaborate on building software solutions. It will be the container for your code repository, pipelines, boards, etc. See instructions on how to create it here.

 

Create a service connection to your Azure environment

In order to talk to our Azure environment, we need to create a connection with specific Azure credentials. In Azure DevOps, this is called a service connection. The credentials that you will use to create this service connection are typically a service principal account defined on Azure.

 

You have full details on how to create a service connection here. Once you have created the principal, you will need to grant it access to your Azure environment where Sentinel would live.

 

These are the fields you need to provide to create your service connection:

 

[Screenshot: service connection fields]

Take a note of the Connection name you provide, as you will need to use this name in your pipelines.

 

Create variables

We are going to need several variables defined in the Azure DevOps environment so they can be passed to our scripts to specify the Sentinel workspace, resource group, config files, and API connection information.

 

As we will need these variables across all our pipelines, the best thing to do is create an Azure DevOps variable group. With this, we can define the variable group once and then reuse it in different pipelines across our project. Here you have instructions on how to do it.

 

We have called our variable group “Az connection settings”; this is important because we will reference this name in our pipelines. Here is a screenshot of the variables that we will need to define:

[Screenshot: variables in the “Az connection settings” variable group]

 

Connect your existing code repository with your Az DevOps project

In this article, you can see how to import an existing repo into Az DevOps. It works for Github, Bitbucket, Gitlab, and other locations. See instructions here.

 

Create pipelines

There are two ways to create our Azure Pipelines: in classic mode or as YAML files. We are going to create them as YAML files because that way, we can place them into our code repository so they can be easily tracked and reused anywhere. Here you have the basic steps to create a new pipeline.

 

In the new pipeline wizard, select Github YAML in the Connect step:

[Screenshot: Connect step, Github YAML]

Then select your repository and then choose Starter pipeline if you want to build your own pipeline, or Existing Azure Pipelines YAML file if you want to use the ones we already have in the repository:

[Screenshot: Configure step, Starter pipeline / Existing Azure Pipelines YAML file]

We are going to create one CI (build) pipeline for Scripts and several CICD (build+deploy) pipelines (one for each Sentinel component).

 

Create a CI pipeline for Scripts

We will treat Scripts slightly differently than the rest. This is because it is not a Sentinel component, and the scripts themselves won’t get deployed to Azure. We will just use them to deploy other things.

Because of this, the only thing we need to do with scripts is to make sure they are available in the other pipelines to be used as artifacts. To accomplish this, we just need two tasks in our CI pipeline: Copy Files and Publish Pipeline Artifact. 

 

Update: we have now added a syntax validator to our pipelines based on the Files Validator task available in the Visual Studio marketplace. You will need to install this task if you want to use our templates.

 

Here is an example of the YAML code that will define this pipeline:

# Scripts build pipeline
# Copies script files to the agent and publishes an artifact with them

trigger:
 paths:
   include:
     - Scripts/*

pool:
  vmImage: 'windows-2019'

steps:
- task: CopyFiles@2
  displayName: 'Copy Scripts'
  inputs:
    SourceFolder: Scripts
    TargetFolder: '$(build.artifactstagingdirectory)'
- task: Files-Validator@1
  inputs:
    rootDir: '$(build.artifactstagingdirectory)/*.ps1'
    validateXML: false
    validateJSON: false
    validateYAML: false
    validatePS: true
- task: PublishPipelineArtifact@1
  displayName: 'Publish Pipeline Artifact'
  inputs:
    targetPath: Scripts
    artifact: Scripts

As you can see, we have added three tasks, one to copy the script files, another one that checks the PowerShell syntax, and the last one to publish the pipeline artifacts. You can find this pipeline in our Github repo here.

 

Create CICD pipelines for each Sentinel component

With the Scripts now available as an artifact, we can now use them in our Sentinel component pipelines. These pipelines will be different from the previous one because we will do CI and CD (build+deploy). We define these in our YAML pipeline file as stages.

 

Here is one sample pipeline for Analytics Rules:

# Analytics Rules build and deploy pipeline
# This pipeline publishes the rules file as an artifact and then uses a powershell task to deploy

name: build and deploy Alert Rules
resources:
 pipelines:
   - pipeline: Scripts
     source: 'scriptsCI'
trigger:
 paths:
   include:
     - AnalyticsRules/*

stages:
- stage: build_alert_rules

  jobs:
    - job: AgentJob
      pool:
       name: Azure Pipelines
       vmImage: 'vs2017-win2016'
      steps:
       - task: CopyFiles@2
         displayName: 'Copy Alert Rules'
         inputs:
          SourceFolder: AnalyticsRules
          TargetFolder: '$(Pipeline.Workspace)'
       - task: Files-Validator@1
         inputs:
           rootDir: '$(Pipeline.Workspace)/*.json'
           validateXML: false
           validateJSON: true
           validateYAML: false
           validatePS: false
       - task: PublishBuildArtifacts@1
         displayName: 'Publish Artifact: RulesFile'
         inputs:
          PathtoPublish: '$(Pipeline.Workspace)'
          ArtifactName: RulesFile

- stage: deploy_alert_rules
  jobs:
    - job: AgentJob
      pool:
       name: Azure Pipelines
       vmImage: 'windows-2019'
      variables: 
      - group: Az connection settings
      steps:
      - download: current
        artifact: RulesFile
      - download: Scripts
        patterns: '*.ps1'
      - task: AzurePowerShell@4
        displayName: 'Create and Update Alert Rules'
        inputs:
         azureSubscription: 'Soricloud Visual Studio'
         ScriptPath: '$(Pipeline.Workspace)/Scripts/Scripts/CreateAnalyticsRules.ps1'
         ScriptArguments: '-Workspace $(Workspace) -RulesFile analytics-rules.json'
         azurePowerShellVersion: LatestVersion
         pwsh: true

As you can see, we now have two stages: build and deploy. We also had to define resources to reference the artifact that we need from our Scripts build pipeline.

 

The build stage is the same as the one we did for scripts, the only difference being that we validate the JSON file syntax (again, using the Files Validator task).

 

In the deployment stage, we have a couple of new things. First, we are pointing to the variable group that we defined some minutes ago. For that, we use the variables keyword. Then we need to download the artifacts that we will use in our deployment task. For that, we use the download keyword.

 

As the last step in our CICD pipeline, we will use an Azure Powershell task where we will point to our script and specify any parameters needed. As you can see, we reference the imported variables here. One last peculiarity of this pipeline is that we need to use Powershell Core (required by AzSentinel), so we need to specify that with pwsh.

 

If everything went correctly, we can now run this pipeline and verify that our Sentinel analytics rules were deployed automatically.

 

This and all the other pipelines for the rest of the components are in our repo inside the Pipelines folder.

For Onboarding, the pipeline has no automatic triggers, as we consider that this would be executed only once at installation time.

 

Working with multiple workspaces

 

Whether you are a customer with an Azure Sentinel environment containing multiple workspaces or you’re a partner that needs to operate several customers, you need to have a strategy to manage more than one workspace.

 

As you have seen during the article, we have used a variable group to store details like resource group and workspace name. These values will change if we need to manage multiple workspaces, so we would need more than one variable group. For example, one for customer A and another for customer B, or one for Europe and one for Asia.

 

After that’s done, we can choose between two approaches:

  1. Add more stages to your current pipelines. Until now, we only had one deploy stage that deployed to our only Sentinel environment, but now we can add additional stages (with the same steps and tasks) that deploy to other resource groups and workspaces.
  2. Create new pipelines. We can just clone our existing pipelines and just modify the variable group to point to a different target environment.
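An added example of the first approach (not a pipeline from the repository): the Analytics Rules pipeline with one deploy stage per workspace, each stage bound to its own variable group so that $(Workspace) resolves to a different value in each. The variable group names and service connection names are assumed.

```yaml
# Added illustration, not a pipeline from the repo: one build stage, then one deploy
# stage per target workspace. Assumed variable groups: "Az connection settings - Customer A"
# and "Az connection settings - Customer B", each defining Workspace for its environment.
name: build and deploy Alert Rules (multiple workspaces)
resources:
  pipelines:
    - pipeline: Scripts
      source: 'scriptsCI'
trigger:
  paths:
    include:
      - AnalyticsRules/*

stages:
- stage: build_alert_rules
  jobs:
    - job: AgentJob
      pool:
        vmImage: 'windows-2019'
      steps:
      - task: CopyFiles@2
        displayName: 'Copy Alert Rules'
        inputs:
          SourceFolder: AnalyticsRules
          TargetFolder: '$(Pipeline.Workspace)'
      - task: Files-Validator@1
        inputs:
          rootDir: '$(Pipeline.Workspace)/*.json'
          validateXML: false
          validateJSON: true
          validateYAML: false
          validatePS: false
      - task: PublishBuildArtifacts@1
        displayName: 'Publish Artifact: RulesFile'
        inputs:
          PathtoPublish: '$(Pipeline.Workspace)'
          ArtifactName: RulesFile

- stage: deploy_customer_a
  dependsOn: build_alert_rules
  jobs:
    - job: AgentJob
      pool:
        vmImage: 'windows-2019'
      variables:
      - group: Az connection settings - Customer A   # assumed group name
      steps:
      - download: current
        artifact: RulesFile
      - download: Scripts
        patterns: '*.ps1'
      - task: AzurePowerShell@4
        displayName: 'Create and Update Alert Rules (Customer A)'
        inputs:
          azureSubscription: 'Customer A service connection'   # assumed connection name
          ScriptPath: '$(Pipeline.Workspace)/Scripts/Scripts/CreateAnalyticsRules.ps1'
          ScriptArguments: '-Workspace $(Workspace) -RulesFile analytics-rules.json'
          azurePowerShellVersion: LatestVersion
          pwsh: true

- stage: deploy_customer_b
  # Same build output, different variable group. Depends only on the build stage, so it
  # runs in parallel with customer A; use "dependsOn: deploy_customer_a" to sequence them.
  dependsOn: build_alert_rules
  jobs:
    - job: AgentJob
      pool:
        vmImage: 'windows-2019'
      variables:
      - group: Az connection settings - Customer B   # assumed group name
      steps:
      - download: current
        artifact: RulesFile
      - download: Scripts
        patterns: '*.ps1'
      - task: AzurePowerShell@4
        displayName: 'Create and Update Alert Rules (Customer B)'
        inputs:
          azureSubscription: 'Customer B service connection'   # assumed connection name
          ScriptPath: '$(Pipeline.Workspace)/Scripts/Scripts/CreateAnalyticsRules.ps1'
          ScriptArguments: '-Workspace $(Workspace) -RulesFile analytics-rules.json'
          azurePowerShellVersion: LatestVersion
          pwsh: true
```

Because both deploy stages reference the same RulesFile artifact, a single change to analytics-rules.json is validated once and rolled out to every workspace.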

 

In Summary

We have shown you how to describe your Azure Sentinel deployment using code and then use a DevOps tool to deploy that code into your Azure environment.

148 Comments
Occasional Visitor

Great article! Regarding Connectors, you can use this script here https://github.com/azsec/azure-sentinel-tools/blob/master/scripts/Connect-AzureSecurityCenter.ps1 to connect all ASCs from a list of target subscriptions.

 

I hope the API will be released soon. The real-world issue is not the creation but the update and continuous change of Analytics rules, which requires a little trick in the pipeline. A use case is that you would want to tune the analytics rule to increase fidelity, so having a fixed rule is not something we expect.

 

I'm not sure if you have tested Update case?

Microsoft

Thanks for the comments @azsec !

 

Yes, we have tested the update of Analytics Rules and it works. Of course there might be corner cases where it doesn't work...but in general you can just update the json file, the pipeline will trigger automatically, identify that the rule already exists and update accordingly. Take a look at lines 54 to 172 in the script here, this is where existing rules are handled.

 

In any case, as we say in the post, this is an MVP and for sure it can be improved.

 

Regards

Occasional Visitor

Thank you for the replies. In a real-world deployment you would probably name your rule with a unique ID (GUID), and when performing an update the pipeline should know which rule it needs to update. This sounds like a chicken-and-egg story. Otherwise the pipeline checks the display name and gets its unique ID (aka name).

Awesome blogpost :cool: Thanks for Sharing with the Community!

New Contributor

Hi @Javier Soriano,


Thanks for sharing this.
It would be great to be able to replicate our initial deployment and keep improving as required.

 

Regarding the DevOps approach, I was able to import the repo, build the scripts artifact, but keep getting errors when trying to run the onboardingCICD.yml pipeline.


Error is: "Unable to resolve definition scriptsCI in project ...."

I cannot find any documentation regarding that error. Any ideas?

 

Thanks in advance

Microsoft

Hi @caiodaruizcorrea ,

 

It looks like the pipeline is not able to find the source pipeline (in our case scriptsCI). Here you have the reference documentation on how the pipeline artifact is defined in YAML.

 

Review that the name scriptsCI is the actual name of your pipeline. To do that, click on Pipelines->Pipelines, and then select Edit/Rename for your scripts pipeline. It should look like this:

 

Capture.PNG

 

Let me know if this doesn't fix it.

 

Regards

New Contributor

Hi @Javier Soriano,

 

I ended up figuring it out myself yesterday after a bunch of failures: the pipeline name that I was using initially to build the scripts artifact was just a default name instead.

 

Thanks for the screenshot anyway!


Regarding the onboarding YAML file (and the AzSentinel PowerShell module), is it supposed to create the prerequisites for Sentinel, such as the Azure resource group, the Log Analytics workspace, and the Sentinel link to the workspace, or is it expecting them to be created in advance?

 

Thanks again

Microsoft

Hi @caiodaruizcorrea, no, it will not create the workspace or the resource group. The script expects these two things to be already in place.

 

Glad you figured out the issue :)

 

Regards

Senior Member

Hi Javier,

 

Thanks for all your help.

 

Is it possible to deploy alert rules via YAML files, similar to the ones available in the Sentinel GitHub with long KQL queries, via the pipeline? Using JSON files makes long queries difficult to write and maintain.

 

Regards

Microsoft

Yes, why not. You just need to build the logic so the script is able to iterate through the YAML file with the rules. You could use other sources too...text files, csv files, etc.

 

Regards

Senior Member

Hi Javier,

 

I can't seem to be able to deploy long queries, e.g. the one below. Is there a limit?

let starttime = 14d;
let endtime = 1d;
// The number of operations below which an IP address is considered an unusual source of role assignment operations
let alertOperationThreshold = 5;
let createRoleAssignmentActivity = AzureActivity
| where OperationName == \"Create role assignment\";
createRoleAssignmentActivity
| where TimeGenerated between (ago(starttime) .. ago(endtime))
| summarize count() by CallerIpAddress, Caller
| where count_ >= alertOperationThreshold
| join kind = rightanti (
createRoleAssignmentActivity
| where TimeGenerated > ago(endtime)
| summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus),
OperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count()
by ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup
) on CallerIpAddress, Caller
| extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

 

Microsoft

Mmm, I would need to check that. Adding @Pouyan Khabazi as he built the AZSentinel module and may have more details. 

Senior Member

Hi @kay106, I just tested your example query and was able to successfully create the alert rule using the import function; see below the JSON file I have used:

{
  "analytics": [
    {
      "displayName": "AlertRule010001",
      "description": "",
      "severity": "Medium",
      "enabled": true,
      "query": "let starttime = 14d;
      let endtime = 1d;
      // The number of operations below which an IP address is considered an unusual source of role assignment operations
      let alertOperationThreshold = 5;
      let createRoleAssignmentActivity = AzureActivity
      | where OperationName == \"Create role assignment\";
      createRoleAssignmentActivity
      | where TimeGenerated between (ago(starttime) .. ago(endtime))
      | summarize count() by CallerIpAddress, Caller
      | where count_ >= alertOperationThreshold
      | join kind = rightanti (
      createRoleAssignmentActivity
      | where TimeGenerated > ago(endtime)
      | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated), ActivityTimeStamp = makelist(TimeGenerated), ActivityStatus = makelist(ActivityStatus),
      OperationIds = makelist(OperationId), CorrelationId = makelist(CorrelationId), ActivityCountByCallerIPAddress = count()
      by ResourceId, CallerIpAddress, Caller, OperationName, Resource, ResourceGroup
      ) on CallerIpAddress, Caller
      | extend timestamp = StartTimeUtc, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress",
      "queryFrequency": "5H",
      "queryPeriod": "6H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 5,
      "suppressionDuration": "6H",
      "suppressionEnabled": false,
      "tactics": [
        "Persistence",
        "LateralMovement",
        "Collection"
      ],
      "playbookName": ""
    }
  ]
}

Output: 


 

Please let me know if you keep experiencing errors. You can also open an issue on GitHub and share your error message etc. with us for further troubleshooting: https://github.com/wortell/AZSentinel/issues

Microsoft

Thanks @Pouyan Khabazi ! I also tested with the pipeline used in our repo and it is successful as well.

 

Let us know if you are still facing the issue

Senior Member

Great blog post!

Contributor

I get the below error when I run the pipeline.  Appreciate your advice. 


The Pipeline is not valid. Unable to resolve latest version for pipeline Scripts. This could be due to inaccessible  pipeline or no version is available.

Microsoft

Hi @PrashTechTalk , take a look at the comment from @caiodaruizcorrea above...I think he faced the same issue and at the end had to do with the name you provide to the pipeline.

 

Also, make sure that you run the ScriptsCI pipeline first, so the artifacts are available.

 

Regards

Contributor

Thanks Javier. File naming was the issue, as you clearly pointed out. I progressed a step ahead in onboarding Sentinel on the workspace; although the job results are successful, I don't see Sentinel being enabled on my workspace. Trying to figure out what the issue is....


Microsoft

It looks like your onboarding file was not there...if you look at the script here, you can see that if you have workspaces to act on, it would get into the for loop and write a message for each workspace that is being processed, and you didn't get anything. 

Senior Member

Hi @Javier Soriano,

I am working to enable more connectors such as Threat Intelligence - TAXII, Azure AD and Threat Intelligence Platforms.
After modifying the JSON with the necessary parameters, I am struggling with the PowerShell script to add those connectors.

One of those lines I saw this comment:
#unknown ID, clarify with Javi
$curiousId = "1e1b282a-ce14-4feb-8bc1-48249fab9109"
$uri = "$baseUri/providers/Microsoft.SecurityInsights/dataConnectors/${curiousId}?api-version=2019-01-01-preview"


It is used to call the API; could you clarify it?
Another point: do you have good documentation about that API?

 
Senior Member

Hi Javier,

 

I can deploy the Alert Rules to Dev, QA, Prod, and various other tenants. The only issue is the naming: I need the naming to reflect the environment, e.g. RO-001-APGDev... RO-002-APGQa... RO-002-APGPrd etc. What is the best way to reflect this naming convention in the Alert Rule name?

 

Thanks, 

Kay

Microsoft

Hi @kay106 , the way I would do it is creating a new variable in your variable group that contains the environment (Dev, Prod, etc.) and then using that variable in your script, where you will append the alert rule name to whatever environment is being pushed at that time.

 

Hope this helps.

 

Regards

Senior Member

Hi Javier,

 

Thanks, I got this to work by modifying the script.

 

I now face another challenge. I have backslashes in my KQL query, e.g.:

 

SecurityEvent
| where EventID == \"5145\"
| where AccountType == \"User\"
| where ShareName == \"\\\\*\\SYSVOL$\"

 

^ I need the four backslashes behind the * and the two after the *

 

Whenever I use a backslash, including a double backslash to escape, the Alert rule isn't created. Please let me know how I can counter this problem.

 

Thank you in advance.
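Because the rule file is JSON, every backslash in the KQL has to be doubled on top of KQL's own escaping, and the quotes around the share name become \". The least error-prone way to get that right is to keep the raw query in a single-quoted PowerShell here-string and let ConvertTo-Json produce the escaping. The following PowerShell is an added example, not code from the post or from the sentinelascode repository: it builds a rule file in the {"analytics": [...]} layout shown earlier in the thread, appends the environment name from a pipeline variable to the display name (the naming question above), and checks that the query survives the round trip. The Environment variable name, the file name and the rule contents are assumptions.

```powershell
# Added example: generate the analytics rule JSON from PowerShell instead of
# hand-escaping backslashes inside the file.
# Assumptions: the {"analytics":[...]} file layout used by the import function
# in this thread, and a pipeline variable named Environment (hypothetical name)
# that Azure DevOps exposes to the script as $env:Environment.

# Raw KQL in a single-quoted here-string: nothing inside is interpreted, so the
# query is written exactly as it would be typed into the Logs blade. KQL itself
# needs "\\\\*\\SYSVOL$" to match the literal share name \\*\SYSVOL$.
$kql = @'
SecurityEvent
| where EventID == 5145
| where AccountType == "User"
| where ShareName == "\\\\*\\SYSVOL$"
'@

# Rule definition as a hashtable; the query is stored unescaped.
# Values other than the query are constructed for the example.
$rules = @{
    analytics = @(
        @{
            displayName         = "RO-001-APG"        # environment suffix appended below
            description         = "SYSVOL share access from a user account"
            severity            = "Medium"
            enabled             = $true
            query               = $kql
            queryFrequency      = "5H"
            queryPeriod         = "6H"
            triggerOperator     = "GreaterThan"
            triggerThreshold    = 0
            suppressionDuration = "6H"
            suppressionEnabled  = $false
            tactics             = @("Discovery")
            playbookName        = ""
        }
    )
}

# Environment-specific naming: append the environment coming from the variable
# group (Dev, Qa, Prd, ...) at deploy time rather than keeping one file per environment.
$environment = if ($env:Environment) { $env:Environment } else { "Dev" }
foreach ($rule in $rules.analytics) {
    $rule.displayName = "$($rule.displayName)$environment"   # e.g. RO-001-APGDev
}

# ConvertTo-Json doubles every backslash and escapes the embedded quotes, so the
# file is valid JSON. The share-name line ends up in the file as:
#   | where ShareName == \"\\\\\\\\*\\\\SYSVOL$\"
# (-Depth 5 is needed because the default depth of 2 truncates the tactics array.)
$json = $rules | ConvertTo-Json -Depth 5
Set-Content -Path .\AnalyticsRules.json -Value $json -Encoding utf8

# Round trip: reading the file back with ConvertFrom-Json (what the deployment
# script does before calling the REST API) yields the original KQL unchanged.
$loaded = Get-Content -Raw .\AnalyticsRules.json | ConvertFrom-Json
$loaded.analytics[0].query -ceq $kql          # True: the four and two backslashes are intact
$loaded.analytics[0].displayName               # RO-001-APGDev (or the pipeline's environment)
```

If a rule file is still edited by hand, the same round trip (Get-Content -Raw | ConvertFrom-Json, then inspect the query property) is a quick check that the escaping in the file decodes to the KQL you intended before the pipeline submits it.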

 

Contributor

@Javier Soriano - Sadly I am beating around the bush to understand the error. My script is able to call & execute the shell file from Git. But the below line from the file doesn't work... The Write-Host line "Processing workspace..." before this script works, but the later one neither writes anything nor fails with any error. The information of the resource group & workspace in the Onboarding.json file is also correct.

 

What other issues can you point to in this case?

 

 $solutions = Get-AzOperationalInsightsIntelligencePack -resourcegroupname $item.resourcegroup -WorkspaceName $item.workspace -WarningAction:SilentlyContinue 

 


 

Thanks.

Microsoft

Hi @PrashTechTalk , add some debugging to the script, for example, print the workspace variable to see if it contains anything

Contributor

@Javier Soriano - Thank you for your response.

 

Debugging the script to print the workspace variables prints all values before this line.

 $solutions = Get-AzOperationalInsightsIntelligencePack -resourcegroupname $item.resourcegroup -WorkspaceName $item.workspace -WarningAction:SilentlyContinue 

 

When I tried executing this line in a PowerShell console it works perfectly fine, but not the same when executed in the DevOps pipeline.

However, I noticed the following when I enabled diagnostics. I am not sure if the issue is related to the .NET Framework version. Appreciate your response.

 


Thanks

Microsoft

Hi @PrashTechTalk , from your previous screenshot I see that at least there was one workspace to process...once there, it should go on to either install Sentinel or discard. Did you check the agent that you're using in the pipeline? In our example we are using the windows-2019 image and PowerShell Core. See the YAML pipeline definition here: https://github.com/javiersoriano/sentinelascode/blob/master/Pipelines/onboardingCICD.yml

Senior Member

Hi,

About the Workbooks ...

I understand that to create new ones I need to change the workbook ID inside the JSON file and change the value of serializedData in this JSON as well.

My question is, how can I convert the JSON samples I can find in the Sentinel GitHub to this serializedData format?

Could you help me?

Microsoft

Hi @alexlimabh ,

 

No, you don't have to change the workbookId in the json file. Workbook ID is passed as a parameter that you add to your variable group in Azure DevOps.

You have two ways to get the json data from a workbook, full ARM template or Gallery template. I recommend using the full ARM template and just placing it in your Workbooks folder in your repo...that should work just fine. If you choose Gallery template that will contain just the serialized parameter contents and you will have to do more copy/paste. See screenshot below:


 

 

Senior Member

Hi @Javier Soriano,

Thank you for the tip.

When I execute the script manually, everything works.

However, after changing the workbookSourceId section in the JSON to use variables, as you can see below:

 

"workbookSourceId": {
"type": "string",
"defaultValue": "/subscriptions/${SubscriptionId}/resourcegroups/${ResourceGroup}/providers/microsoft.operationalinsights/workspaces/${Workspace}",
"metadata": {
"description": "The id of resource instance to which the workbook will be associated"
}
},

 

The pipeline executed successfully and the logs look good, but the workbook wasn't created.

 

PS: I removed the subscriptionId manually.

 

2020-04-07T13:01:59.7495956Z Folder is: D:\a\1/Workbooks
2020-04-07T13:01:59.7536587Z Files are:  D:\a\1\Workbooks\securityalert.json
2020-04-07T13:02:18.5001829Z 
2020-04-07T13:02:18.5019374Z DeploymentName          : securityalert
2020-04-07T13:02:18.5037233Z ResourceGroupName       : ***
2020-04-07T13:02:18.5057194Z ProvisioningState       : Succeeded
2020-04-07T13:02:18.5082536Z Timestamp               : 4/7/2020 1:02:17 PM
2020-04-07T13:02:18.5116416Z Mode                    : Incremental
2020-04-07T13:02:18.5117206Z TemplateLink            : 
2020-04-07T13:02:18.5135246Z Parameters              : 
2020-04-07T13:02:18.5153321Z                           Name                   Type                       Value     
2020-04-07T13:02:18.5205181Z                           =====================  =========================  ==========
2020-04-07T13:02:18.5219399Z                           workbookDisplayName    String                     Azure Activity
2020-04-07T13:02:18.5236614Z                           workbookType           String                     sentinel  
2020-04-07T13:02:18.5255757Z                           workbookSourceId       String                     /subscriptions/$SubscriptionId/resourcegrou
2020-04-07T13:02:18.5276810Z                           ps/$ResourceGroup/providers/microsoft.operationalinsights/workspaces/$Workspace
2020-04-07T13:02:18.5297694Z                           workbookId             String                     202bf405-ea37-4056-8a92-7727de4dc790
2020-04-07T13:02:18.5318274Z                           
2020-04-07T13:02:18.5332367Z Outputs                 : 
2020-04-07T13:02:18.5353029Z                           Name             Type                       Value     
2020-04-07T13:02:18.5372683Z                           ===============  =========================  ==========
2020-04-07T13:02:18.5391000Z                           workbookId       String                     /subscriptions/XXXXXX-XXX-XXXX-XXX-XX
2020-04-07T13:02:18.5410061Z                           /resourceGroups/***/providers/microsoft.insights/workbooks/202bf405-ea37-4056-8a
2020-04-07T13:02:18.5444302Z                           92-7727de4dc790
2020-04-07T13:02:18.5446523Z                           
2020-04-07T13:02:18.5457200Z DeploymentDebugLogLevel : 

If I hard-code everything (SubscriptionId, Workspace, ResourceGroup) I can deploy without any issue.

Any clue to fix it?

 

Contributor

@Javier Soriano, the issue was in the service connection, as I established an automatic SP connection (because the tool says it is recommended) instead of a manual one. It was resolved upon creating the service principal with manual configuration. Thank you.

 

 

 

 

 

 

Microsoft

@alexlimabh you don't have to modify the workbook json file to enter the workbookSourceId. The script takes care of that. You just need to add a new variable to the variable group that contains the workbookId and the script will take care of the rest.

 

If you're grabbing the workbook from outside Sentinel, make sure that the workbookType parameter is set to sentinel. If you don't do this it won't be created within Sentinel and you won't see it.

 

Regards

Senior Member

Hi @Javier Soriano ,
I am here again, I am trying to create a new connector, but I am experiencing some issues.
I modified the json connector and the EnableConnectorsAPI.ps1 script.
When I tried to create the connector for Azure AD and Threat Intelligence, the API returned the message: "Internal server error (HTTP status code: 500)". First, I thought it was something about permissions. I checked the permissions: the Azure DevOps service connection has Contributor rights in the subscription, the Security Administrator role in AD and the user_impersonation API permission. I tried again and got the same message. I added the user as Owner and GA and the same error continued.
However, when I tested with my user, I was successful, then I assume my script was good.
PS: I used this link tutorial to generate a token for my user.

(https://www.sepago.de/blog/how-to-generate-a-bearer-access-token-for-azure-rest-access-with-username...).
After trying a few other things, I don't know how I can move forward. Do you have any tips to help me?

Microsoft

Hi @alexlimabh , automating certain connectors via service principal is not something that Sentinel supports today. Those are connectors that need Azure AD level permissions (instead of Azure-only permissions). There's work ongoing to enable this scenario, but as of now, you will have to enable those connectors with your user identity.

 

Regards

Contributor

@Javier Soriano - Sadly the AzSentinel cmdlets do not support PowerShell versions below 6.2. When trying to execute a PowerShell .ps1 file from a local machine, it's a pain to make sure the PowerShell version is upgraded to a minimum of 6.2. Not really practical, as most local machines with Windows 10 and supported OS versions have PowerShell 5.x. It would be good if these cmdlets supported previous PowerShell versions.

Works absolutely fine when run in an Azure PowerShell console or through DevOps pipelines.

 

Set-AzSentinel [-SubscriptionId <String>] -WorkspaceName <String> [-WhatIf] [-Confirm] [<CommonParameters>]

 

Microsoft

Tagging @Pouyan Khabazi  in case he can comment. @PrashTechTalk you can also look at opening an issue in the AzSentinel powershell project on github

Occasional Contributor

@Javier Soriano : How can we protect the intellectual property of rules, queries and playbooks etc. from end customers in case we provide sentinel as a managed service model?

Microsoft

Hi @Deepanshu_Marwah take a look at minute 51:20 on this webinar: https://www.youtube.com/watch?v=hwahlwgJPnE&feature=youtu.be where @Ofer_Shezaf explains how this scenario would work. We are also working on a blog post summarizing the different scenarios.

Occasional Contributor

@Javier Soriano In the Lighthouse model, where we might leverage the customer's subscription instead of creating a new subscription via CSP, there is supposed to be a BlackBox capability that protects the partner's analytics rules. Is there any ETA on that?

Microsoft

Hi @Deepanshu_Marwah , yes, as of today you can create an analytics rule in your own tenant querying the customer tenant. That way the customer won't be able to see it.

Deleted
Not applicable

Hi guys, 

 

First of all, great article; I've used this as a reference for our design concept to deploy workbooks.

Now I actually have a question about maintaining/creating/updating workbooks (please refer me elsewhere if this is not the place to ask this question).

As in this article, you have set up a PowerShell script that deploys per workbook, with each workbook in a separate JSON file that actually contains the workbook data (queries etc.).

 

Is there another approach to how you could do this?

I'd just like to know. I could give you a sample of how we have done this: https://raw.githubusercontent.com/joerianto83/templates/master/sampleworkbook

In my opinion this is not efficient, doesn't give a good overview, and is very fault-sensitive. I'd like to know your opinion about it.

What I would prefer is the method you are using here: create separate workbooks and keep the logic and data separated.

 

 

Microsoft

Hi @Deleted , interesting approach. We chose the other approach because it's easier IMO. You can just grab the workbooks from github or from the azure portal and just place it in a folder and it will get deployed.

 

Your approach would work as well; what I would do, though, is parameterize it a little bit more. Basically, modify the template to be able to deploy an array of workbooks that are passed in a separate parameters file. That way the same template would work for any number of workbooks with any kind of queries. Makes sense? If you get to do it, I'd like to see it!

Contributor

Hi @Javier Soriano I'd love to get this working.

I've installed AzSentinel and I can use the READ commands, but any write-related commands return an error 400.

I'm logged into Azure as the Global Admin.

I'm running this from the Azure powershell window.

eg:

New-AzSentinelAlertRule -WorkspaceName "dbazLAW3" -DisplayName "test1" -Description "blah" -Severity "High" -Enabled $true -Query 'blah' -QueryFrequency "5M" -QueryPeriod "5M" -TriggerOperator "GreaterThan" -TriggerThreshold 0 -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("Collection") -PlaybookName ""
New-AzSentinelAlertRule: Unable to invoke webrequest with error message: Response status code does not indicate success: 400 (Bad Request).

Any idea on how to troubleshoot this?

Microsoft

Hi @bobsyouruncle , I just tried with the latest version from my windows terminal and it worked fine. Could you try from your local machine? From Azure DevOps it will work fine for sure because it uses an agent that is consistent across any environment.

 

Regards

Contributor

From my local machine I'm getting token expired.

I see the powershell is talking to this url:
https://management.azure.com/subscriptions/<your  subscription id>/providers/microsoft.insights/alertrules?api-version=2016-03-01

What controls my access to this url?

 

 

Senior Member

@bobsyouruncle I am using the bearer token generated from the Connect-AzAccount command in the AzSentinel module. When do you get the timeout message? Because there is an auto refresh token function which should prevent this from happening. 

Contributor

Well, that gives a clue related to the problem.

If I run Connect-AzAccount manually it returns my Account, but not the SubscriptionName or TenantId:

sentinel-analytics-library> Connect-AzAccount

WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ERW9XXXXX to authenticate.

 

Account           SubscriptionName TenantId Environment

-------           ---------------- -------- -----------

xxxxx@gmail.com                           AzureCloud

 

And I should have mentioned, the error after the Token error is related to the missing SubscriptionID:

Write-Error: /Users/xxxxx/.local/share/powershell/Modules/AzSentinel/0.6.4/AzSentinel.psm1:456
Line |
456 |         Get-LogAnalyticWorkspace @arguments
     |         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No SubscriptionID provided

 

 

Senior Member

@bobsyouruncle so is there an Azure subscription associated with the account that you are using to log in? And is Azure Sentinel deployed in the same subscription? If you need more help, please create an issue on GitHub so that I can track the status: https://github.com/wortell/azsentinel/issues (please also share the verbose output for troubleshooting purposes).

Regular Visitor

Hey Pouyan, thanks for your reply.

I suspect my issue lies in the Azure AD application permissions.

This article doesn't touch on any of the access requirements needed, so I'm looking into the app registration api permissions.

I'm also trying some other alternatives like using the 'az rest' command, which handles all of the token handshaking.

And I'm working with the Resource Explorer (resources.azure.com) to understand the different api related resources.

i.e. I need to understand all of the api permission fundamentals before digging into the devops side of things.

Any resources/tips you have for the above topics are appreciated.

(Oh and a tip for anyone working with the AZSentinel powershell commands, your best options are -Debug and -Verbose!)

Occasional Visitor

I have several JSON templates for Playbooks and Logic Apps. I can deploy them successfully without any issues. However, I have to manually authorize the API connections used in the Sentinel Playbook.

 

Is there a script/solution to authorize API connections without user interaction?

n%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22suppressionEnabled%22%3A%20false%2C%0A%20%20%20%20%20%20%22tactics%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22Persistence%22%2C%0A%20%20%20%20%20%20%20%20%22LateralMovement%22%2C%0A%20%20%20%20%20%20%20%20%22Collection%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22playbookName%22%3A%20%22%22%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D%3C%2FPRE%3E%3CP%3EOutput%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Annotation%202020-03-15%20150720.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F177022i9BAC7620AA2A0338%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Annotation%202020-03-15%20150720.png%22%20alt%3D%22Annotation%202020-03-15%20150720.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eplease%20let%20me%20know%20if%20you%20keep%20experiencing%20error's%2C%20you%20can%20also%20open%20an%20issue%20on%20GitHub%20and%20share%20your%20error%20message%20etc.%20with%20us%20for%20further%20troubleshooting%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%2Fissues%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%2Fissues%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1230260%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1230260%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9936%22%20target%3D%22_blank%22%3E%40Pouyan%20Khabazi%3C%2FA%3E%26nbsp%3B!%20I%20also%20tested%20with%20the%20pipeline%20used%20in%20our%20repo%20and%20it%20is%20successful%20as%20well.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%20us
%20know%20if%20you%20are%20still%20facing%20the%20issue%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1241224%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1241224%22%20slang%3D%22en-US%22%3E%3CP%3EGreat%20blog%20post!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1258928%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1258928%22%20slang%3D%22en-US%22%3E%3CP%3EI%20get%20the%20below%20error%20when%20I%20run%20the%20pipeline.%26nbsp%3B%20Appreciate%20your%20advice.%26nbsp%3B%3C%2FP%3E%3CP%3E%3CFONT%20color%3D%22%23993300%22%3E%3CBR%20%2F%3EThe%20Pipeline%20is%20not%20valid.%20Unable%20to%20resolve%20latest%20version%20for%20pipeline%20Scripts.%20This%20could%20be%20due%20to%20inaccessible%26nbsp%3B%20pipeline%20or%20no%20version%20is%20available.%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1258949%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1258949%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F516158%22%20target%3D%22_blank%22%3E%40Prash915%3C%2FA%3E%26nbsp%3B%2C%20take%20a%20look%20at%20the%20comment%20from%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F536747%22%20target%3D%22_blank%22%3E%40caiodaruizcorrea%3C%2FA%3E%26nbsp%3Babove...I%20think%20he%20faced%20the%20same%20issue%20and%20at%20the%20end%20had%20to%20do%20with%20the%20name%20you%20provide%20to%20the%20pipeline.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlso%2C%20make%20sure%20that%20you%20run%20the%20ScriptsCI%20pipeline%20first%2C%20so%20the%20artifacts%20are%20available.%3C%2FP%3E%0A%
3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1259093%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1259093%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EThanks%20Javier.%26nbsp%3B%20File%20Naming%20was%20the%20issue%20as%20you%20clearly%20pointed.%20%26nbsp%3B%20I%20progressed%20a%20step%20ahead%20a%20step%20in%20onboarding%20sentinel%20on%20the%20workspace%20although%20job%20results%20are%20successful%20I%20don't%20see%20sentinel%20being%20enabled%20on%20my%20workspace.%26nbsp%3B%20Trying%20to%20figure%20out%20what%20the%20issue%20is....%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22error.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F179965i896997BACAD0F3DB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22error.PNG%22%20alt%3D%22error.PNG%22%20%2F%3E%3C%2FSPAN%3Espace.%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1259133%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1259133%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20looks%20like%20your%20onboarding%20file%20was%20not%20there...if%20you%20look%20at%20the%20script%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentinelascode%2Fblob%2Fmaster%2FScripts%2FInstallSentinel.ps1%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E%2C%20you%20can%20see%20that%20if%20you%20have%20workspaces%20to%20act%20on%2C%20it%20would%20get%20into%20the%20for%20loop%20and%20write%20a%20message%20for%20each%20workspace%20that%20is%20being%20processed%2C%20and%20you%20didn't%20get%20anything.%26nbsp%3B%3C%2FP%3E%3C%2
FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1259260%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1259260%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%3C%2FP%3E%3CP%3EI%20am%20working%20to%20enable%20more%20connects%20such%20as%20a%20Threat%20intelligence%20-%20TAXII%2C%20Azure%20AD%20and%26nbsp%3BThreat%20Intelligence%20Platforms.%3CBR%20%2F%3EAfter%26nbsp%3Bmodify%20the%20Json%20with%20a%20parameters%20necessary%20I%20am%20struggling%20in%20the%20Powershell%20script%20to%20Add%20those%20connectors.%3C%2FP%3E%3CP%3EOne%20of%20those%20lines%20I%20saw%20this%20comment%3A%3CBR%20%2F%3E%23unknown%20ID%2C%20clarify%20with%20Javi%3CBR%20%2F%3E%24curiousId%20%3D%20%221e1b282a-ce14-4feb-8bc1-48249fab9109%22%3CBR%20%2F%3E%24uri%20%3D%20%22%24baseUri%2Fproviders%2FMicrosoft.SecurityInsights%2FdataConnectors%2F%24%7BcuriousId%7D%3Fapi-version%3D2019-01-01-preview%22%3C%2FP%3E%3CP%3E%3CBR%20%2F%3EIt%20is%20using%20to%20call%20the%20API%2C%20could%20you%20clarify%20it%3F%3CBR%20%2F%3EAnother%20point%2C%20Do%20you%20have%20a%20good%20documentation%20about%20that%20API%3F%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1269412%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1269412%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Javier%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20deploy%20the%20Alert%20Rules%20to%20Dev%2C%20Qa%2C%20Prod%2C%20and%20various%20other%20tennats.%20The%20only%20issue%20is%20the%20naming%2C%20I%20need%20the%20naming%20to%20reflect%20the%20envinronment.%20E.g%20RO-001-APGDev...%20RO-002-APGQa...%20RO-002-APGPrd%20etc.%20Wha
t%20is%20the%20best%20way%20to%20reflect%20this%20naming%20covention%20on%20the%20Alert%20Rule%20name%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%2C%26nbsp%3B%3C%2FP%3E%3CP%3EKay%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1271525%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1271525%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F567283%22%20target%3D%22_blank%22%3E%40kay106%3C%2FA%3E%26nbsp%3B%2C%20the%20way%20I%20would%20do%20it%20is%20creating%20a%20new%20variable%20in%20your%20variable%20group%20that%20contains%20the%20environment%20(Dev%2C%20Prod%2C%20etc.)%20and%20then%20using%20that%20variable%20in%20your%20script%2C%20where%20you%20will%20append%20the%20alert%20rule%20name%20to%20whatever%20environment%20is%20being%20pushed%20at%20that%20time.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EHope%20this%20helps.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1273250%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1273250%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Javier%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20I%20got%20this%20to%20work%20by%3CSPAN%3E%26nbsp%3Bmodifing%20the%20script.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20now%20face%20another%20challenge.%20I%20have%20backlashes%20in%20my%20KQL%20query%20e.g%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ESecurityEvent%3CBR%20%2F%3E%7C%20where%20EventID%20%3D%3D%20%5C%225145%5C%22%3CBR%20%2F%3E%7C%20where%20AccountType%20%3D%3D%20%5C%22User%5C%22%3CBR%20%2F%3E%7C%20where%20ShareName%20%3D%3D%20%5C%22%5C%5C%5C%5C*%5C%5CSYSVOL%24%5C%22%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%5E%20i%20need%20
the%20four%20backlashes%20behind%20*%20and%20the%20two%20after%20the%20*%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhenever%20I%20use%20backlash%20including%20double%20backlash%20to%20escape%2C%20the%20Alert%20rule%20isn't%20created.%20Please%20let%20me%20know%20how%20I%20can%20counter%20this%20problem.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you%20in%20advance.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1280171%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1280171%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3B%20%26nbsp%3B-%20Sadly%20i%20am%20beating%20around%20the%20bush%20to%20understand%20the%20error.%20My%20script%20is%20able%20to%20call%20%26amp%3B%20execute%20the%20shell%20file%20from%20Git.%26nbsp%3B%20But%20the%20below%20line%20from%20the%20file%20doesn't%20works...%26nbsp%3B%20%3CSPAN%3EWrite-Host%20line%26nbsp%3B%3C%2FSPAN%3E%22Processing%20workspace...%22%26nbsp%3B%20before%20this%20script%20works%20but%20the%20later%20one%20doesn't%20write%20nor%20failing%20with%20any%20error.%26nbsp%3B%20%26nbsp%3BInformation%20of%20resource%20group%20%26amp%3B%20workspace%20at%20Onboarding.json%20file%20is%20also%20correct.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWhat%20other%20issues%20can%20you%20point%20this%20in%20case%20%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3CSPAN%20class%3D%22pl-smi%22%3E%24solutions%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22pl-k%22%3E%3D%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22pl-c1%22%3EGet-AzOperationalInsightsIntelligencePack%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22pl-k%22%3E-%3C%2FSPAN%3E%3CSPAN%3Eresourcegroupname%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-smi%22%3E%24item.resourcegroup%3C%2FSPAN%3E%20%3CSPAN%20
class%3D%22pl-k%22%3E-%3C%2FSPAN%3E%3CSPAN%3EWorkspaceName%20%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-smi%22%3E%24item.workspace%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22pl-k%22%3E-%3C%2FSPAN%3E%3CSPAN%3EWarningAction%3ASilentlyContinue%3C%2FSPAN%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Prash915_0-1585954268885.png%22%20style%3D%22width%3A%20743px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182059i340C492E4EDD0F53%2Fimage-dimensions%2F743x312%3Fv%3D1.0%22%20width%3D%22743%22%20height%3D%22312%22%20title%3D%22Prash915_0-1585954268885.png%22%20alt%3D%22Prash915_0-1585954268885.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1283778%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1283778%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F516158%22%20target%3D%22_blank%22%3E%40Prash915%3C%2FA%3E%26nbsp%3B%2C%20add%20some%20debugging%20to%20the%20script%2C%20for%20example%2C%20print%20the%20workspace%20variable%20to%20see%20if%20it%20contains%20anything%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1285542%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1285542%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3B-%20Thankyou%20for%20your%20response..%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EDebugging%20scripts%20to%20print%20workspace%20variables%20prints%20all%2
0values%20before%20this%20line%20.%3C%2FP%3E%3CP%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-smi%22%3E%24solutions%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-k%22%3E%3D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-c1%22%3EGet-AzOperationalInsightsIntelligencePack%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-k%22%3E-%3C%2FSPAN%3E%3CSPAN%3Eresourcegroupname%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-smi%22%3E%24item.resourcegroup%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-k%22%3E-%3C%2FSPAN%3E%3CSPAN%3EWorkspaceName%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-smi%22%3E%24item.workspace%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20class%3D%22pl-k%22%3E-%3C%2FSPAN%3E%3CSPAN%3EWarningAction%3ASilentlyContinue%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3EWhen%20i%20tried%20executing%20this%20line%20at%20a%20powershell%20console%20it%20works%20perfectly%20fine%20but%20not%20the%20same%20when%20executed%20at%20devops%20pipe.%26nbsp%3B%20%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EHowever%20i%20noticed%20the%20following%20when%20enabled%20diagnostics.%26nbsp%3B%20I%20am%20not%20sure%20if%20the%20issue%20is%20related%20to%20the%20.net%20framework%20version..%20appreciate%20your%20response.%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22devops%20diagnostics.PNG%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182416iE3ACC9C401F6C92D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22devops%20diagnostics.PNG%22%20alt%3D%22devops%20diagnostics.PNG%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lin
go-sub-1286015%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1286015%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F516158%22%20target%3D%22_blank%22%3E%40Prash915%3C%2FA%3E%26nbsp%3B%2C%20from%20you%20previous%20screenshot%20I%20see%20that%20at%20least%20there%20was%20one%20workspace%20to%20process...once%20there%2C%20it%20should%20go%20to%20either%20install%20Sentinel%20or%20discard.%20Did%20you%20check%20the%20agent%20that%20you're%20using%20in%20the%20pipeline%3F%20In%20our%20example%20we%20are%20using%26nbsp%3B%3CSPAN%3Ewindows-2019%20image%20and%20powershell%20core.%20See%20the%20yaml%20pipeline%20definition%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentinelascode%2Fblob%2Fmaster%2FPipelines%2FonboardingCICD.yml%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentinelascode%2Fblob%2Fmaster%2FPipelines%2FonboardingCICD.yml%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1287786%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1287786%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EAbout%20the%20Workbooks%20...%3C%2FP%3E%3CP%3EI%20understand%20to%20create%20a%20new%20ones%20I%20need%20to%20change%20workbook%20ID%20inside%20json%20file%20and%20change%20the%20value%26nbsp%3BserializedData%20in%20this%20json%20as%20well.%3C%2FP%3E%3CP%3EMy%20question%20is%2C%20how%20can%20I%20convert%20json%20samples%20I%20can%20find%20in%20Sentinel%20Github%20to%20these%20serializedData%20format%3F%3C%2FP%3E%3CP%3ECould%20you%20help%20me%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1287813%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%
20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1287813%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F475111%22%20target%3D%22_blank%22%3E%40alexlimabh%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENo%2C%20you%20don't%20have%20to%20change%20the%20workbookId%20in%20the%20json%20file.%20Workbook%20ID%20is%20passed%20as%20a%20parameter%20that%20you%20add%20to%20your%20variable%20group%20in%20Azure%20DevOps.%3C%2FP%3E%0A%3CP%3EYou%20have%20two%20ways%20to%20get%20the%20json%20data%20from%20a%20workbook%2C%20full%20ARM%20template%20or%20Gallery%20template.%20I%20recommend%20using%20the%20full%20ARM%20template%20and%20just%20placing%20it%20in%20your%20Workbooks%20folder%20in%20your%20repo...that%20should%20work%20just%20fine.%20If%20you%20choose%20Gallery%20template%20that%20will%20contain%20just%20the%20serialized%20parameter%20contents%20and%20you%20will%20have%20to%20do%20more%20copy%2Fpaste.%20See%20screenshot%20below%3A%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22tempsnip.png%22%20style%3D%22width%3A%20635px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F182707iB17754D68B986424%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22tempsnip.png%22%20alt%3D%22tempsnip.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CDIV%20id%3D%22tinyMceEditorJavier%20Soriano_0%22%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1288369%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1288369%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2F
techcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%3C%2FP%3E%3CP%3EThank%20you%20for%20the%20tip.%3C%2FP%3E%3CP%3EWhen%20I%20execute%20the%20script%20manually%20everything%20working.%3C%2FP%3E%3CP%3EHowever%2C%20after%20change%20the%20session%26nbsp%3B%3CSPAN%3EworkbookSourceId%20in%20json%20to%20use%20variables%20as%20you%20can%20see%20below%3A%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%3E%3CDIV%3E%3CSPAN%3E%22workbookSourceId%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22string%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22defaultValue%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22%2Fsubscriptions%2F%24%7BSubscriptionId%7D%2Fresourcegroups%2F%24%7BResourceGroup%7D%2Fproviders%2Fmicrosoft.operationalinsights%2Fworkspaces%2F%24%7BWorkspace%7D%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%22metadata%22%3A%20%7B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22description%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22The%20id%20of%20resource%20instance%20to%20which%20the%20workbook%20will%20be%20associated%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20pipeline%20was%20execute%20with%20success%20and%20the%20logs%20looks%20like%20good%2C%20but%20the%20workbook%20wasn't%20created.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPS%3A%20I%20removed%20the%20subscriptionId%20manually.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E2020-04-07T13%3A01%3A59.7495956Z%20Folder%20is%3A%20D%3A%5Ca%5C1%2FWorkbooks%0A2020-04-07T13%3A01%3A59.7536587Z%20Files%20are%3A%20%20D%3A%5Ca%5C1%5CWorkbooks%5Csecurityalert.json%0A2020-04-07T13%3A02%3A18.5001829Z%20%0A2020-04-07T13%3A02%3A18.5019374Z%20DeploymentName%20%20%20%20%2
0%20%20%20%20%20%3A%20securityalert%0A2020-04-07T13%3A02%3A18.5037233Z%20ResourceGroupName%20%20%20%20%20%20%20%3A%20***%0A2020-04-07T13%3A02%3A18.5057194Z%20ProvisioningState%20%20%20%20%20%20%20%3A%20Succeeded%0A2020-04-07T13%3A02%3A18.5082536Z%20Timestamp%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%204%2F7%2F2020%201%3A02%3A17%20PM%0A2020-04-07T13%3A02%3A18.5116416Z%20Mode%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20Incremental%0A2020-04-07T13%3A02%3A18.5117206Z%20TemplateLink%20%20%20%20%20%20%20%20%20%20%20%20%3A%20%0A2020-04-07T13%3A02%3A18.5135246Z%20Parameters%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20%0A2020-04-07T13%3A02%3A18.5153321Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Name%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Type%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Value%20%20%20%20%20%0A2020-04-07T13%3A02%3A18.5205181Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%20%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%20%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0A2020-04-07T13%3A02%3A18.5219399Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20workbookDisplayName%20%20%20%20String%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Azure%20Activity%0A2020-04-07T13%3A02%3A18.5236614Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20workbookType%20%20%20%20%20%20%20%20%20%20%20String%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20sentinel%20%20%0A2020-04-07T13%3A02%3A18.5255757Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20workbookSourceId%20%20%20%20%20%20%20String%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2Fsubscriptions%2F%24SubscriptionId%2Fresourcegrou%0A2020-04-07T13%3A02%3A18.5276810Z%20
%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20ps%2F%24ResourceGroup%2Fproviders%2Fmicrosoft.operationalinsights%2Fworkspaces%2F%24Workspace%0A2020-04-07T13%3A02%3A18.5297694Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20workbookId%20%20%20%20%20%20%20%20%20%20%20%20%20String%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20202bf405-ea37-4056-8a92-7727de4dc790%0A2020-04-07T13%3A02%3A18.5318274Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%0A2020-04-07T13%3A02%3A18.5332367Z%20Outputs%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3A%20%0A2020-04-07T13%3A02%3A18.5353029Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Name%20%20%20%20%20%20%20%20%20%20%20%20%20Type%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20Value%20%20%20%20%20%0A2020-04-07T13%3A02%3A18.5372683Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%20%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%20%20%3D%3D%3D%3D%3D%3D%3D%3D%3D%3D%0A2020-04-07T13%3A02%3A18.5391000Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20workbookId%20%20%20%20%20%20%20String%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2Fsubscriptions%2FXXXXXX-XXX-XXXX-XXX-XX%0A2020-04-07T13%3A02%3A18.5410061Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2FresourceGroups%2F***%2Fproviders%2Fmicrosoft.insights%2Fworkbooks%2F202bf405-ea37-4056-8a%0A2020-04-07T13%3A02%3A18.5444302Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%2092-7727de4dc790%0A2020-04-07T13%3A02%3A18.5446523Z%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%0A2020-04-07T13%3A02%3A18.5457200Z%20DeploymentDebugLogLevel%20%3A%20%3C%2FPRE%3E%3CP%3EIf%20I%20h
ard%20coded%20everything%20(SubscriptionId%2C%20WorkSpace%2C%20ResourceGroups)%20I%20can%20deploy%20without%20any%20issue.%3C%2FP%3E%3CP%3EAny%20clue%20to%20fix%20it%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1288666%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1288666%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%3CSPAN%3E%2C%26nbsp%3B%20Issue%20was%20at%20the%20service%20connection%20as%20i%20established%20SP%20automatic%20connection%20(because%20the%20tool%20says%20recommended)%26nbsp%3B%20instead%20of%20manual.%26nbsp%3B%20%26nbsp%3BThus%20resolved%20upon%20creating%26nbsp%3BService%20principal%26nbsp%3Bwith%20manual%20configuration%20.%20Thankyou.%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1289717%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1289717%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F475111%22%20target%3D%22_blank%22%3E%40alexlimabh%3C%2FA%3E%26nbsp%3Byou%20don't%20have%20to%20modify%20the%20workbook%20json%20file%20to%20enter%20the%20workbookSourceId.%20The%20script%20takes%20care%20of%20that.%20You%20just%20need%20to%20add%20a%20new%20variable%20to%20the%20variable%20group%20that%20contains%20the%20workbookId%20and%20the%20script%20will%20take%20care%20of%20the%20rest.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you're%20grabbing%20the%20workbook%20from%20outside%20Se
...ntinel, make sure that the workbookType parameter is set to sentinel. If you don't do this it won't be created within Sentinel and you won't see it.
Regards

Hi @Javier Soriano,
I am here again, I am trying to create a new connector, but I am experiencing some issues.
I modified the JSON connector and the EnableConnectorsAPI.ps1 script.
When I tried to create the connector for Azure AD, Threat Intelligence, the API returned the message: "Internal server error (HTTP status code: 500)". First, I think there is something about permissions. I checked the permission and the Azure DevOps Service Connection has Contributor rights in the subscription and the Security Administrator role in AD and user_impersonation in the API Permission. I tried again and got the same message. I added the user as Owner and GA and the same error continued.
However, when I tested with my user, I was successful, so I assume my script was good.
PS: I used this tutorial to generate a token for my user: https://www.sepago.de/blog/how-to-generate-a-bearer-access-token-for-azure-rest-access-with-username-and-password-only-feasibility-test/
After trying a few other things, I don't know how I can move forward. Do you have any tips to help me?

Hi @alexlimabh, automating certain connectors via service principal is not something that Sentinel supports today. Those are connectors that need Azure AD level permissions (instead of Azure-only permissions). There's work ongoing to enable this scenario, but as of now, you will have to enable those connectors with your user identity.
Regards

@Javier Soriano - Sadly the AzSentinel cmdlets do not support PowerShell versions below 6.2. When trying to execute a PowerShell .ps1 file from a local machine it's a pain to make sure the PowerShell version is upgraded to a minimum of 6.2. Not really practical, as most local machines with Windows 10 and supported OS have PowerShell 5.x. It would be good if these cmdlets supported previous PowerShell versions.
Works absolutely fine when run on an Azure PowerShell console or through DevOps pipes.
Set-AzSentinel [-SubscriptionId <String>] -WorkspaceName <String> [-WhatIf] [-Confirm] [<CommonParameters>]

Tagging @Pouyan Khabazi in case he can comment. @Prash915 you can also look at opening an issue in the AzSentinel PowerShell project on GitHub.

@Javier Soriano: How can we protect the intellectual property of rules, queries and playbooks etc. from end customers in case we provide Sentinel as a managed service model?

Hi @Deepanshu_Marwah, take a look at minute 51:20 of this webinar: https://www.youtube.com/watch?v=hwahlwgJPnE&feature=youtu.be where @Ofer_Shezaf explains how this scenario would work. We are also working on a blog post summarizing the different scenarios.

@Javier Soriano In the Lighthouse model, where we might leverage the customer's subscription instead of creating a new subscription by CSP, there is supposed to be a BlackBox capability that protects partners' analytic rules. Is there any ETA on that?

Hi @Deepanshu_Marwah, yes, as of today you can create an analytics rule in your own tenant querying the customer tenant. That way the customer won't be able to see it.

Hi guys,
first of all great article, I've used this as reference for our design concept to deploy workbooks.
Now I actually have a question about maintaining/creating/updating workbooks (please refer me if this is not the place to ask this question).
As in this article, you have set up a PowerShell script that deploys per workbook, each workbook in a separate JSON file that actually contains the workbook data (queries etc.).
Is there another approach of how you could do this?
I just like to know. I could give you a sample of how we have done this: https://raw.githubusercontent.com/joerianto83/templates/master/sampleworkbook
In my opinion this is not efficient, doesn't give any good overview and is so fault-sensitive. I'd like to know your opinion about it.
What I would prefer is the method you are using here: create separate workbooks and keep the logic and data separated.

Hi @Joe Tahsin, interesting approach. We chose the other approach because it's easier IMO. You can just grab the workbooks from GitHub or from the Azure portal, place them in a folder and they will get deployed.
Your approach would work as well; what I would do though is parametrize it a little bit more. Basically modify the template to be able to deploy an array of workbooks that are passed in a separate parameters file. That way the same template would work for any number of workbooks with any kind of queries. Makes sense? If you get to do it, I'd like to see it!

Hi @Javier Soriano, I'd love to get this working.
I've installed AzSentinel and I can use the READ commands, but any write-related commands return an error 400.
I'm logged into Azure as the Global Admin.
I'm running this from the Azure PowerShell window.
e.g.:
New-AzSentinelAlertRule -WorkspaceName "dbazLAW3" -DisplayName "test1" -Description "blah" -Severity "High" -Enabled $true -Query 'blah' -QueryFrequency "5M" -QueryPeriod "5M" -TriggerOperator "GreaterThan" -TriggerThreshold 0 -SuppressionDuration "" -SuppressionEnabled $false -Tactics @("Collection") -PlaybookName ""
New-AzSentinelAlertRule: Unable to invoke webrequest with error message: Response status code does not indicate success: 400 (Bad Request).
Any idea on how to troubleshoot this?

Hi @bobsyouruncle, I just tried with the latest version from my Windows terminal and it worked fine. Could you try from your local machine? From Azure DevOps it will work fine for sure because it uses an agent that is consistent across any environment.
Regards

From my local machine I'm getting token expired.
I see the PowerShell is talking to this URL:
https://management.azure.com/subscriptions/<your subscription id>/providers/microsoft.insights/alertrules?api-version=2016-03-01
What controls my access to this URL?

@bobsyouruncle I am using the bearer token generated from the Connect-AzAccount command in the AzSentinel module. When do you get the timeout message? Because there is an auto refresh token function which should prevent this from happening.

Well, that gives a clue related to the problem.
If I run Connect-AzAccount manually it returns my Account, but not the SubscriptionName or TenantId:
sentinel-analytics-library> Connect-AzAccount
WARNING: To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code ERW9XXXXX to authenticate.
Account          SubscriptionName TenantId Environment
-------          ---------------- -------- -----------
xxxxx@gmail.com                                        AzureCloud
And I should have mentioned, the error after the Token error is related to the missing SubscriptionID:
Write-Error: /Users/xxxxx/.local/share/powershell/Modules/AzSentinel/0.6.4/AzSentinel.psm1:456
Line |
 456 |      Get-LogAnalyticWorkspace @arguments
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | No SubscriptionID provided

@bobsyouruncle so is there an Azure Subscription associated to the account that you are using to login? And is Azure Sentinel deployed in the same Subscription? If you need more help please create an incident on GitHub so that I can track the status: https://github.com/wortell/azsentinel/issues (please also share the verbose output for troubleshooting purposes).

Hey Pouyan, thanks for your reply.
I suspect my issue lies in the Azure AD application permissions.
This article doesn't touch on any of the access requirements needed, so I'm looking into the app registration API permissions.
I'm also trying some other alternatives like using the 'az rest' command, which handles all of the token handshaking.
And I'm working with the Resource Explorer (resources.azure.com) to understand the different API related resources.
i.e. I need to understand all of the API permission fundamentals before digging into the DevOps side of things.
Any resources/tips you have for the above topics are appreciated.
(Oh, and a tip for anyone working with the AzSentinel PowerShell commands: your best options are -Debug and -Verbose!)

I have several JSON templates for Playbooks and Logic Apps. I can deploy them successfully without any issues. However, I have to manually authorize the API connections used in Sentinel Playbooks.
Is there a script/solution to authorize API connections without user interaction?

Hi @JaroslavKozak, the only way I know to automate the authorization of API connections is using this script: https://github.com/logicappsio/LogicAppConnectionAuth. I haven't tried it myself, but it should work even if it is using the AzureRM module.
Let us know how it goes

Hi @Javier Soriano, the "CreateHuntingRulesAPI.ps1" script does not update the Hunting Rules. If we update one of the rules and run the pipeline, it just creates another rule with the same name. Any fix for this? Thanks in advance

Hi @s4secure, we rely on the AzSentinel PowerShell module in this case. In theory, AzSentinel supports updating Hunting Rules, but there might be a bug. Tagging @Pouyan Khabazi in case he is already aware.
You can also open an issue in the AzSentinel GitHub project: https://github.com/wortell/AZSentinel
Regards

For the client ID and client secret, we need to register an application on Azure. Can you please tell me how I can use the Sentinel API? I'm not getting any Sentinel API on the portal.
Then what should I enter in the Client ID and secret variables on Azure DevOps?

Hi @luckyr_, you just need to create a service principal (instructions here: https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest#create-a-service-principal) and then grant that principal access to your Azure environment. Normally, Contributor access to the resource group where you want to host your Sentinel environment is enough.
Regards

Thanks @Javier Soriano, it worked for me.
Can we automate the Azure dashboard deployment using the same approach via Azure DevOps pipelines?
If yes, can you please help me with the PowerShell scripts for the same.

Hi @luckyr_, sorry for the late reply. In the GitHub repo you can find a script to deploy workbooks across Sentinel environments. I haven't tried using it with dashboards instead of workbooks, but it should work very similarly.
Regards

Hi Javier,
Is it possible to simply use only the analytic rules or connectors as a standalone automation process of Sentinel without having to do a setup of the whole repo and code as described in your blog?

Hi @AlphaOmega, of course, you can just create a repository with the analytics rule JSON file. Then create the Azure DevOps project, service connections and variables and lastly your Scripts and Analytics Rule pipeline. That will work perfectly fine.
Another even simpler option is to just have a JSON file and a script that iterates through that file and enables the rules. This script will be very similar to the one we have in the repo; you just need to modify the first part to take the file from a different place. With this approach you remove the whole Azure DevOps (CI/CD) stuff.
Regards

Hi Javier,
I am having an issue when I try to build the connector pipeline. Was wondering if you could give me an insight on where the issue might be coming from.
[screenshot: Bsal00_0-1599158833470.png]
Regards

Hi @Bsal00, it seems like the agent (the server where your commands are being executed) couldn't find the script to execute. Did you run the Scripts pipeline before this one? Did it succeed?
Regards

Hi Javier,
thanks for the reply. Maybe I am missing something or doing it incorrectly.
- First step is to create a new pipeline and run the buildscript.yml file, which runs correctly and produces an artifact with analytics, connectors and installsentinel.ps1
- Second step is to run a new pipeline with the connectors.yml, which produces the previously shown error with 1 published and 1 consumed msg
Here is the repo structure:
[screenshot: Bsal00_0-1599240973689.png]
[screenshot: Bsal00_1-1599241121939.png]

You would need to do some troubleshooting @Bsal00. You can use a cmd task in AZ DevOps to list the files that are available in the agent and see why it is not there...

Good question @JaroslavKozak. As far as I know there's no easy way to automate this.
-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1674278%22%20slang%3D%22en-US%22%3E%3CP%3Ehello%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%20I'm%20following%20this%20document%20as%20you%20mentioned%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20have%20cloned%20the%20repo%20into%20my%20Azure%20DevOps%20repository%20list%2C%20and%20would%20like%20to%20know%20where%20I%20should%20execute%20the%20below%20command%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3ESet-AzSentinel%20%5B-SubscriptionId%20%26lt%3BString%26gt%3B%5D%20-WorkspaceName%20%26lt%3BString%26gt%3B%20%5B-WhatIf%5D%20%5B-Confirm%5D%20%5B%26lt%3BCommonParameters%26gt%3B%5D%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1675333%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1675333%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%2FA%3E%26nbsp%3B%2C%20that%20command%20is%20not%20part%20of%20our%20repo.%20In%20any%20case%2C%20that%20command%20is%20used%20to%20install%20the%20Sentinel%20solution%20on%20top%20of%20an%20existing%20log%20analytics%20workspace.%20You%20can%20run%20it%20in%20your%20Azure%20environment%20and%20against%20a%20log%20analytics%20workspace.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EMaybe%20read%20the%20whole%20article%20first%20and%20you'll%20see%20how%20everything%20fits%20together%20before%20starting%20to%20execute%20commands.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1680869%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1
680869%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20you're%20missing%20all%20the%20parameters%2C%20but%20you%20don't%20need%20to%20build%20your%20own%20pipeline%20like%20you%20did...you%20can%20reuse%20the%20ones%20that%20we%20have%20in%20the%20repo%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentinelascode%2Ftree%2Fmaster%2FPipelines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentinelascode%2Ftree%2Fmaster%2FPipelines%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1681076%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1681076%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3BI%26nbsp%3Bam%20trying%20with%20only%26nbsp%3B%20stand-alone%20%22Onboarding%22%20component%20for%20testing%20%2C%20not%20all%20the%20components%20together%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20ran%20into%20some%20Powershell%20compatibility%20issues%20while%20executing%20pipeline%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-09-17%20at%204.56.50%20PM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219371iAF231AC7E0004DDD%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22WhatsApp%20Image%202020-09-17%20at%204.56.50%20PM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-09-17%20at%204.56.50%20PM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3CSPAN%3EIs%20there%20any%20possibility%20to%20force%20this%20script%20to%20execute%20and%20compa
tible%20with%26nbsp%3B%205.1%3F%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAgents%20i%20used%3A%20VS2019%2C%20Win2019%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1679917%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1679917%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20cloned%20the%20repo%20and%20tried%20to%20start%20with%20the%20%22Onboarding%22%20component%20alone%20to%20see%20the%20sample%26nbsp%3B%20Sentinel%20and%20workspace%20in%20Azure%2C%20I%20have%20created%20a%20CI%20pipeline%20for%20testing%2C%20here%20is%20my%26nbsp%3B%20%26nbsp%3Berror%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-09-17%20at%2010.28.17%20PM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219418iC210C632F3FE5F43%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22WhatsApp%20Image%202020-09-17%20at%2010.28.17%20PM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-09-17%20at%2010.28.17%20PM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eany%20thoughts%3F%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ENote%3A%20I%20have%20modified%20the%20%22onboard.json%22%20file%20as%20per%20my%20requirement%20and%20put%20only%20one%20workspace%20as%20below%26nbsp%3B%26nbsp%3B%3C%
2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-markup%22%3E%3CCODE%3E%7B%0A%20%20%20%20%22deployments%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%7B%0A%20%20%20%20%20%20%20%20%20%20%20%20%22resourcegroup%22%3A%20%22test_rg%22%2C%0A%20%20%20%20%20%20%20%20%20%20%20%20%22workspace%22%3A%20%22test_sentinel%22%0A%20%20%20%20%20%20%20%20%7D%0A%20%20%20%20%5D%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1683434%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1683434%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%2FA%3E%26nbsp%3B%2C%20it%20was%20to%20be%20Powershell%20Core.%20You%20can%20see%20all%20prerrequisites%20for%20AzSentinel%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1683473%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1683473%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%2FA%3E%2C%20try%20enabling%20PowerShell%20core%20support%20by%20checking%20the%20box%20under%20the%20advanced%20secti
on.%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Screenshot%202020-09-18%20135816.png%22%20style%3D%22width%3A%20346px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219530i7DF2D3CE4A80E95F%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Screenshot%202020-09-18%20135816.png%22%20alt%3D%22Screenshot%202020-09-18%20135816.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1684522%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1684522%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9936%22%20target%3D%22_blank%22%3E%40Pouyan%20Khabazi%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20trying%20this%20to%20get%20this%20accomplished%20%2C%20but%20having%20some%20issues%20%2C%20here%20I%20have%20done%20so%20far%2C%20please%20provide%20some%20inputs%20what%20I%20missed%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20Imported%20the%20repo%20from%20GIT%20into%20my%20Azure%20DevOps%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2)%20created%20a%20service%20connection%20and%20variable%20group%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3)%20method%201%3A%26nbsp%3B%20Created%20a%20pipeline%20synced%20with%20onboardingCICD.YAML%20and%20executed%20got%20above%20error%26nbsp%3B%3C%2FP%3E%3CP%3
E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-09-18%20at%2011.36.05%20AM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219588i94687CC1646AF22B%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22WhatsApp%20Image%202020-09-18%20at%2011.36.05%20AM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-09-18%20at%2011.36.05%20AM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3%20Method2%3A%20Created%20a%20new%20pipeline%20with%20steps%2C%20and%20got%20the%20error%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-09-18%20at%2011.38.47%20AM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219589iD31B19240A1CF9DB%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22WhatsApp%20Image%202020-09-18%20at%2011.38.47%20AM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-09-18%20at%2011.38.47%20AM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ecan%20you%20please%20put%20all%20the%26nbsp%3B%20steps%20in%20sequence%20so%20that%20I%20can%20co-relate%20and%20check%20where%20I%20missed%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1690045%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1690045%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%
2FA%3E%26nbsp%3B%2C%3C%2FP%3E%0A%3CP%3EDid%20you%20grant%20permissions%20to%20the%20service%20principal%20to%20have%20access%20to%20the%20Log%20Analytics%20workspace%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1696716%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1696716%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%20I%20have%20requested%20for%20the%20access%20internally%2C%20will%20try%20to%20execute%20it%20once%20I%20get%20the%20access%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethank%20you%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1710140%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1710140%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%20I%20have%20executed%20the%20pipeline%20in%20below%20order%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1)%20build%20scrpts.yml%3C%2FP%3E%3CP%3E2)onboardingCICD.yml%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHere%2C%20is%20this%20total%20pipeline%20script%26nbsp%3B%20part%20is%20expecting%20to%20create%20the%20sentinel%20workspace%20manually%20via%20portal%20beforehand%20%3F%20or%20it%20creates%20a%20brand%20new%20sentinel%20workspace%26nbsp%3B%20right%20after%20executing%20this%20pipeline%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20created%20one%20workspace%20manually%20via%20portal%20UI%20and%20provided%20the%20same%20name%20in%20the%20onboarding.JSON%2C%20I%20got%20below%20as%20sh
own%20in%20the%20screenshot%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-09-24%20at%203.12.41%20PM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F221916i5D8E8DD3A75EC3F5%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22WhatsApp%20Image%202020-09-24%20at%203.12.41%20PM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-09-24%20at%203.12.41%20PM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eif%20it%20expected%20the%20workspace%20to%20be%20created%20already%20in%20the%20Azure%20portal%2C%20can%20I%20go%20for%20a%20connectors%20pipeline%20execution%2C%20or%20I%20can%20execute%20any%20CICD%20pipeline%20in%20any%20order%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1719261%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1719261%22%20slang%3D%22en-US%22%3E%3CP%3EYou%20can%20execute%20in%20any%20order%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1729618%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1729618%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20executed%20the%20pipelines%20and%20I%20see%20new%20components%20have%20been%20created%20successfully%2C%20when%20I%20tried%20to%20update%2Fmodify%20th
e%20existing%20files(Analytics%20rules%2C%20Hunting%20rules%20in%20my%20case)%2C%20it's%20not%20let%20me%20do%20that%20and%20throws%20below%20error%2C%3C%2FP%3E%3CP%3Ealso%2C%20I%20have%20seen%20your%20reply%20to%20one%20of%20the%20comment%20says%2C%20we%20just%20need%20to%20update%20the%20JSON%20file%20with%20new%20rules%20if%20we%20want%20to%20modify.%20but%20in%20my%20case%2C%20it's%20not%20happening%2C%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ehis%20is%20happening%20with%20Hunting%20rules%2C%20Analytics%20rules%2C%20Playbooks%2C%20workbooks%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eplease%20let%20me%20know%20your%20thoughts%20here%3F%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-09-30%20at%2010.52.25%20AM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F223076iD8734F902AB303EE%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22WhatsApp%20Image%202020-09-30%20at%2010.52.25%20AM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-09-30%20at%2010.52.25%20AM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1734460%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1734460%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%2FA%3E%26nbsp%3B%2C%20I%20haven't%20seen%20that%20error%20before.%20Can%20you%20try%20pulling%20the%20latest%20scripts%20and%20pipelines%20from%20the%20repo%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1734504%22%20slang%3D%22en-US%22%3ERe%3A%20Depl
oying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1734504%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EWhat%20an%20awesome%20blog!%26nbsp%3B%20Looking%20forward%20to%20trying%20this%20out...%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CIMG%20class%3D%22lia-deferred-image%20lia-image-emoji%22%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Fhtml%2Fimages%2Femoticons%2Fcool_40x40.gif%22%20alt%3D%22%3Acool%3A%22%20title%3D%22%3Acool%3A%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3EThanks%20for%20Sharing%20with%20the%20Community!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1736742%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1736742%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Javier%2C%3C%2FP%3E%3CP%3EThis%20line%20from%20the%20EnableconnectorsAPI%20is%20giving%20the%20below%20error%2C%20can't%20really%20figure%20out%20why.%20Any%20input%3F%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Bsal00_0-1601582556955.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F223473i025CF9018316A78D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Bsal00_0-1601582556955.png%22%20alt%3D%22Bsal00_0-1601582556955.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Bsal00_2-1601582813335.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F223475i3431428B39A8EF1E%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Bsal00_2-1601582813335.png%22%20alt%3D%22Bsal00_2-1601582813335.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%
3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1737152%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1737152%22%20slang%3D%22en-US%22%3E%3CP%3EI%20was%20wrong%2C%20that%20is%20not%20the%20line%20causing%20the%20issue%2C%20these%20are%20the%20modifications%20i%20had%20to%20do%20so%20that%20it%20would%20work%20with%20my%20organization.%20I%20do%20get%20the%20token%20printed%20out%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Bsal00_0-1601591531036.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F223541i7F859206B06B2FBC%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Bsal00_0-1601591531036.png%22%20alt%3D%22Bsal00_0-1601591531036.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1738446%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1738446%22%20slang%3D%22en-US%22%3E%3CP%3EHI%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F781391%22%20target%3D%22_blank%22%3E%40Bsal00%3C%2FA%3E%26nbsp%3B%2C%20our%20original%20script%20uses%20a%20service%20principal%20to%20authenticate%20to%20Azure.%20It%20looks%20like%20you're%20authenticating%20with%20the%20current%20logged%20in%20user%2C%20right%3F%20Glad%20you%20got%20it%20working%20anyway%2C%20and%20by%20the%20way%2C%20if%20you're%20using%20that%20method%2C%20you%20now%20have%20the%20option%20to%20enable%20other%20connectors%20via%20API%20as%20you%20can%20see%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Frest%2Fapi%2Fsecurityinsights%2Fdataconnectors%2Fcreateorupdate%22%20target%3D%22_blank%22%20re
l%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Frest%2Fapi%2Fsecurityinsights%2Fdataconnectors%2Fcreateorupdate%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1738983%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1738983%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Javier%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Esorry%20i%20should%20have%20been%20more%20clear%2C%20still%20having%20the%20above%20error.%20I%20wanted%20to%20show%20what%20modifications%20were%20done%20to%20help%20with%20the%20troubleshooting.%3C%2FP%3E%3CP%3EYes%20there%20is%20already%20a%20logged%20in%20user%20from%20what%20i%20undrestod%20so%20far%3C%2FP%3E%3CP%3EWould%20i%20be%20able%20to%20simply%20reuse%20the%20same%20code%20in%20the%20connectors.ps1%20or%20it%20would%20need%20extensive%20modifications%20to%20activate%20other%20connectors%3F%3C%2FP%3E%3CP%3EStill%20new%20to%20azure%20in%20general%20so%20appreciate%20any%20help.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1744915%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1744915%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F781391%22%20target%3D%22_blank%22%3E%40Bsal00%3C%2FA%3E%26nbsp%3B%2C%20the%20scripts%20in%20our%20repository%20are%20written%20to%20work%20with%20Azure%20Pipelines%20and%20therefore%20contain%20some%20variables%20that%20can%20only%20be%20interpreted%20by%20the%20Azure%20Pipelines%20agent.%20This%20is%20basically%20the%20part%20where%20you%20reference%20the%20connectors.json%20file%2C%20so%20you%20can%20just%20modify%20that%20part%20
and%20you'll%20be%20good%20to%20go.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1746074%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1746074%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20you%20said%2C%26nbsp%3B%20I%20have%20imported%20the%20latest%20repo%2C%26nbsp%3B%20I%20see%20a%20new%20setting%20called%20%22File%20Validator%22%20added%20in%20the%20YAML%20script%2C%20my%20organization%20is%20not%20allowing%20that%20extension%20to%20be%20downloaded%2Fadded%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ewithout%20that%20extension%2C%20I%20have%20tested%20the%20pipeline%20for%20updating%20analytics%20rules%2C%20hunting%20rules%20components%2C%20still%20getting%20the%20same%20error%20as%20before%26nbsp%3B%3C%2FP%3E%3CP%3EI%20fact%20I%20just%20made%20a%20simple%20change%20in%20the%20hunting%20rule%20JSON%20file%20(change%20event%20code%20from%204688%20to%204625)%2C%20but%20it%20failed%20to%20update%20the%20rule%20with%20a%20new%20ID%20in%20the%20sentinel%20workspace%20(but%20new%20rule%20creation%20is%20good%20though)%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-09-30%20at%2010.52.25%20AM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F224209i45DB11DEA7CB4D03%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20title%3D%22WhatsApp%20Image%202020-09-30%20at%2010.52.25%20AM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-09-30%20at%2010.52.25%20AM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3
CP%3E%E2%80%83%3C%2FP%3E%3CP%3Eany%20suggestions%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1749255%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1749255%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%2FA%3E%26nbsp%3B%2C%20it%20is%20a%20bug%20in%20AzSentinel%20module.%20It%20only%20affects%20New-AzSentinelHuntingRule%20as%20far%20as%20I%20know.%20See%20github%20issue%20opened%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%2Fissues%2F114%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%2Fissues%2F114%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETagging%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9936%22%20target%3D%22_blank%22%3E%40Pouyan%20Khabazi%3C%2FA%3E%26nbsp%3Bfyi%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1757895%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1757895%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EInterested%20in%20the%20'EnableConnectorsAPI'%20for%20creating%20and%20adding%20Threat%20Intelligence%20TAXII%20feeds%20and%20was%20after%20an%20example%20of%20the%20connectors%20file%20to%20handle%20this...%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ERegards%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ETim%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1757930%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22l
Hi @tipper1510, it would be like this:

    "content": {
        "kind": "ThreatIntelligenceTaxii",
        "properties": {
            "tenantId": "xxx-xxx-xxx-xxx",
            "workspaceId": "xxx-xxx-xxx-xxx",
            "friendlyName": "testserver",
            "taxiiServer": "https://limo.anomali.com/api/v1/taxii2/feeds/",
            "collectionId": "107",
            "username": "guest",
            "password": "guest",
            "taxiiClients": null,
            "dataTypes": {
                "taxiiClient": {
                    "state": "enabled"
                }
            }
        }
    }

Re: Deploying and Managing Azure Sentinel as Code

Hi Javier, thank you for this great solution.
I have some questions regarding the MSSP stages (taken from the webinar):

DavidSho_1-1602347967879.png

I am new to Azure DevOps; how can I point each stage to a different Azure subscription?
What are the tasks that need to be added to the first MSSP stage?
I want to implement https://github.com/javiersoriano/sentinelascode/blob/master/Pipelines/Samples/ARmultistage.yml
so that it is first deployed to the MSSP workspace, then to the customers' workspaces.

Re: Deploying and Managing Azure Sentinel as Code

Hi @DavidSho, you can point to each different Azure subscription by using different Service Connections. You define these at the project level.

In terms of the tasks at the first level, you could run a PowerShell task to deploy the artifacts (analytics rules, workbooks, etc.) to the workspace used by the MSSP, and maybe then add some post-deployment approvals to move forward to the customer stages.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi @DavidSho, yes, both PowerShell tasks would look the same except for the azureSubscription property.

The script path and arguments would be like this:

    ScriptPath: '$(Pipeline.Workspace)/Scripts/Scripts/CreateAnalyticsRules.ps1'
    ScriptArguments: '-Workspace $(Workspace) -RulesFile analytics-rules.json'

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi @Javier Soriano, thank you for the response!
So I have created a different Service Connection and a variable group for each customer subscription, and assigned them in the ARmultistage.yml (https://github.com/javiersoriano/sentinelascode/blob/master/Pipelines/Samples/ARmultistage.yml) (group, azureSubscription).
But I'm not sure how the PowerShell task to deploy the artifacts should look (in the release stage).
For example, if I want to deploy analytics rules, is it enough to call the script like this?

DavidSho_0-1602579272947.png

How can I control the first stage to work only on the MSSP environment?

Re: Deploying and Managing Azure Sentinel as Code

Hi @Javier Soriano, trying to run EnableConnectorsAPI.ps1, which API permissions do I need, as I'm getting:

Write-Error: Unable to invoke webrequest with error message: The client ' ' with object id ' ' does not have authorization to perform action 'microsoft.aadiam/diagnosticSettings/write' over scope '/providers/microsoft.aadiam/diagnosticSettings/AzureSentinel_tm-training-workspace' or the scope is invalid. If access was recently granted, please refresh your credentials.

Currently it has 2 Microsoft Graph permissions:
ThreatIndicators,ReadWrite.Ownedby
User.Read

Many thanks

Tim

Re: Deploying and Managing Azure Sentinel as Code

Hi, in order to enable the AAD connector, you need additional permissions at the tenant level.
You can assign these permissions to your service principal like this:

    # az role assignment create --role Owner --scope "/" --assignee {SPN_ID}

Re: Deploying and Managing Azure Sentinel as Code

Hi @Javier Soriano,

Using an app reg, so I assume that will not make too much difference??

It has owner permissions. Any specific API permissions it needs to work...

Regards,

Tim

Re: Deploying and Managing Azure Sentinel as Code

@tipper1510 permissions are normally set at the subscription or management group level, but this is not enough in this case; you need to set them at the / level as explained above.

Regards

Re: Deploying and Managing Azure Sentinel as Code

@Javier Soriano

Attempted to do it via the az role assignment create command but get:

ForbiddenError: The client '##############.onmicrosoft.com' with object id '###############' does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/providers/Microsoft.Authorization/roleAssignments/#########' or the scope is invalid. If access was recently granted, please refresh your credentials.

Regards,

Tim

Re: Deploying and Managing Azure Sentinel as Code

It seems like you don't have permissions to perform that action, @tipper1510. Are you a global admin in that AAD tenant? If you are and it is still not working, you will need to follow the process described here: https://docs.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin

Re: Deploying and Managing Azure Sentinel as Code

Hi Javier,

How hard would it be to create a template to deploy the AzureWebApplicationFirewall? Also, would the existing PS1 script work, or would it need to be modified heavily?

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi @Bsal00, there are already ARM templates that do this (see https://docs.microsoft.com/en-us/azure/web-application-firewall/ag/quick-create-template).

Regarding the scripts, it would be similar (but not the same) to the ones used in Workbooks and Playbooks.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi @Javier Soriano,

When I try to onboard the second brand new workspace, which belongs to the same resource group, it fails.
I just added two more lines as below:

    "resourcegroup": "<MY-RG>"
    "workspace": "Test-Sentinel-workspace2"

and the error I got is below:

WhatsApp Image 2020-10-15 at 10.43.11 AM.jpeg

Re: Deploying and Managing Azure Sentinel as Code

Hi @SP545,

> When I try to onboard the second brand new workspace, which belongs to the same resource group, it fails.

If your service principal is not contributor or admin on the subscription, it may be missing permissions on the new workspace.
Otherwise, if it is not an issue about the workspace not being fully provisioned yet, I'd say it likely has to do with some misspelled value in the configuration.

Re: Deploying and Managing Azure Sentinel as Code

Hi @Javier Soriano,
What value should I pass in the Pipeline.Workspace variable (on the PowerShell release task)?
I'm also getting an error since the agent PowerShell is coming with an old version; how can I update the agent version?
Many thanks

A.png

Re: Deploying and Managing Azure Sentinel as Code

Hi @DavidSho, the workspace variable refers to the Sentinel workspace where you want to deploy the given artifacts (Analytics Rules, Hunting queries, etc.).

The error in your screenshot is because you're not using PowerShell Core... make sure you specify that with pwsh: true in your YAML pipeline file.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Javier,

Are you able to send me a list of connectors I could manually add to the JSON? I am not using DevOps at the moment; I have configured the scripts with the JSONs directly in the script.

(The main ones I'm looking for now are Cloud App Security along with Defender for Identity (ATP).)

Much appreciated,
Aiden

Re: Deploying and Managing Azure Sentinel as Code

Hi @AidenWright, take a look at the script in this repo to see how to enable different connectors: https://github.com/javiersoriano/sentinel-all-in-one

Also take a look at the Import-AzSentinelDataConnector command in AzSentinel here: https://github.com/wortell/AZSentinel/blob/master/AzSentinel/docs/Import-AzSentinelDataConnector.md

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi Javier,

That was exactly what I was looking for, thank you.
Using the connectors you provided, I created the following JSON:

    '{
        "connectors": [
            {
                "kind": "Office365",
                "properties": {
                    "dataTypes": {
                        "sharePoint": {
                            "state": "enabled"
                        },
                        "exchange": {
                            "state": "enabled"
                        },
                        "teams": {
                            "state": "enabled"
                        }
                    }
                }
            },
            {
                "kind": "AzureActivityLog"
            },
            {
                "kind": "MicrosoftCloudAppSecurity",
                "properties": {
                    "dataTypes": {
                        "alerts": {
                            "state": "enabled"
                        },
                        "discoveryLogs": {
                            "state": "enabled"
                        }
                    }
                }
            },
            {
                "kind": "AzureAdvancedThreatProtection",
                "properties": {
                    "dataTypes": {
                        "alerts": {
6nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%22state%22%3A%26nbsp%3B%22enabled%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%22kind%22%3A%26nbsp%3B%22MicrosoftDefenderAdvancedThreatProtection%22%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%22properties%22%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%22dataTypes%22%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%22alerts%22%3A%26nbsp%3B%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26
nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%22state%22%3A%26nbsp%3B%22enabled%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%7D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%26nbsp%3B%26nbsp%3B%26nbsp%3B%26nbsp%3B%5D%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%3C%2FSPAN%3E%3CSPAN%3E'%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3EAnd%20got%20the%20following%20result%3B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E'Processing%20alert%20rule%3A%20Office365%3CBR%20%2F%3EProcessing%20alert%20rule%3A%20AzureActivityLog%3CBR%20%2F%3EData%20connector%20AzureActivityLog%20is%20not%20enabled%3CBR%20%2F%3EEnabling%20data%20connector%20AzureActivityLog%3CBR%20%2F%3ESuccessfully%20enabled%20data%20connector%3A%20AzureActivityLog%20with%20status%3A%20OK%3CBR%20%2F%3EProcessing%20alert%20rule%3A%20MicrosoftCloudAppSecurity%3CBR%20%2F%3EProcessing%20alert%20rule%3A%20AzureAdvancedThreatProtection%3CBR%20%2F%3EProcessing%20alert%20rule%3A%20MicrosoftDefenderAdvancedThreatProtection'%3C
%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3EBut%20none%20of%20the%20connectors%20have%20activated%20within%20sentinel%20itself%20and%20it%20looks%20like%20only%20AzureActivityLog%20was%20successfully%20enabled%20within%20the%20script%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20again%20for%20your%20help%20with%20this.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAiden%3C%2FP%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1827357%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1827357%22%20slang%3D%22en-US%22%3E%3CP%3EHI%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F847872%22%20target%3D%22_blank%22%3E%40AidenWright%3C%2FA%3E%26nbsp%3B%2C%20what%20script%20are%20you%20using%20in%20conjunction%20with%20that%20JSON%20file%3F%20the%20script%20that%20is%20able%20to%20enable%20those%20connectors%20is%20%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentinel-all-in-one%2Fblob%2Fmaster%2FSentinelallInOne.ps1%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3Ethis%20one%3C%2FA%3E.%20Also%2C%20take%20into%20account%20that%20most%20of%20those%20connectors%20need%20a%20user%20principal%20to%20sign%20in%20to%20Azure...service%20principal%20authentication%20will%20not%20work.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1846268%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1846268%22%20slang%3D%22en-US%22%3E%3CP%3Ehello%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%2C%3CA%20href%3D%22htt
ps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9936%22%20target%3D%22_blank%22%3E%40Pouyan%20Khabazi%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'd%20like%20to%20build%20the%20pipelines%20in%20a%20classic%20pipeline%20way%20(%20with%20more%20like%20a%20visual%20way%20)%20from%20the%20YAML%20approach%20reference%2C%20I%20stuck%20at%20below%20steps%20part%26nbsp%3B%20how%20I%20can%20add%20them%20in%20the%20classic%20pipeline%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3BExample%3A%20(onboardingCICD.yml)%26nbsp%3B%3C%2FP%3E%3CTABLE%3E%3CTBODY%3E%3CTR%3E%3CTD%3E%3CSPAN%20class%3D%22pl-ent%22%3Eresources%3C%2FSPAN%3E%3A%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3CTD%3E%3CSPAN%20class%3D%22pl-ent%22%3Epipelines%3C%2FSPAN%3E%3A%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3CTD%3E-%20%3CSPAN%20class%3D%22pl-ent%22%3Epipeline%3C%2FSPAN%3E%3A%20%3CSPAN%20class%3D%22pl-s%22%3EScripts%3C%2FSPAN%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3CTD%3E%3CSPAN%20class%3D%22pl-ent%22%3Esource%3C%2FSPAN%3E%3A%20%3CSPAN%20class%3D%22pl-s%22%3E%3CSPAN%20class%3D%22pl-pds%22%3E'%3C%2FSPAN%3EscriptsCI%3CSPAN%20class%3D%22pl-pds%22%3E'%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CTABLE%3E%3CTBODY%3E%3CTR%3E%3CTD%3E%3CSPAN%20class%3D%22pl-ent%22%3Esteps%3C%2FSPAN%3E%3A%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3CTD%3E-%20%3CSPAN%20class%3D%22pl-ent%22%3Edownload%3C%2FSPAN%3E%3A%20%3CSPAN%20class%3D%22pl-s%22%3Ecurrent%3C%2FSPAN%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3CTD%3E%3CSPAN%20class%3D%22pl-ent%22%3Eartifact%3C%2FSPAN%3E%3A%20%3CSPAN%20class%3D%22pl-s%22%3EOnboardingFile%3C%2FSPAN%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3E%26nbsp%3B%3C%2FTD%3E%3CTD%3E-%20%3CSPAN%20class%3D%22pl-ent%22%3Edownload%3C%2FSPAN%3E%3A%20%3CSPAN%20class%3D%22pl-s%22%3EScripts%3C%2FSPAN%3E%3C%2FTD%3E%3C%2FTR%3E%3CTR%3E%3CTD%3
E%26nbsp%3B%3C%2FTD%3E%3CTD%3E%3CSPAN%20class%3D%22pl-ent%22%3Epatterns%3C%2FSPAN%3E%3A%20%3CSPAN%20class%3D%22pl-s%22%3E%3CSPAN%20class%3D%22pl-pds%22%3E'%3C%2FSPAN%3E*.ps1%3CSPAN%20class%3D%22pl-pds%22%3E'%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FTD%3E%3C%2FTR%3E%3C%2FTBODY%3E%3C%2FTABLE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBuild%20pipeline%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM.jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F231284i8DF076E3F998F1A2%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM.jpeg%22%20alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM.jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(1).jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F231285i969C8FC1B8DA8FE2%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(1).jpeg%22%20alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(1).jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(2).jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F231286i765E459360E67793%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22WhatsApp%20I
mage%202020-11-03%20at%206.06.25%20PM%20(2).jpeg%22%20alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(2).jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3ERelease%20pipeline%20%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(3).jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F231287iC5B4FFEDA39375EB%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(3).jpeg%22%20alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(3).jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(4).jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F231288i93F1D6493107A489%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(4).jpeg%22%20alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(4).jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EError%20log%3A%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(5).jpeg%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F231289i52A79CB7DD6A8D72%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22WhatsApp%20Image%202020
-11-03%20at%206.06.25%20PM%20(5).jpeg%22%20alt%3D%22WhatsApp%20Image%202020-11-03%20at%206.06.25%20PM%20(5).jpeg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3E%E2%80%83%3C%2FP%3E%3CP%3Ecan%20you%20please%20let%20me%20know%20if%20this%20the%20correct%20way%20to%20do%20so%20that%20I%20can%20use%20it%20as%20a%20reference%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThank%20you!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1894515%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1894515%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F793593%22%20target%3D%22_blank%22%3E%40SP545%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F847872%22%20target%3D%22_blank%22%3E%40AidenWright%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20Get%20below%20error%20when%20-%20running%20analyticsrule%20pipeline.%3C%2FP%3E%3CDIV%20class%3D%22bolt-fixed-height-list-row%20scroll-hidden%20absolute%20focused%22%3ERule%20import%20failed%20with%20message%3A%20Exception%20setting%20%22Name%22%3A%20%22Cannot%20convert%20value%20%22BuiltInFusion%22%20to%3C%2FDIV%3E%3CDIV%20class%3D%22bolt-fixed-height-list-row%20scroll-hidden%20absolute%22%3E%3CDIV%20class%3D%22line-row%20flex-row%20flex-grow%22%3E%3CSPAN%20class%3D%22line-area%20flex-center%20flex-row%20flex-grow%20justify-start%22%3E%3CSPAN%20class%3D%22content%22%3E%3CSPAN%20class%3D%22pl-plain%22%3E%3CSPAN%3E%3CSPAN%20class%3D%22ansifg-r%20bright%20%22%3Etype%20%22System.Guid%22.%20Error%3A%20%22Guid%20should%20contain%2032%20digits%20with%204%20dashes%20%
3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3CDIV%20class%3D%22bolt-fixed-height-list-row%20scroll-hidden%20absolute%22%3E%3CDIV%20class%3D%22line-row%20flex-row%20flex-grow%22%3E%3CSPAN%20class%3D%22line-area%20flex-center%20flex-row%20flex-grow%20justify-start%22%3E%3CSPAN%20class%3D%22content%22%3E%3CSPAN%20class%3D%22pl-plain%22%3E%3CSPAN%3E%3CSPAN%20class%3D%22ansifg-r%20bright%20%22%3E(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%20class%3D%22line-row%20flex-row%20flex-grow%22%3E%26nbsp%3B%3C%2FDIV%3E%3CDIV%20class%3D%22line-row%20flex-row%20flex-grow%22%3E%3CSPAN%20class%3D%22line-area%20flex-center%20flex-row%20flex-grow%20justify-start%22%3E%3CSPAN%20class%3D%22content%22%3E%3CSPAN%20class%3D%22pl-plain%22%3E%3CSPAN%3E%3CSPAN%20class%3D%22ansifg-r%20bright%20%22%3EI%20have%20not%20set%20WorkbookSourceID%20in%20VariableGroup%20.I%20am%20not%20sure%20what%20value%20to%20pass%20for%20WorkbookSourceID.%20How%20do%20i%20get%20this%20value.%20is%20the%20error%20related%20to%26nbsp%3BWorkbookSourceID%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1894594%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1894594%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F871604%22%20target%3D%22_blank%22%3E%40pnandak%3C%2FA%3E%26nbsp%3B%2C%20the%20error%20is%20not%20because%20of%20WorkbookSourceID%2C%20it%20looks%20like%20your%20input%20file%20doesn't%20have%20the%20right%20format%20for%20the%20alert%20you're%20trying%20to%20push.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ECan%20you%20send%20the%20alert%20in%20json%20format%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%
3CP%3EREgards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1894650%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1894650%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3E%7B%0A%20%20%22Scheduled%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22AlertRule01%22%2C%0A%20%20%20%20%20%20%22description%22%3A%20%22%22%2C%0A%20%20%20%20%20%20%22severity%22%3A%20%22Medium%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22query%22%3A%20%22SecurityEvent%20%7C%20where%20EventID%20%3D%3D%20%5C%224688%5C%22%20%7C%20where%20CommandLine%20contains%20%5C%22-noni%20-ep%20bypass%20%24%5C%22%22%2C%0A%20%20%20%20%20%20%22queryFrequency%22%3A%20%225H%22%2C%0A%20%20%20%20%20%20%22queryPeriod%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22triggerOperator%22%3A%20%22GreaterThan%22%2C%0A%20%20%20%20%20%20%22triggerThreshold%22%3A%205%2C%0A%20%20%20%20%20%20%22suppressionDuration%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22suppressionEnabled%22%3A%20false%2C%0A%20%20%20%20%20%20%22tactics%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22Persistence%22%2C%0A%20%20%20%20%20%20%20%20%22LateralMovement%22%2C%0A%20%20%20%20%20%20%20%20%22Collection%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22playbookName%22%3A%20%22%22%2C%0A%20%20%20%20%20%20%22aggregationKind%22%3A%20%22SingleAlert%22%2C%0A%20%20%20%20%20%20%22createIncident%22%3A%20true%2C%0A%20%20%20%20%20%20%22groupingConfiguration%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22enabled%22%3A%20false%2C%0A%20%20%20%20%20%20%20%20%22reopenClosedIncident%22%3A%20false%2C%0A%20%20%20%20%20%20%20%20%22lookbackDuration%22%3A%20%22PT5H%22%2C%0A%20%20%20%20%20%20%20%20%22entitiesMatchingMethod%22%3A%20%22All%2
2%2C%0A%20%20%20%20%20%20%20%20%22groupByEntities%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%22Account%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22Ip%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22Host%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22Url%22%0A%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%2C%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22AlertRule02%22%2C%0A%20%20%20%20%20%20%22description%22%3A%20%22%22%2C%0A%20%20%20%20%20%20%22severity%22%3A%20%22Medium%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22query%22%3A%20%22SecurityEvent%20%7C%20where%20EventID%20%3D%3D%20%5C%224688%5C%22%20%7C%20where%20CommandLine%20contains%20%5C%22-noni%20-ep%20bypass%20%24%5C%22%22%2C%0A%20%20%20%20%20%20%22queryFrequency%22%3A%20%225H%22%2C%0A%20%20%20%20%20%20%22queryPeriod%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22triggerOperator%22%3A%20%22GreaterThan%22%2C%0A%20%20%20%20%20%20%22triggerThreshold%22%3A%205%2C%0A%20%20%20%20%20%20%22suppressionDuration%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22suppressionEnabled%22%3A%20false%2C%0A%20%20%20%20%20%20%22tactics%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22Persistence%22%2C%0A%20%20%20%20%20%20%20%20%22LateralMovement%22%2C%0A%20%20%20%20%20%20%20%20%22Collection%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22playbookName%22%3A%20%22%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22Fusion%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22Advanced%20Multistage%20Attack%20Detection%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22alertRuleTemplateName%22%3A%20%22f71aba3d-28fb-450b-b192-4e76a83015c8%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22MLBehaviorAnalytics%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22(Preview)%20Anomalous%20SSH%20Login%20Detection%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22alertRuleTemplateName%22%3A%20%22fa118b98-de46-4e94
-87f9-8e6d5060b60b%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22MicrosoftSecurityIncidentCreation%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22Create%20incidents%20based%20on%20Azure%20Active%20Directory%20Identity%20Protection%20alerts%22%2C%0A%20%20%20%20%20%20%22description%22%3A%20%22Create%20incidents%20based%20on%20all%20alerts%20generated%20in%20Azure%20Active%20Directory%20Identity%20Protection%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22productFilter%22%3A%20%22Microsoft%20Cloud%20App%20Security%22%2C%0A%20%20%20%20%20%20%22severitiesFilter%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22High%22%2C%0A%20%20%20%20%20%20%20%20%22Medium%22%2C%0A%20%20%20%20%20%20%20%20%22Low%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22displayNamesFilter%22%3A%20null%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D%3C%2FPRE%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1894688%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1894688%22%20slang%3D%22en-US%22%3E%3CP%3EAre%20you%20sure%20you're%20using%20the%20latest%20AzSentinel%20module%20and%20using%20that%20file%20as%20input%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F871604%22%20target%3D%22_blank%22%3E%40pnandak%3C%2FA%3E%26nbsp%3B%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1894691%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1894691%22%20slang%3D%22en-US%22%3E%3CP%3Ehi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ei%20am%20using%20the%20one%20from%20below%3A%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentine
lascode%2Fblob%2Fmaster%2FAnalyticsRules%2Fanalytics-rules.json%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fjaviersoriano%2Fsentinelascode%2Fblob%2Fmaster%2FAnalyticsRules%2Fanalytics-rules.json%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eexcept%20that%20product%20filter%20changed%20to%20Microsoft%20Cloud%20app%20Security.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1894902%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1894902%22%20slang%3D%22en-US%22%3E%3CP%3EIt%20seems%20like%20a%20bug%20in%20AzSentinel.%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F9936%22%20target%3D%22_blank%22%3E%40Pouyan%20Khabazi%3C%2FA%3E%26nbsp%3Bcan%20you%20take%20a%20look%3F%20I'm%20seeing%20this%20error%20using%20the%20Import-AzSentinelAlertRule%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EImport-AzSentinelAlertRule%20-WorkspaceName%20xxx%20-SettingsFile%20.%5Canalytics-rules.json%3CBR%20%2F%3ESetValueInvocationException%3A%20C%3A%5CUsers%5Cjasorian%5CDocuments%5CPowerShell%5CModules%5CAzSentinel%5C0.6.13%5CAzSentinel.psm1%3A338%3CBR%20%2F%3ELine%20%7C%3CBR%20%2F%3E338%20%7C%20%24this.Name%20%3D%20%24Name%3CBR%20%2F%3E%7C%20~~~~~~~~~~~~~~~~~~%3CBR%20%2F%3E%7C%20Exception%20setting%20%22Name%22%3A%20%22Cannot%20convert%20value%20%22firstRule2%22%20to%20type%20%22System.Guid%22.%20Error%3A%20%22Guid%20should%20contain%2032%20digits%20with%204%20dashes%20(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).%22%22%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1910353%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1910353%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%
2Fuser-id%2F871604%22%20target%3D%22_blank%22%3E%40pnandak%3C%2FA%3E%26nbsp%3Bthanks%20for%20the%20feedback%2C%20I%20have%20just%20released%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.powershellgallery.com%2Fpackages%2FAzSentinel%2F0.6.15%22%20target%3D%22_self%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3EAzSentinel%20version%200.6.15%3C%2FA%3E%20which%20includes%20a%20fix%20for%20issue%20that%20you%20are%20having.%20Please%20test%20it%20in%20your%20environment%20and%20let%20me%20know%20if%20it%20works%20for%20you.%20Kr%2C%20Pouyan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1959557%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1959557%22%20slang%3D%22en-US%22%3E%3CP%3ERunning%20the%20Workbooks%20Pipeline%20more%20than%20once%20(eg%20adding%20more%20.json%20Workbook%20Templates%20in%20the%20Workbooks%20folder)%20gives%20me%20this%20error%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Jaa9H_0-1607205992171.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F238028i9844A413D8CFD2C4%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Jaa9H_0-1607205992171.png%22%20alt%3D%22Jaa9H_0-1607205992171.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3EAnybody%20else%20experienced%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3B%3A%20In%20your%20examples%20there%20are%20only%203%20connectors%20listed.%20Where%20can%20I%20find%20the%20correct%20syntax%20for%20enabling%20f.ex%20Office%20365%2C%20Cloud%20App%20Security%20%2B%2B%2B.%20There%20are%20now%2061%20different%20connectors%20available%2
0GA.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1968406%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1968406%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20error%20is%20expected%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F892182%22%20target%3D%22_blank%22%3E%40Jaa9H%3C%2FA%3E%26nbsp%3B.%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegarding%20other%20connectors%2C%20they%20follow%20the%20API%20format%20specified%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Frest%2Fapi%2Fsecurityinsights%2Fdataconnectors%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EData%20Connectors%20(Azure%20Sentinel)%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1131928%22%20slang%3D%22en-US%22%3EDeploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1131928%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22clipboard_image_1.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F167679i8C61546891B9EE52%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22clipboard_image_1.png%22%20alt%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CEM%3EPhilippe%20Zenhaeusern%20and%20Javier%20Soriano%20co-author%20this%20blog%20post.%3C%2FEM%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EIn%20the%20last%20few%20months%20working%20on%20Azure%20Sentinel%2C%20we%20have%20talked%20to%20many%20partners%20and%20customers%20about%20ways%20to%20automate%20Azure%20Sentinel%20deploy
n%22%2C%0A%20%20%20%20%20%20%22triggerThreshold%22%3A%205%2C%0A%20%20%20%20%20%20%22suppressionDuration%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22suppressionEnabled%22%3A%20false%2C%0A%20%20%20%20%20%20%22tactics%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22Persistence%22%2C%0A%20%20%20%20%20%20%20%20%22LateralMovement%22%2C%0A%20%20%20%20%20%20%20%20%22Collection%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22playbookName%22%3A%20%22%22%2C%0A%20%20%20%20%20%20%22aggregationKind%22%3A%20%22SingleAlert%22%2C%0A%20%20%20%20%20%20%22createIncident%22%3A%20true%2C%0A%20%20%20%20%20%20%22groupingConfiguration%22%3A%20%7B%0A%20%20%20%20%20%20%20%20%22enabled%22%3A%20false%2C%0A%20%20%20%20%20%20%20%20%22reopenClosedIncident%22%3A%20false%2C%0A%20%20%20%20%20%20%20%20%22lookbackDuration%22%3A%20%22PT5H%22%2C%0A%20%20%20%20%20%20%20%20%22entitiesMatchingMethod%22%3A%20%22All%22%2C%0A%20%20%20%20%20%20%20%20%22groupByEntities%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%20%20%22Account%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22Ip%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22Host%22%2C%0A%20%20%20%20%20%20%20%20%20%20%22Url%22%0A%20%20%20%20%20%20%20%20%5D%0A%20%20%20%20%20%20%7D%0A%20%20%20%20%7D%2C%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22AlertRule02%22%2C%0A%20%20%20%20%20%20%22description%22%3A%20%22%22%2C%0A%20%20%20%20%20%20%22severity%22%3A%20%22Medium%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22query%22%3A%20%22SecurityEvent%20%7C%20where%20EventID%20%3D%3D%20%5C%224688%5C%22%20%7C%20where%20CommandLine%20contains%20%5C%22-noni%20-ep%20bypass%20%24%5C%22%22%2C%0A%20%20%20%20%20%20%22queryFrequency%22%3A%20%225H%22%2C%0A%20%20%20%20%20%20%22queryPeriod%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22triggerOperator%22%3A%20%22GreaterThan%22%2C%0A%20%20%20%20%20%20%22triggerThreshold%22%3A%205%2C%0A%20%20%20%20%20%20%22suppressionDuration%22%3A%20%226H%22%2C%0A%20%20%20%20%20%20%22suppressionEnabled%22%3A%20false%2C%0A%20%20%20%
20%20%20%22tactics%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22Persistence%22%2C%0A%20%20%20%20%20%20%20%20%22LateralMovement%22%2C%0A%20%20%20%20%20%20%20%20%22Collection%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22playbookName%22%3A%20%22%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22Fusion%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22Advanced%20Multistage%20Attack%20Detection%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22alertRuleTemplateName%22%3A%20%22f71aba3d-28fb-450b-b192-4e76a83015c8%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22MLBehaviorAnalytics%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22(Preview)%20Anomalous%20SSH%20Login%20Detection%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22alertRuleTemplateName%22%3A%20%22fa118b98-de46-4e94-87f9-8e6d5060b60b%22%0A%20%20%20%20%7D%0A%20%20%5D%2C%0A%20%20%22MicrosoftSecurityIncidentCreation%22%3A%20%5B%0A%20%20%20%20%7B%0A%20%20%20%20%20%20%22displayName%22%3A%20%22Create%20incidents%20based%20on%20Azure%20Active%20Directory%20Identity%20Protection%20alerts%22%2C%0A%20%20%20%20%20%20%22description%22%3A%20%22Create%20incidents%20based%20on%20all%20alerts%20generated%20in%20Azure%20Active%20Directory%20Identity%20Protection%22%2C%0A%20%20%20%20%20%20%22enabled%22%3A%20true%2C%0A%20%20%20%20%20%20%22productFilter%22%3A%20%22Microsoft%20Cloud%20App%20Security%22%2C%0A%20%20%20%20%20%20%22severitiesFilter%22%3A%20%5B%0A%20%20%20%20%20%20%20%20%22High%22%2C%0A%20%20%20%20%20%20%20%20%22Medium%22%2C%0A%20%20%20%20%20%20%20%20%22Low%22%0A%20%20%20%20%20%20%5D%2C%0A%20%20%20%20%20%20%22displayNamesFilter%22%3A%20null%0A%20%20%20%20%7D%0A%20%20%5D%0A%7D%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAs%20you%20can%20see%2C
%20Fusion%20and%20MLBehaviorAnalytics%20rules%20need%20a%20field%20called%20%3CEM%3EalertRuleTemplateName%3C%2FEM%3E.%20This%20is%20an%20ID%20that%20is%20consistent%20across%20all%20Sentinel%20environments%2C%20so%20you%20should%20use%20the%20same%20values%20in%20your%20own%20files.%20As%20Sentinel%20grows%2C%20we%20are%20adding%20more%20MLBehaviorAnalytics%20rules%2C%20so%20you%20might%20need%20to%20get%20the%20%3CEM%3EalertRuleTemplateName%3C%2FEM%3E%20values%20in%20order%20for%20you%20to%20add%20them%20to%20your%20rules%20JSON%20file.%20In%20order%20to%20get%20the%20values%20for%20%3CEM%3EalertRuleTemplateName%2C%3C%2FEM%3E%20you%20can%20execute%20the%20following%20command%20available%20in%20AzSentinel%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%3E%3CSPAN%3EGet-AzSentinelAlertRuleTemplates%20-WorkspaceName%20%3CWORKSPACE_NAME%3E%20-Kind%20MLBehaviorAnalytics%3C%2FWORKSPACE_NAME%3E%3C%2FSPAN%3E%3C%2FPRE%3E%0A%3CP%3EThe%20output%20will%20contain%20a%20name%20field%20that%20contains%20the%20%3CEM%3EalertRuleTemplateName%3C%2FEM%3E%20value.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThe%20script%20will%20iterate%20through%20this%20JSON%20file%20and%20create%2Fenable%20the%20analytics%20rule%20alerts.%20The%20script%20also%20supports%20updating%20existing%20alerts%20that%20are%20already%20enabled.%20This%20JSON%20file%20should%20be%20placed%20into%20the%20Analytics%20Rules%20directory%20so%20the%20script%20can%20read%20it.%20The%20script%20also%20supports%20attaching%20playbooks%20for%20automated%20response%20to%20an%20alert.%20This%20is%20specified%20in%20the%20playbook%20property%20for%20each%20alert%20in%20the%20JSON%20file.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505459220%22%20id%3D%22toc-hId--505
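Because the rules file is committed source that a pipeline turns straight into detections, it is worth linting it before CreateAnalyticsRules.ps1 ever runs. The script below is an added example and is not part of the sentinelascode repo or the AzSentinel module; the function name Test-SentinelRulesFile, the allowed-value lists for severity and triggerOperator, and the duration parsing are assumptions on my part, chosen to match the sample file above. It checks, per rule kind, that the fields the script needs are present, that Fusion and MLBehaviorAnalytics entries carry a template GUID, that displayNames are unique (the script updates existing rules by name), and that queryPeriod is not shorter than queryFrequency, which would leave gaps between runs. The sample file it writes is constructed for the demo and contains two deliberate mistakes.

```powershell
# Added example: offline lint for the rules JSON consumed by CreateAnalyticsRules.ps1.
# Not from the sentinelascode repo; names and allowed values are assumptions.

function Test-SentinelRulesFile {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    $rules    = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $problems = [System.Collections.Generic.List[string]]::new()
    $seen     = @{}

    # Values taken from the sample file; extend if Sentinel adds more (assumption).
    $severities = 'High', 'Medium', 'Low', 'Informational'
    $operators  = 'GreaterThan', 'LessThan', 'Equal', 'NotEqual'
    $guid       = '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

    # "5H", "30M", "1D" or "PT5H" -> minutes; $null when the format is not recognised.
    function ConvertTo-Minutes([string] $Duration) {
        if ($Duration -match '^(?:PT)?(\d+)([DHM])$') {
            $n = [int] $Matches[1]
            switch ($Matches[2].ToUpper()) { 'D' { return $n * 1440 } 'H' { return $n * 60 } 'M' { return $n } }
        }
        return $null
    }

    foreach ($kind in $rules.PSObject.Properties.Name) {
        $i = 0
        foreach ($r in @($rules.$kind)) {
            $i++
            $label = "$kind[$i]"

            # Every kind: a non-empty, unique displayName (the deploy script updates by name).
            if ([string]::IsNullOrWhiteSpace($r.displayName)) { $problems.Add("${label}: displayName is required") }
            elseif ($seen.ContainsKey($r.displayName))       { $problems.Add("${label}: duplicate displayName '$($r.displayName)'") }
            else                                             { $seen[$r.displayName] = $true }

            switch ($kind) {
                'Scheduled' {
                    foreach ($f in 'query', 'severity', 'queryFrequency', 'queryPeriod', 'triggerOperator') {
                        if ([string]::IsNullOrWhiteSpace($r.$f)) { $problems.Add("${label}: $f is required") }
                    }
                    # Checked separately so a legitimate threshold of 0 is not reported as missing.
                    if ($null -eq $r.triggerThreshold) { $problems.Add("${label}: triggerThreshold is required") }
                    if ($r.severity -and $r.severity -notin $severities) { $problems.Add("${label}: unknown severity '$($r.severity)'") }
                    if ($r.triggerOperator -and $r.triggerOperator -notin $operators) { $problems.Add("${label}: unknown triggerOperator '$($r.triggerOperator)'") }
                    $freq = ConvertTo-Minutes $r.queryFrequency
                    $per  = ConvertTo-Minutes $r.queryPeriod
                    if ($null -eq $freq -or $null -eq $per) { $problems.Add("${label}: queryFrequency/queryPeriod must look like 5H, 30M or 1D") }
                    elseif ($per -lt $freq) { $problems.Add("${label}: queryPeriod $($r.queryPeriod) is shorter than queryFrequency $($r.queryFrequency), so events between runs are never scanned") }
                    break
                }
                { $_ -in 'Fusion', 'MLBehaviorAnalytics' } {
                    if ([string]$r.alertRuleTemplateName -notmatch $guid) { $problems.Add("${label}: alertRuleTemplateName must be the template GUID (see Get-AzSentinelAlertRuleTemplates)") }
                    break
                }
                'MicrosoftSecurityIncidentCreation' {
                    if ([string]::IsNullOrWhiteSpace($r.productFilter)) { $problems.Add("${label}: productFilter is required") }
                    break
                }
                default { $problems.Add("${label}: unknown rule kind '$kind'") }
            }
        }
    }
    return $problems
}

# Constructed sample with two deliberate mistakes: AlertRule02 has a period shorter
# than its frequency, and the Fusion rule is missing its alertRuleTemplateName.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'rules-sample.json'
@'
{
  "Scheduled": [
    { "displayName": "AlertRule01", "severity": "Medium", "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\"",
      "queryFrequency": "5H", "queryPeriod": "6H",
      "triggerOperator": "GreaterThan", "triggerThreshold": 5 },
    { "displayName": "AlertRule02", "severity": "Medium", "enabled": true,
      "query": "SecurityEvent | where EventID == \"4688\"",
      "queryFrequency": "6H", "queryPeriod": "5H",
      "triggerOperator": "GreaterThan", "triggerThreshold": 0 }
  ],
  "Fusion": [
    { "displayName": "Advanced Multistage Attack Detection", "enabled": true }
  ]
}
'@ | Set-Content -Path $sample

$problems = @(Test-SentinelRulesFile -Path $sample)
$problems | ForEach-Object { Write-Host "ERROR: $_" }
# A terminating error fails the pipeline step, so a bad file never reaches deployment.
if ($problems.Count -gt 0) { throw "$($problems.Count) problem(s) found in $sample" }
```

On the constructed sample the function reports exactly two problems (Scheduled[2] for the period/frequency mismatch and Fusion[1] for the missing GUID) and the final throw fails the step. Dropped into the repo as a step that runs before CreateAnalyticsRules.ps1, it catches the most common editing mistakes on a pull request rather than in a failed deployment against the customer's workspace.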
Workbooks

Workbooks are a native object in Azure and can therefore be created through an ARM template. The idea is that you place all the custom workbooks you have developed inside the Workbooks folder in your repo, and any change to them triggers a pipeline that creates them in your Sentinel environment.

We have created a script (placed in the same repo here, https://github.com/javiersoriano/sentinelascode/blob/master/Scripts/CreateWorkbooks.ps1) that can be used to automate this process. It has the following syntax:

CreateWorkbooks.ps1 -SubscriptionId <String> -ResourceGroup <String> -WorkbooksFolder <String> -Workspace <String>

The script will iterate through all the workbooks in the WorkbooksFolder and deploy them into your Azure Sentinel instance.

Also, consider that the deployment will fail if a workbook with the same name already exists.

If you're building your own workbook ARM template, make sure that you add "sentinel" as the workbookType in the template (look at our examples here: https://github.com/javiersoriano/sentinelascode/tree/master/Workbooks).
Hunting Rules

In order to automate the deployment of Hunting Rules, we will use the AzSentinel module.

We have created another script that takes as input a JSON file in which all the Hunting Rules are defined. The script will iterate over them and create/update them accordingly.

The syntax for this script is the following:

CreateHuntingRulesAPI.ps1 -Workspace <String> -RulesFile <String>
Playbooks

This works the same way as Workbooks. Playbooks use Azure Logic Apps to respond automatically to incidents. Logic Apps are a native resource in ARM, and therefore we can automate their deployment with ARM templates. The idea is that you place all the custom playbooks you have developed inside the Playbooks folder in your repo, and any change to them triggers a pipeline that creates them in your Sentinel environment.

We have created a script (placed in the same repo here, https://github.com/javiersoriano/sentinelascode/blob/master/Scripts/CreatePlaybooks.ps1) that can be used to automate this process. It has the following syntax:

CreatePlaybooks.ps1 -ResourceGroup <String> -PlaybooksFolder <String>

This script will succeed even if the playbooks are already there.
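Both the Workbooks and the Playbooks sections describe the same pipeline pattern: walk a folder of ARM templates and deploy each one into the resource group. The following is an added example of that loop; it is not the repo's CreateWorkbooks.ps1 or CreatePlaybooks.ps1, and the function name Publish-ArmTemplateFolder and its parameters are my own. It uses only standard Az.Resources cmdlets (Test-AzResourceGroupDeployment and New-AzResourceGroupDeployment) and assumes an existing Connect-AzAccount session for the service principal the pipeline runs as. Two points it adds to the plain loop: every template is validated before anything is deployed, and a failed deployment (for instance a workbook whose name already exists, the failure mode noted above) is recorded per template instead of aborting the whole run, so one bad file does not block the others.

```powershell
# Added example, not the sentinelascode repo's scripts. Requires the Az.Resources
# module and a signed-in Azure context; parameter names are assumptions.

function Publish-ArmTemplateFolder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string]    $ResourceGroup,
        [Parameter(Mandatory)] [string]    $TemplateFolder,
        [hashtable]                        $Parameters = @{}
    )

    $results = foreach ($file in Get-ChildItem -Path $TemplateFolder -Filter *.json -File) {
        $common = @{ ResourceGroupName = $ResourceGroup; TemplateFile = $file.FullName }
        if ($Parameters.Count -gt 0) { $common.TemplateParameterObject = $Parameters }

        # Validate without deploying: returns one error object per problem, nothing when valid.
        $validation = Test-AzResourceGroupDeployment @common
        if ($validation) {
            [pscustomobject]@{ Template = $file.Name; Status = 'Invalid'; Detail = ($validation.Message -join '; ') }
            continue
        }

        # Deployment name = template name + UTC timestamp, so the resource group's
        # deployment history shows which pipeline run created which resource.
        $name = '{0}-{1:yyyyMMddHHmmss}' -f $file.BaseName, (Get-Date).ToUniversalTime()

        if ($PSCmdlet.ShouldProcess($file.Name, "Deploy to $ResourceGroup")) {
            try {
                $d = New-AzResourceGroupDeployment @common -Name $name -Mode Incremental -ErrorAction Stop
                [pscustomobject]@{ Template = $file.Name; Status = $d.ProvisioningState; Detail = $name }
            }
            catch {
                # e.g. a workbook whose displayName already exists in the workspace
                [pscustomobject]@{ Template = $file.Name; Status = 'Failed'; Detail = $_.Exception.Message }
            }
        }
    }
    return $results
}

# Typical use from a pipeline step; the resource group and folder are placeholders.
$results = @(Publish-ArmTemplateFolder -ResourceGroup 'rg-sentinel' -TemplateFolder './Workbooks')
$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Status -in 'Invalid', 'Failed' }) {
    throw 'One or more templates did not deploy; see the table above'
}
```

Because the function declares SupportsShouldProcess, running it with -WhatIf validates every template and prints what would be deployed without touching the resource group, which is a cheap check to run on pull requests before the real deployment runs on merge.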
Building your Sentinel as Code in Azure DevOps

Now that we have a clear view of how to structure our code repository and what to use to automate each Sentinel component, we can start creating things in Azure DevOps. This is a high-level list of tasks that we will perform:

  -  Create an Azure DevOps organization
  -  Create a project in Azure DevOps
  -  Create a service connection to your Azure environment(s)
  -  Create variables
  -  Connect your existing code repository with your Azure DevOps project
  -  Create pipelines

Let's review them one by one.

Create an Azure DevOps organization

This is the first step in order to have your Azure DevOps environment. You can see the details on how to do this here (https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/create-organization?view=azure-devops).

Create a project in Azure DevOps

A project provides a repository for source code and a place for a group of people to plan, track progress, and collaborate on building software solutions. It will be the container for your code repository, pipelines, boards, etc. See instructions on how to create it here (https://docs.microsoft.com/en-us/azure/devops/organizations/projects/about-projects).

Create a service connection to your Azure environment

In order to talk to our Azure environment, we n
eed%20to%20create%20a%20connection%20with%20specific%20Azure%20credentials.%20In%20Azure%20DevOps%2C%20this%20is%20called%20a%20service%20connection.%20The%20credentials%20that%20you%20will%20use%20to%20create%20this%20service%20connection%20are%20typically%20a%20service%20principal%20account%20defined%20on%20Azure.%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYou%20have%20full%20details%20on%20how%20to%20create%20a%20service%20connection%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fdevops%2Fpipelines%2Flibrary%2Fservice-endpoints%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehere%3C%2FA%3E.%20Once%20you%20have%20created%20the%20principal%2C%20you%20will%20need%20to%20grant%20it%20access%20to%20your%20Azure%20environment%20where%20Sentinel%20would%20live.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThese%20are%20the%20fields%20you%20need%20to%20provide%20to%20create%20your%20service%20connection%3A%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20image-alt%3D%22clipboard_image_0.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F167598i565C8CBEEB5910EC%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22clipboard_image_0.png%22%20alt%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ETake%20a%20note%20of%20the%20%3CEM%3EConnection%20name%3C%2FEM%3E%20you%20provide%2C%20as%20you%20will%20need%20to%20use%20this%20name%20in%20your%20pipelines.%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144015%22%20id%3D%22toc-hId-658144
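As an added example (not code from the sentinelascode repository), here is how the service principal behind that service connection can be created with the Az PowerShell module so that it holds exactly one role, at resource-group scope, and nothing else. The resource group name, the principal's display name and the choice of role are assumptions for illustration: Microsoft Sentinel Contributor (called Azure Sentinel Contributor when this post was written) covers deploying analytics rules, while pipelines that deploy playbooks or workbooks need the corresponding Logic Apps or workbook roles as well. The script assumes Az.Resources 6.0 or later for the property names of the object that New-AzADServicePrincipal returns.

```powershell
# Added example, not part of the sentinelascode repository.
# Creates the service principal for the Azure DevOps service connection with a single
# role assignment at resource-group scope, then verifies nothing wider was granted.
# Assumes Az.Resources 6.0 or later; resource group, display name and role are placeholders.

Connect-AzAccount | Out-Null
$context        = Get-AzContext
$subscriptionId = $context.Subscription.Id
$resourceGroup  = 'rg-sentinel'                      # assumed: the resource group holding the Sentinel workspace
$scope          = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup"
$roleName       = 'Microsoft Sentinel Contributor'   # 'Azure Sentinel Contributor' in older tenants

# 1. Create the principal with no role assignment. Az.Resources versions before 6.0 granted
#    Contributor on the whole subscription by default; -SkipAssignment suppressed that.
$spParams = @{ DisplayName = 'sp-sentinel-as-code' }
if ((Get-Command New-AzADServicePrincipal).Parameters.ContainsKey('SkipAssignment')) {
    $spParams['SkipAssignment'] = $true
}
$sp = New-AzADServicePrincipal @spParams

# 2. Assign exactly one role at resource-group scope. Directory replication can lag for a
#    few seconds after creation, so retry the assignment instead of failing on the first try.
$assigned = $false
for ($attempt = 1; $attempt -le 5 -and -not $assigned; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $roleName -Scope $scope -ErrorAction Stop | Out-Null
        $assigned = $true
    }
    catch {
        Write-Warning "Role assignment attempt $attempt failed: $($_.Exception.Message)"
        Start-Sleep -Seconds 10
    }
}
if (-not $assigned) { throw 'Could not assign the role; the principal was created but is unusable.' }

# 3. Verify: the principal must hold no assignment other than the one intended.
$unexpected = Get-AzRoleAssignment -ObjectId $sp.Id |
    Where-Object { $_.Scope -ne $scope -or $_.RoleDefinitionName -ne $roleName }
if ($unexpected) {
    $unexpected | Format-Table RoleDefinitionName, Scope -AutoSize | Out-String | Write-Warning
    throw 'Service principal holds role assignments beyond the intended scope; remove them before creating the service connection.'
}

# 4. Values for the service connection form. The secret is shown once; paste it into
#    Azure DevOps (or Key Vault) immediately and never commit it to the repository.
[pscustomobject]@{
    SubscriptionId = $subscriptionId
    TenantId       = $context.Tenant.Id
    ClientId       = $sp.AppId
    ClientSecret   = $sp.PasswordCredentials.SecretText
}
```

The verification step is the part worth keeping even if you create the principal some other way: run Get-AzRoleAssignment against the principal's object id after any change and make sure the list contains nothing but the scoped role you intended.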
Create variables

We are going to need several variables defined in the Azure DevOps environment so they can be passed to our scripts to specify the Sentinel workspace, resource group, config files, and API connection information.

 

As we will need these variables across all our pipelines, the best thing to do is create an Azure DevOps variable group. With this, we can define the variable group once and then reuse it in different pipelines across our project. Here you have instructions on how to do it: https://docs.microsoft.com/en-us/azure/devops/pipelines/library/variable-groups

 

We have called our variable group "Az connection settings"; this is important because we will reference this name in our pipelines. Mark any value that is a credential (for example an API key for a connector) as secret with the lock icon, or link the group to an Azure Key Vault: secret variables are masked in the pipeline logs and are not exposed to scripts as environment variables unless you map them explicitly, whereas plain variables are printed wherever a task echoes its inputs. Here is a screenshot of the variables that we will need to define:

clipboard_image_1.png

 

Connect your existing code repository with your Az DevOps project

In this article, you can see how to import an existing repo into Az DevOps. It works for Github, Bitbucket, Gitlab, and other locations. See instructions here: https://docs.microsoft.com/en-us/azure/devops/repos/git/import-git-repository?view=azure-devops

 

Create pipelines

There are two ways to create our Azure Pipelines: in classic mode or as YAML files. We are going to create them as YAML files because that way, we can place them into our code repository so they can be easily tracked and reused anywhere. Here you have the basic steps to create a new pipeline: https://docs.microsoft.com/en-us/azure/devops/pipelines/create-first-pipeline?view=azure-devops&tabs=browser%2Ctfs-2018-2

Keep in mind that a YAML pipeline stored in the repository is itself deployment code: whoever can push to the branch it is built from can change what the deploy stage does with the service connection. Protect that branch with required pull-request reviews, and apply the same review discipline to changes under the Pipelines folder as to the analytics rules themselves.

 

In the new pipeline wizard, select Github YAML in the Connect step:

clipboard_image_2.png

Then select your repository and choose Starter pipeline if you want to build your own pipeline, or Existing Azure Pipelines YAML file if you want to use the ones we already have in the repository:

Capture.PNG

We are going to create one CI (build) pipeline for Scripts and several CICD (build+deploy) pipelines (one for each Sentinel component).
Create a CI pipeline for Scripts

We will treat Scripts slightly differently than the rest. This is because it is not a Sentinel component, and the scripts themselves won't get deployed to Azure. We will just use them to deploy other things.

Because of this, the only thing we need to do with scripts is to make sure they are available in the other pipelines to be used as artifacts. To accomplish this, we just need two tasks in our CI pipeline: Copy Files and Publish Pipeline Artifact.

 

Update: we have now added a syntax validator in our pipelines based on the Files Validator task (https://marketplace.visualstudio.com/items?itemName=roshkovski.Files-Validator) available in the Visual Studio marketplace. You will need to install this task if you want to use our templates. Like any marketplace extension, it runs on your build agents with the same access as any other task, so install it consciously; it only checks that files parse, not what they do.

 

Here is an example of the YAML code that will define this pipeline:

```yaml
# Scripts build pipeline
# Copies script files to the agent and publishes an artifact with them

trigger:
  paths:
    include:
      - Scripts/*

pool:
  vmImage: 'windows-2019'   # hosted image names are retired over time; check the current list

steps:
# Stage the scripts so the validator runs against a copy rather than the checkout
- task: CopyFiles@2
  displayName: 'Copy Scripts'
  inputs:
    SourceFolder: Scripts
    TargetFolder: '$(build.artifactstagingdirectory)'
# Fail the build if any .ps1 file does not parse (marketplace task, must be installed in the organization)
- task: Files-Validator@1
  inputs:
    rootDir: '$(build.artifactstagingdirectory)/*.ps1'
    validateXML: false
    validateJSON: false
    validateYAML: false
    validatePS: true
# Publish the scripts as the 'Scripts' artifact that the component pipelines download
- task: PublishPipelineArtifact@1
  displayName: 'Publish Pipeline Artifact'
  inputs:
    targetPath: Scripts
    artifact: Scripts
```

As you can see, we have added three tasks: one to copy the script files, another one that checks the PowerShell syntax, and the last one to publish the pipeline artifact. You can find this pipeline in our Github repo here: https://github.com/javiersoriano/sentinelascode/blob/master/Pipelines/buildScripts.yml

 

Create CICD pipelines for each Sentinel component

With the Scripts now available as an artifact, we can use them in our Sentinel component pipelines. These pipelines will be different from the previous one because we will do CI and CD (build+deploy). We define these in our YAML pipeline file as stages.

 

Here is one sample pipeline for Analytics Rules:

```yaml
# Analytics Rules build and deploy pipeline
# This pipeline publishes the rules file as an artifact and then uses a PowerShell task to deploy

name: build and deploy Alert Rules
resources:
  pipelines:
    # Reference to the Scripts CI pipeline; 'source' must match the name that pipeline has in Azure DevOps
    - pipeline: Scripts
      source: 'scriptsCI'
trigger:
  paths:
    include:
      - AnalyticsRules/*

stages:
- stage: build_alert_rules
  jobs:
    - job: AgentJob
      pool:
        name: Azure Pipelines
        vmImage: 'windows-2019'   # the original used vs2017-win2016, an image that has since been retired
      steps:
        - task: CopyFiles@2
          displayName: 'Copy Alert Rules'
          inputs:
            SourceFolder: AnalyticsRules
            TargetFolder: '$(Pipeline.Workspace)'
        # Only checks that the rules file is well-formed JSON, not that the rules themselves are valid
        - task: Files-Validator@1
          inputs:
            rootDir: '$(Pipeline.Workspace)/*.json'
            validateXML: false
            validateJSON: true
            validateYAML: false
            validatePS: false
        - task: PublishBuildArtifacts@1
          displayName: 'Publish Artifact: RulesFile'
          inputs:
            PathtoPublish: '$(Pipeline.Workspace)'
            ArtifactName: RulesFile

- stage: deploy_alert_rules
  jobs:
    - job: AgentJob
      pool:
        name: Azure Pipelines
        vmImage: 'windows-2019'
      variables:
        - group: Az connection settings   # the variable group created earlier
      steps:
        - download: current               # RulesFile artifact from the build stage above
          artifact: RulesFile
        - download: Scripts               # Scripts artifact from the scriptsCI pipeline resource
          patterns: '*.ps1'
        - task: AzurePowerShell@4
          displayName: 'Create and Update Alert Rules'
          inputs:
            # Name of the service connection you created; replace it with your own Connection name
            azureSubscription: 'Soricloud Visual Studio'
            ScriptPath: '$(Pipeline.Workspace)/Scripts/Scripts/CreateAnalyticsRules.ps1'
            ScriptArguments: '-Workspace $(Workspace) -RulesFile analytics-rules.json'
            azurePowerShellVersion: LatestVersion
            pwsh: true                    # PowerShell Core, required by the AzSentinel module
```

As you can see, we now have two stages: build and deploy. We also had to define resources to reference the artifact that we need from our Scripts build pipeline.

 

The build stage is the same as the one we did for scripts, the only difference being that we validate the syntax of the JSON files (again, using the Files Validator task: https://marketplace.visualstudio.com/items?itemName=roshkovski.Files-Validator).

 

In the deployment stage, we have a couple of new things. First, we are pointing to the variable group that we defined a few minutes ago. For that, we use the variables keyword. Then we need to download the artifacts that we will use in our deployment task. For that, we use the download keyword.

 

As the last step in our CICD pipeline, we will use an Azure PowerShell task where we point to our script and specify any parameters needed. As you can see, we reference the imported variables here. One last peculiarity of this pipeline is that we need to use PowerShell Core (required by AzSentinel), so we need to specify that with pwsh.

 

If everything went correctly, we can run this pipeline now and verify that our Sentinel analytics rules were deployed automatically.
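The Files Validator task only checks that analytics-rules.json parses. As an added example (not part of the sentinelascode repository), the script below is the kind of semantic gate that can run in the build stage, between the syntax check and the artifact publish step, so that a rule the Sentinel API would reject, or one that silently misses events, never reaches the deploy stage. The field names follow the Scheduled-rule layout of the AzSentinel rules file and the two sample rules are constructed for this example; the limits it enforces are Sentinel's constraints for scheduled rules (query frequency between 5 minutes and 14 days, lookback period no longer than 14 days and never shorter than the frequency).

```powershell
# Added example, not part of the sentinelascode repository: semantic checks for the
# Scheduled rules in analytics-rules.json, meant to run after the Files Validator task.
# Field names follow the AzSentinel rules file layout (assumed); the limits are Sentinel's.

function ConvertTo-RuleTimeSpan {
    param([Parameter(Mandatory)][string] $Value)
    # Accept ISO 8601 durations ("PT5M", "P14D") as well as the short "5M" / "6H" / "1D" form.
    if ($Value -match '^P') { return [System.Xml.XmlConvert]::ToTimeSpan($Value) }
    if ($Value -match '^(?<n>\d+)(?<u>[MHD])$') {
        $n = [int] $Matches['n']
        switch ($Matches['u']) {
            'M' { return [TimeSpan]::FromMinutes($n) }
            'H' { return [TimeSpan]::FromHours($n) }
            'D' { return [TimeSpan]::FromDays($n) }
        }
    }
    throw "unrecognised duration '$Value'"
}

function Test-ScheduledRules {
    param([Parameter(Mandatory)][string] $RulesFile)

    $rules    = (Get-Content -Raw -LiteralPath $RulesFile | ConvertFrom-Json).Scheduled
    $findings = [System.Collections.Generic.List[string]]::new()
    $seen     = @{}
    $minFreq  = [TimeSpan]::FromMinutes(5)
    $maxSpan  = [TimeSpan]::FromDays(14)

    foreach ($r in $rules) {
        $name = $r.displayName
        if ([string]::IsNullOrWhiteSpace($name)) { $findings.Add('rule without displayName'); continue }
        if ($seen.ContainsKey($name)) { $findings.Add("${name}: duplicate displayName, the later copy would overwrite the first") }
        $seen[$name] = $true

        if ([string]::IsNullOrWhiteSpace($r.query)) { $findings.Add("${name}: empty query") }
        if ($r.severity -notin 'High', 'Medium', 'Low', 'Informational') {
            $findings.Add("${name}: invalid severity '$($r.severity)'")
        }
        if ($r.triggerOperator -notin 'GreaterThan', 'LessThan', 'Equal', 'NotEqual') {
            $findings.Add("${name}: invalid triggerOperator '$($r.triggerOperator)'")
        }

        try {
            $freq   = ConvertTo-RuleTimeSpan $r.queryFrequency
            $period = ConvertTo-RuleTimeSpan $r.queryPeriod
            if ($freq -lt $minFreq -or $freq -gt $maxSpan) { $findings.Add("${name}: queryFrequency must be between 5 minutes and 14 days") }
            if ($period -gt $maxSpan) { $findings.Add("${name}: queryPeriod must not exceed 14 days") }
            if ($period -lt $freq) { $findings.Add("${name}: queryPeriod is shorter than queryFrequency, so events between two runs are never examined") }
        }
        catch { $findings.Add("${name}: $($_.Exception.Message)") }
    }
    return $findings.ToArray()
}

# Constructed sample input (not a real rules file); the second rule is deliberately broken.
$sample = @'
{
  "Scheduled": [
    {
      "displayName": "Suspicious PowerShell download cradle",
      "severity": "High",
      "enabled": true,
      "query": "SecurityEvent | where EventID == 4688 | where CommandLine has \"DownloadString\"",
      "queryFrequency": "PT1H",
      "queryPeriod": "PT2H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 0
    },
    {
      "displayName": "Suspicious PowerShell download cradle",
      "severity": "Critical",
      "enabled": true,
      "query": "",
      "queryFrequency": "6H",
      "queryPeriod": "5H",
      "triggerOperator": "GreaterThan",
      "triggerThreshold": 0
    }
  ]
}
'@
$rulesFile = Join-Path ([System.IO.Path]::GetTempPath()) 'analytics-rules.sample.json'
Set-Content -LiteralPath $rulesFile -Value $sample

$problems = @(Test-ScheduledRules -RulesFile $rulesFile)
foreach ($p in $problems) { Write-Host "##vso[task.logissue type=error]$p" }   # shows as an error in the pipeline summary
if ($problems.Count -gt 0) { exit 1 }                                          # non-zero exit fails the task
```

To use it in the pipeline, drop the constructed sample, point Test-ScheduledRules at the copied rules file, and run the script from a PowerShell task placed between Files-Validator and PublishBuildArtifacts; the ##vso logging command surfaces each finding in the run summary and the non-zero exit stops the artifact from being published. With the sample as written, the second rule is rejected for its duplicate display name, empty query, unknown severity, and a lookback period shorter than its frequency.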
ticons%2Fsmile_40x40.gif%22%20alt%3D%22%3Asmile%3A%22%20title%3D%22%3Asmile%3A%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EThis%20and%20all%20the%20other%20pipelines%20for%20the%20rest%20of%20the%20components%20are%20in%20our%20repo%20inside%20the%20Pipelines%20folder.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EFor%20Onboarding%2C%20the%20pipeline%20has%20no%20automatic%20triggers%2C%20as%20we%20consider%20that%20this%20would%20be%20executed%20only%20once%20at%20installation%20time.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH2%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332547791%22%20id%3D%22toc-hId-332526712%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22t
oc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474906672%22%20id%3D%22toc-hId--1474927751%22%3E%3CA%20target%3D%22_blank%22%20name%3D%22_Toc31035038%22%3E%3C%2FA%3E%3CSPAN%3EWorking%20with%20multiple%20workspaces%3C%2FSPAN%3E%3C%2FH2%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EWhether%20you%20are%20a%20customer%20with%20an%20Azure%20Sentinel%20environment%20containing%20multiple%20workspaces%20or%20you%E2%80%99re%20a%20partner%20that%20needs%20to%20operate%20several%20customers%2C%20you%20need%20to%20have%20a%20strategy%20to%20manage%20more%20than%20one%20workspace.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAs%20you%20have%20seen%20during%20the%20article%2C%20we%20have%20used%20a%20variable%20group%20to%
20store%20details%20like%20resource%20group%20and%20workspace%20name.%20These%20values%20will%20change%20if%20we%20need%20to%20manage%20multiple%20workspaces%2C%20so%20we%20would%20need%20more%20than%20one%20variable%20group.%20For%20example%2C%20one%20for%20customer%20A%20and%20another%20for%20customer%20B%2C%20or%20one%20for%20Europe%20and%20one%20for%20Asia.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EAfter%20that%E2%80%99s%20done%2C%20we%20can%20choose%20between%20two%20approaches%3A%20%3C%2FSPAN%3E%3C%2FP%3E%0A%3COL%3E%0A%3CLI%3E%3CSPAN%3EAdd%20more%20stages%20to%20your%20current%20pipelines.%20Until%20now%2C%20we%20only%20had%20one%20deploy%20stage%20that%20deployed%20to%20our%20only%20Sentinel%20environment%2C%20but%20now%20we%20can%20add%20additional%20stages%20(with%20the%20same%20steps%20and%20tasks)%20that%20deploy%20to%20other%20resource%20groups%20and%20workspaces.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3CLI%3E%3CSPAN%3ECreate%20new%20pipelines.%20We%20can%20just%20clone%20our%20existing%20pipelines%20and%20just%20modify%20the%20variable%20group%20to%20point%20to%20a%20different%20target%20environment.%3C%2FSPAN%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3CH2%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%3D%22toc-hId-1012606161%22%20id%
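The following Azure Pipelines definition is an added example written for this article; it is not a pipeline from the original post or from the Sentinel as Code repository. It shows the three pieces described above for the analytics rules pipeline (the variables keyword pulling in a variable group, the download keyword fetching the build artifact, and the Azure PowerShell task running with pwsh) and then applies approach 1 from the list: a second deploy stage with the same steps but a different variable group. The variable group names (Sentinel-CustomerA, Sentinel-CustomerB), the variables they hold (ResourceGroup, Workspace), the service connection names (CustomerA-SPN, CustomerB-SPN), the script path and its -ResourceGroup/-Workspace/-RulesFile parameters, and the Files-Validator input names are all assumptions for the example, not values taken from the post.

```yaml
# Added example, not a pipeline from the original post or the Sentinel as Code repo.
# Validates the analytics-rule JSON once, publishes it as an artifact, then deploys the
# same artifact to two workspaces. Every stage after Build is approach 1 from the text:
# identical steps, a different variable group.
#
# Assumptions (names not taken from the post):
#   - variable groups Sentinel-CustomerA / Sentinel-CustomerB define ResourceGroup and Workspace
#   - service connections CustomerA-SPN / CustomerB-SPN, one service principal per customer,
#     so a run that deploys to A never holds credentials for B
#   - Scripts/CreateAnalyticsRules.ps1 accepts -ResourceGroup, -Workspace and -RulesFile
#   - the Files-Validator inputs follow the task's own documentation

trigger:
  branches:
    include:
      - master
  paths:
    include:
      - AnalyticsRules/*
# The onboarding pipeline, which runs once, would instead declare `trigger: none`.

stages:
  - stage: Build
    displayName: Validate and package analytics rules
    jobs:
      - job: Validate
        pool:
          vmImage: ubuntu-latest
        steps:
          - task: Files-Validator@1
            displayName: Reject malformed JSON before anything reaches a workspace
            inputs:
              rootDir: '$(Build.SourcesDirectory)/AnalyticsRules/*.json'
              validateXml: false
              validateJson: true
              validateYaml: false
              validatePs: false
          - task: CopyFiles@2
            inputs:
              SourceFolder: '$(Build.SourcesDirectory)'
              Contents: |
                AnalyticsRules/**
                Scripts/**
              TargetFolder: '$(Build.ArtifactStagingDirectory)'
          - publish: '$(Build.ArtifactStagingDirectory)'
            artifact: SentinelRules

  - stage: DeployCustomerA
    displayName: Deploy to customer A
    dependsOn: Build
    variables:
      - group: Sentinel-CustomerA     # supplies $(ResourceGroup) and $(Workspace)
    jobs:
      - job: Deploy
        pool:
          vmImage: ubuntu-latest
        steps:
          - download: current          # fetches the artifact published by Build
            artifact: SentinelRules
          - task: AzurePowerShell@4
            displayName: Import analytics rules with AzSentinel
            inputs:
              azureSubscription: CustomerA-SPN
              ScriptType: FilePath
              ScriptPath: '$(Pipeline.Workspace)/SentinelRules/Scripts/CreateAnalyticsRules.ps1'
              ScriptArguments: >-
                -ResourceGroup $(ResourceGroup)
                -Workspace $(Workspace)
                -RulesFile $(Pipeline.Workspace)/SentinelRules/AnalyticsRules/analytics-rules.json
              azurePowerShellVersion: LatestVersion
              pwsh: true               # AzSentinel requires PowerShell Core

  # Same steps, different variable group and service connection. Both deploy stages depend
  # only on Build, so a failed deployment to A does not block B.
  - stage: DeployCustomerB
    displayName: Deploy to customer B
    dependsOn: Build
    variables:
      - group: Sentinel-CustomerB
    jobs:
      - job: Deploy
        pool:
          vmImage: ubuntu-latest
        steps:
          - download: current
            artifact: SentinelRules
          - task: AzurePowerShell@4
            inputs:
              azureSubscription: CustomerB-SPN
              ScriptType: FilePath
              ScriptPath: '$(Pipeline.Workspace)/SentinelRules/Scripts/CreateAnalyticsRules.ps1'
              ScriptArguments: >-
                -ResourceGroup $(ResourceGroup)
                -Workspace $(Workspace)
                -RulesFile $(Pipeline.Workspace)/SentinelRules/AnalyticsRules/analytics-rules.json
              azurePowerShellVersion: LatestVersion
              pwsh: true
```

Two details matter operationally. The variable group only carries identifiers (resource group and workspace name); the credential that can actually write to a workspace lives in the service connection, and giving each target its own service connection keeps a service principal scoped to one customer's subscription. And because the JSON is validated once in Build and the same published artifact is downloaded by every deploy stage, what reaches customer B is byte-for-byte what was tested, not a fresh checkout.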
In Summary

We have shown you how to describe your Azure Sentinel deployment using code and then use a DevOps tool to deploy that code into your Azure environment.

Do you want to learn how to deploy and operate Azure Sentinel as code? In this post we explain the end-to-end process and also provide you with a working prototype for you to reuse and extend.

Labels: Azure Sentinel, Security

Re: Deploying and Managing Azure Sentinel as Code

Question:

I'm currently using Import-AzSentinelAlertRule to import JSON-formatted rules to Sentinel.

Is there an easy way to convert these .yaml rules in GitHub to the JSON format that works with Import-AzSentinel?

Thanks in advance.

Re: Deploying and Managing Azure Sentinel as Code

Hi @bobsyouruncle, you don't need to convert the YAML files into JSON format; Import-AzSentinelAlertRule also supports YAML files.

    Import-AzSentinelAlertRule -WorkspaceName "" -SettingsFile ".\examples\SuspectApplicationConsent.yaml"

In this example all the rules configured in the YAML file will be created or updated.

I also have an example file available on the repo: https://github.com/wortell/AZSentinel/blob/master/examples/AlertRules.yaml

Re: Deploying and Managing Azure Sentinel as Code

Hi @Pouyan Khabazi, thanks for your reply!

Can you tell me the difference between your yaml and that from here:
https://github.com/Azure/Azure-Sentinel/tree/master/Detections

Yours works and the detections above don't.

I'd like to use community rules rather than reinvent the wheel.

Re: Deploying and Managing Azure Sentinel as Code

And just an FYI, your example yaml points to a "Playbook01" which of course I don't have, so I get an error.

    Import-AzSentinelAlertRule -WorkspaceName "xxxx" -SettingsFile test.yaml
    WARNING: Unable to find LogicApp Playbook01 under Subscription Id: xxxxx

Re: Deploying and Managing Azure Sentinel as Code

Hi @bobsyouruncle, Playbook01 is just a placeholder; if you don't want to attach a playbook to the alert, just leave it empty and it should work.

Indeed, the format of the detections posted in the official repo is not the same as the one used by AzSentinel. You will need to do some reformatting.

Regards

Re: Deploying and Managing Azure Sentinel as Code

@Javier Soriano and @bobsyouruncle, there are indeed some differences in the layout:

1. The example yaml shows how you can configure multiple rules in one YAML file (not required).
2. The example contains some additional fields like playbookName (not required).
3. The example file misses some fields, but these fields are not processed by the import function, so they are not required. I will update the example files.

I just tested the import function with a YAML from the Azure Sentinel repo (https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml) without any errors. Can you please share the rule that you are trying to import or the error message?

Re: Deploying and Managing Azure Sentinel as Code

Hi @Pouyan Khabazi,

It doesn't seem to matter which yaml I pick, I get the same error.

I just tried the one you used and I get the exact same error:

    Import-AzSentinelAlertRule -SettingsFile ./Creating_Anomalous_Number_Of_Resources_detection.yaml -ver -deb
    (entered workspace name...)

    VERBOSE: Found compatibel yaml file Import-AzSentinelAlertRule: Cannot validate argument on parameter 'RuleName'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.

Some notes:
- I'm using PowerShell on a Mac
- I've run Update-Module
- I get the same error for all rules: Cannot validate argument on parameter 'RuleName'.

Re: Deploying and Managing Azure Sentinel as Code

Hi @bobsyouruncle, can you create an issue on the GitHub project (https://github.com/wortell/AZSentinel/issues) so that we can investigate this issue?

Re: Deploying and Managing Azure Sentinel as Code

Hi @bobsyouruncle, in the yaml file you are trying to import, change name to displayname.

For more info on this see the Scheduled property values table at the link below:
https://github.com/wortell/AZSentinel

Re: Deploying and Managing Azure Sentinel as Code

@Pouyan Khabazi, I was writing up the GitHub issue and magically everything is working perfectly today. So clearly I'm crazy.

I apologize for wasting your time.

Question: Is the .yaml format preferred over JSON, since that's what Azure/Azure-Sentinel is using?
If so, I'll just convert my JSON rules to yaml and focus on that syntax.

Thanks

Re: Deploying and Managing Azure Sentinel as Code

Hi Javier,
I am getting an error while trying to deploy Azure Active Directory through the pipeline:

    "unable to invoke webrequest with error message: The client 'e69a0424-****-****-****-**********'
    with object id '***' does not have authorization to perform action"

I also saw this in the PowerShell script:

    # Azure Active Directory Audit/SignIn logs - requires special call and is therefore not connectors file
    # Be aware that you executing SPN needs Owner rights on tenant scope for this operation, can be added with following CLI

My question is, where do I enter this command?

    # az role assignment create --role Owner --scope "/" --assignee {13ece749-d0a0-46cf-8000-b2552b520631}

I also have Security Admin access at work.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi @Bsal00, enter that command from the Azure CLI when logged in to your Azure AD tenant with a global admin. The GUID after --assignee is the service principal ID.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi Javier, thanks for the reply.
Do I enter the ID that I get from the error or the one that is in the script?

I am also getting this error while trying to deploy the Office 365 connector:

    ##[debug]Microsoft.PowerShell.Commands.WriteErrorException: Unable to invoke webrequest with error message: Unable to enable data connector Office365 with error: {"error":{"code":"Unauthorized","message":"Access denied"}}

    ##[error]Unable to invoke webrequest with error message: Unable to enable data connector Office365 with error: {"error":{"code":"Unauthorized","message":"Access denied"}}

Re: Deploying and Managing Azure Sentinel as Code

I would love to contribute to the repo when I get all the issues ironed out.

Re: Deploying and Managing Azure Sentinel as Code

The base URI should be fine, you don't need to change that. You need to grant the service principal permissions to perform the task at hand. Look at this screenshot:

[screenshot: 2021-02-26_15-39-13.png]

You access this screen from Azure AD -> Roles and administrators. Then select the role (Security Admin or Global Admin), click Add assignments and select the service principal that needs to have the required permissions.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Just to be clear, I am able to deploy the connectors from the Sentinel as Code repo connector.ps1. The issues started when I switched to the Sentinel All-in-One connector.ps1 file.

My Add assignment is greyed out:

[screenshot: Bsal00_0-1614352622606.png]

The Azure role assignment is Contributor, could that be the issue?

Re: Deploying and Managing Azure Sentinel as Code

I was able to deploy the Office 365 connector through this link. I am assuming it works the same way as deploying through the pipeline?
https://docs.microsoft.com/en-us/rest/api/securityinsights/dataconnectors/createorupdate

Right now Office365 is giving me unauthorized as an error.

Re: Deploying and Managing Azure Sentinel as Code

The issue is that you don't have permissions to grant the service principal the appropriate role. In this case it is not about your current Azure role, it is about your Azure AD role. Even if you are a Security Administrator in your Azure AD, that doesn't give you enough privileges to grant the service principal the required role.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hi Javier,
I was able to deploy Azure Security Center, so it is definitely my permissions. Office 365 and Azure AD throw the authorization errors; what would I need to be able to grant access to the service principal?

Re: Deploying and Managing Azure Sentinel as Code

Hi @Bsal00, I think you need to be either Global Admin or Privileged Role Administrator to be able to grant that role to the service principal.

Regards

Re: Deploying and Managing Azure Sentinel as Code

Hello @Javier Soriano, thank you very much for this detailed and informative blog post. I've managed to get very close to my end goal of managing Sentinel through code with it.

I have a question, and I'm not sure how to proceed further until I get an answer for it.

We already set up Azure Sentinel about 1 year ago, but the changes/customizations have been done through the UI. Now I'd like to migrate those changes into the repository we use for this purpose. I would like to "export" the rules/connectors/playbooks we're using in Sentinel, and I've moved forward with this by using the Az.SecurityInsights module (https://docs.microsoft.com/en-us/powershell/module/az.securityinsights/get-azsentinelalertrule?view=azps-5.6.0). I've managed to get a JSON of all Analytics rules, but I noticed that the format is a little bit different from the one in your examples. I've attached a redacted sample below from the output of running Get-AzSentinelAlertRule:

    {
    "AlertRuleTemplateName": "aa1eff90-29d4-49dc-a3ea-b65199f516db",
    "DisplayName": "New user created and added to the built-in administrators group",
    "Description": "Identifies when a user account was created and then added to the builtin Administrators group in the same day.\nThis should be monitored closely and all additions reviewed.",
    "Enabled": true,
    "LastModifiedUtc": "2020-02-28T16:32:50.2423224Z",
    "Query": "let timeframe = 1d;\nSecurityEvent\n| where TimeGenerated > ago(timeframe) \n| where EventID == 4720\n| where AccountType == \"User\"\n| project CreatedUserTime = TimeGenerated, CreatedUserEventID = EventID, CreatedUserActivity = Activity, Computer = toupper(Computer),
PAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3ECreatedUser%20%3D%20tolower(TargetUserName)%2C%20Domain%20%3D%20toupper(TargetDomainName)%2C%20CreatedUserSid%20%3D%20TargetSid%2C%20AccountUsedToCreateUser%20%3D%20SubjectUserName%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7Cjoin%20(%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3ESecurityEvent%20%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7C%20where%20TimeGenerated%20%26gt%3B%20ago(timeframe)%20%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7C%20where%20AccountType%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%5C%22%3C%2FSPAN%3E%3CSPAN%3EUser%3C%2FSPAN%3E%3CSPAN%3E%5C%22%5Cn%3C%2FSPAN%3E%3CSPAN%3E%2F%2F%204732%20-%20A%20member%20was%20added%20to%20a%20security-enabled%20local%20group%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7C%20where%20EventID%20%3D%3D%204732%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%2F%2FTargetSid%20is%20the%20builin%20Admins%20group%3A%20S-1-5-32-544%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7C%20where%20TargetSid%20%3D%3D%20%3C%2FSPAN%3E%3CSPAN%3E%5C%22%3C%2FSPAN%3E%3CSPAN%3ES-1-5-32-544%3C%2FSPAN%3E%3CSPAN%3E%5C%22%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7C%20project%20GroupAddTime%20%3D%20TimeGenerated%2C%20GroupAddEventID%20%3D%20EventID%2C%20GroupAddActivity%20%3D%20Activity%2C%20Computer%20%3D%20toupper(Computer)%2C%20GroupName%20%3D%20TargetUserName%2C%20%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3EDomain%20%3D%20toupper(TargetDomainName)%2C%20GroupSid%20%3D%20TargetSid%2C%20UserAdded%20%3D%20SubjectUserName%2C%20UserAddedSid%20%3D%20SubjectUserSid%2C%20CreatedUser%20%3D%20tolower(SubjectUserName)%2C%20%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3ECreatedUserSid%20%3D%20MemberSid%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E)%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3Eon%20CreatedUserSid%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%2F%2FCreate%20User%20first%2C%20then%20the%20add%20to%20the%20group.%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7C%20project%
20Computer%2C%20CreatedUserTime%2C%20CreatedUserEventID%2C%20CreatedUserActivity%2C%20CreatedUser%2C%20CreatedUserSid%2C%20Domain%2C%20GroupAddTime%2C%20GroupAddEventID%2C%20%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3EGroupAddActivity%2C%20AccountUsedToCreateUser%2C%20GroupName%2C%20GroupSid%2C%20UserAdded%2C%20UserAddedSid%20%3C%2FSPAN%3E%3CSPAN%3E%5Cn%3C%2FSPAN%3E%3CSPAN%3E%7C%20extend%20timestamp%20%3D%20CreatedUserTime%2C%20AccountCustomEntity%20%3D%20CreatedUser%2C%20HostCustomEntity%20%3D%20Computer%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22QueryFrequency%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Ticks%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E864000000000%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Days%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Hours%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Milliseconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Minutes%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Seconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalDays%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E1.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalHours%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E24.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalMilliseconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E86400000.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalMinutes%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2F
SPAN%3E%3CSPAN%3E1440.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalSeconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E86400.0%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22QueryPeriod%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Ticks%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E864000000000%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Days%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E1%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Hours%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Milliseconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Minutes%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Seconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalDays%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E1.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalHours%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E24.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalMilliseconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E86400000.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalMinutes%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E1440.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalSeconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E86400.0%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Severity%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%
3E%22Low%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22SuppressionDuration%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%7B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Ticks%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E180000000000%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Days%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Hours%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E5%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Milliseconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Minutes%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Seconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalDays%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0.20833333333333334%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalHours%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E5.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalMilliseconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E18000000.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalMinutes%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E300.0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TotalSeconds%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E18000.0%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22SuppressionEnabled%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3Efalse%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TriggerOperator%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%
22GreaterThan%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22TriggerThreshold%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E0%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Tactics%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%5B%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Persistence%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22PrivilegeEscalation%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%5D%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Id%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22%2Fsubscriptions%2F*REDACTED*%2FresourceGroups%2F*REDACTED*%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2Fbv-sentinel%2Fproviders%2FMicrosoft.SecurityInsights%2FalertRules%2F362b5df5-c89a-4e9e-bcb5-9c663970f909%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Name%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22*REDACTED*-9c663970f909%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Type%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22Microsoft.SecurityInsights%2FalertRules%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Etag%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22%3C%2FSPAN%3E%3CSPAN%3E%5C%22%3C%2FSPAN%3E%3CSPAN%3E*REDACTED*%3C%2FSPAN%3E%3CSPAN%3E%5C%22%3C%2FSPAN%3E%3CSPAN%3E%22%3C%2FSPAN%3E%3CSPAN%3E%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%22Kind%22%3C%2FSPAN%3E%3CSPAN%3E%3A%20%3C%2FSPAN%3E%3CSPAN%3E%22Scheduled%22%3C%2FSPAN%3E%3C%2FDIV%3E%3CDIV%3E%3CSPAN%3E%7D%2C%3CBR%20%2F%3E%3CBR%20%2F%3EI%20am%20not%20very%20sure%20on%20the%20behaviour%20of%20running%20the%20deploy%20-%20I%20wouldn't%20want%20to%20mess%20with%20the%20current%20configurations%2C%20as%20we%20don't%20have%20versioning%20for%20them.%20My%20end%20goal%20is%20to%20%22export%22%20the%20current%20configuration%20we%20have%20in%20Sentinel%20and%20to%20apply%20it%20in%20code%2C%20and%20once%20
we%20have%20this%20deployment%20method%20working%2C%20we%20would%20configure%20Sentinel%20UI%20to%20be%20read-only%20for%20analytic%20rules%2Fconnectors%2Fetc.%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EPlease%20let%20me%20know%20if%20I'm%20taking%20the%20wrong%20approach.%3CBR%20%2F%3E%3CBR%20%2F%3EThank%20you%2C%3C%2FSPAN%3E%3C%2FDIV%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2193196%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193196%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F990412%22%20target%3D%22_blank%22%3E%40alexandrubagi%3C%2FA%3E%26nbsp%3B%2C%20you%20can%20find%20sample%20scripts%20on%20how%20to%20export%20and%20import%20analytics%20rules%20with%20the%20new%20Powershell%20module%20in%20this%20link%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2FAzure%2FAzure-Sentinel%2Ftree%2Fmaster%2FTools%2FAz.SecurityInsights-Samples%2FAlert%2520Rules%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAzure-Sentinel%2FTools%2FAz.SecurityInsights-Samples%2FAlert%20Rules%20at%20master%20%C2%B7%20Azure%2FAzure-Sentinel%20(github.com)%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20should%20meet%20your%20needs.%20Let%20me%20know%20otherwise.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2193389%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193389%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Javier%2C%3C%2FP%3E%3CP%3ECan%20some%20one%20with%20global%20admin%20grant%20access%20to%20the%20service%20principal%20while%20i%20am%20the%20one%20who%20run%20the%20scripts%20through%20the%20pipeline%20or%20the%20person%20who%20grants%20access%20has%20to%20do%20it%3
F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2193465%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2193465%22%20slang%3D%22en-US%22%3E%3CP%3EYes%2C%20that%20should%20work%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F781391%22%20target%3D%22_blank%22%3E%40Bsal00%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2207845%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2207845%22%20slang%3D%22en-US%22%3E%3CP%3EIs%20Microsoft's%20Azure%20Sentinel%20Powershell%20module%20an%20alternative%20to%20Wortell's%3F%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fnew-year-new-official-azure-sentinel-powershell-module%2Fba-p%2F2025041%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fazure-sentinel%2Fnew-year-new-official-azure-sentinel-powershell-module%2Fba-p%2F2025041%3C%2FA%3E%3C%2FP%3E%3CP%3Eeg%3A%3C%2FP%3E%3CPRE%3E%3CSTRONG%3EInstall-Module%20-Name%20Az.SecurityInsights%26nbsp%3B-AllowClobber%3C%2FSTRONG%3E%3C%2FPRE%3E%3CP%3Evs%3A%3C%2FP%3E%3CPRE%3E%3CSPAN%20class%3D%22pl-c1%22%3EInstall-Module%3C%2FSPAN%3E%20AzSentinel%20%3CSPAN%20class%3D%22pl-k%22%3E-%3C%2FSPAN%3EScope%20CurrentUser%20%3CSPAN%20class%3D%22pl-k%22%3E-%3C%2FSPAN%3EForce%3C%2FPRE%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Faz.securityinsights%2Fnew-azsentinelincident%3Fview%3Dazps-5.6.0%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fpowershell%2Fmodule%2Faz.securityinsights%2Fnew-azsentinelincident%3Fview%3Dazps-5.6.0%3C%2FA%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%22%20target%3D%22_bla
nk%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fgithub.com%2Fwortell%2FAZSentinel%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2210473%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2210473%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F434938%22%20target%3D%22_blank%22%3E%40bobsyouruncle%3C%2FA%3E%26nbsp%3B%2C%20sure%2C%20Az.SecurityInsights%20is%20an%20alternative%20to%20using%20Wortell's%20PS%20module%2C%20I%20just%20haven't%20had%20the%20time%20to%20re-implement%20with%20this%20new%20module.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWe%20also%20have%20now%20support%20for%20ARM%20templates%20across%20the%20product%20(data%20connectors%2C%20analytics%20rules%2C%20etc.)%2C%20so%20this%20could%20also%20be%20an%20alternative.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2167735%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2167735%22%20slang%3D%22en-US%22%3E%3CP%3EGuess%20i%20should%20have%20clarified%2C%20i%20am%20able%20to%20use%20the%20sentinel%20as%20code%20repo%20and%20deploy%20everything%20there%20except%20the%20azure%20AD%20which%20i%20will%20be%20correcting%20with%20the%20CLI%20command%2C%20i%20am%20trying%20to%20integrate%20the%20sentinel%20all%20in%20one%20office%20365%20connector%20section%20into%20the%20sentinel%20as%20code%20ps1%20and%20that%20is%20where%20i%20am%20getting%20this%20error.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2276925%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2276925%22%20slang%3D%22
en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F66621%22%20target%3D%22_blank%22%3E%40Javier%20Soriano%3C%2FA%3E%26nbsp%3Bgiven%20that%20this%20article%20is%20over%201%20year%20old%2C%20and%20that%20there%20have%20been%20numerous%20changes%20since%20then%2C%20how%20much%20of%20this%20approach%20has%20been%20superseded%3F%20Could%20you%20please%20add%20some%20notes%20in%20the%20appropriate%20places%20to%20identify%20the%20techniques%20that%20may%20be%20easier%20with%20newer%20apis%2Fmodules%2C%20etc.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2168432%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2168432%22%20slang%3D%22en-US%22%3E%3CP%3EHI%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F781391%22%20target%3D%22_blank%22%3E%40Bsal00%3C%2FA%3E%26nbsp%3B%2C%20did%20you%20grant%20the%20appropriate%20permissions%20to%20your%20service%20principal%20to%20enable%20the%20Office365%20data%20connector%3F%20Remember%20that%20it%20needs%20to%20have%20Security%20Admin%20or%20Global%20Admin%20permissions%20at%20the%20Azure%20AD%20level.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIf%20you%20get%20it%20working%2C%20I'd%20love%20if%20you%20contribute%20to%20the%20repo!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThanks%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2168919%22%20slang%3D%22en-US%22%3ERe%3A%20Deploying%20and%20Managing%20Azure%20Sentinel%20as%20Code%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2168919%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Javier%2C%3C%2FP%3E%3CP%3EI%20have%20security%20admin%20access%20at%20work.%20Where%20would%20you%20grant%20the%20permission%20in%20your%20all%20in%20one%20sentinell%20ps1%20script%3F%20would%20it%20be%20the%20baseuri%3F%3C%2FP%3E%3CP%3Ei%20tried%20modifying
%20the%20base%20uri%20and%20each%20time%20i%20would%20get%20a%20different%20error.%3C%2FP%3E%3CP%3Ewhen%20using%20baseuri%20as%20shown%20below%2C%20i%20would%20get%20the%20missing%20subscription%20error%3C%2FP%3E%3CP%3Ewhen%20using%20baseuri%20in%20the%20form%20of%20baseuri1%2C%20i%20would%20get%20the%20authorization%20error.%20i%20have%20also%20included%20a%20screen%20capture%20of%20the%20pipeline%20while%20deploying%20the%20connector.%3C%2FP%3E%3CP%3E%3CSPAN%3E%24baseUri%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%3D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22%3CA%20href%3D%22https%3A%2F%2Fmanagement.azure.com%2Fsubscriptions%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fmanagement.azure.com%2Fsubscriptions%2F%3C%2FA%3E%3C%2FSPAN%3E%3CSPAN%3E%24%3C%2FSPAN%3E%3CSPAN%3E%7BSubscriptionId%7D%2FresourceGroups%2F%3C%2FSPAN%3E%3CSPAN%3E%24%3C%2FSPAN%3E%3CSPAN%3E%7BResourceGroup%7D%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2F%3C%2FSPAN%3E%3CSPAN%3E%24%3C%2FSPAN%3E%3CSPAN%3E%7BWorkspace%7D%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%24baseUri1%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%3D%3C%2FSPAN%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3E%22%2Fsubscriptions%2F%3C%2FSPAN%3E%3CSPAN%3E%24%3C%2FSPAN%3E%3CSPAN%3E%7BSubscriptionId%7D%2FresourceGroups%2F%3C%2FSPAN%3E%3CSPAN%3E%24%3C%2FSPAN%3E%3CSPAN%3E%7BResourceGroup%7D%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2F%3C%2FSPAN%3E%3CSPAN%3E%24%3C%2FSPAN%3E%3CSPAN%3E%7BWorkspace%7D%22%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Bsal00_0-1614348845517.png%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F258350i8C4E272A7349A094%2F
image-size%2Fmedium%3Fv%3Dv2%26amp%3Bpx%3D400%22%20role%3D%22button%22%20title%3D%22Bsal00_0-1614348845517.png%22%20alt%3D%22Bsal00_0-1614348845517.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CDIV%20class%3D%22mceNonEditable%20lia-copypaste-placeholder%22%3E%26nbsp%3B%3C%2FDIV%3E%3C%2FLINGO-BODY%3E
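The export question earlier in this thread shows that Get-AzSentinelAlertRule returns .NET objects (TimeSpans for QueryFrequency/QueryPeriod/SuppressionDuration, plus read-only Id/Name/Type/Etag/LastModifiedUtc), not the deployable JSON the blog's examples use. As an added example that is not the blog's or the Azure-Sentinel repo's own code, the PowerShell below converts such objects into per-rule JSON carrying only the deployable alertRules properties; the function names, the output layout and the constructed sample object are this example's own assumptions.

```powershell
# Added example: export Get-AzSentinelAlertRule output as deployable rule JSON.
# Requires the Az.SecurityInsights module and a Connect-AzAccount session for
# the live export; the constructed sample at the bottom runs offline.

function ConvertTo-SentinelRuleDefinition {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Rule)
    process {
        # TimeSpan -> ISO 8601 duration (1 day -> P1D, 5 hours -> PT5H), the
        # string form the Microsoft.SecurityInsights/alertRules resource expects.
        $asDuration = { param($ts) [System.Xml.XmlConvert]::ToString([TimeSpan]$ts) }

        # Only settings that can be deployed are emitted; Id, Name, Type, Etag
        # and LastModifiedUtc are server-owned and intentionally dropped.
        [ordered]@{
            kind       = $Rule.Kind
            properties = [ordered]@{
                displayName           = $Rule.DisplayName
                description           = $Rule.Description
                enabled               = [bool]$Rule.Enabled
                severity              = $Rule.Severity
                query                 = $Rule.Query
                queryFrequency        = & $asDuration $Rule.QueryFrequency
                queryPeriod           = & $asDuration $Rule.QueryPeriod
                triggerOperator       = $Rule.TriggerOperator
                triggerThreshold      = [int]$Rule.TriggerThreshold
                suppressionEnabled    = [bool]$Rule.SuppressionEnabled
                suppressionDuration   = & $asDuration $Rule.SuppressionDuration
                tactics               = @($Rule.Tactics)
                alertRuleTemplateName = $Rule.AlertRuleTemplateName
            }
        }
    }
}

function Export-SentinelScheduledRules {
    # Read-only against the workspace: nothing in the live configuration is changed.
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string] $OutputFolder
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
        Where-Object Kind -eq 'Scheduled' |
        ForEach-Object {
            # $_.Name is the rule GUID, so re-running overwrites each file in place
            # and git shows exactly which rules changed in the portal.
            $path = Join-Path $OutputFolder "$($_.Name).json"
            ConvertTo-SentinelRuleDefinition -Rule $_ |
                ConvertTo-Json -Depth 10 |
                Set-Content -Path $path -Encoding utf8
            $path
        }
}

# Constructed sample shaped like the Get-AzSentinelAlertRule object quoted in the
# thread (values are illustrative, not a real workspace's).
$sample = [PSCustomObject]@{
    Kind = 'Scheduled'; Enabled = $true; Severity = 'Low'
    DisplayName = 'New user created and added to the built-in administrators group'
    Description = 'constructed sample'; Query = 'SecurityEvent | where EventID == 4720'
    QueryFrequency = [TimeSpan]::FromDays(1); QueryPeriod = [TimeSpan]::FromDays(1)
    TriggerOperator = 'GreaterThan'; TriggerThreshold = 0
    SuppressionEnabled = $false; SuppressionDuration = [TimeSpan]::FromHours(5)
    Tactics = @('Persistence', 'PrivilegeEscalation')
    AlertRuleTemplateName = 'aa1eff90-29d4-49dc-a3ea-b65199f516db'
    Id = '/subscriptions/PLACEHOLDER/.../alertRules/PLACEHOLDER'; Name = 'PLACEHOLDER'
    Etag = '"PLACEHOLDER"'; LastModifiedUtc = '2020-02-28T16:32:50Z'
}
ConvertTo-SentinelRuleDefinition -Rule $sample | ConvertTo-Json -Depth 5
```

Review the generated files before deploying them: a rule that was tuned in the portal after its template was installed now lives only in the exported JSON, so the first deployment from the repo is the moment the portal state and the code state are reconciled.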
Version history
Last update: Dec 29 2020 03:10 AM