Oct 02 2024 01:14 AM - edited Oct 02 2024 02:34 AM
Greetings,
I have a Central workspace manager Sentinel (no data is ingested). However we have some Sentinel workspaces that have data connectors and data being ingested and are monitored by a SOC.
We would like to be able to save analytics to this central workspace and deploy the analytics to the child workspaces. However we cannot save the rule in the central workspace as the table does not exist.
For example I have an Okta analytic in a child workspace, where the query will query the Okta_CL table and some of the fields. I have exported it from the child and wish to import to the parent workspace so I can distribute to other children using Workspace manager. However I get an error because the Okta_CL table does not exist and does not have the fields.
Does anyone have any ideas of how we can work around this to "force" the analytic to be present in the parent tenant? The children tenant CANNOT be linked in workspace manager.
EDIT - Example error below.
Status Message: Error in EntityMappings: The given column 'column_name' does not exist. (Code:BadRequest)
Regards