Azure / Azure-Sentinel

Cloud-native SIEM for intelligent security analytics for your entire enterprise.
https://azure.microsoft.com/en-us/services/azure-sentinel/
MIT License

Need Help Correcting KQL Validation errors in Solution #11460

Closed daviditkin closed 4 days ago

daviditkin commented 5 days ago

In https://github.com/Azure/Azure-Sentinel/pull/11445 I see many KQL validation errors.

For example in the logs I'm seeing:

Kqlvalidations.Tests.KqlValidationTests.Validate_DetectionQueries_HaveValidKql(fileName: "BloodHoundEnterpriseExposure.yaml", encodedFilePath: "L2hvbWUvdnN0cy93b3JrLzEvcy9Tb2x1dGlvbnMvQmxvb2RIb3"...)

Template Id: b1f6aed2-ebb9-4fe4-bd7c-6657d02a0cc8 is not valid in Line: 1 col: 1
                    Errors: The name 'BloodHoundLogs_CL' does not refer to any known table, tabular variable or function., Code: 'KS204', Severity: 'Error', Location: '0..17'
Expected: True
Actual:   False

There are many more issues, but I am starting here. Thanks.
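Added example, not part of the issue thread or of the repository's own test suite: a simplified stand-in in Python for the check behind the KS204 error quoted above. It shows why a detection whose source is a custom table the validator has never heard of fails with "does not refer to any known table", and that declaring the table's schema to the validator clears the error (while still catching columns the query uses but the declaration lacks). The JSON layout of the declaration (a Name plus a Properties list of Name/Type pairs) is assumed from the custom-table declarations kept under the repository's KQL validation tests folder; the BloodHoundLogs_CL column names and the subset of built-in tables are constructed for the example, and the table-reference extraction is a regex heuristic, not the Kusto language service the real tests run.

```python
"""Stand-in for the unknown-table (KS204) check that a Sentinel detection
query must pass. Example code; not the Azure-Sentinel KqlValidations tests."""
import json
import re
from typing import Dict, List, Set

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"

# Constructed subset of built-in Log Analytics tables and a few columns each;
# the real validator loads the full workspace schema.
BUILTIN_TABLES: Dict[str, Set[str]] = {
    "SecurityEvent": {"TimeGenerated", "EventID", "Account", "Computer"},
    "SigninLogs": {"TimeGenerated", "UserPrincipalName", "ResultType"},
}

# Assumed declaration layout (Name + Properties of Name/Type), modelled on the
# custom-table JSON files in the repo's KQL validation tests. The column names
# are made up for this example, not BloodHound's real schema.
BLOODHOUND_TABLE_JSON = """{
  "Name": "BloodHoundLogs_CL",
  "Properties": [
    {"Name": "TimeGenerated", "Type": "DateTime"},
    {"Name": "domain_name_s", "Type": "String"},
    {"Name": "exposure_index_d", "Type": "Real"}
  ]
}"""

# Constructed detection query; its first token is the table named in the error.
DETECTION_QUERY = """BloodHoundLogs_CL
| where TimeGenerated > ago(1d)
| where exposure_index_d > 80
| project TimeGenerated, domain_name_s, exposure_index_d
"""

UNION_RE = re.compile(rf"\bunion\s+(?:\w+=\w+\s+)*({IDENT}(?:\s*,\s*{IDENT})*)")
JOIN_RE = re.compile(rf"\bjoin\b[^(]*\(\s*({IDENT})")
PROJECT_RE = re.compile(r"\|\s*project\s+([^|\n]+)")


def referenced_tables(query: str) -> List[str]:
    """Heuristically collect the tables a query reads: its leading source
    token, `union` operands and the right-hand side of `join (...)`.
    Not a KQL parser; `let`-bound tabular variables are not tracked."""
    refs: List[str] = []
    lead = re.match(rf"\s*({IDENT})", query)
    if lead and lead.group(1) not in {"let", "union"}:
        refs.append(lead.group(1))
    for group in UNION_RE.findall(query):
        refs.extend(name.strip() for name in group.split(","))
    refs.extend(JOIN_RE.findall(query))
    return refs


def load_custom_tables(*json_docs: str) -> Dict[str, Set[str]]:
    """Parse custom-table declarations into {table_name: {column_names}}."""
    tables: Dict[str, Set[str]] = {}
    for doc in json_docs:
        decl = json.loads(doc)
        tables[decl["Name"]] = {prop["Name"] for prop in decl["Properties"]}
    return tables


def validate_query(query: str, known_tables: Dict[str, Set[str]]) -> List[str]:
    """Return validation errors for a query: a KS204-style message for every
    table it names that the validator does not know, plus one per `project`
    column missing from the source table's declared schema. Empty means pass."""
    errors: List[str] = []
    refs = referenced_tables(query)
    for name in refs:
        if name not in known_tables:
            errors.append(
                f"The name '{name}' does not refer to any known table, "
                f"tabular variable or function., Code: 'KS204'"
            )
    # Column check only makes sense once the source table itself is known.
    if refs and refs[0] in known_tables:
        columns = known_tables[refs[0]]
        for clause in PROJECT_RE.findall(query):
            for col in (c.strip() for c in clause.split(",")):
                if re.fullmatch(IDENT, col) and col not in columns:
                    errors.append(
                        f"The name '{col}' does not refer to any known "
                        f"column on table '{refs[0]}'"
                    )
    return errors


if __name__ == "__main__":
    # Before the declaration: the same failure the issue reports.
    print(validate_query(DETECTION_QUERY, BUILTIN_TABLES))
    # After adding the custom table to the validator's schema: clean.
    known = {**BUILTIN_TABLES, **load_custom_tables(BLOODHOUND_TABLE_JSON)}
    print(validate_query(DETECTION_QUERY, known))
```

Running it prints the single KS204 error for BloodHoundLogs_CL first and an empty list second. The practical lesson carries over to the real tests: every custom `_CL` table a solution's detections read must be declared to the validator with all the columns the queries touch, otherwise the Kusto parser has nothing to resolve the names against.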

v-sudkharat commented 4 days ago

Hey @daviditkin, we had a discussion with our PR review team on this issue. Our team will help/assist you on this PR itself (https://github.com/Azure/Azure-Sentinel/pull/11445) to fix it. So we are closing this issue from here; please feel free to reopen the issue if you have anything for us. Thanks!