Azure / azure-cli

Azure Command-Line Interface
MIT License

Invalid property value for properties.sourceType - Creation of Microsoft Sentinel Watchlist with Azure CLI #26332

Open gu1llaume-b opened 1 year ago

gu1llaume-b commented 1 year ago

Hi,

There is an error in the documentation for the creation of Microsoft Sentinel watchlists via the Azure CLI. When uploading content from a local file, the --source-type parameter is required (one of the required parameters). The accepted values are "Local file" or "Remote storage", as described in the documentation. However, when providing "Local storage" as a value for the --source-type parameter, I get the following error:

```
(400) There is an issue with deserializing : Error converting 'Local file' for path 'properties.sourceType'.
Code: 400
Message: There is an issue with deserializing : Error converting 'Local file' for path 'properties.sourceType'.
```

Azure CLI command being used:

```
az sentinel watchlist create --name watchlist --resource-group RG --workspace-name LAW --display-name watchlist --provider Microsoft --items-search-key "Asset Name" --source-type "Local file" --source watchlist.csv --raw-content watchlist.csv
```

After investigating this with the API, I have noticed that the same values are mentioned as being accepted in the [documentation](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/watchlists/create-or-update?tabs=HTTP). However, in practice, "local" is actually accepted by the API instead of "Local file".



yonzhan commented 1 year ago

Thank you for opening this issue, we will look into it.

ghost commented 1 year ago

Thank you for your feedback. This has been routed to the support team for assistance.

ghost commented 1 year ago

Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @amirkeren.

Issue Details
Author: gu1llaume-b
Assignees: SwathiDhanwada-MSFT
Labels: `Service Attention`, `customer-reported`, `SecurityInsights`, `CXP Attention`
Milestone: -
jsntcy commented 1 year ago

@amirkeren, could you please help check if it's an inconsistency issue between swagger and service?

amirkeren commented 1 year ago

Hi @jsntcy, I was notified by the product group that they do not handle issues via github. Please open a ticket with support. Thanks.

jsntcy commented 1 year ago

Got it, thanks. @SwathiDhanwada-MSFT, could you please help open a ticket with support for this issue?

SwathiDhanwada-MSFT commented 1 year ago

@gu1llaume-b Can you please raise a support ticket as requested?

gu1llaume-b commented 1 year ago

@SwathiDhanwada-MSFT I do not have the ability to create new Azure support tickets (require a paid subscription that I don't have).

Would it be a possibility to do it on your side? Or would you have any alternatives for this? Thank you

gu1llaume-b commented 1 year ago

@SwathiDhanwada-MSFT Have you had a chance to have a look at my comment above?

SwathiDhanwada-MSFT commented 1 year ago

@gu1llaume-b Kindly send an email with the subject "Attn:Swathi" to AzCommunity@microsoft.com with the subscription id and the GitHub link for context. Thanks

Creddi commented 4 months ago

Same issue here. Status? @SwathiDhanwada-MSFT

gu1llaume-b commented 4 months ago

@Creddi To be honest, I do not remember all the details but I have checked the resolution of the support request that I have created back then and this was the outcome:

Now in the body section there is a parameter called "Source Type". As per the document, the supported values for this parameter are "Local file" or "Remote Storage". Now when we execute the command with the Source Type parameter as "Local File", we get an error message. Upon checking further, we analyzed that the "Source Type" parameter is one of the optional parameters, so we executed the command without that parameter, and the command got executed and the new watchlist was also created. So, we concluded that the command is working fine without using the Source Type parameter, the watchlist is also getting deployed, and the scope gets resolved too. Now I will have one task before I archive this support request, and that will be to check with the team if there are any known issues with the Source Type field so we can get that changed in the documents.

Hope this will help you. Otherwise, I can try to find some time in the coming days to check that further.

Creddi commented 4 months ago

@gu1llaume-b Thanks a million mate, that actually made it deploy, but everything in the CSV watchlist is empty. Have you stumbled upon that issue?

gu1llaume-b commented 4 months ago

@Creddi I have the same behavior now. The command succeeds but the CSV content does not get uploaded in the Sentinel watchlist. This also happens even if I pass the CSV content in the Azure CLI command (however, I can see that the API call includes my data - not sure what happens here). I believe it was working when I went over this with the Microsoft Support engineer, not sure if something has changed.

We have changed to ARM templates instead of the Azure CLI for Sentinel because we had some troubles with the Azure CLI for our use cases. I also managed to make it work using the API directly.

Creddi commented 4 months ago

@gu1llaume-b Yeah, we're probably heading down that route as well. Thanks!

Creddi commented 4 months ago

@gu1llaume-b

You don't happen to have an example code snippet for uploading via REST? It seems to fail for us every time.
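An added example (not code from the azure-cli project or from anyone in this thread) of building the create-or-update request the thread discusses, with a pre-flight check for the "deployed but empty" outcome above: it parses the CSV and verifies that `itemsSearchKey` is a real column before sending. The REST path follows the create-or-update documentation linked in the issue; the `api-version`, the `sourceType` default of `"Local"` (the reporter's finding, not a documented value) and all identifiers are assumptions.

```python
"""Sentinel watchlist create-or-update via REST, with a CSV sanity check.
Added example; api-version, sourceType value and identifiers are assumptions."""
import csv
import io
import json
import urllib.request

API_VERSION = "2023-02-01"  # assumed SecurityInsights api-version


def validate_csv(raw_content: str, items_search_key: str) -> list:
    """Parse the CSV and confirm the search key is a header column.
    An empty file or a key that matches no column is a typical reason
    a watchlist deploys successfully but shows no items."""
    rows = list(csv.DictReader(io.StringIO(raw_content)))
    if not rows:
        raise ValueError("CSV has no data rows; the watchlist would be empty")
    if items_search_key not in rows[0]:
        raise ValueError(f"itemsSearchKey {items_search_key!r} is not a CSV "
                         f"column; columns are {list(rows[0])}")
    return rows


def build_body(raw_content, display_name, items_search_key, source_type="Local"):
    """Request body for PUT .../watchlists/{alias}; rawContent carries the CSV."""
    validate_csv(raw_content, items_search_key)
    return {"properties": {
        "displayName": display_name,
        "provider": "Microsoft",
        "source": "watchlist.csv",
        "itemsSearchKey": items_search_key,
        "contentType": "text/csv",
        "numberOfLinesToSkip": 0,
        "sourceType": source_type,  # "Local file" was rejected in the issue above
        "rawContent": raw_content,
    }}


def build_url(subscription_id, resource_group, workspace, alias):
    return ("https://management.azure.com/subscriptions/%s/resourceGroups/%s"
            "/providers/Microsoft.OperationalInsights/workspaces/%s"
            "/providers/Microsoft.SecurityInsights/watchlists/%s?api-version=%s"
            % (subscription_id, resource_group, workspace, alias, API_VERSION))


def put_watchlist(url, body, bearer_token):
    """Send the PUT; bearer_token is e.g. from `az account get-access-token`."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {bearer_token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())


SAMPLE_CSV = "Asset Name,Owner\nweb-01,blue-team\ndb-01,dba\n"  # constructed sample
```

Run `validate_csv` on the file first; if it raises, the upload would have "succeeded" with an empty list.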