Open gu1llaume-b opened 1 year ago
Thank you for opening this issue, we will look into it.
Thank you for your feedback. This has been routed to the support team for assistance.
Thanks for the feedback! We are routing this to the appropriate team for follow-up. cc @amirkeren.
| Author: | gu1llaume-b |
|---|---|
| Assignees: | SwathiDhanwada-MSFT |
| Labels: | `Service Attention`, `customer-reported`, `SecurityInsights`, `CXP Attention` |
| Milestone: | - |
@amirkeren, could you please help check if it's an inconsistency issue between swagger and service?
Hi @jsntcy, I was notified by the product group that they do not handle issues via github. Please open a ticket with support. Thanks.
Got it, thanks. @SwathiDhanwada-MSFT, could you please help open a ticket with support for this issue?
@gu1llaume-b Can you please raise a support ticket as requested?
@SwathiDhanwada-MSFT I do not have the ability to create new Azure support tickets (it requires a paid subscription that I don't have).
Would it be a possibility to do it on your side? Or would you have any alternatives for this? Thank you
@SwathiDhanwada-MSFT Have you had a chance to have a look at my comment above?
@gu1llaume-b Kindly send an email with the subject "Attn:Swathi" to AzCommunity@microsoft.com with the subscription ID and the GitHub link for context. Thanks
Same issue here. Status? @SwathiDhanwada-MSFT
@Creddi To be honest, I do not remember all the details but I have checked the resolution of the support request that I have created back then and this was the outcome:
> Now in the body section there is a parameter called "Source Type"; as per the document, the supported values for this parameter are "Local file or Remote Storage". Now when we are executing the command with the Source Type parameter as "Local File" we get an error message. Upon checking further, we analyzed that the "Source Type" parameter is one of the optional parameters, so we thought to execute the command without that parameter, and the command got executed and the new watchlist was also created. So, we concluded that the command is working fine without using the Source Type parameter and the watchlist is also getting deployed, with the scope gets resolved too. Now I will be having one task before I archive this support request and that will be to check with the team if there are any known issues with the Source Type field so we can get that changed in the documents.
Hope this will help you. Otherwise, I can try to find some time in the coming days to check that further.
@gu1llaume-b Thanks a million mate, that actually made it deploy but everything in the csv watchlist is empty. Have you stumbled upon that issue?
@Creddi I have the same behavior now. The command succeeds but the CSV content does not get uploaded in the Sentinel watchlist. This also happens even if I pass the CSV content in the Azure CLI command (however, I can see that the API call includes my data - not sure what happens here). I believe it was working when I went over this with the Microsoft Support engineer, not sure if something has changed.
We have changed to ARM templates instead of the Azure CLI for Sentinel because we had some troubles with the Azure CLI for our use cases. I also managed to make it work using the API directly.
@gu1llaume-b Yeah, we're probably heading down that route as well. Thanks!
@gu1llaume-b
You don't happen to have an example code-snippet for uploading via REST? Seems to fail for us every time
Hi,
There is an error in the documentation for the creation of Microsoft Sentinel watchlists via the Azure CLI. When uploading content from a local file, the --source-type parameter is required (one of the required parameters). The accepted values are "Local file" or "Remote storage" as described in the documentation. However, when providing "Local storage" as a value for the --source-type parameter, I get the following error:
Azure CLI command being used:
```
az sentinel watchlist create --name watchlist --resource-group RG --workspace-name LAW --display-name watchlist --provider Microsoft --items-search-key "Asset Name" --source-type "Local file" --source watchlist.csv --raw-content watchlist.csv
```
After investigating this with the API, I have noticed that the same values are mentioned as being accepted in the documentation. However, in practice, "local" is actually accepted by the API instead of "Local file".
When "Local file" is provided:
When "Local" is provided:
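Added example, not code from the thread's participants or from the Azure documentation: a Python pre-flight that builds the watchlist create-or-update REST request discussed in this thread and rejects raw content with no usable rows before anything is sent. The `sourceType` default follows the thread's report that "Local" is accepted; the function name, sample CSV and `<api-version>` placeholder are assumptions, and the body property names should be checked against the API version in use.

```python
import csv
import io
from urllib.parse import quote

ARM = "https://management.azure.com"
# Constructed sample data, not taken from the thread.
SAMPLE_CSV = "Asset Name,Owner\nsrv-01,alice\nsrv-02,bob\n"


def build_watchlist_request(subscription_id, resource_group, workspace, alias,
                            csv_text, search_key, api_version, source_type="Local"):
    # source_type defaults to "Local", the value the thread reports the service
    # accepting; the documentation quoted there lists "Local file".
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if any(c.strip() for c in r)]
    header, data = (rows[0], rows[1:]) if rows else ([], [])
    # A file name passed in place of the file's contents fails this check.
    if search_key not in header:
        raise ValueError(f"search key {search_key!r} is not a column in {header}")
    key = header.index(search_key)
    bad = [n for n, r in enumerate(data, start=1) if len(r) <= key or not r[key].strip()]
    if not data or bad:
        raise ValueError(f"no data rows, or data rows without a search-key value: {bad}")
    url = (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{quote(resource_group)}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{quote(workspace)}"
           f"/providers/Microsoft.SecurityInsights/watchlists/{quote(alias)}"
           f"?api-version={api_version}")
    body = {"properties": {
        "displayName": alias,
        "provider": "Microsoft",
        "sourceType": source_type,
        "itemsSearchKey": search_key,
        "contentType": "text/csv",
        "numberOfLinesToSkip": 0,
        "rawContent": csv_text,  # the CSV text itself, header line included
    }}
    return url, body


if __name__ == "__main__":
    url, body = build_watchlist_request(
        "00000000-0000-0000-0000-000000000000", "RG", "LAW", "watchlist",
        SAMPLE_CSV, "Asset Name", api_version="<api-version>")
    print("PUT", url, body)
```

The returned URL and body are meant to be sent as an authenticated PUT with a JSON content type; reading the watchlist items back afterwards confirms whether the rows were ingested.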