Open AndreasRogge opened 2 months ago
I have a similar problem with CloudShell & EastUs2:
PS /home/admin> $incident | %{Update-AzSentinelIncident -ResourceGroupName "security-operations-center-msn1" -WorkspaceName "XdrWorkspace-msn1" -Id $_.id -Classification 'Undetermined' -ClassificationReason 'InaccurateData' -Status 'Closed' -debug}
DEBUG: 3:47:01 PM - [ConfigManager] Got [True] from [DisplaySecretsWarning], Module = [], Cmdlet = [].
DEBUG: 3:47:01 PM - GetAzureRMContextCommand begin processing with ParameterSet 'GetSingleContext'.
DEBUG: 3:47:01 PM - [ConfigManager] Got nothing from [DisplayBreakingChangeWarning], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:47:01 PM - [ConfigManager] Got [True] from [DisplaySecretsWarning], Module = [], Cmdlet = [].
DEBUG: 3:47:01 PM - [ConfigManager] Got nothing from [DisplayRegionIdentified], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:47:01 PM - [ConfigManager] Got nothing from [CheckForUpgrade], Module = [], Cmdlet = []. Returning default value [True].
DEBUG: 3:47:01 PM - GetAzureRMContextCommand end processing.
DEBUG: [CmdletBeginProcessing]: Starting command
DEBUG: CmdletBeginProcessing:
DEBUG: CmdletProcessRecordStart:
Confirm
Are you sure you want to perform this action?
Performing the operation "Update-AzSentinelIncident_UpdateExpanded" on target "Call remote 'IncidentsCreateOrUpdate' operation".
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): A
DEBUG: CmdletGetPipeline:
DEBUG: CmdletBeforeAPICall:
DEBUG: URLCreated: /subscriptions/506a413b-e256-42c8-b98c-adc54ee35c28/resourceGroups/security-operations-center-msn1/providers/Microsoft.OperationalInsights/workspaces/XdrWorkspace-msn1/providers/Microsoft.SecurityInsights/incidents/%2Fsubscriptions%2F506a413b-e256-42c8-b98c-adc54ee35c28%2FresourceGroups%2Fsecurity-operations-center-msn1%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2FXdrWorkspace-msn1%2Fproviders%2FMicrosoft.SecurityInsights%2FIncidents%2F542a47a8-80b1-4f2f-913b-4297518cd3bf?api-version=2021-09-01-preview
DEBUG: RequestCreated: /subscriptions/506a413b-e256-42c8-b98c-adc54ee35c28/resourceGroups/security-operations-center-msn1/providers/Microsoft.OperationalInsights/workspaces/XdrWorkspace-msn1/providers/Microsoft.SecurityInsights/incidents/%2Fsubscriptions%2F506a413b-e256-42c8-b98c-adc54ee35c28%2FresourceGroups%2Fsecurity-operations-center-msn1%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2FXdrWorkspace-msn1%2Fproviders%2FMicrosoft.SecurityInsights%2FIncidents%2F542a47a8-80b1-4f2f-913b-4297518cd3bf?api-version=2021-09-01-preview
DEBUG: HeaderParametersAdded:
DEBUG: BodyContentSet:
DEBUG: 3:47:18 PM - [ConfigManager] Got nothing from [DisableInstanceDiscovery], Module = [], Cmdlet = []. Returning default value [False].
DEBUG: 3:47:18 PM - [ConfigManager] Got [False] from [EnableLoginByWam], Module = [], Cmdlet = [].
DEBUG: ============================ HTTP REQUEST ============================
HTTP Method:
PUT
Absolute Uri:
https://management.azure.com/subscriptions/506a413b-e256-42c8-b98c-adc54ee35c28/resourceGroups/security-operations-center-msn1/providers/Microsoft.OperationalInsights/workspaces/XdrWorkspace-msn1/providers/Microsoft.SecurityInsights/incidents/%2Fsubscriptions%2F506a413b-e256-42c8-b98c-adc54ee35c28%2FresourceGroups%2Fsecurity-operations-center-msn1%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2FXdrWorkspace-msn1%2Fproviders%2FMicrosoft.SecurityInsights%2FIncidents%2F542a47a8-80b1-4f2f-913b-4297518cd3bf?api-version=2021-09-01-preview
Headers:
x-ms-unique-id : 603
x-ms-client-request-id : ac42a068-4e94-4e28-b85d-cb5f74b49225
CommandName : Update-AzSentinelIncident
FullCommandName : Update-AzSentinelIncident_UpdateExpanded
ParameterSetName : __AllParameterSets
User-Agent : AzurePowershell/v12.3.0,PSVersion/v7.4.5,Az.SecurityInsights/0.0.0,cloud-shell_1.0
Body:
{
"properties": {
"classification": "Undetermined",
"classificationReason": "InaccurateData",
"status": "Closed"
}
}
DEBUG: BeforeCall:
DEBUG: ============================ HTTP RESPONSE ============================
Status Code:
BadRequest
Headers:
Cache-Control : no-cache
Pragma : no-cache
x-ms-failure-cause : gateway
x-ms-request-id : 349ed0c2-3691-4bf5-ab80-3d765e81b1d8
x-ms-correlation-request-id : 349ed0c2-3691-4bf5-ab80-3d765e81b1d8
x-ms-routing-request-id : WESTUS:20240924T154719Z:349ed0c2-3691-4bf5-ab80-3d765e81b1d8
Strict-Transport-Security : max-age=31536000; includeSubDomains
X-Content-Type-Options : nosniff
X-Cache : CONFIG_NOCACHE
X-MSEdge-Ref : Ref A: 5D60BAD9FA8F4714A7C609605F570526 Ref B: SJC211051204023 Ref C: 2024-09-24T15:47:18Z
Date : Tue, 24 Sep 2024 15:47:18 GMT
Body:
{
"error": {
"code": "NoRegisteredProviderFound",
"message": "No registered resource provider found for location 'eastus2' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview, 2017-03-15-preview, 2017-04-26-preview, 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-03-01-privatepreview, 2021-06-01, 2021-12-01-preview, 2022-10-01, 2023-01-01-preview, 2023-09-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus, japaneast, uksouth, centralindia, canadacentral, westus2, australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth, switzerlandwest, germanywestcentral, australiacentral2, uaecentral, uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral, southafricawest, germanynorth, polandcentral, israelcentral, italynorth, spaincentral'."
}
}
DEBUG: ResponseCreated:
DEBUG: BeforeResponseDispatch:
Update-AzSentinelIncident_UpdateExpanded: No registered resource provider found for location 'eastus2' and API version '2021-09-01-preview' for type 'workspaces'. The supported api-versions are '2015-03-20, 2015-11-01-preview, 2017-01-01-preview, 2017-03-03-preview, 2017-03-15-preview, 2017-04-26-preview, 2020-03-01-preview, 2020-08-01, 2020-10-01, 2021-03-01-privatepreview, 2021-06-01, 2021-12-01-preview, 2022-10-01, 2023-01-01-preview, 2023-09-01'. The supported locations are 'eastus, westeurope, southeastasia, australiasoutheast, westcentralus, japaneast, uksouth, centralindia, canadacentral, westus2, australiacentral, australiaeast, francecentral, koreacentral, northeurope, centralus, eastasia, eastus2, southcentralus, northcentralus, westus, ukwest, southafricanorth, brazilsouth, switzerlandnorth, switzerlandwest, germanywestcentral, australiacentral2, uaecentral, uaenorth, japanwest, brazilsoutheast, norwayeast, norwaywest, francesouth, southindia, koreasouth, jioindiacentral, jioindiawest, qatarcentral, canadaeast, westus3, swedencentral, southafricawest, germanynorth, polandcentral, israelcentral, italynorth, spaincentral'.
DEBUG: [Finally]: Getting exception 'Microsoft.Azure.Commands.Common.Exceptions.AzPSCloudException: InternalException' from response
DEBUG: Finally:
DEBUG: CmdletAfterAPICall:
DEBUG: [CmdletProcessRecordAsyncEnd]: Finish HTTP process
DEBUG: CmdletProcessRecordAsyncEnd:
DEBUG: CmdletProcessRecordEnd:
DEBUG: AzureQoSEvent: Module: Az.SecurityInsights:3.1.2; CommandName: Update-AzSentinelIncident; PSVersion: 7.4.5; IsSuccess: False; Duration: 00:00:17.7950544; SanitizeDuration: 00:00:00; Exception: InternalException;
$PSVersionTable
Name Value
---- -----
PSVersion 7.4.5
PSEdition Core
GitCommitId 7.4.5
OS CBL-Mariner/Linux
Platform Unix
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
WSManStackVersion 3.0
Get-Module Az*
ModuleType Version PreRelease Name ExportedCommands
---------- ------- ---------- ---- ----------------
Script 3.0.4 Az.Accounts {Add-AzEnvironment, Clear-AzConfig, Clear-AzContext, Clear-AzDefault…}
Script 8.3.0 Az.Compute {Add-AzImageDataDisk, Add-AzVhd, Add-AzVMAdditionalUnattendContent, Add-AzVMDataDisk…}
Script 7.8.1 Az.Network {Add-AzApplicationGatewayAuthenticationCertificate, Add-AzApplicationGatewayBackendAddressPool, Add-AzApplicationGatewayBackendHttpSetting, Add-AzApplicationGateway…
Script 7.4.0 Az.Resources {Export-AzResourceGroup, Export-AzTemplateSpec, Get-AzDenyAssignment, Get-AzDeployment…}
Script 3.1.2 Az.SecurityInsights {Get-AzSentinelAlertRule, Get-AzSentinelAlertRuleAction, Get-AzSentinelAlertRuleTemplate, Get-AzSentinelAutomationRule…}
Script 7.3.0 Az.Storage {Add-AzRmStorageContainerLegalHold, Add-AzStorageAccountManagementPolicyAction, Add-AzStorageAccountNetworkRule, Close-AzStorageFileHandle…}
Script 1.1.3 Az.Tools.Predictor {Disable-AzPredictor, Enable-AzPredictor, Open-AzPredictorSurvey, Send-AzPredictorRating}
Script 0.0.0.10 AzureAD.Standard.Preview {Add-AzureADApplicationOwner, Add-AzureADDeviceRegisteredOwner, Add-AzureADDeviceRegisteredUser, Add-AzureADDirectoryRoleMember…}
Script 0.9.3 AzurePSDrive
Is there some update on this?
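Added example, not part of the thread or of the Az.SecurityInsights module: a PowerShell check of the request path from the `URLCreated` debug line above. It shows that the segment after `incidents/` is a URL-encoded full resource ID rather than a bare incident name. The function name `Get-IncidentSegmentInfo` is hypothetical, and the idea that `-Id` expects the bare name is an assumption to verify against the module documentation.

```powershell
# Added example: inspect the incident segment of an ARM request path.
# Get-IncidentSegmentInfo is a hypothetical helper, not part of any Az module.
function Get-IncidentSegmentInfo {
    param([Parameter(Mandatory)][string]$RequestPath)

    # Drop the query string, then split the path into its segments.
    $path     = ($RequestPath -split '\?', 2)[0]
    $segments = $path.Trim('/') -split '/'

    # The incident identifier is the segment right after the literal "incidents".
    $idx = [Array]::IndexOf($segments, 'incidents')
    if (($idx -lt 0) -or (($idx + 1) -ge $segments.Count)) {
        throw "No incident segment found in path."
    }

    $raw     = $segments[$idx + 1]
    $decoded = [System.Uri]::UnescapeDataString($raw)

    [pscustomobject]@{
        # True when the segment decodes to a whole ARM resource ID.
        IsFullResourceId = ($decoded -like '/subscriptions/*')
        DecodedSegment   = $decoded
        # Last path element of the decoded value: the bare incident name.
        IncidentName     = ($decoded -split '/')[-1]
    }
}

# Request path copied from the URLCreated debug line on this page.
$url = '/subscriptions/506a413b-e256-42c8-b98c-adc54ee35c28/resourceGroups/security-operations-center-msn1/providers/Microsoft.OperationalInsights/workspaces/XdrWorkspace-msn1/providers/Microsoft.SecurityInsights/incidents/%2Fsubscriptions%2F506a413b-e256-42c8-b98c-adc54ee35c28%2FresourceGroups%2Fsecurity-operations-center-msn1%2Fproviders%2FMicrosoft.OperationalInsights%2Fworkspaces%2FXdrWorkspace-msn1%2Fproviders%2FMicrosoft.SecurityInsights%2FIncidents%2F542a47a8-80b1-4f2f-913b-4297518cd3bf?api-version=2021-09-01-preview'

$info = Get-IncidentSegmentInfo -RequestPath $url
$info | Format-List

# Assumption (verify before relying on it): -Id takes the bare incident name,
# i.e. the value in $info.IncidentName, rather than the object's full Id.
if ($info.IsFullResourceId) {
    Write-Warning "Incident segment is a full resource ID; bare name would be $($info.IncidentName)"
}
```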
Description
Hi, I wanted to use the mentioned module to update my incidents automatically. Unfortunately I always get the following error:
The resource providers Microsoft.SecurityInsights and Microsoft.OperationalInsights are registered. When I check the API versions on SecurityInsights, I can see that "2021-09-01-preview" is available, but on OperationalInsights it is unavailable on resource type "workspaces", as mentioned in the picture.
If I look at the source: https://github.com/Azure/azure-powershell/blob/main/src/SecurityInsights/SecurityInsights.Autorest/UX/Microsoft.OperationalInsights/workspaces-incidents.json I can see that API version "2021-09-01-preview" is used. But as I mentioned above, this version is not available for "workspace" in OperationalInsights:
Issue script & Debug output
Environment data
Module versions
Error output