Moved hunting queries to workspace deployment saved searches #3469
Conversation
@javiersoriano & @v-maudan - please help in merging this, as this validation is due to the files outside this PR.
@samikroy - I think the validation failure is properly failing, I am just not sure the validation should be configured the way it is. You are checking in JSON files to the Solutions folder. The validation indicates there should only be YAML files, which is wrong, and not only that, the validation does not indicate which files should be YAML files. Your checked-in files:
Validation failure snip:
[xUnit.net 00:00:53.44] Kqlvalidations.Tests.DetectionTemplateSchemaValidationTests.Validate_DetectionTemplates_AllFilesAreYamls [FAIL]
@v-maudan and @Amitbergman - I think you both worked on these validations and might be able to diagnose the bug in https://github.com/Azure/Azure-Sentinel/blob/master/.script/tests/detectionTemplateSchemaValidation/DetectionTemplateSchemaValidationTests.cs
Thank you @shainw.
@samikroy - Scratch that, just re-ran the checks and it passed. I think @petebryan fixed the issue in a recent PR - https://github.com/Azure/Azure-Sentinel/pull/3471/files. Looks like it's good to get approved now if @javiersoriano and @v-maudan agree.
Thank you @shainw.
Hi @samikroy, we tried to leave the rules as similar as possible to the original ones; that's why we left the rest of the tables in the query even though they are not used. What is the benefit for the user if we remove the other tables? I agree on moving the hunting query to workspace.json instead of having it in mainTemplate.json. The rest of the changes are just cosmetic.
Agree @javiersoriano |
Got it. If that's the reason, I would change the name of the rule, so it clearly indicates that this is a test rule and that is seen in the incident as well. That would involve changing screenshots and text in the guide though |
In addition, we might need to update this in the UI template too, but this file is not the latest version (please point me to the correct file in that case).
@samikroy the intention of the training lab is to be deployed in a clean workspace, and for sure not in a production workspace, so we are hesitant to change the rule name. Can you just leave the move of the savedSearch to workspace.json and remove the other changes so we can approve? Thanks
@javiersoriano - Done. |
Fixes # Removed actual tables from hunting queries and analytic rule.
Proposed Changes