Azure-Sentinel
Manually ASIM Deployment - Failed to validate, Conflict
Describe the bug
Upon trying to deploy ASIM parsers via the 'Deploy to Azure' button and filling out the required parameters, a 'Conflict' error appears with the following error: (workspace, location and resource group have been omitted)
The resource '<SENTINELWORKSPACE> already exists in location <LOCATION> in resource group <RESOURCEGROUP>. A resource with the same name cannot be created in location <LOCATION>. Please select a new resource name.
Upon giving it a different name, it creates a new LAW in the designated resource group.
To Reproduce
Steps to reproduce the behavior:
- Go to list of parsers https://github.com/Azure/Azure-Sentinel/tree/master/ASIM
- Deploy any of them
- Fill out the workspace name in the 'Workspace' field and pick the correct resource group containing the LAW
- Deploy
Expected behavior
The parsers should deploy into the targeted workspace and become available for query.
Desktop (please complete the following information):
- OS: Windows 11
- Browser: Edge
- Version: 115
Additional context
I have all required permissions to deploy this content.
Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.
Hi @rcegan, we are checking on this and we will provide an update soon.
Hi @rcegan, waiting for update from concerned team, once we receive an update will let you know.
Hi @rcegan, we are still waiting for update from concerned team, we will get back to you once there is an update.
I was able to work around the problem by deploying the resources to a different location than the log analytics workspace itself. Solves my issue, but I suspect that's probably not the intended behaviour.
According to the error message, it is working as expected.
Try deleting the previous one and installing in the same location, it should work fine.
@rcegan thanks for raising this issue. Can you please share the location details where it failed and where it worked for you?
I was working with Australia Southeast and Australia East. Deploying to Australia Southeast, with the log analytics workspace in the same location, the deployment failed (due to a resource already existing in that location - the workspace itself). Picking a different location (Australia East) it appeared to work fine.
Hi, this behavior is as expected due to the following reason.
When deploying the ASIM parsers using the ARM templates, a POST request is done in the background.
Because the ASIM parsers already exist, this will result in an error as described above.
There are 2 workarounds to remediate this issue:
- Remove the existing ASIM parsers for the workspace using the Microsoft PowerShell script
- Deploy the updated parsers using the API using the UPDATE method.
It is more an issue related to Log Analytics than Microsoft Sentinel or ASIM, as they are dependent on Log Analytics.
What I can do is create a PowerShell script that updates the ASIM parsers if they already exist and uses the ASIM yaml files as input. Or create an ARM template that uses a Script Extension to run the PowerShell script in a different context.
This might need some extra permissions in the Azure Subscription / Resource Group, but I need to validate this first.
@rcegan @vakohl
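A read-only pre-deployment check for the two conditions discussed in this thread, as an added example (not code from the thread participants or the Azure-Sentinel repository): it reports the workspace's actual location and which function aliases in a local copy of a parser ARM template already exist as saved functions in that workspace. It assumes the Az.OperationalInsights module and a signed-in session; the parameter names, and the assumption that the template declares `functionAlias` as a literal value, are illustrative.

```powershell
# Added example: read-only check for ASIM parser name collisions before deploying.
# Parameter names are illustrative; requires Az.OperationalInsights and Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string] $ResourceGroup,
    [Parameter(Mandatory)] [string] $Workspace,
    [Parameter(Mandatory)] [string] $TemplatePath   # local copy of a parser ARM template
)

# Walk the parsed template and emit every functionAlias value found at any depth.
# Assumption: aliases are literal strings, not ARM expressions such as "[parameters(...)]".
function Get-FunctionAlias($Node) {
    if ($Node -is [System.Array]) {
        foreach ($item in $Node) { Get-FunctionAlias $item }
    }
    elseif ($Node -is [pscustomobject]) {
        if ($Node.PSObject.Properties['functionAlias']) { $Node.functionAlias }
        foreach ($prop in $Node.PSObject.Properties) { Get-FunctionAlias $prop.Value }
    }
}

# 1. Confirm the workspace exists and show its real region, so the location
#    chosen in the deployment form can be compared against it.
$law = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup `
        -Name $Workspace -ErrorAction Stop
Write-Host "Workspace '$($law.Name)' is in location '$($law.Location)'"

# 2. Index the saved functions already in the workspace by alias
#    (PowerShell hashtable keys are case-insensitive).
$existing = @{}
$saved = Get-AzOperationalInsightsSavedSearch -ResourceGroupName $ResourceGroup `
          -WorkspaceName $Workspace
foreach ($s in $saved.Value) {
    if ($s.Properties.FunctionAlias) { $existing[$s.Properties.FunctionAlias] = $s }
}

# 3. Compare with the aliases the template would create.
$template   = Get-Content -Raw -Path $TemplatePath | ConvertFrom-Json
$collisions = @(Get-FunctionAlias $template | Sort-Object -Unique |
                Where-Object { $existing.ContainsKey($_) })

if ($collisions.Count -eq 0) {
    Write-Host 'No function alias in the template exists in the workspace yet.'
}
foreach ($alias in $collisions) {
    [pscustomobject]@{
        FunctionAlias = $alias
        SavedSearchId = $existing[$alias].Id
        ETag          = $existing[$alias].ETag   # stored version of the existing function
    }
}
```

The script changes nothing in the workspace; it only lists what a deployment would collide with.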
@rcegan I created a new workspace, deployed Process Event parsers multiple times on the same workspace. I didn't get that error. Am I missing anything that you tried? Which schema parser were you trying to deploy? Can you please retry on a new workspace and on the same workspace you previously tried, and see if you are still getting that error?
Hi @rcegan,
Gentle Reminder: We are awaiting your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response, we will close this issue.
Sorry to add to the noise, but I'm having the exact same problem. Tried deploying all ASIM parsers and then just one-by-one, same error message "Conflict"
I've tried putting the LAW in Australia Southeast and the LAW in Australia East, and also putting them in the same region, no difference to the output.
Drilling into the error message isn't any more help, just states eTAG for specific error was outdated
newer data exists. If you are using eTag please use the latest one and try again in a few minutes. Operation Id: '4918a525df68776dd0a7063aaa6db6dd' (Code: NewerDataExists)
Trying to redeploy multiple times to get other deployments to succeed does not help either.
@rcegan @jusso-dev FYI, this issue is being investigated.
@rcegan @jusso-dev @azurekid This issue is still being looked into. This seems more of a Log Analytics issue than Sentinel; we are working with the concerned teams to get this fixed.