Import-AzSentinelAlertRule with invalid rule does not cause exception

Open hpemart opened this issue 2 years ago • 0 comments

Environment

Windows build number: Microsoft Windows [Version 10.0.22000.795]

PowerShell version: 7,2,5

Steps to reproduce

  • Enable Sentinel in a subscription
  • Take AZSentinel/examples/AlertRules.json and attempt to import it

```powershell
Import-AzSentinelAlertRule -SettingsFile .\alertrules.json -WorkspaceName "foo"
```

```
WARNING: Unable to find LogicApp playbook01 under Subscription Id: (redacted)
Import-AzSentinelAlertRule: Unable to invoke webrequest for rule AlertRule01 with error message: Unable to create Action for Rule: with Playbook playbook01 Error: Response status code does not indicate success: 400 (Bad Request).
WARNING: "AlertRule02" configuration is not following the official API schema, consider updating the incident and grouping configuration.
Import-AzSentinelAlertRule: Unable to invoke webrequest for rule AlertRule02 with error message: Response status code does not indicate success: 400 (Bad Request).
WARNING: "AlertRule03" configuration is not following the official API schema, consider updating the incident and grouping configuration.
```

Expected behavior

Exception thrown at the first invalid rule

Actual behavior

  • Rules import continues regardless

  • Rules actually appear in console, despite errors shown on output

I'm unsure if we have nothing actually wrong with the rule definitions in this repo's sample file, and a bug in the import commandlet here, and/or an issue with raising exceptions.

Thanks

hpemart, Aug 02 '22 10:08