Issues: The version of analytic rules in GitHub has a mismatch with the content hub.
Example: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Cloud%20Identity%20Threat%20Protection%20Essentials/Analytic%20Rules/NewExtUserGrantedAdmin.yaml (version 1.0.3, updated 5 months ago).
Meanwhile, in the content hub the current version (of this exact analytic rule) is 1.0.2 (updated recently, marked as "update available").
Screenshot from my instance, on the analytic rule -> update blade:
That means the versioning between content hub and GitHub is mismatched, or GitHub is far behind the correct versions of content hub.
Exported analytic rules from Sentinel (in JSON format) have a "templateversion" which seems to match the "version" of analytic rules in content hub (and sometimes GitHub).
However, when you list content hub you ALWAYS get the latest version available for all content in that content package - you don't get your current version of installed analytic rules. For that you have to retrieve/extract all your current analytic rules (JSON) and try to match the values on contentID (in content hub), which is alerttemplaterulename in the analytic rule JSON - but not unique - and version in the content hub vs. templateversion in the JSON.
WITH that in mind, you have to build a massive script (which I did) to try to keep track of updates to rules (unless you log in and check an instance of Sentinel every day, and that basically just checks one instance of Sentinel). The script also has to download your analytic rules as JSON locally and compare them with installed content hub packages - this is very limited and PER Sentinel instance. So, having multiple instances of Sentinel, what I did and wanted was to build an RSS feed that checks the URLs of a list of analytic rules (GitHub URLs), stores the version and checks once a month; if a new version x.x.x is published it posts the new stuff into an RSS feed, and then Power Apps/Flow do the rest. But as you can see above, GitHub is not kept up to date with the analytic rules deployed in content hub, so here I am.
Is there a reason for this, or is it possible to improve the process so that when you update content hub/analytic rules you also update this GitHub repo of your own rules? Or have a feed when rules are updated related to your installed analytic rules (unique IDs etc.)?
edit: removed my sidetrack about updating/managing content hub through Europe APIs, as not all locations support the APIs you see in the Sentinel GUI, or being able to see the "update available" through API - including current/latest version - and not only GUI.
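The comparison the post describes (match each exported rule's template id to a repo template, then compare the installed template version with the version in the YAML) can be automated without the Sentinel portal. The script below is an added example, not the issue author's script and not code from the Azure-Sentinel project. It assumes the exported rule JSON carries `properties.alertRuleTemplateName` (the property the post calls "alerttemplaterulename") and `properties.templateVersion`, that the template YAML has top-level `id` and `version` keys, and uses constructed sample data with placeholder GUIDs; fetching the YAML from the GitHub URLs is left out so it runs offline. As the thread notes, the repo version may be ahead of what the content hub currently ships, so an "update available" result here means the repo is newer, not that the content hub package is.

```python
"""Flag installed Sentinel analytic rules whose template version lags the
template published in the Azure-Sentinel repo. Added example; field names and
sample data are assumptions/constructed, not taken from a real workspace."""
import re

# Constructed samples of rule template YAML. Only top-level scalar keys matter
# here; real templates also carry nested blocks (query, entityMappings, ...).
SAMPLE_TEMPLATES_YAML = [
    """\
id: 11111111-1111-1111-1111-111111111111
name: New external user granted admin (constructed sample)
description: |
  Multi-line block, skipped by the minimal header parser.
severity: Medium
version: 1.0.3
kind: Scheduled
""",
    """\
id: 22222222-2222-2222-2222-222222222222
name: Another template (constructed sample)
version: 2.1.0   # trailing comment, stripped by the parser
kind: Scheduled
""",
]

# Constructed sample of rules exported from a workspace (ARM-style JSON objects).
SAMPLE_EXPORTED_RULES = [
    {"name": "rule-a", "properties": {
        "displayName": "New external user granted admin",
        "alertRuleTemplateName": "11111111-1111-1111-1111-111111111111",
        "templateVersion": "1.0.2"}},
    {"name": "rule-b", "properties": {
        "displayName": "Another rule",
        "alertRuleTemplateName": "22222222-2222-2222-2222-222222222222",
        "templateVersion": "2.1.0"}},
    {"name": "rule-c", "properties": {"displayName": "Home-grown rule"}},  # no template
    {"name": "rule-d", "properties": {
        "displayName": "Orphan",
        "alertRuleTemplateName": "33333333-3333-3333-3333-333333333333",
        "templateVersion": "1.0.0"}},
]

_HEADER_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9_]*):\s*(.*)$")


def parse_template_header(yaml_text: str) -> dict:
    """Return top-level scalar key/value pairs of a template (no PyYAML needed).
    Indented lines belong to nested blocks and are skipped; block scalars
    ('|', '>') become empty strings; a trailing ' # comment' is removed."""
    fields = {}
    for line in yaml_text.splitlines():
        if not line or line[0].isspace() or line.startswith("#"):
            continue
        match = _HEADER_LINE.match(line)
        if not match:
            continue
        value = match.group(2).split(" #", 1)[0].strip().strip("'\"")
        fields[match.group(1)] = "" if value in ("|", ">", "|-", ">-") else value
    return fields


def parse_version(text: str) -> tuple:
    """'1.0.3' -> (1, 0, 3); tuples compare numerically, so 1.0.10 > 1.0.9."""
    return tuple(int(part) for part in text.strip().split("."))


def find_updates(templates_yaml: list, exported_rules: list) -> list:
    """One report entry per template-based rule; custom rules are skipped."""
    latest_by_id = {}
    for yaml_text in templates_yaml:
        header = parse_template_header(yaml_text)
        if header.get("id") and header.get("version"):
            latest_by_id[header["id"]] = header["version"]
    report = []
    for rule in exported_rules:
        props = rule.get("properties", {})
        template_id = props.get("alertRuleTemplateName")
        if not template_id:
            continue  # custom rule: nothing in the repo to track
        installed, latest = props.get("templateVersion"), latest_by_id.get(template_id)
        entry = {"rule": rule.get("name"), "displayName": props.get("displayName"),
                 "templateId": template_id, "installed": installed, "latest": latest}
        if latest is None:
            entry["status"] = "template_not_found"
        elif installed is None:
            entry["status"] = "installed_version_unknown"
        else:
            try:
                have, want = parse_version(installed), parse_version(latest)
            except ValueError:
                entry["status"] = "unparseable_version"
            else:
                entry["status"] = ("update_available" if want > have else
                                   "up_to_date" if want == have else "installed_newer_than_repo")
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in find_updates(SAMPLE_TEMPLATES_YAML, SAMPLE_EXPORTED_RULES):
        print(f"{entry['rule']:8} {entry['status']:28} installed={entry['installed']} latest={entry['latest']}")
```

To run it against real data, replace `SAMPLE_EXPORTED_RULES` with the rules exported from each workspace and `SAMPLE_TEMPLATES_YAML` with the raw YAML downloaded from the GitHub URLs you track; the matching is keyed on the template GUID, so a changed display name does not break it.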
Hi @hitem, in analytical rule version 1.0.3, there are no major changes, which is why this version is not yet available in the content hub. Additionally, there is no script to sync the GitHub version with the content hub version. When there is an update in GitHub, we need to package the solution and then publish it. Only after these steps will it be available in the content hub. To make it available, certain checks need to be passed. Closing this issue. If you still need support for this issue, feel free to re-open it any time. Thank you for your cooperation.
Thank you for the quick reply.
So just to confirm, this GitHub repo will be considered the latest version of the rule (truth)? (And versions will match 1:1 once finally deployed to content hub, even if much later.)