Hunting Query Deployment to Sentinel using Azure DevOps

Liam Jones 146 Reputation points
2022-10-20T16:37:12.3+00:00

Hi Everyone,

For some reason I can't get my hunting queries to deploy through my Repo.

What I have done

  1. Grabbed an ARM template of the queries I wish to deploy in JSON format.
  2. Uploaded this to my Azure DevOps repository, linked to my Sentinel instance
  3. Run the pipeline.

The PowerShell script is failing with the error message:

[Error] Failed to check valid resource type.
[Warning] Skipping deployment for D:\a\1\s\HuntingRules\Deploy\MicrosoftUEBA.json. The file contains resources for content that was not selected for deployment. Please add content type to connection if you want this file to be deployed.

I have double checked that I have the appropriate content type ticked in the Sentinel repository connection and Hunting rules is ticked in there.

I have also tried to deploy a specially formatted JSON file (not just the whole ARM template). Here is the specially formatted JSON:
(image attachment: 252591-image.png)

Any help greatly appreciated! Thank you in advance!


Accepted answer
  1. Ruben van Osch 106 Reputation points
    2023-01-03T14:42:00.64+00:00

    I had a similar issue. My solution was to change the type of the ARM resource to the one documented in the example repo.
    So in this case:

    {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.0.0",
      "parameters": {
        "workspace": {
          "type": "String"
        }
      },
      "resources": [
        {
          "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
          "apiVersion": "2020-08-01",
          "name": "[concat(parameters('workspace'), '/NewBotAddedToTeams')]",
          "location": "[resourceGroup().location]",
          "properties": {
            "eTag": "*",
            "displayName": "Anomalies on users tagged as VIP",
            "category": "Hunting Queries",
            "query": "YOUR QUERY  HERE",
            "version": 1,
            "tags": [
              {
                "name": "description",
                "value": "Shows all users tagged as VIP in the VIP users watchlist that had anomalies with a score greater than 0"
              },
              {
                "name": "tactics",
                "value": "Persistence,Collection"
              },
              {
                "name": "relevantTechniques",
                "value": "T1176,T1119"
              }
            ]
          }
        }
      ]
    }

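A pre-deployment check that catches the mismatch the accepted answer describes before the pipeline runs. This is an added example, not code from the thread or from the Sentinel repositories pipeline: it parses an ARM template and reports resources whose type is not the savedSearches type (the cause of the "Failed to check valid resource type" skip), plus a few hunting-query fields that are easy to get wrong. The sample templates are constructed for the example; the alertRules resource type is used only as an example of a non-hunting type.

```python
import json

# Resource type and savedSearches category that a Sentinel repository
# connection deploys as a hunting query (matches the accepted answer's template).
HUNTING_TYPE = "Microsoft.OperationalInsights/workspaces/savedSearches"
HUNTING_CATEGORY = "Hunting Queries"


def check_hunting_template(template: dict) -> list:
    """Return the problems that would stop this template deploying as a
    hunting query; an empty list means it looks deployable."""
    problems = []
    resources = template.get("resources", [])
    if not resources:
        return ["template has no resources"]
    for idx, res in enumerate(resources):
        where = f"resources[{idx}]"
        rtype = res.get("type")
        if rtype != HUNTING_TYPE:
            # The connection only deploys content types ticked for it; any other
            # type in a file under the hunting folder is skipped by the pipeline.
            problems.append(f"{where}: type {rtype!r} is not {HUNTING_TYPE!r}")
            continue
        props = res.get("properties", {})
        if props.get("category") != HUNTING_CATEGORY:
            problems.append(f"{where}: category must be {HUNTING_CATEGORY!r}")
        if not props.get("displayName"):
            problems.append(f"{where}: displayName is missing")
        query = props.get("query", "")
        if not query.strip() or query.upper().startswith("YOUR QUERY"):
            problems.append(f"{where}: query is empty or still the placeholder")
        if "parameters('workspace')" not in res.get("name", ""):
            problems.append(f"{where}: name should be built from parameters('workspace')")
    return problems


def check_hunting_file(path: str) -> list:
    """Load an ARM template from disk and run the same checks."""
    with open(path, encoding="utf-8-sig") as fh:  # utf-8-sig tolerates a BOM from Windows editors
        return check_hunting_template(json.load(fh))


# Constructed samples: a non-hunting resource type, and a template shaped like the accepted answer.
WRONG_SAMPLE = {"resources": [{"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
                               "name": "[concat(parameters('workspace'), '/Demo')]",
                               "properties": {"category": HUNTING_CATEGORY, "query": "SigninLogs | take 1"}}]}
GOOD_SAMPLE = {"resources": [{"type": HUNTING_TYPE, "apiVersion": "2020-08-01",
                              "name": "[concat(parameters('workspace'), '/Demo')]",
                              "properties": {"displayName": "Demo", "category": HUNTING_CATEGORY,
                                             "query": "SigninLogs | where ResultType != 0 | take 10"}}]}
```

Run `check_hunting_file` over every JSON file in the hunting folder as a pipeline step so a wrong resource type fails the build instead of being silently skipped.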

1 additional answer

  1. Zubair Rahim 1 Reputation point
    2023-01-03T10:28:12.013+00:00

    Did you find any solution?

