Hi All,
I'm trying to deploy a few Sentinel alert rules based on a query function from an ARM template. I try to create both the function and the alert at deployment, but I get an error: "Failed to run the analytics rule query. One of the tables does not exist." I assumed that meant the deployment is trying to create the alert rule before the query function is set. I've tried using dependsOn and nesting the alert rules inside the query function resource to ensure the query function is created first, but nothing seems to work. If I deploy the function first, then redeploy, the following (truncated) code works to create the rules. I was hoping I would be able to deploy both the function and the rule in one deployment. Can anyone see what I might be missing? Thanks in advance.
My function resource:
    {
        "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
        "apiVersion": "2020-08-01",
        "name": "[format('{0}/{1}', parameters('workspace'), parameters('functionName'))]",
        "properties": {
            "etag": "*",
            "displayName": "[parameters('functionName')]",
            "category": "[parameters('functionName')]",
            "functionAlias": "[parameters('functionName')]",
            "query": "CommonSecurityLog...",
            "version": 2
        }
    }
My alert rule:
    {
        "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
        "name": "[variables('alertRuleName')]",
        "kind": "NRT",
        "apiVersion": "2021-09-01-preview",
        "dependsOn": [
            // The expression must begin with '[' as the first character; a leading space makes ARM treat it as a literal string.
            "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), parameters('functionName'))]"
        ],
        "properties": { /* etc. */ }
    }
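One thing worth checking before redeploying is whether every `dependsOn` entry is actually evaluated as an expression. ARM only treats a string as a template expression when `[` is its very first character; a string with leading whitespace is a literal, so it never resolves to the savedSearches resource and gives the deployment nothing to order on. The script below is an added example, not code from the original post: it walks a constructed ARM template (shaped like the two resources above, with a deliberately space-prefixed `dependsOn`) and flags expression-looking strings that would be read as literals, flags `dependsOn` entries that do not resolve to a resource declared in the template, and produces a corrected copy. The `SAMPLE_TEMPLATE` contents and the `MyFunction` query are assumptions for the demo.

```python
"""Lint an ARM template for dependsOn entries that ARM will not honour.

Added example, not code from the original post. SAMPLE_TEMPLATE is
constructed for the demo and mirrors the poster's two resource shapes.
"""
import json
import re

# Constructed sample: a savedSearches function plus an alert rule whose
# dependsOn entry has a leading space, so ARM reads it as a literal name.
SAMPLE_TEMPLATE = json.loads(r'''
{
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspace'), parameters('functionName'))]",
      "properties": {
        "functionAlias": "[parameters('functionName')]",
        "query": "CommonSecurityLog | take 1"
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "apiVersion": "2021-09-01-preview",
      "name": "[variables('alertRuleName')]",
      "dependsOn": [
        " [resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), parameters('functionName'))]"
      ],
      "properties": {"query": "MyFunction | where Severity == 'High'"}
    }
  ]
}
''')

# A string that has the [ ... ] shape of an expression but starts with
# whitespace. ARM evaluates a string only when '[' is its first character.
UNEVALUATED_EXPRESSION_RE = re.compile(r"^\s+\[.*\]\s*$", re.DOTALL)


def find_unevaluated_expressions(template):
    """Return (json_path, value) pairs for strings ARM would treat as literals
    even though they were clearly meant to be template expressions."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, f"{path}.{key}")
        elif isinstance(node, list):
            for index, value in enumerate(node):
                walk(value, f"{path}[{index}]")
        elif isinstance(node, str) and UNEVALUATED_EXPRESSION_RE.match(node):
            findings.append((path, node))

    walk(template, "$")
    return findings


def find_dangling_dependencies(template):
    """Return (resource_name, dependsOn_entry) pairs that do not resolve.

    An entry resolves if it is an expression whose resourceId() type is
    declared in the template, or if it is the literal name of a declared
    resource (ARM also accepts bare resource names in dependsOn).
    """
    resources = template.get("resources", [])
    declared_types = {r.get("type", "").lower() for r in resources}
    declared_names = {r.get("name") for r in resources}
    findings = []
    for resource in resources:
        for dep in resource.get("dependsOn", []):
            if dep.startswith("["):
                match = re.search(r"resourceId\(\s*'([^']+)'", dep)
                resolves = match is not None and match.group(1).lower() in declared_types
            else:
                resolves = dep in declared_names
            if not resolves:
                findings.append((resource.get("name"), dep))
    return findings


def strip_expression_whitespace(node):
    """Return a copy of the template with the stray whitespace removed from
    expression-shaped strings, so ARM evaluates them."""
    if isinstance(node, dict):
        return {k: strip_expression_whitespace(v) for k, v in node.items()}
    if isinstance(node, list):
        return [strip_expression_whitespace(v) for v in node]
    if isinstance(node, str) and UNEVALUATED_EXPRESSION_RE.match(node):
        return node.strip()
    return node


def lint(template):
    """Human-readable findings for both checks, empty when the template is clean."""
    messages = [f"literal, not expression: {path} = {value!r}"
                for path, value in find_unevaluated_expressions(template)]
    messages += [f"dependsOn on {name!r} does not resolve: {dep!r}"
                 for name, dep in find_dangling_dependencies(template)]
    return messages


if __name__ == "__main__":
    for message in lint(SAMPLE_TEMPLATE):
        print(message)
    print("after fix:", lint(strip_expression_whitespace(SAMPLE_TEMPLATE)))
```

Run it against the real template (`json.load` the file instead of `SAMPLE_TEMPLATE`) before deployment; an empty `lint()` result means the alert rule's ordering constraint is at least syntactically honoured, and any remaining "table does not exist" error has a different cause.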