ARM template: trying to create Sentinel alert rules based on log query function

John Farley 41 Reputation points

Hi All,

I'm trying to deploy a few Sentinel alert rules based on a query function from an ARM template. I try to create both the function and alert at deployment, but I get an error: "Failed to run the analytics rule query. One of the tables does not exist." I assumed that meant the deploy is trying to create the alert rule before the query function is set. I've tried using dependsOn and nesting the alert rules inside the query function resource to ensure the query function was created first, but nothing seems to work. If I deploy the function first, then redeploy, the following (truncated) code works to create the rules. I was hoping I would be able to deploy both the function and the rule in one deployment. Can anyone see what I might be missing? Thanks in advance.

My function resource:

"type": "Microsoft.OperationalInsights/workspaces/savedSearches",  
            "apiVersion": "2020-08-01",  
            "name": "[format('{0}/{1}', parameters('workspace'), parameters('functionName'))]",  
            "properties": {  
                "etag": "*",  
                "displayName": "[parameters('functionName')]",  
                "category": "[parameters('functionName')]",  
                "functionAlias": "[parameters('functionName')]",  
                "query": "CommonSecurityLog...  
                "version": 2  

My alert rule:

                    "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",  
                    "name": "[variables('alertRuleName')]",  
                    "kind": "NRT",  
                    "apiVersion": "2021-09-01-preview",  
                    "dependsOn": [  
                        " [resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), parameters('functionName'))]"  
                    "properties": { etc.  
Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
706 questions
0 comments No comments
{count} votes

Accepted answer
  1. Andrew Blumhardt 8,261 Reputation points Microsoft Employee

    I am not super deep on ARM templates. Functions can take 1-2 minutes to be available. Tables can take 5-10 minutes after creation. I think the real question here is can you put a wait or delay in an ARM template?

    Have you considered just putting the function query in the rule directly or as a let statement?

    Related tip. The UI has an export option that will create an ARM template for your rules.

0 additional answers

Sort by: Most helpful