Deploying SecurityAlert and SecurityIncident tables from ARM template

John Farley 41 Reputation points
2022-11-29T16:07:53.18+00:00

Hi,

We're testing the deployment of custom alert rules in a new Sentinel install, but the SecurityAlert and SecurityIncident tables are not generated unless we manually create a new alert rule. Even then the deployed alert rules are not connected to those tables. Is there a way to automatically generate and connect data to those tables from ARM deployment? Thanks in advance.

Microsoft Sentinel
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,048 questions
0 comments No comments
{count} votes

Accepted answer
  1. Alistair Ross 7,106 Reputation points Microsoft Employee
    2022-11-30T10:21:12.247+00:00

    Hello @John Farley

    A little secret that I find people miss is that the Microsoft managed tables are already there, just hidden. If you navigate to the Log Analytics workspace and press the settings cog in the upper right corner, the settings menu will appear, and you can toggle the switch Show tables with no data.

    265649-image.png

    If you want to manage the tables, such as retention, change the tables type from analytics to basic (though I do not recomend this for SecurityAlert and Security Incident!) or create custom templates, the template references can be found here

    https://learn.microsoft.com/en-us/azure/templates/microsoft.operationalinsights/2022-10-01/workspaces/tables?pivots=deployment-language-arm-template

    I hope this helps provide you with the information you need. If it does, please make sure to mark the question as answered so it helps other people in future.

    Kind regards

    Alistair


0 additional answers

Sort by: Most helpful