Share via

How to Update ASIM Microsoft Sentinel

Jeffry Haryanto Gunawan 0 Reputation points
2023-12-14T08:24:04.9233333+00:00

How to update ASIM on Microsoft Sentinel? because i try to reinstall from this template its failed and conflict : https://github.com/Azure/Azure-Sentinel/tree/master/ASIM

User's image

User's image

Microsoft Security | Microsoft Sentinel

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator
    2023-12-15T20:40:12.4766667+00:00

    @Jeffry Haryanto Gunawan
    Thank you for your post!

    When it comes to your ASIM Deployment issue, I was able to reproduce it within my Azure tenant and it looks like this is a known issue with one recommend workaround, which I'll share below.

    User's image

    MVP Recommended Solution:

    Hi, This behavior is as expected due to the following reason.
    When deploying the ASIM parsers using the ARM templates a POST request is done at the background. Because the ASIM parsers already exists, this will result in an error as described above. There are 2 workarounds to remediate this issue:

    • Remove the existing ASIM parsers for the workspace using the Microsoft PowerShell script
    • Deploy the updated parsers using the API using the UPDATE method.

    It is more an issue related to Log Analytics than Microsoft Sentinel or ASIM as they are dependent on Log Analytics.

    For more info: Manually ASIM Deployment - Failed to validate, Conflict #8623

    Product Group Update:

    This issue is still being looked into. This seems more of Log Analytics issue than Sentinel, we are working with concerned teams to get this fixed.

    When looking more into this, I did notice that I already deployed these ASIM parsers previously, which could also be contributing to the issue. I'd also recommend, ensuring your Microsoft Sentinel Log Analytics workspace doesn't already have these tables.

    User's image

    • Note: If you'd like to work closer with our support team on this, please let me know. I'd be happy to enable a one-time free technical support request for your subscription so you can work with our support engineers to get this issue resolved.

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

    If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.