Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ASIM/Deploy ASIM - Deploy to Azure templates failing (specifically Registry Event) #10481

Closed
KenMAG opened this issue May 14, 2024 · 4 comments
Closed

ASIM/Deploy ASIM - Deploy to Azure templates failing (specifically Registry Event) #10481

KenMAG opened this issue May 14, 2024 · 4 comments
Assignees
@vakohl @v-sudkharat
Labels
ASIM

Comments

@KenMAG
Copy link

KenMAG commented May 14, 2024

Describe the bug
The template deployment fails with multiple errors.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'https://github.com/Azure/Azure-Sentinel/tree/master/ASIM'
  2. Scroll down to 'Registry Event'
  3. Click on 'Deploy to Azure'
  4. Complete template form
  5. Review & Create
  6. Create
  7. Deployment starts and then fails with multiple errors.
  8. Error is typically: {"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"Conflict","message":"{\r\n "error": {\r\n "code": "NewerDataExists",\r\n "message": "Failed to modify resource '/subscriptions/38302863-0deb-4a70-b9d4-17085ffb8023/resourceGroups/sentientRG/providers/Microsoft.OperationalInsights/workspaces/sentient', newer data exists. If you are using eTag please use the latest one and try again in a few minutes. Operation Id: '24912523afb7a6b2dc4350b72444d641'"\r\n }\r\n}"}]}

Expected behavior
ASIM parsers are deployed without error and can be used in Microsoft Sentinel.

Screenshots
If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

  • OS: Win 11
  • Browser: Microsoft Edge
  • Version:124.0.2478.97 (Official build) (64-bit)

Smartphone (please complete the following information):

  • Device: [e.g. iPhone6]
  • OS: [e.g. iOS8.1]
  • Browser [e.g. stock browser, safari]
  • Version [e.g. 22]

Additional context
I tried multiple Azure subscriptions..
@KenMAG KenMAG mentioned this issue May 14, 2024
Closed
1 task
@KenMAG
Copy link
Author

KenMAG commented May 14, 2024

Unrelated to the above issue, but the vimRegistryEventMicrosoftSecurityEvents workspace parser has gone missing too.

@azurekid
Copy link
Contributor

Hey @KenMAG
It looks like what's going on is that the ASIM parser is already available within the workspace. So, when you (re)deploy, it's totally normal to see this error pop up.

What you can do is open the target workspace and remove the existing parser.
There is also a PowerShell script available on the repository to remove existing parsers.

Hope this helps

@vakohl
Copy link
Contributor

vakohl commented May 15, 2024
edited
Loading

@KenMAG this is an ongoing issue, not prioritized yet. This is happening due to multiple parallel functions deployment to LA workspace. I would suggest performing re-deployment if you receive this deployment error. Can I ask why you are performing this deployment? _Im_RegistryEvent and related parsers would be part of your workspace by default, no installation required
image

@vakohl
Copy link
Contributor

vakohl commented May 15, 2024

@KenMAG
We have an existing issue open for this, can be tracked here: #8623
Closing this one.

@vakohl vakohl mentioned this issue May 15, 2024
Open
@vakohl vakohl closed this as completed May 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@vakohl vakohl

@v-sudkharat v-sudkharat

Labels
ASIM
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@KenMAG @azurekid @vakohl @v-sudkharat