Azure-Sentinel/Solutions/known_issues.md

Microsoft Sentinel Solutions Known Issues

Known Issue #1 – Resource Group selection during solution Deployment

Microsoft Sentinel solutions deploy resources for Microsoft Sentinel scenarios, so the resource group selected for deployment must already have Microsoft Sentinel enabled; otherwise the deployment of Microsoft Sentinel resources such as analytics rules and hunting queries fails. Do not select a new resource group when deploying a Microsoft Sentinel solution: a new resource group does not have Microsoft Sentinel enabled by default, so the deployment fails.

Microsoft Sentinel solutions resource group selection

Known Issue #2 – Solution Re-deployment or update

Updating, redeploying or reinstalling a solution creates duplicate content items in the respective feature galleries. The solution package includes content such as analytics rules and workbooks that is saved in the Active rules gallery, the saved workbooks gallery and so on. Overwriting that content would discard any customizations made after the solution was deployed, so duplicate items are created instead and you decide which extraneous copies to delete. Refer to the following screenshots as examples.

Microsoft Sentinel solutions re-deployment analytics

Microsoft Sentinel solutions re-deployment workbooks

Known Issue #3 – Content configuration and enablement

If the solution you're deploying includes data connectors and associated content, enable the data connector and confirm that the data types / tables exist and that data is flowing before enabling related content such as analytics rules, or running hunting queries or workbooks that operate on that data. After a data connector is enabled it usually takes around 5-10 minutes for data to appear in Microsoft Sentinel / Azure Log Analytics. If the deployment asks for Azure Logic Apps playbook configuration values that you do not yet know, you can enter placeholder (even invalid) values so that the deployment succeeds, and then reconfigure the playbook with the correct values in the playbooks gallery so that its runs succeed.

Known Issue #4 – Missing metadata information for content

Workbooks and hunting queries deployed by solutions may be missing correct metadata after deployment, as illustrated in the screenshots below. This does not reduce the value of the content: it still delivers the intended data monitoring and threat hunting capabilities in Microsoft Sentinel.

Microsoft Sentinel solutions missing metadata workbooks

Microsoft Sentinel solutions missing metadata hunting

Known Issue #5 - Content uninstall

A central option to uninstall all content associated with a Microsoft Sentinel solution is not available. Content associated with a solution can be deleted with the delete option available in the respective gallery for each content type, where that gallery supports it (some feature galleries do not provide a delete option by design).

Known Issue #6 - CSP Program Enablement

All Microsoft Sentinel solutions in Content hub are now enabled for the CSP (Cloud Solution Provider) program. If you try to install (Create) a Microsoft Sentinel solution in a CSP subscription and encounter the error message 'This offer is not available for subscriptions from Microsoft Azure Cloud Solution Providers', contact Microsoft Support.

Known Issue #7 - Private solutions in Content hub

Private solutions or Azure Marketplace private offers are not currently supported in Microsoft Sentinel Content hub.

Known Issue #8 - Error "Detected multiple functions with the same name:"

Background: as part of consolidating content into solutions in Content hub, the corresponding parsers are now packaged with the solutions. If you used the data connector before, its installation instructions guided you to create the parser manually. Installing the solution now fails because a parser (function) with the same name already exists in your workspace.

Cause of the error: Log Analytics throws this error when more than one function (parser) exists with the same name.

Resolution steps: delete the installed functions manually and reinstall the solution, following the steps below.

  1. Go to your Microsoft Sentinel workspace and select Logs from the left menu.
  2. Click Functions and search for the name of the parser (it is part of the error text). Once it is visible, hover over the name and click Delete. NOTE: after deleting a parser it takes 5-10 minutes for the change to be reflected.
  3. Repeat step 2 for every parser that exists with the name shown in the error.
  4. Reinstall the solution.
  5. Verify that only one instance of the parser is installed.

The Data Connectors blade performs a connectivity check of all connectors on load. That check is based on a Microsoft Sentinel (Log Analytics) workspace function, not on a Function App resource in Sentinel's resource group.

To delete an existing Kusto function (parser), hover over the function name; a flyout panel appears with the delete option.

Note that after deleting the function named in the workspace error message, searching for it again should still find the duplicate copy; delete that one too. If you later need to recreate the function manually, many data connectors deployed from Content hub link directly to the KQL source of their 'Kusto Function' parser. The source can also be found by browsing the solution packages in the source repository: drill down under the solution's folder > Data Connectors > Parsers.
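The same check, scripted, as an added example that is not part of the Azure-Sentinel repository or the Microsoft documentation: it takes the JSON printed by `az monitor log-analytics workspace saved-search list --resource-group <rg> --workspace-name <ws>`, reports every function alias that is defined more than once, and emits the `az ... saved-search delete` command for each copy so that the solution can then be reinstalled. It assumes the az CLI exposes the ARM SavedSearch properties under the field names `name` and `functionAlias` (verify against your own CLI output); the saved-search records below are constructed sample data, not real workspace content.

```python
import json
import shlex
import sys
from collections import defaultdict

# Constructed sample standing in for the output of
# `az monitor log-analytics workspace saved-search list ...`.
# Assumption: the CLI flattens the ARM SavedSearch properties to these names.
SAMPLE_SAVED_SEARCHES = [
    {   # parser created by hand from the old data-connector instructions
        "name": "manual-contosoparser-2021",
        "displayName": "ContosoParser",
        "category": "Parsers",
        "functionAlias": "ContosoParser",
        "query": "ContosoAudit_CL | extend EventVendor = 'Contoso'",
    },
    {   # the same parser, packaged and installed by the Content hub solution
        "name": "solution-contosoparser-1.0.0",
        "displayName": "ContosoParser",
        "category": "Parsers",
        "functionAlias": "ContosoParser",
        "query": "ContosoAudit_CL | extend EventVendor = 'Contoso', EventProduct = 'Audit'",
    },
    {   # a different function: defined once, must not be reported
        "name": "solution-otherparser-1.0.0",
        "displayName": "OtherParser",
        "category": "Parsers",
        "functionAlias": "OtherParser",
        "query": "OtherLog_CL | project TimeGenerated, Message",
    },
    {   # plain saved query with no alias: not a function, ignored
        "name": "failed-logins",
        "displayName": "Failed logins last hour",
        "category": "General Exploration",
        "functionAlias": None,
        "query": "SigninLogs | where ResultType != 0 | where TimeGenerated > ago(1h)",
    },
]


def find_duplicate_functions(saved_searches):
    """Return {alias: [saved-search names]} for every function alias that
    occurs more than once. Only entries with a functionAlias are functions;
    ordinary saved queries are skipped."""
    by_alias = defaultdict(list)
    for item in saved_searches:
        alias = item.get("functionAlias")
        if alias:
            by_alias[alias].append(item["name"])
    return {alias: sorted(names) for alias, names in by_alias.items() if len(names) > 1}


def delete_commands(resource_group, workspace, names):
    """Build one `az ... saved-search delete` command per saved-search name.
    The resolution above deletes every copy and then reinstalls the solution,
    so all names are returned, not just the extras."""
    return [
        "az monitor log-analytics workspace saved-search delete "
        f"--resource-group {shlex.quote(resource_group)} "
        f"--workspace-name {shlex.quote(workspace)} "
        f"--name {shlex.quote(name)}"
        for name in names
    ]


def main(argv):
    # Usage: python find_dup_parsers.py <resource-group> <workspace> [saved-searches.json]
    # Without a JSON file the embedded sample is analysed.
    if len(argv) < 3:
        print("usage: find_dup_parsers.py <resource-group> <workspace> [saved-searches.json]")
        return 2
    rg, ws = argv[1], argv[2]
    if len(argv) > 3:
        with open(argv[3], encoding="utf-8") as fh:
            searches = json.load(fh)
    else:
        searches = SAMPLE_SAVED_SEARCHES
    dups = find_duplicate_functions(searches)
    if not dups:
        print("no duplicate function aliases found")
        return 0
    for alias, names in sorted(dups.items()):
        print(f"# alias {alias!r} is defined {len(names)} times")
        for cmd in delete_commands(rg, ws, names):
            print(cmd)
    print("# then reinstall the solution from Content hub and re-run this check")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real workspace with `az ... saved-search list ... > searches.json` followed by `python find_dup_parsers.py <rg> <ws> searches.json`; the printed delete commands are not executed automatically, so you can review which copies go before pasting them. After reinstalling the solution, re-run the script: an exit status of 0 means only one instance of each parser remains, which is step 5 of the procedure.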

Known Issue #9 - Limitations of Oracle unified auditing in the Oracle Database Audit data connector

There are limitations in Oracle unified auditing and in syslog forwarding that may require changes on the Oracle side. For example, you might need to create and enable an audit policy that logs all the events, restart the database, and add the syslog configuration.

If the SQL injection rule does not return the expected results, the cause may be the complexity of the SQL injection patterns or the configuration of the Oracle servers. It's recommended to revalidate the SQL injection pattern rule and adjust it to the specific needs and configuration of your Oracle servers.