All of these rules fail with the same error when you try to create them

Open anfisher1967 opened this issue 3 years ago • 9 comments

Attempting to Create Rule: Dev-0530 IOC - July 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashCustomEntity' does not exist.

Attempting to Create Rule: ACTINIUM AV hits - Feb 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashType' does not exist.

Attempting to Create Rule: Tarrask malware IOC - April 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashCustomEntity' does not exist.

Attempting to Create Rule: KNOTWEED File Hashes July 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashCustomEntity' does not exist.

Attempting to Create Rule: Hive Ransomware IOC - July 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashCustomEntity' does not exist.

Attempting to Create Rule: Zinc Actor IOCs files - October 2022 Error Creating Rule: Error in EntityMappings: The given column 'AlgorithmCustomEntity' does not exist.

anfisher1967 avatar Oct 12 '22 01:10 anfisher1967

Thank you for submitting an Issue to the Azure Sentinel GitHub repo! You should expect an initial response to your Issue from the team within 5 business days. Note that this response may be delayed during holiday periods. For urgent, production-affecting issues please raise a support ticket via the Azure Portal.

github-actions[bot] avatar Oct 12 '22 01:10 github-actions[bot]

These too:

Attempting to Create Rule: ACTINIUM Actor IOCs - Feb 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashType' does not exist.

Attempting to Create Rule: Mercury - Domain, Hash and IP IOCs - August 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashCustomEntity' does not exist.

Attempting to Create Rule: Europium - Hash and IP IOCs - September 2022 Error Creating Rule: Error in EntityMappings: The given column 'FileHashCustomEntity' does not exist.

anfisher1967 avatar Oct 12 '22 01:10 anfisher1967

How are you attempting to deploy/create these rules? Through the UI? API? Or TF provider?

Phrozyn avatar Oct 12 '22 17:10 Phrozyn

UI

anfisher1967 avatar Oct 12 '22 22:10 anfisher1967

+1 on this as well

richlilly2004 avatar Oct 13 '22 17:10 richlilly2004

Any news on this issue?

abaddon82 avatar Nov 03 '22 14:11 abaddon82

This is pure speculation, but if you read the YAML for these rules, the FileHashCustomEntity is a SHA256 algorithm value:

    | extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256

The correct entry in the YAML for the entity mapping is probably:

    - entityType: FileHash
      fieldMappings:
        - identifier: Algorithm
          columnName: SHA256
        - identifier: Value
          columnName: FileHashCustomEntity

akmatthewsuk avatar Nov 07 '22 17:11 akmatthewsuk
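The failures in this thread are all the same defect: an entityMappings columnName that the rule's KQL query never produces. A pre-deployment check for that, added here as an illustration (not code from the Azure-Sentinel repository), follows. It collects the columns a query exposes through project/extend and reports any mapping column not among them; the sample query and mappings are constructed, and base-table columns the script cannot see can be supplied via base_columns.

```python
import re
from typing import Dict, Iterable, List, Set

# Constructed sample: the extend line quoted in the thread, with a typical
# project step in front of it (not a real rule from the repository).
SAMPLE_QUERY = """
DeviceFileEvents
| where SHA256 in (hashes)
| project TimeGenerated, Hostname = DeviceName, AccountName, SHA256
| extend timestamp = TimeGenerated, HostCustomEntity = Hostname , AccountCustomEntity = AccountName, FileHashCustomEntity = SHA256
"""

# Constructed mapping that reproduces the "FileHashType does not exist" error:
# the Algorithm identifier points at a column the query never creates.
BROKEN_MAPPINGS = [
    {"entityType": "Host", "fieldMappings": [
        {"identifier": "FullName", "columnName": "HostCustomEntity"}]},
    {"entityType": "FileHash", "fieldMappings": [
        {"identifier": "Algorithm", "columnName": "FileHashType"},
        {"identifier": "Value", "columnName": "FileHashCustomEntity"}]},
]

# The fix: materialise the algorithm name as a column the mapping can reference.
FIXED_QUERY = SAMPLE_QUERY + '| extend FileHashType = "SHA256"\n'

_SPLIT_TOP = re.compile(r",(?![^()]*\))")          # commas outside parentheses
_ASSIGN = re.compile(r"^([A-Za-z_]\w*)\s*=(?!=)")   # "Name = expr", not "=="

def query_output_columns(query: str, base_columns: Iterable[str] = ()) -> Set[str]:
    """Columns visible after the last project/extend (summarize/join not handled)."""
    cols: Set[str] = set(base_columns)
    for line in query.splitlines():
        m = re.match(r"\|\s*(project|extend)\s+(.*)$", line.strip())
        if not m:
            continue
        op, names = m.group(1), set()
        for item in (s.strip() for s in _SPLIT_TOP.split(m.group(2))):
            a = _ASSIGN.match(item)
            if a:
                names.add(a.group(1))         # assigned column
            elif op == "project" and item:
                names.add(item)               # bare column kept by project
        cols = names if op == "project" else cols | names
    return cols

def missing_mapping_columns(query: str, mappings: List[Dict],
                            base_columns: Iterable[str] = ()) -> List[str]:
    """Return 'EntityType.identifier -> column' for every unresolved mapping."""
    have = query_output_columns(query, base_columns)
    return [f"{m['entityType']}.{f['identifier']} -> '{f['columnName']}'"
            for m in mappings for f in m.get("fieldMappings", [])
            if f["columnName"] not in have]
```

Run against the constructed rule the broken mapping reports the FileHashType gap and the fixed query reports nothing; a summarize or join step would need its output columns passed in via base_columns.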

Hi @anfisher1967, sorry for the delayed response. We are able to create analytic rules for the above mentioned items. Could you please re-verify whether it's working at your end or not? Thanks!

v-amolpatil avatar Jan 31 '23 11:01 v-amolpatil

Same error in two different tenants. Let me know if you want a screen shot.

anfisher1967 avatar Jan 31 '23 15:01 anfisher1967

Hi @anfisher1967, we wanted to check on the status of Issue https://github.com/Azure/Azure-Sentinel/issues/6363. The issue has been pending for longer than expected. Please let us know if you need any assistance to review this Issue. As per our standard operating procedures, if no response is received in the next 7 business days, we will close this Issue. Thank you for your cooperation.

v-rbajaj avatar Jun 07 '23 12:06 v-rbajaj

Since we have not received a response in the last 7 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your cooperation.

v-vdixit avatar Jun 15 '23 05:06 v-vdixit