RFPD-77178: log ingestion API by aommm · Pull Request #20 · recordedfuture/Azure-Sentinel

aommm · 2026-06-02T09:41:10Z

No description provided.

aommm · 2026-06-02T13:28:35Z

            "type": "Microsoft.Logic/workflows"
        },
+        {
+            "type": "Microsoft.Authorization/roleAssignments",


FYI @ErikMangstenRecFut - this is pretty cool.

This is when using Managed Identity - you can apparently ship the role assignments like this, which makes onboarding easier.

We could do this eventually for more logic apps imo if it works well.

It does mean that the person instantiating the logic app needs high permissions. That's why (A)I added an option for it, see other comment

That is really cool.
Wonder if this is a "well known" pattern, but in some sense, I feel like all of these "easier onboarding" steps is just possible because we have such high permissions, and as we know, questions about permissions is like the number 1 question regarding Azure. So I'm a bit ambivalent of adding these things we quite don't understand and requires high permissions.

I also wonder if it's well-known / if Microsoft will accept it. I understand it to some extent, I think the new readme covers it pretty well, so I'll try to submit it with the role assignment and see what Microsoft says.

ErikMangstenRecFut · 2026-06-10T13:54:21Z

@@ -0,0 +1,92 @@
+{


I don't think this will be accepted by msft. I tried to add this in a previous PR but it was rejected :(

Gotcha. I'll try again :)

FYI @ErikMangstenRecFut I moved this JSON to the Data Connectors folder in order to pass validation

aommm · 2026-06-15T06:25:50Z

/upstream-pr

github-actions · 2026-06-15T06:29:36Z

/upstream-pr succeeded. 🚀

Upstream branch: feat/RFPD-77178-log-ingestion-api
Next steps: Open PR towards Microsoft

Cherry-picked commits:

25be003 RFI: migrate RFI-Playbook-Alert-Importer-LAW to DCE/DCR
4c077ba feat: add connector definition tile for RFI Alert Importer
8310c34 refactor: rename connector definition params to match solution convention
d6fc3f5 refactor: derive workspaceResourceId from workspace name in data connectors template
27f14bb docs: add Monitoring Contributor and RBAC prereqs for Data Connectors deploy
99156d9 fix: add create_role_assignment param
6a1d2e8 fix
f26fe2e test: try array for prerequisitesDeployTemplateFile
6d563e0 revert: prerequisitesDeployTemplateFile back to single string
d3a6106 feat: merge connector definition into azuredeploy-alert-importer, add create_role_assignment param, sync readme params, add azuredeploy-v3.json infra for v3.0 playbooks
d9d71b4 revert: remove azuredeploy-v3.json, not ready to ship yet
f235914 feat: add ARM deploy template for NRT analytic rule, add deploy button to readme
678a8f1 docs: update readme manually
3bf5b8a docs: update readme with AI + manually
2e46320 docs: update readme manually

aommm · 2026-06-15T06:46:34Z

/upstream-pr

github-actions · 2026-06-15T06:47:20Z

/upstream-pr succeeded. 🚀

Upstream branch: feat/RFPD-77178-log-ingestion-api
Next steps: Open PR towards Microsoft

Cherry-picked commits:

b760c75 feat: migrate RFI-Playbook-Alert-Importer-LAW to DCE/DCR
1e4fa4c feat: add ARM deploy template for NRT analytic rule, add deploy button to readme
30cf3b7 docs: update readme

aommm · 2026-06-15T06:53:40Z

/upstream-pr

github-actions · 2026-06-15T06:54:24Z

/upstream-pr succeeded. 🚀

Upstream branch: feat/RFPD-77178-log-ingestion-api
Next steps: Open PR towards Microsoft

Cherry-picked commits:

b760c75 feat: migrate RFI-Playbook-Alert-Importer-LAW to DCE/DCR
1e4fa4c feat: add ARM deploy template for NRT analytic rule, add deploy button to readme
30cf3b7 docs: update readme
bdd4440 docs: update deploy button URLs to Azure/Azure-Sentinel master

…n to readme

aommm · 2026-06-15T08:21:55Z

/upstream-pr

aommm · 2026-06-15T08:22:23Z

Opened PR with MSFT: Azure#14478

github-actions · 2026-06-15T08:22:42Z

/upstream-pr succeeded. 🚀

Upstream branch: feat/RFPD-77178-log-ingestion-api
Next steps: Open PR towards Microsoft

Cherry-picked commits:

ae79c87 feat: migrate RFI-Playbook-Alert-Importer-LAW to DCE/DCR
30ad2e7 feat: add ARM deploy template for NRT analytic rule, add deploy button to readme
78cd8d3 docs: update readme
48bdedf docs: update deploy button URLs to Azure/Azure-Sentinel master

Renamed to azuredeploy-incident-creation-analytic-rule.json and moved to Data Connectors/ to pass DetectionTemplateSchemaValidation which requires all files in Analytic Rules/ to be .yaml. Updated deploy button URL in Playbooks/readme.md to match new path.

Adds the custom table definition so KqlValidations CI passes (KS204).

The ARM engine accepts string expressions (e.g. "[parameters('flag')]") for the resource condition field — this is the standard pattern for conditional resource deployment in ARM templates. The schema validator was incorrectly limiting condition to literal boolean values only, causing PlaybooksValidations CI to fail on any template that uses an ARM expression for condition (e.g. role assignments gated on a create_role_assignment parameter). This change aligns the schema with actual ARM behavior by accepting both boolean and string types for the resource-level condition field. The output-level condition (a separate definition) is unchanged.

aommm · 2026-06-16T12:41:26Z

/upstream-pr

github-actions · 2026-06-16T12:42:15Z

/upstream-pr succeeded. 🚀

Upstream branch: feat/RFPD-77178-log-ingestion-api
Next steps: Open PR towards Microsoft

Cherry-picked commits:

ae79c87 feat: migrate RFI-Playbook-Alert-Importer-LAW to DCE/DCR
30ad2e7 feat: add ARM deploy template for NRT analytic rule, add deploy button to readme
78cd8d3 docs: update readme
48bdedf docs: update deploy button URLs to Azure/Azure-Sentinel master

aommm · 2026-06-16T12:54:09Z

/upstream-pr

github-actions · 2026-06-16T12:55:02Z

/upstream-pr succeeded. 🚀

Upstream branch: feat/RFPD-77178-log-ingestion-api
Next steps: Open PR towards Microsoft

Cherry-picked commits:

ae79c87 feat: migrate RFI-Playbook-Alert-Importer-LAW to DCE/DCR
30ad2e7 feat: add ARM deploy template for NRT analytic rule, add deploy button to readme
78cd8d3 docs: update readme
48bdedf docs: update deploy button URLs to Azure/Azure-Sentinel master
dc4b21a fix: move analytic rule azuredeploy.json out of Analytic Rules folder
b75f8ea fix: register RFI_PlaybookAlertResults_V2_CL in KQL CustomTables
6178153 fix: allow string type for condition field in ARM template schema

aommm · 2026-06-16T12:59:53Z

New PR towards MSFT: Azure#14495

aommm · 2026-06-16T13:27:15Z

@@ -0,0 +1,49 @@
+{


FYI @ErikMangstenRecFut , I think we need to add this in order to pass validation 🤯

We did have an entry in this folder for the previous Identity solution as well so it feels OK.

Yes this is needed to pass validation, one of the many new "features" :D

aommm · 2026-06-16T13:28:46Z

                },
                "condition": {
-                    "type": "boolean",
+                    "type": ["boolean", "string"],


FYI @ErikMangstenRecFut let's see what Microsoft says about this. But it did work to have condition as a string, this is what we used to implement the create_role_assignment parameter. So I think their validation is too strict here. See Claude's commit message for more details.

aommm force-pushed the RFPD-77178-log-ingestion-api branch 2 times, most recently from 8a26673 to 25be003 Compare June 2, 2026 11:11

aommm commented Jun 2, 2026

View reviewed changes

Comment thread Solutions/Recorded Future Identity/Playbooks/readme.md Outdated

aommm commented Jun 2, 2026

View reviewed changes

Comment thread Solutions/Recorded Future Identity/Playbooks/RFI-Playbook-Alert-Importer-LAW/azuredeploy.json

aommm commented Jun 2, 2026

View reviewed changes

ErikMangstenRecFut reviewed Jun 10, 2026

View reviewed changes

aommm force-pushed the RFPD-77178-log-ingestion-api branch 4 times, most recently from d0fb9fa to 30cf3b7 Compare June 15, 2026 06:46

aommm added 4 commits June 15, 2026 10:20

feat: migrate RFI-Playbook-Alert-Importer-LAW to DCE/DCR

ae79c87

feat: add ARM deploy template for NRT analytic rule, add deploy butto…

30ad2e7

…n to readme

docs: update readme

78cd8d3

docs: update deploy button URLs to Azure/Azure-Sentinel master

48bdedf

aommm force-pushed the RFPD-77178-log-ingestion-api branch from f522d7d to 48bdedf Compare June 15, 2026 08:21

aommm closed this Jun 15, 2026

aommm reopened this Jun 15, 2026

aommm added 3 commits June 16, 2026 13:44

fix: register RFI_PlaybookAlertResults_V2_CL in KQL CustomTables

b75f8ea

Adds the custom table definition so KqlValidations CI passes (KS204).

aommm commented Jun 16, 2026

View reviewed changes

Conversation

aommm commented Jun 2, 2026

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

aommm commented Jun 15, 2026

Uh oh!

github-actions Bot commented Jun 15, 2026

Uh oh!

aommm commented Jun 15, 2026

Uh oh!

github-actions Bot commented Jun 15, 2026

Uh oh!

aommm commented Jun 15, 2026

Uh oh!

github-actions Bot commented Jun 15, 2026

Uh oh!

aommm commented Jun 15, 2026

Uh oh!

aommm commented Jun 15, 2026

Uh oh!

github-actions Bot commented Jun 15, 2026

Uh oh!

aommm commented Jun 16, 2026

Uh oh!

github-actions Bot commented Jun 16, 2026

Uh oh!

aommm commented Jun 16, 2026

Uh oh!

github-actions Bot commented Jun 16, 2026

Uh oh!

aommm commented Jun 16, 2026

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

2 participants