Update Audit-BreakGlassAccountSignIn.kql #4
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Deploy Content to sentinel [f40ae3b7-b470-48c8-8832-a62a970a49f2] | |
| # Note: This workflow will deploy everything in the root directory. | |
| # To deploy content only from a specific path (for example SentinelContent): | |
| # 1. Add the target path to the "paths" property like such | |
| # paths: | |
| # - 'SentinelContent/**' | |
| # - '!.github/workflows/**' | |
| # - '.github/workflows/sentinel-deploy-f40ae3b7-b470-48c8-8832-a62a970a49f2.yml' | |
| # 2. Append the path to the directory environment variable below | |
| # directory: '${{ github.workspace }}/SentinelContent' | |
| on: | |
| push: | |
| branches: [ main ] | |
| paths: | |
| - '**' | |
| - '!.github/workflows/**' # this filter prevents other workflow changes from triggering this workflow | |
| - '.github/workflows/sentinel-deploy-f40ae3b7-b470-48c8-8832-a62a970a49f2.yml' | |
| jobs: | |
| deploy-content: | |
| runs-on: windows-latest | |
| env: | |
| resourceGroupName: 'monitoring' | |
| workspaceName: 'sentinel' | |
| workspaceId: '302557e1-4a10-41f0-be2b-fcd644c9287b' | |
| directory: '${{ github.workspace }}' | |
| cloudEnv: 'AzureCloud' | |
| creds: ${{ secrets.AZURE_SENTINEL_CREDENTIALS_f40ae3b7b47048c88832a62a970a49f2 }} | |
| contentTypes: 'AnalyticsRule,AutomationRule,HuntingQuery,Parser,Playbook,Workbook' | |
| branch: 'main' | |
| sourceControlId: 'f40ae3b7-b470-48c8-8832-a62a970a49f2' | |
| rootDirectory: '${{ github.workspace }}' | |
| githubAuthToken: ${{ secrets.GITHUB_TOKEN }} | |
| smartDeployment: 'true' | |
| steps: | |
| - name: Login to Azure (Attempt 1) | |
| continue-on-error: true | |
| id: login1 | |
| uses: azure/login@v1 | |
| if: ${{ env.cloudEnv == 'AzureCloud' }} | |
| with: | |
| creds: ${{ secrets.AZURE_SENTINEL_CREDENTIALS_f40ae3b7b47048c88832a62a970a49f2 }} | |
| enable-AzPSSession: true | |
| - name: Wait 30 seconds if login attempt 1 failed | |
| if: ${{ env.cloudEnv == 'AzureCloud' && steps.login1.outcome=='failure' }} | |
| run: powershell Start-Sleep -s 30 | |
| - name: Login to Azure (Attempt 2) | |
| continue-on-error: true | |
| id: login2 | |
| uses: azure/login@v1 | |
| if: ${{ env.cloudEnv == 'AzureCloud' && steps.login1.outcome=='failure' }} | |
| with: | |
| creds: ${{ secrets.AZURE_SENTINEL_CREDENTIALS_f40ae3b7b47048c88832a62a970a49f2 }} | |
| enable-AzPSSession: true | |
| - name: Wait 30 seconds if login attempt 2 failed | |
| if: ${{ env.cloudEnv == 'AzureCloud' && steps.login2.outcome=='failure' }} | |
| run: powershell Start-Sleep -s 30 | |
| - name: Login to Azure (Attempt 3) | |
| continue-on-error: false | |
| id: login3 | |
| uses: azure/login@v1 | |
| if: ${{ env.cloudEnv == 'AzureCloud' && steps.login2.outcome=='failure' }} | |
| with: | |
| creds: ${{ secrets.AZURE_SENTINEL_CREDENTIALS_f40ae3b7b47048c88832a62a970a49f2 }} | |
| enable-AzPSSession: true | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Deploy Content to Azure Sentinel | |
| uses: azure/powershell@v1 | |
| with: | |
| azPSVersion: 'latest' | |
| inlineScript: | | |
| ${{ github.workspace }}//.github/workflows/azure-sentinel-deploy-f40ae3b7-b470-48c8-8832-a62a970a49f2.ps1 |