@vmanojreddy & @aprakash13 - Able to create rule in Sentinel.
Not sure if a column in watchlist is not getting recognized in build validation.
Request your help !

@vmanojreddy & @aprakash13 - Could you please here !

@aprakash13 Please take a look and provide your approve.

Thanks @samikroy. Sorry for the delay here. I will look into the validation errors and get that addressed before we can merge this.

Thank you for the update @aprakash13 . Please let me know for any changes needed.
My observation is that it is failing as the watch list is referred and assuming the same to be available as a built schema.

@aprakash13 :Please have a look for validation errors.

@hi @samikroy We wanted to check on the status of PR #4679. PR is pending from more long time. Let us know if any assistance is required for this PR. As Per our standard operating procedures if no response is received in the next 7 business days we will close this PR. Thank you for your cooperation.

@hi @samikroy We wanted to check on the status of PR #4679. PR is pending from more long time. Let us know if any assistance is required for this PR. As Per our standard operating procedures if no response is received in the next 7 business days we will close this PR. Thank you for your cooperation.

Thank you for your response @v-marimanda.
Seems this need a revisit to the validation rules in the pipiline.
As have used watchlists in NRT rules which is supported.
https://docs.microsoft.com/en-us/azure/sentinel/near-real-time-rules#:~:text=%2C%20refer%20to%20multiple%20watchlists%20and%20to%20threat%20intelligence%20feeds.

Hi @samikroy
Please address the suggestions provided by @oshezaf. If you have already addressed the comments, please request @oshezaf for re review your changes.
Thanks

@oshezaf - Thank you for your suggestion & apologies for the delay in response.
Have update the query .
Request you to have a look
Thank you.

Approved at least as far as my comment goes.

Thank you @oshezaf .
@v-mchatla - Could you please help merge this rule.

Hi @samikroy
All the checks need to be passed to merge the PR. Can you please fix the validation failures.

Hi @samikroy All the checks need to be passed to merge the PR. Can you please fix the validation failures.

@v-mchatla - Please have a look at the history of this PR.
Have mentioned in the beginning about watchlist being scanned for schema.

Seems line #132 from this file causing the failure as schema validation is done in the first place before discounting it as a watchlist.
https://github.com/Azure/Azure-Sentinel/blob/master/.script/tests/KqlvalidationsTests/KqlValidationTests.cs

@aprakash13 have mentioned about addressing this earlier.

Do not see the source code for _queryValidator.ValidateSyntax to fix this further.
Please let me know for more inputs.
Thank you.

private void ValidateKql(string id, string queryStr)
        {
            var validationResult = _queryValidator.ValidateSyntax(queryStr);
            var firstErrorLocation = (Line: 0, Col: 0);
            if (!validationResult.IsValid)
            {
                firstErrorLocation = GetLocationInQuery(queryStr, validationResult.Diagnostics.First(d => d.Severity == "Error").Start);
            }

            var listOfDiagnostics = validationResult.Diagnostics;

            bool isQueryValid = !(from p in listOfDiagnostics
                               where !p.Message.Contains("_GetWatchlist") //We do not validate the getWatchList, since the result schema is not known
                               select p).Any();

Hi @samikroy
We will look into it.
Thanks

Hi @samikroy,
Can you please share the watchlist being used in the query.
Thanks

Hi @samikroy,
Can you please share the watchlist being used in the query to resolve validation failures.
Thanks

Hi @samikroy, Can you please share the watchlist being used in the query to resolve validation failures. Thanks

@v-mchatla & @v-spadarthi - Please refer this
https://learn.microsoft.com/en-us/azure/sentinel/watchlist-schemas?WT.mc_id=Portal-Microsoft_Azure_SentinelUS#vip-users

Hi @samikroy,
Thanks for sharing the details. I have occupied with other work. I will work on it today and provide you the update.
Thanks

Hi @samikroy,
I have verified the watchlist and everything is working fine. Checking with my internal team on how to handle this KQL Validations
Thanks

Hi @samikroy,
I'm already working with my internal team, will keep you posted.
Thanks

Hi @samikroy,
To fix the validation error you need to add below details in .script\tests\KqlvalidationsTests\SkipValidationsTemplates.json
{    "id": "29e99017-e28d-47be-8b9a-c8c711f8a903",    "templateName": "NRT_AuthenticationMethodsChangedforVIPUsers.yaml",    "validationFailReason": "The name 'User Principal Name' does not refer to any known column, table, variable or function"  }
Let me know if you need any details.
Thanks

Hi @samikroy,
Please resolve the conflict and also accept license.
Thanks