Commit 8406b38

Added last two troubleshooting cases
1 parent 6fa59c2 commit 8406b38

3 files changed

+30
-48
lines changed

articles/sentinel/automate-incident-handling-with-automation-rules.md

Lines changed: 9 additions & 0 deletions
@@ -351,6 +351,15 @@ You can [create and manage automation rules](create-manage-use-automation-rules.
351351

352352
You'll notice that when you create an automation rule from here, the **Create new automation rule** panel has populated all the fields with values from the incident. It names the rule the same name as the incident, applies it to the analytics rule that generated the incident, and uses all the available entities in the incident as conditions of the rule. It also suggests a suppression (closing) action by default, and suggests an expiration date for the rule. You can add or remove conditions and actions, and change the expiration date, as you wish.
353353

354+
### Export and import automation rules (Preview)
355+
356+
Export your automation rules to Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Microsoft Sentinel deployments as code. The export action will create a JSON file in your browser's downloads location, that you can then rename, move, and otherwise handle like any other file.
357+
358+
The exported JSON file is workspace-independent, so it can be imported to other workspaces and even other tenants. As code, it can also be version-controlled, updated, and deployed in a managed CI/CD framework.
359+
360+
The file includes all the parameters defined in the automation rule. Rules of any trigger type can be exported to a JSON file.
361+
362+
For instructions on exporting and importing automation rules, see [Export and import Microsoft Sentinel automation rules](import-export-automation-rules.md).
354363

355364
## Next steps
356365
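
Review bot: The second added paragraph (new line 358) calls the exported JSON file workspace-independent and importable to other workspaces and tenants, but it doesn't say that a rule can still depend on objects that must exist in the target workspace. The troubleshooting table changed in import-export-automation-rules.md in this same commit lists imports that end up disabled or fail when the referenced analytics rule, custom details key or playbook is missing there. Suggest adding one sentence here that says so, next to the existing link on new line 362. Separately, in new line 356, "downloads location, that you can then rename" reads better as "downloads location, which you can then rename".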

articles/sentinel/import-export-automation-rules.md

Lines changed: 10 additions & 37 deletions
@@ -53,43 +53,16 @@ The file includes all the parameters defined in the automation rule. Rules of an
5353
5454
## Troubleshooting
5555

56-
- **Analytics rule doesn't exist:** If you export an automation rule [based on a particular analytics rule](create-manage-use-automation-rules.md#define-conditions), and then import it to another workspace that doesn't have that same analytics rule in it, the following things will happen:
57-
- The automation rule will successfully deploy in the second workspace.
58-
- The automation rule will be automatically disabled.
59-
- In the automation rule conditions, the analytics rule drop-down will display as "Unknown rule".
60-
61-
To allow this automation rule to run in the second workspace:
62-
1. Export the referenced analytics rule from the original workspace and import it to the second one.
63-
1. Edit the automation rule in the second workspace, choosing the now-present analytics rule from the drop-down.
64-
1. Enable the automation rule.
65-
66-
- **Custom details key doesn't exist:** If you export an automation rule with conditions that reference [custom details keys](create-manage-use-automation-rules.md#conditions-based-on-custom-details), and then import it to another workspace where no analytics rules [surface those custom details](surface-custom-details-in-alerts.md), the following things will happen:
67-
- The automation rule will successfully deploy in the second workspace.
68-
- The automation rule will be automatically disabled.
69-
- In the automation rule conditions, the custom details key drop-down will display as "Unknown custom details key".
70-
71-
To allow this automation rule to run in the second workspace:
72-
1. Import or create an analytics rule that will [surface the relevant custom details](surface-custom-details-in-alerts.md) in the second workspace.
73-
1. Edit the automation rule in the second workspace, choosing the now-present custom details from the drop-down.
74-
1. Enable the automation rule.
75-
76-
- **Playbook doesn't exist:** If you export an automation rule that calls a playbook, and then import it to another workspace that doesn't have access to the playbook, or if the playbook was moved or deleted, the automation rule deployment will fail, and you'll receive an error message with the specific reason.
77-
78-
To allow this automation rule to deploy properly when imported, make sure that the playbook exists and that the second workspace has access to the resource group that contains the playbook.
79-
80-
- **Expired automation rule:** If an automation rule is past its expiration date when imported, the automation rule deployment will fail and you'll receive an error message.
81-
82-
To allow this automation rule to deploy properly when imported, choose **one** of the following procedures, depending on the relevant circumstances:
83-
84-
- **If you don't mind the automation rule running in the original workspace:**
85-
1. Edit the automation rule in the original workspace and change its expiration date to a date in the future.
86-
1. Export the rule again from the original workspace.
87-
1. Import the newly exported version into the second workspace.
88-
89-
- **If you don't want the rule to run again in the original workspace:**
90-
1. Edit the JSON file that represents the exported automation rule.
91-
1. Find the expiration date (that appears immediately after the string `"expirationTimeUtc":`) and replace it with a date in the future.
92-
1. Save the file and re-import it into the second workspace.
56+
If you have any issues importing an exported automation rule, consult the following table.
57+
58+
| Behavior (with *error*) | Reason | Suggested action |
59+
| ----------------------- | ------ | ---------------- |
60+
| **Imported automation rule is disabled**<br>-*and*-<br>**The rule's *analytics rule* condition displays "Unknown rule"** | The rule contains a condition that refers to an analytics rule that doesn't exist in the target workspace. | <ol><li>Export the referenced analytics rule from the original workspace and import it to the target one.<li>Edit the automation rule in the target workspace, choosing the now-present analytics rule from the drop-down.<li>Enable the automation rule.</ol> |
61+
| **Imported automation rule is disabled**<br>-*and*-<br>**The rule's *custom details key* condition displays "Unknown custom details key"** | The rule contains a condition that refers to a [custom details key](surface-custom-details-in-alerts.md) that isn't defined in any analytics rules in the target workspace. | <ol><li>Export the referenced analytics rule from the original workspace and import it to the target one.<li>Edit the automation rule in the target workspace, choosing the now-present analytics rule from the drop-down.<li>Enable the automation rule. |
62+
| **Deployment failed in target workspace, with error message: "\<PLEASE SUPPLY>"** | The playbook was moved.<br>-*or*-<br>The playbook was deleted.<br>-*or*-<br>The target workspace doesn't have access to the playbook. | Make sure the playbook exists, and that the target workspace has the right access to the resource group that contains the playbook. |
63+
| **Deployment failed in target workspace, with error message: "\<PLEASE SUPPLY>"** | The automation rule was past its defined expiration date when you imported it. | **If you want the rule to remain expired in its original workspace:**<ol><li>Edit the JSON file that represents the exported automation rule.<li>Find the expiration date (that appears immediately after the string `"expirationTimeUtc":`) and replace it with a new expiration date (in the future).<li>Save the file and re-import it into the target workspace.</ol>**If you want the rule to return to active status in its original workspace:**<ol><li>Edit the automation rule in the original workspace and change its expiration date to a date in the future.<li>Export the rule again from the original workspace.<li>Import the newly exported version into the target workspace.</ol> |
64+
| **Deployment failed in target workspace, with error message: "The JSON file you attempted to import has an invalid format. Please check the file and try again."** | The imported file isn't a valid JSON file. | Check the file for problems and try again. For best results, export the original rule again to a new file, then try the import again. |
65+
| **Deployment failed in target workspace, with error message: "No resources found in the file. Please ensure the file contains deployment resources and try again."** | The list of resources under the "resources" key in the JSON file is empty. | Check the file for problems and try again. For best results, export the original rule again to a new file, then try the import again. |
9366

9467
## Next steps
9568
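
Review bot: In the second table row (new line 61, "Unknown custom details key"), the suggested action is a copy of the analytics-rule row above it: it tells the reader to export the referenced analytics rule and to choose "the now-present analytics rule from the drop-down", whereas the removed text (old lines 72-74) said to import or create an analytics rule that surfaces the relevant custom details and then choose the now-present custom details. Restore the custom-details wording, and close the list in that cell with `</ol>` as the other rows do. New lines 62 and 63 still carry the placeholder error message "\<PLEASE SUPPLY>", which leaves the two rows with identical Behavior cells, so the real error strings need to be filled in before this is published.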

articles/sentinel/whats-new.md

Lines changed: 11 additions & 11 deletions
@@ -20,9 +20,20 @@ The listed features were released in the last three months. For information abou
2020

2121
## August 2024
2222

23+
- [Export and import automation rules (Preview)](#export-and-import-automation-rules-preview)
2324
- [New Auxiliary logs retention plan (Preview)](#new-auxiliary-logs-retention-plan-preview)
2425
- [Create summary rules for large sets of data (Preview)](#create-summary-rules-in-microsoft-sentinel-for-large-sets-of-data-preview)
2526

27+
### Export and import automation rules (Preview)
28+
29+
You can now export your automation rules to Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Microsoft Sentinel deployments as code. The export action will create a JSON file in your browser's downloads location, that you can then rename, move, and otherwise handle like any other file.
30+
31+
The exported JSON file is workspace-independent, so it can be imported to other workspaces and even other tenants. As code, it can also be version-controlled, updated, and deployed in a managed CI/CD framework.
32+
33+
The file includes all the parameters defined in the automation rule. Rules of any trigger type can be exported to a JSON file.
34+
35+
Learn more about [exporting and importing automation rules](import-export-automation-rules.md).
36+
2637
### New Auxiliary logs retention plan (Preview)
2738

2839
The new **Auxiliary logs** retention plan for Log Analytics tables allows you to ingest large quantities of high-volume logs with supplemental value for security at a much lower cost. Auxiliary logs are available with interactive retention for 30 days, in which you can run simple, single-table queries on them, such as to summarize and aggregate the data. Following that 30-day period, auxiliary log data goes to long-term retention, which you can define for up to 12 years, at ultra-low cost. This plan also allows you to run search jobs on the data in long-term retention, extracting only the records you want to a new table that you can treat like a regular Log Analytics table, with full query capabilities.
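
Review bot: The "Export and import automation rules (Preview)" entry added under August 2024 (new lines 23 and 27-36) is the same text this commit removes from the June 2024 section further down, and the commit message ("Added last two troubleshooting cases") doesn't mention the move. Please confirm that August is the intended release month and say so in the commit message, or split the move into its own commit. The three paragraphs also duplicate, nearly word for word, the section added to automate-incident-handling-with-automation-rules.md in this commit; consider trimming the what's-new entry to a short summary plus the existing link on new line 35 so the text only has to be maintained in one place.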
@@ -83,20 +94,9 @@ Microsoft Sentinel is now generally available within the Microsoft unified secur
8394

8495
## June 2024
8596

86-
- [Export and import automation rules (Preview)](#export-and-import-automation-rules-preview)
8797
- [Codeless Connector Platform now generally available](#codeless-connector-platform-now-generally-available)
8898
- [Advanced threat indicator search capability available](#advanced-threat-indicator-search-capability-available)
8999

90-
### Export and import automation rules (Preview)
91-
92-
You can now export your automation rules to Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Microsoft Sentinel deployments as code. The export action will create a JSON file in your browser's downloads location, that you can then rename, move, and otherwise handle like any other file.
93-
94-
The exported JSON file is workspace-independent, so it can be imported to other workspaces and even other tenants. As code, it can also be version-controlled, updated, and deployed in a managed CI/CD framework.
95-
96-
The file includes all the parameters defined in the automation rule. Rules of any trigger type can be exported to a JSON file.
97-
98-
Learn more about [exporting and importing automation rules](import-export-automation-rules.md).
99-
100100
### Codeless Connector Platform now generally available
101101

102102
The Codeless Connector Platform (CCP), is now generally available (GA). Check out the [announcement blog post](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-create-your-own-codeless-data-connector/ba-p/4174439).
