I’ve seen a few questions around this recently, so it’s worth highlighting here.
The Microsoft 365 Defender connector is in public preview and the intent for this connector is to eventually consolidate all the Defender-type service connections into a single connector. Awesome intent. Logical. However, because it’s in preview, it’s not quite at full capability yet.
When you enable the Preview Data Connector for Microsoft 365 Defender, you are given the choice of disabling the original Analytics Rules for the original connectors. See the next image for an example.
Disabling the original Analytics Rules could stop alerts from being generated from those services that are not quite ready to work with the consolidated connector. MCAS is one of those.
To resolve, just go into the active Analytics Rules blade and reenable the disabled rules.
P.S. Thanks for participating in our Public Previews!
UPDATE: My good buddy Sreedar has now developed a PowerShell script to automate reenabling the disabled rules. Go here: andedevsecops/BulkUpdateSentinelAlertRules (github.com)
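As an added example (not the script linked above and not Microsoft's own code), here is one way to do the same re-enable step from PowerShell through the Azure management REST API. It assumes the disabled rules are Microsoft incident creation rules (kind `MicrosoftSecurityIncidentCreation`), API version `2023-02-01`, and a session already signed in with `Connect-AzAccount`; the parameter names are illustrative.

```powershell
# Added example: find disabled Microsoft incident creation rules in a Sentinel
# workspace and re-enable them. Requires Az.Accounts and Connect-AzAccount.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    # Assumption: limit changes to one source product; pass '*' to match all.
    [string] $ProductFilter = 'Microsoft Cloud App Security',
    # Report what is disabled without changing anything.
    [switch] $ListOnly
)

$apiVersion = '2023-02-01'   # assumed API version
$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
        "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
        "/providers/Microsoft.SecurityInsights/alertRules"

$resp = Invoke-AzRestMethod -Method GET -Path "${base}?api-version=$apiVersion"
if ($resp.StatusCode -ne 200) {
    throw "Listing rules failed: $($resp.StatusCode) $($resp.Content)"
}
$page = $resp.Content | ConvertFrom-Json
if ($page.nextLink) {
    Write-Warning 'More rules exist on a further page; this example reads only the first.'
}

# Keep only disabled incident creation rules for the selected product.
$rules = $page.value | Where-Object {
    $_.kind -eq 'MicrosoftSecurityIncidentCreation' -and
    -not $_.properties.enabled -and
    $_.properties.productFilter -like $ProductFilter
}

foreach ($rule in $rules) {
    Write-Host "Disabled: $($rule.properties.displayName) [$($rule.properties.productFilter)]"
    if ($ListOnly) { continue }

    $rule.properties.enabled = $true
    # Drop the read-only timestamp before sending the rule back.
    $rule.properties.PSObject.Properties.Remove('lastModifiedUtc')
    # The etag makes the update fail if the rule changed since it was read.
    $body = $rule | Select-Object kind, etag, properties | ConvertTo-Json -Depth 10
    $put  = Invoke-AzRestMethod -Method PUT -Payload $body `
                -Path "$base/$($rule.name)?api-version=$apiVersion"
    if ($put.StatusCode -notin 200, 201) {
        Write-Warning "Could not enable $($rule.name): $($put.StatusCode) $($put.Content)"
    }
}
```

Run it with `-ListOnly` first to confirm which rules were disabled before writing any change back.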