Just a quick heads-up tip for those that might be affected by this scenario eventually. Some might call this a “best practice” but I know many people hate that term. Hence, my use of the term “tip” instead.
When Microsoft updates an Azure Sentinel Analytics Rule, any changes you have made to the original rule are reverted to the updated version.
To ensure your changes are retained when you want to adjust an original Analytics Rule, Duplicate it first, make the changes in the duplicate, and then Disable the original rule.