Tip: Duplicate and Deprecate to Modify Azure Sentinel Analytics Rules

Just a quick heads-up tip for those that might be affected by this scenario eventually. Some might call this a “best practice” but I know many people hate that term. Hence, my use of the term “tip” instead.

When Microsoft updates Azure Sentinel Analytics Rules, any changes you have made to the original rule will revert to the updated version.

To ensure your changes are retained when you want to adjust an original Analytics Rule, Duplicate it first, make the changes in the duplicate, and then Disable the original rule.

Duplicate and make changes
Disable original
