Duplicate Content After Deploying a Microsoft Sentinel Solution

I’ve been asked this a couple of times recently and thought it necessary to expose and highlight.

When you deploy a Microsoft Sentinel solution, it creates the content in the Microsoft Sentinel environment that’s associated with the solution. Things like Analytics Rules, Workbooks, Data Connectors, Parsers, Hunting Queries, etc. that are necessary for the Solution to function are deployed automatically.

However, if – for some reason – the Solution is deployed again, everything that has already been deployed will be duplicated, not overwritten. So, just let your team know to check before clicking willy-nilly in the Solutions area.

If you have duplicates because of this, disable or delete the ones you don’t need.
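To spot these duplicates without scrolling through the Analytics blade, here is an added example (not from the original post) that groups the rules returned by the Sentinel `alertRules` REST listing by kind and display name and reports the later copies. The listing below is a constructed sample in that API's shape; the script assumes the more recently modified copy is the redeployed one, and since display names are not unique by design, confirm each group before disabling anything.

```python
import json
from collections import defaultdict

# Constructed sample in the shape returned by
# GET .../providers/Microsoft.SecurityInsights/alertRules, trimmed to the
# fields this check needs. The GUIDs are made up for this example.
SAMPLE_LISTING = json.dumps({
    "value": [
        {"name": "11111111-1111-1111-1111-111111111111", "kind": "Scheduled",
         "properties": {"displayName": "Suspicious sign-in from unusual location",
                        "enabled": True, "lastModifiedUtc": "2022-03-01T10:00:00Z"}},
        {"name": "22222222-2222-2222-2222-222222222222", "kind": "Scheduled",
         "properties": {"displayName": "Suspicious sign-in from unusual location",
                        "enabled": True, "lastModifiedUtc": "2022-03-15T09:30:00Z"}},
        {"name": "33333333-3333-3333-3333-333333333333", "kind": "Fusion",
         "properties": {"displayName": "Advanced Multistage Attack Detection",
                        "enabled": True, "lastModifiedUtc": "2022-01-05T00:00:00Z"}},
    ]
})

def find_duplicate_rules(listing_json):
    """Group rules by (kind, displayName) and return only the groups with more
    than one member, each sorted by lastModifiedUtc so the first entry is the
    original to keep and the rest are the copies a redeployment created."""
    groups = defaultdict(list)
    for rule in json.loads(listing_json)["value"]:
        props = rule["properties"]
        groups[(rule["kind"], props["displayName"])].append({
            "name": rule["name"],
            "enabled": props.get("enabled", False),
            "lastModifiedUtc": props.get("lastModifiedUtc", ""),
        })
    return {key: sorted(rules, key=lambda r: r["lastModifiedUtc"])
            for key, rules in groups.items() if len(rules) > 1}

def rules_to_disable(listing_json):
    """Resource names of the later copies: everything but the oldest in each group."""
    names = []
    for rules in find_duplicate_rules(listing_json).values():
        names.extend(r["name"] for r in rules[1:])
    return sorted(names)

if __name__ == "__main__":
    for (kind, display), rules in find_duplicate_rules(SAMPLE_LISTING).items():
        print(f"{kind} rule '{display}' exists {len(rules)} times; keep {rules[0]['name']}")
    print("candidates to disable or delete:", rules_to_disable(SAMPLE_LISTING))
```

Point it at the real listing (for example the saved output of `az rest` against the same URL) and the same functions work unchanged.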

An example of this is shown in the image below.

BTW: This is covered in the Known Issues doc in the Solutions area of the Microsoft Sentinel GitHub repository. If you’ve not read this doc, get familiar with it.
