A new feature has been added for Analytics Rules in Azure Sentinel that lets you review the changes before accepting an update to a rule from its updated template.
Our Analytics Rules are updated from time to time for various reasons, mostly to improve detection. But there may be times when a rule you created from one of our templates has an update available and you don't want to lose your environment-specific modifications.
A new feature (in preview) has shown up in the Azure Sentinel console today to help.
When an active rule has an updated template ready on our GitHub repo (https://aka.ms/ASGitHub), a Compare with Template button will show up.
Once you click it, you'll be taken to the new interface for comparing the template updates. Notice that the rest of the Analytics Rules wizard remains the same; we've just added a new step at the front for the comparison.
Clicking the Review and Update option jumps you to the last step in the wizard, effectively accepting our updates. You can also step through the standard wizard by clicking the Next: Custom changes button, so you can customize our updated template to better align with your team's requirements (severity, schedule, automation, etc.).
For deeper knowledge of this new feature, refer to our Docs: https://cda.ms/2SC