Updating Microsoft Sentinel Solutions Creates Duplicates

I’ve seen this asked several times recently, so it’s something that is noticeable and curious.

It’s true: when an update is available for a Microsoft Sentinel Solution, instead of providing a normal update process, it takes you through the entire creation wizard as if you were installing it for the first time. Unfortunately, this is how it currently works. And, yes, it does create duplicates, because it acts like it’s the first time enabling it, every time.

So, check your Analytics Rules, Workbooks, Hunting queries, etc. If you’ve updated a Solution, you will find duplicates like the following examples.

Duplicate Analytics Rules and Workbooks

If you’re like me, duplicates drive you nuts. You can safely delete the duplicates. For things like duplicate Analytics Rules, the old one will be disabled. For Workbooks, a creation date is stamped on the name so you can quickly identify the old one to delete.
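One way to triage duplicate Analytics Rules before deleting anything, as an added example that is not part of the original post. It assumes the rules have been exported to JSON with `name`, `kind`, `properties.displayName` and `properties.enabled` fields; the sample data and the function name are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample export; the field names are an assumption about the export shape.
SAMPLE_RULES = json.loads("""
{"value": [
 {"name": "rule-aaa", "kind": "Scheduled",
  "properties": {"displayName": "Example brute force rule", "enabled": false}},
 {"name": "rule-bbb", "kind": "Scheduled",
  "properties": {"displayName": "Example brute force rule", "enabled": true}},
 {"name": "rule-ccc", "kind": "Scheduled",
  "properties": {"displayName": "Example rare process rule", "enabled": true}},
 {"name": "rule-ddd", "kind": "Scheduled",
  "properties": {"displayName": "Example DNS rule", "enabled": true}},
 {"name": "rule-eee", "kind": "Scheduled",
  "properties": {"displayName": "Example DNS rule", "enabled": true}}
]}
""")

def find_duplicate_rules(listing):
    """Group rules by (kind, display name) and report each duplicate group.

    Disabled copies are proposed for deletion only when exactly the pattern
    from the post is present: at least one enabled copy remains. Groups with
    no enabled copy, or more than one, are flagged for a manual look instead.
    """
    groups = defaultdict(list)
    for rule in listing.get("value", []):
        title = rule.get("properties", {}).get("displayName", "").strip().casefold()
        if title:
            groups[(rule.get("kind", ""), title)].append(rule)

    report = []
    for (kind, _), rules in sorted(groups.items()):
        if len(rules) < 2:
            continue  # not a duplicate
        enabled = [r["name"] for r in rules if r["properties"].get("enabled")]
        disabled = [r["name"] for r in rules if not r["properties"].get("enabled")]
        report.append({
            "displayName": rules[0]["properties"]["displayName"],
            "kind": kind,
            "keep": enabled,
            "review_for_delete": disabled if enabled else [],
            "needs_manual_check": len(enabled) != 1,
        })
    return report

if __name__ == "__main__":
    print(json.dumps(find_duplicate_rules(SAMPLE_RULES), indent=2))
```

The script only reports; compare any customizations on the disabled copy against the enabled one before deleting it.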

