Deploying Microsoft Sentinel Analytics Rules that are Already Enabled

The Repositories feature in Microsoft Sentinel is a popular way to deploy uniform content from a CI/CD pipeline to one or many Sentinel workspaces.

By default, Analytics Rules deployed this way land in the workspace disabled. A disabled rule produces no incidents until someone turns it on, and across several workspaces that step is easy to miss. Many organizations therefore prefer to deliver new or updated content ready to go, already enabled.

You can accomplish this by modifying the deployment file (.json) so that every Analytics Rule resource in the template is enabled. In each rule's properties block, change the enabled value from false to true. Keep it as the JSON boolean true, not the quoted string "true", since the property is a boolean.

You can make this change in the GitHub repository, but as a best practice I recommend altering the value before uploading the file to the repository. You can also create automation that modifies this value in bulk across the entire JSON file, either before it is committed or as a pipeline step, so that all the Analytics Rules are enabled at once during deployment.
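As an added example (not the author's own automation, which the post does not show), here is a Python script that does that bulk edit. It assumes the file follows the shape of a Sentinel export, where each rule is a resource of type Microsoft.OperationalInsights/workspaces/providers/alertRules with an enabled flag under properties. Recursing into rules nested inside Microsoft.Resources/deployments resources is an assumption about how some packaged content is laid out, and the sample template embedded in the script is constructed for the example, not exported from a workspace.

```python
import json
import sys
from pathlib import Path

# Resource type Sentinel uses for analytics rules in an exported ARM template.
ALERT_RULE_TYPE = "Microsoft.OperationalInsights/workspaces/providers/alertRules"
NESTED_DEPLOYMENT_TYPE = "Microsoft.Resources/deployments"


def enable_alert_rules(template: dict) -> int:
    """Force properties.enabled to the JSON boolean true on every analytics rule.

    Mutates the template in place and returns how many rules were changed, so a
    pipeline step can log the count (a second run reports 0). Resources of any
    other type (workbooks, playbooks, watchlists) are left untouched.
    """
    changed = 0
    for resource in template.get("resources", []):
        rtype = resource.get("type")
        # Assumption: packaged content may nest rules inside a deployment
        # resource that carries its own inner template; recurse into it.
        if rtype == NESTED_DEPLOYMENT_TYPE:
            inner = resource.get("properties", {}).get("template")
            if isinstance(inner, dict):
                changed += enable_alert_rules(inner)
            continue
        if rtype != ALERT_RULE_TYPE:
            continue
        props = resource.setdefault("properties", {})
        # ARM expects a boolean here. The string "false" is not the boolean
        # false, so anything that is not exactly true is replaced.
        if props.get("enabled") is not True:
            props["enabled"] = True
            changed += 1
    return changed


def enable_rules_in_file(path: Path) -> int:
    """Rewrite one deployment file in place; return the number of rules changed."""
    template = json.loads(path.read_text(encoding="utf-8"))
    changed = enable_alert_rules(template)
    # json.dumps emits Python True as the JSON literal true, which is what ARM wants.
    path.write_text(json.dumps(template, indent=4) + "\n", encoding="utf-8")
    return changed


# Constructed sample in the shape of a Sentinel export (not a real exported file):
# a disabled rule, an enabled rule, a rule with a string instead of a boolean,
# a rule nested in a deployment resource, and a workbook that must be left alone.
SAMPLE_TEMPLATE_JSON = """
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": { "workspace": { "type": "String" } },
  "resources": [
    { "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','rule-1')]", "kind": "Scheduled",
      "properties": { "displayName": "Failed sign-ins", "enabled": false, "severity": "Medium",
                      "query": "SecurityEvent | where EventID == 4625" } },
    { "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','rule-2')]", "kind": "Scheduled",
      "properties": { "displayName": "Already enabled", "enabled": true, "severity": "Low",
                      "query": "Heartbeat | take 1" } },
    { "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','rule-3')]", "kind": "Scheduled",
      "properties": { "displayName": "Wrong type", "enabled": "false", "severity": "High",
                      "query": "SigninLogs | where ResultType != 0" } },
    { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-06-01", "name": "nested-rules",
      "properties": { "mode": "Incremental", "template": { "resources": [
        { "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules", "apiVersion": "2022-11-01",
          "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','rule-4')]", "kind": "Scheduled",
          "properties": { "displayName": "Nested rule", "enabled": false, "severity": "Low",
                          "query": "AuditLogs | take 1" } } ] } } },
    { "type": "Microsoft.Insights/workbooks", "apiVersion": "2022-04-01", "name": "workbook-1",
      "properties": { "displayName": "Dashboard", "category": "sentinel" } }
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample into a fresh dict on every call."""
    return json.loads(SAMPLE_TEMPLATE_JSON)


if __name__ == "__main__":
    # Usage: python enable_rules.py <deployment.json> [...]; with no arguments,
    # run against the built-in sample instead.
    if len(sys.argv) > 1:
        for arg in sys.argv[1:]:
            print(f"{arg}: enabled {enable_rules_in_file(Path(arg))} rule(s)")
    else:
        print(f"sample: enabled {enable_alert_rules(load_sample())} rule(s)")
```

Run it as a pre-commit step or as the job that precedes the deployment step in the pipeline, pointing it at every rule template in the repository. Because it only counts rules that actually changed, a second run over the same files reports zero, which makes it safe to leave in the pipeline permanently and gives you a log line to review when a rule that should have been enabled was not.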
