How do I update Sentinel NRT analytical rules?

Mark Newton 25 Reputation points
2023-01-20T16:51:53.7433333+00:00

My Sentinel Analytical NRT type rule, "NRT Creation of expensive computes in Azure" shows an Update is Available. With Scheduled rule types the Update button is visible but not with NRT. How do I update NRT analytical rules? Please and thanks.


Accepted answer
  1. David Broggy 5,681 Reputation points MVP
    2023-01-20T19:11:54.98+00:00

    Hi Mark,

    Most of the NRT rules are quite new as you can see from the template versions - most of the versions are 1.0.1, 1.0.2 or 1.0.3.

    Most likely Microsoft just hasn't gotten around to updating any of them.

    AFAIK, there isn't anything special about how they operate that would change how they're updated in the future.

    Regards.


1 additional answer

  1. SanthiSwaroopNaikBukke-4908 595 Reputation points
    2023-01-20T16:53:28.6966667+00:00

    Updating Sentinel NRT analytical rules in Azure Sentinel involves several steps:

    1. Identify the rules that you want to update: Review the existing rules in Azure Sentinel and identify the ones that you want to update.
    2. Modify the rules: You can either modify the rules directly in the Azure Sentinel Log Analytics workspace or export them to a JSON file and make the changes offline.
    3. Import the updated rules: Once the rules are updated, you can import them back into Azure Sentinel. You can use the Azure Sentinel REST API or Azure Sentinel Playbooks to import the updated rules.
    4. Test the updated rules: After importing the updated rules, you should test them to ensure they are working as expected.
    5. Deploy the updated rules: Finally, you can deploy the updated rules to your production environment.

    Here is an example of how to update a rule using Azure Sentinel Playbooks:

    1. Go to Azure Sentinel in the Azure portal
    2. Select Playbooks from the left-side menu
    3. Select the rule you want to update
    4. Select Edit to modify the rule
    5. Select Save to save your changes
    6. Select Deploy to deploy the updated rule to your production environment
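As an added example (not code from this thread, from Microsoft, or from either answerer), the REST-API route the second answer mentions in steps 2 and 3: take the deployed NRT rule as exported by GET, copy the newer query and version from its rule template into it while keeping local tuning such as enabled state and severity, and PUT it back. The resource path, `kind` and property names follow the Microsoft.SecurityInsights alertRules API; the GUIDs and KQL queries are constructed placeholders.

```python
"""Added example (not from the thread): apply a newer rule template to a deployed
Microsoft Sentinel NRT analytics rule through the SecurityInsights REST API,
which is what the portal's "Update" button does for Scheduled rules."""
import json
import urllib.request

API_VERSION = "2022-11-01"  # SecurityInsights API version that accepts kind "NRT"
ARM = "https://management.azure.com"

# Constructed samples of GET .../alertRules/{ruleId} and GET .../alertRuleTemplates/{id};
# the GUID-like parts are placeholders, not real Sentinel identifiers.
DEPLOYED_RULE = {
    "id": "/subscriptions/SUB-PLACEHOLDER/resourceGroups/rg/providers/Microsoft.OperationalInsights"
          "/workspaces/ws/providers/Microsoft.SecurityInsights/alertRules/RULE-PLACEHOLDER",
    "etag": '"0a00-0001"',
    "kind": "NRT",
    "properties": {
        "displayName": "NRT Creation of expensive computes in Azure",
        "enabled": True, "severity": "Low",  # local tuning that must survive the update
        "query": "AzureActivity | where OperationNameValue =~ 'old/query'",
        "alertRuleTemplateName": "TEMPLATE-PLACEHOLDER", "templateVersion": "1.0.1",
    },
}
NEW_TEMPLATE = {
    "name": "TEMPLATE-PLACEHOLDER", "kind": "NRT",
    "properties": {"version": "1.0.3",
                   "query": "AzureActivity | where OperationNameValue =~ 'new/query'"},
}

def version_key(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

def build_template_update(rule: dict, template: dict):
    """Return (url, body) for the PUT that pulls the template's newer query and
    version into the rule, or None when the rule is already at that version.
    Only query and version come from the template; enabled, severity and etag stay."""
    if rule["kind"] != "NRT" or template["kind"] != "NRT":
        raise ValueError("both rule and template must be of kind NRT")
    new_ver = template["properties"]["version"]
    cur_ver = rule["properties"].get("templateVersion", "0")
    if version_key(new_ver) <= version_key(cur_ver):
        return None
    props = dict(rule["properties"])  # copy so the exported rule is left untouched
    props.update(query=template["properties"]["query"], templateVersion=new_ver,
                 alertRuleTemplateName=template["name"])
    body = {"kind": "NRT", "etag": rule["etag"], "properties": props}
    return f"{ARM}{rule['id']}?api-version={API_VERSION}", body

def put_rule(url: str, body: dict, bearer_token: str) -> dict:
    """PUT the rule back; the echoed etag lets the service detect a concurrent edit."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)
```

Run `build_template_update` first and diff the returned body against the exported rule before calling `put_rule`, so you can confirm that only the query and version changed.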