articles/sentinel/manage-analytics-rule-templates.md
6 additions & 4 deletions
@@ -43,9 +43,9 @@ With the implementation of template version control, you can see and track the v
43
43
44
44
1. Select any rule of type **Scheduled**.
45
45
46
-
- If the rule displays the "*Update available*" badge, its details pane will have a **Review and update** button next to the **Edit** button (see image 1 below).
46
+
- If the rule displays the "*Update available*" badge, its details pane will have a **Review and update** button next to the **Edit** button (see image 1 in the next step below).
47
47
48
-
- If the rule was created from a template but does not have the "*Update available*" badge, its details pane will have a **Compare with template** button next to the **Edit** button (see images 2 and 3 below).
48
+
- If the rule was created from a template but does not have the "*Update available*" badge, its details pane will have a **Compare with template** button next to the **Edit** button (see images 2 and 3 in the next step below).
49
49
50
50
- If there is only an **Edit** button, the rule was created from scratch, not from a template.
51
51
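Review bot: The two reworded cross-references ("see image 1 in the next step below" and "see images 2 and 3 in the next step below") stack two positional cues, "in the next step" and "below", which reads awkwardly and will break if the steps are reordered. Drop "below" and, if possible, refer to each image by what it shows (the **Review and update** button, the **Compare with template** button) rather than by number alone. The unchanged third bullet ("If there is only an **Edit** button...") carries no image reference, so the three bullets are now uneven in how they point the reader forward.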
@@ -64,11 +64,13 @@ With the implementation of template version control, you can see and track the v
64
64
65
65
> [!NOTE]
66
66
> Images 2 and 3 above show two examples of rules created from templates, where the template has not been updated.
67
-
> - Image 2 shows a rule that had been created after Azure Sentinel's initial implementation of template version control in mid-2021 (***EXACT MONTH?***)
68
-
> - Image 3 shows a rule that had been created before that time, so there is no version information for the template. If there is a latest template version available, it is likely a new version of the template.
67
+
> - Image 2 shows a rule that has a version number for its current template. This signals that the rule was created after Azure Sentinel's initial implementation of template version control in October 2021.
68
+
> - Image 3 shows a rule that doesn't have a current template version. This shows that the rule had been created before October 2021. If there is a latest template version available, it's likely a newer version of the template than the one used to create the rule.
69
69
70
70
## Compare your active rule with its template
71
71
72
+
Choose one of the following tabs according to the action you wish to take, to see the instructions for that action:
73
+
72
74
# [Update template](#tab/update)
73
75
74
76
Having selected a rule and determined that you want to consider updating it, select **Review and update** on the details pane (see above). You'll see that the **Analytics rule wizard** now has a **Compare to latest version** tab.
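Review bot: The new Image 3 bullet ends with "it's likely a newer version of the template than the one used to create the rule", which leaves the reader with a guess and no action. For a rule created before October 2021 there is no recorded template version, so the version number cannot show whether the rule has drifted from the template; say so and point the reader to **Compare with template** to review the differences. The two bullets are also inconsistent in wording: "This signals that the rule was created" against "This shows that the rule had been created"; use one verb and one tense in both.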
articles/sentinel/whats-new.md
13 additions & 0 deletions
@@ -30,8 +30,21 @@ If you're looking for items older than six months, you'll find them in the [Arch
30
30
31
31
## October 2021
32
32
33
+
-[Manage template versions for your scheduled analytics rules (Public preview)](#manage-template-versions-for-your-scheduled-analytics-rules-public-preview)
### Manage template versions for your scheduled analytics rules (Public preview)
37
+
38
+
When you create analytics rules from [built-in Azure Sentinel rule templates](detect-threats-built-in.md), you effectively create a copy of the template. Past that point, the active rule is ***not*** dynamically updated to match any changes that get made to the originating template.
39
+
40
+
However, rules created from templates ***do*** remember which templates they came from, which allows you two advantages:
41
+
42
+
- If you made changes to a rule when creating it from a template (or at any time after that), you can always revert the rule back to its original version (as a copy of the template).
43
+
44
+
- You can get notified when a template is updated, and you'll have the choice to update your rules to the new version of their templates or leave them as they are.
45
+
46
+
[Learn how to manage these tasks](manage-analytics-rule-templates.md), and what to keep in mind. These procedures apply to any [Scheduled](detect-threats-built-in.md#scheduled) analytics rules created from templates.
47
+
35
48
### DHCP normalization schema (Public preview)
36
49
37
50
The Azure Sentinel Information Model (ASIM) now supports a DHCP normalization schema, which is used to describe events reported by a DHCP server and is used by Azure Sentinel to enable source-agnostic analytics.
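Review bot: In the second added bullet, "You can get notified when a template is updated" does not say how the notification appears. The how-to changed in this same commit describes an "*Update available*" badge on the rule, so name it here; the preceding paragraph states that active rules are not dynamically updated, which makes that badge the only signal this entry gives that a detection rule has fallen behind its template. In the sentence before the bullets, "which allows you two advantages" is ungrammatical; "which gives you two advantages" reads correctly. As rendered on this page, the added table-of-contents entry starts with "-[Manage template versions" with no space after the dash, unlike the "- " bullets further down; check that it renders as a list item.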