|
| 1 | +--- |
| 2 | +title: Refresh an Azure Sentinel analytics rule from an updated template |
| 3 | +description: Learn how to incorporate the changes from updated versions of analytics rule templates into rules created from those templates. |
| 4 | +services: sentinel |
| 5 | +documentationcenter: na |
| 6 | +author: yelevin |
| 7 | +manager: rkarlin |
| 8 | +editor: '' |
| 9 | + |
| 10 | +ms.service: azure-sentinel |
| 11 | +ms.subservice: azure-sentinel |
| 12 | +ms.devlang: na |
| 13 | +ms.topic: how-to |
| 14 | +ms.tgt_pltfrm: na |
| 15 | +ms.workload: na |
| 16 | +ms.date: 10/03/2021 |
| 17 | +ms.author: yelevin |
| 18 | + |
| 19 | +--- |
| 20 | +# Refresh an Azure Sentinel analytics rule from an updated template |
| 21 | + |
| 22 | +> [!IMPORTANT] |
| 23 | +> |
| 24 | +> - This feature is in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability. |
| 25 | +
|
| 26 | +## Introduction |
| 27 | + |
| 28 | +Azure Sentinel comes with [analytics rule templates](detect-threats-built-in.md) that you turn into active rules by effectively creating a copy of them – that’s what happens when you create a rule from a template. At that point, however, the active rule is no longer connected to the template. If changes are made by Microsoft engineers – or anyone, for that matter – to a rule template, any rules created from that template beforehand are not dynamically updated to match the new template. |
| 29 | + |
| 30 | +However, you can get notified when a template is updated, and you can have the option to update your rules to the new version of the template. This article will show you how to do that, and what to keep in mind. |
| 31 | + |
| 32 | +## Get notified of changes to a template |
| 33 | + |
| 34 | +You can see which rules have had their templates updated by the appearance of the "*Update available*" badge on the rule in the list on the **Active rules** tab. |
| 35 | + |
| 36 | +1. On the **Analytics** blade, select the **Active rules** tab. |
| 37 | + |
| 38 | +1. Select any rule showing the "*Update available*" badge. |
| 39 | + |
| 40 | + :::image type="content" source="media/refresh-analytics-rule-from-updated-template/see-rules-with-updated-template.png" alt-text="Screenshot of active rules list, with badge indicating a template update is available." lightbox="media/refresh-analytics-rule-from-updated-template/see-rules-with-updated-template.png"::: |
| 41 | + |
| 42 | +1. Scroll down to the bottom of the details pane, where you'll see two version numbers: the version of the template from which the rule was created, and the latest available version of the template. |
| 43 | + |
| 44 | + :::image type="content" source="media/refresh-analytics-rule-from-updated-template/scroll-down-to-version-numbers.png" alt-text="Screenshot of details pane. Scroll down to see template version numbers."::: |
| 45 | + |
| 46 | + The number is in a “1.0.0” format – major version, minor version, and build. |
| 47 | + (For the time being, the build number is not in use and will always be 0.) |
| 48 | + |
| 49 | + - A difference in the *major version* number indicates that something essential in the template was changed, that could affect how the rule detects threats or even its ability to function altogether. This is a change you will want to include in your rules. |
| 50 | + |
| 51 | + - A difference in the *minor version* number indicates a minor improvement in the template – a cosmetic change or something similar – that would be “nice to have” but is not critical to maintaining the rule’s functionality, efficacy, or performance. This is a change that you could just as easily take or leave. |
| 52 | + |
| 53 | + |
| 54 | +## Update an analytics rule from a template |
| 55 | + |
| 56 | +### Compare your active rule with the new template version |
| 57 | + |
| 58 | +Having selected a rule and determined that you want to consider updating it, select **Review and update** on the details pane (see above). You'll see that the **Analytics rule wizard** now has a **Compare to latest version** tab. |
| 59 | + |
| 60 | +On this tab you'll see a side-by-side comparison between the YAML representations of the existing rule and the latest version of the template. |
| 61 | + |
| 62 | +:::image type="content" source="media/refresh-analytics-rule-from-updated-template/compare-template-versions.png" alt-text="Screenshot of 'Compare to latest version' tab in Analytics rule wizard."::: |
| 63 | + |
| 64 | +> [!NOTE] |
| 65 | +> Updating this rule will overwrite your existing rule with the latest version of the template. |
| 66 | +Any automation step or logic that makes reference to the existing rule should be verified, in case the referenced names have changed. Also, any customizations you made in creating the original rule may be overwritten. |
| 67 | + |
| 68 | +### Update your rule with the new template version |
| 69 | + |
| 70 | +- If the changes made to the new version of the template are acceptable to you, and nothing else in your original rule has been affected, select **Review and update** to validate and apply the changes. |
| 71 | + |
| 72 | +- If you want to further customize the rule or re-apply any changes that might otherwise be overwritten, select **Next : Custom changes**. If you choose this, you will cycle through the remaining tabs of the [Analytics rule wizard](detect-threats-custom.md) to make those changes, after which you will validate and apply the changes on the **Review and update** tab. |
| 73 | + |
| 74 | +## Next steps |
| 75 | +In this document, you learned how to update your Azure Sentinel analytics rules to new template versions. To learn more about Azure Sentinel, see the following articles: |
| 76 | + |
| 77 | +- Learn more about [analytics rules](detect-threats-built-in.md). |
| 78 | +- See more details about the [analytics rule wizard](detect-threats-custom.md). |
0 commit comments