Updating a Sentinel Analytic Rule KQL Query
This page describes how to update an analytic rule's KQL query in Microsoft Sentinel through the Azure portal. The process is simple and requires only a few steps.
Instructions
- Go to the affected Sentinel workspace. If you are unsure where to find your workspaces, open https://portal.azure.com/sentinel.
- Once you have selected your Sentinel workspace, on the left-hand side of the screen navigate to Configuration -> Analytics (you may need to expand the sub-menus).
- Search for and select the affected analytic rule.
- Click the Edit button. If the rule fly-out menu does not open when you select the rule, go to the right of the rule and click the three-dots button -> Edit.
- Select the Set rule logic tab.
- Locate the Rule query section. Edit the existing query in place, or paste the updated query into the query text box.
- Select the Review + create tab.
- At the bottom of the page, click the Save button to save the changes to the analytic rule.
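The same change can be made without the portal, which is useful when the query has to be updated across several workspaces or tracked in a change ticket. The following PowerShell is an added example and not part of the original page; it assumes the Az.SecurityInsights module, and the resource group, workspace name, rule id and query are constructed placeholders. It reads the rule back after the update so that you can confirm the stored query matches what was intended.

```powershell
# Added example (not from the original page). Requires Az.Accounts and Az.SecurityInsights
# and an existing Connect-AzAccount session with Microsoft Sentinel Contributor on the workspace.
# Cmdlet names and parameters below are taken from the Az.SecurityInsights module; verify
# them against Get-Help in your environment, as they are an assumption here.
Import-Module Az.SecurityInsights

# Constructed placeholders: replace with the affected workspace and rule.
$ResourceGroup = 'rg-sentinel-placeholder'
$Workspace     = 'law-sentinel-placeholder'
$RuleId        = '00000000-0000-0000-0000-000000000000'   # GUID of the scheduled analytic rule

# The updated KQL query (constructed sample, not a production detection).
$NewQuery = @'
SigninLogs
| where ResultType != 0
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 1h)
| where FailedAttempts > 20
'@

# 1. Capture the current query so the change can be reviewed or rolled back.
$rule = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace -RuleId $RuleId
Write-Host "Current query for '$($rule.DisplayName)':`n$($rule.Query)`n"

# 2. Apply the new query. Only the query changes; schedule, severity and other settings are kept.
Update-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace `
    -RuleId $RuleId -Scheduled -Query $NewQuery | Out-Null

# 3. Read the rule back and verify the stored query matches what was submitted.
$updated = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroup -WorkspaceName $Workspace -RuleId $RuleId
if ($updated.Query.Trim() -eq $NewQuery.Trim()) {
    Write-Host "Query updated and verified for rule '$($updated.DisplayName)'."
} else {
    Write-Warning "Stored query does not match the submitted query; review the rule in the portal."
}
```

Save the old query printed in step 1 with your change record so that the rule can be reverted if the new query produces unexpected results.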