Forum Discussion
Custom Detection Rules as Code in Sentinel Repositories: What Your Pipeline Owns Now
Hi Marcel, this is an excellent catch. Moving detections into Git changes more than the deployment method; it transfers responsibility for schema changes and query health to the pipeline owner. I would add a CI stage that extracts and validates the KQL against a non-production workspace, checks for deprecated tables and columns, confirms the required result columns and entity mappings, and prevents accidental changes to rule IDs. A post-deployment health test or small canary detection would also help identify a rule that deployed successfully but no longer returns valid results. I would be very interested to see whether the retired-table test causes the repository sync to fail or whether it reasserts the stale query over the portal-migrated version.