Forum Discussion
Issue while deploying Sentinel Rules
Hi StefanHartmann1
I've seen this in instances where there are still traces relating to that original ID, not allowing overwriting.
Note that the ID is the Name; you can use this PS query below to see the state of the rule:
Get-AzSentinelAlertRule -ResourceGroupName <RG-Name> -WorkspaceName <LogAnalytics-Name> `
| where Name -eq "<Rule-ID>"
And the equivalent removal PS: https://learn.microsoft.com/en-us/powershell/module/az.securityinsights/remove-azsentinelalertrule?view=azps-13.0.0
Outside of that you will have three options:
- If the same GUID is not explicitly required, deploy the rule under a new ID.
- Raise a Microsoft support case
- Continue waiting.
Feel free to reply if you have any issues!
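The check-remove-wait-redeploy sequence from the reply above, written out as an added PowerShell example (this is not code from the thread or from Microsoft's documentation). It assumes Az.SecurityInsights is installed and you are already signed in with Connect-AzAccount; the resource group, workspace, rule ID and the placeholder KQL are all made up for illustration, and the fallback to a fresh GUID only applies when the same GUID is not strictly required:

```powershell
# Added example (not from the original thread): redeploy a scheduled analytics rule
# in a delete-and-republish workflow, handling the case where the old rule ID has
# not been fully cleaned up yet. All names below are placeholders (assumptions).
param(
    [string]$ResourceGroupName = "rg-sentinel",       # assumption: placeholder
    [string]$WorkspaceName     = "law-sentinel",      # assumption: placeholder
    [string]$RuleId            = "11111111-2222-3333-4444-555555555555", # desired GUID (placeholder)
    [int]$MaxWaitMinutes       = 10
)

# Requires: Install-Module Az.SecurityInsights; Connect-AzAccount
Import-Module Az.SecurityInsights

function Get-RuleState {
    # Returns the rule object while the ID still resolves in the workspace, $null once it is gone.
    # The rule's Name property is its ID, as noted in the reply above.
    Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -ErrorAction SilentlyContinue |
        Where-Object Name -eq $RuleId
}

# 1. Remove the existing rule if any trace of it is still visible.
if (Get-RuleState) {
    Remove-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName -RuleId $RuleId
}

# 2. Wait, with a bounded timeout, until the ID no longer resolves.
$deadline = (Get-Date).AddMinutes($MaxWaitMinutes)
while ((Get-RuleState) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 30
}

# 3. If the old ID is still lingering after the timeout, fall back to a fresh GUID
#    (the "new ID" option) and warn so the rule repository can be updated to match.
$targetId = $RuleId
if (Get-RuleState) {
    $targetId = [guid]::NewGuid().ToString()
    Write-Warning "Rule $RuleId still present after $MaxWaitMinutes min; deploying as $targetId instead"
}

# 4. Redeploy. The display name and KQL are constructed placeholders, not a real detection.
New-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName `
    -RuleId $targetId -Kind Scheduled -Enabled `
    -DisplayName "Example: placeholder rule" `
    -Severity Medium `
    -Query 'SigninLogs | where ResultType != 0 | take 1' `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan -TriggerThreshold 0
```

Run it once per rule from your deployment pipeline; if the pipeline must keep a stable GUID, drop step 3 and let the script fail after the timeout so the case can be escalated to support rather than silently renaming the rule.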
None of these options work in a detection-as-code context where you need to delete and republish rules often, as is our case. This is terrible UX and architecture; I really hope Microsoft realizes the negative impact it has on customers and fixes this problem.