Issue while deploying Sentienl Rules

Hi @StefanHartmann1​ 

Normally, the soft-delete state for analytics rules lasts up to 14 days, but if the deletion was tied to a deployment via ARM/Bicep/Terraform, the ID can get “stuck” in the resource provider’s cache for much longer. In some cases, the only way to reuse the same ID is to open a Microsoft support ticket so they can manually clear it from the backend. If reusing the exact same ID is critical, I’d recommend raising a support case with the Microsoft.SecurityInsights resource provider details and rule name/ID — otherwise, changing the ruleId (GUID) in your template is the quickest workaround.

Feel free to reply if you have any issues!

Hi StefanHartmann1 

I've seen this in instances where there are still traces relating to that original ID, not allowing overwriting.

Note that the ID is the Name, you can use this PS query below to see the state of the rule:

Get-AzSentinelAlertRule -ResourceGroupName <RG-Name> -WorkspaceName <LogAnalytics-Name> `
 | where Name -eq "<Rule-ID>"

And the equivalent removal PS: https://learn.microsoft.com/en-us/powershell/module/az.securityinsights/remove-azsentinelalertrule?view=azps-13.0.0


Outside of that you will have three options:

1. If the same GUID is not explicitly required, deploy the rule under a new ID.
2. Raise a Microsoft support case
3. Continue waiting.

Feel free to reply if you have any issues!