Outdated IOCs can indicate that you have Analytics Rules in Microsoft Sentinel that are doing you no good and simply consuming compute. Many of these exist in the Rule Templates section of the Analytics Rules blade in Microsoft Sentinel, but if you are using any of them as Active Rules, you may want to consider some clean-up.
Thanks to my good buddy, Andrea Fisher, for pointing this out.
To see if you're using any of the outdated rules, use the search facility on the Analytics Rules blade and look for rules prefixed with [Deprecated]. Select them and delete them.
The rule description also indicates that the IOCs are out of date and recommends implementing Microsoft's Threat Intelligence solution, as shown:
This query has been deprecated as the associated IoCs (Indicators of Compromise) are outdated and no longer relevant. To ensure effective threat detection, it is recommended to implement Microsoft's Threat Intelligence solution, which enables matching your log data with the most up-to-date IoCs generated by Microsoft. This solution can be installed from the Microsoft Sentinel Content Hub if not currently deployed. More details on the Content Hub can be found here: https://learn.microsoft.com/azure/sentinel/sentinel-solutions-deploy
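The same clean-up can be scripted instead of done by hand in the portal. The following is an added example, not code from the original post: it lists every analytics rule in a workspace whose display name carries the [Deprecated] prefix or whose description contains Microsoft's deprecation notice, shows whether each one is still enabled, and removes them only when you opt in. It uses the Get-AzSentinelAlertRule and Remove-AzSentinelAlertRule cmdlets from the Az.SecurityInsights module; the resource group and workspace names are placeholders.

```powershell
# Added example (not from the original post): audit and optionally remove
# deprecated Microsoft Sentinel analytics rules.
# Assumes Az.Accounts and Az.SecurityInsights are installed and you have
# already run Connect-AzAccount. Resource group and workspace names are
# placeholders for your own environment.
param(
    [string]$ResourceGroupName = 'rg-sentinel-PLACEHOLDER',
    [string]$WorkspaceName     = 'law-sentinel-PLACEHOLDER',
    [switch]$Remove             # without this switch the script only reports
)

Import-Module Az.SecurityInsights -ErrorAction Stop

# Pull every analytics rule in the workspace, whatever its kind.
$rules = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName `
                                 -WorkspaceName $WorkspaceName

# A rule counts as deprecated when its display name starts with [Deprecated]
# or its description carries the standard "has been deprecated" notice.
$deprecated = $rules | Where-Object {
    $_.DisplayName -match '^\[Deprecated\]' -or
    $_.Description -match 'has been deprecated'
}

if (-not $deprecated) {
    Write-Host "No deprecated analytics rules found in $WorkspaceName."
    return
}

# Report first. An Enabled rule is still being scheduled and queried,
# so those are the ones worth cleaning up first.
$deprecated |
    Select-Object DisplayName, Enabled, Kind,
                  @{ Name = 'RuleId'; Expression = { $_.Name } } |
    Format-Table -AutoSize

if ($Remove) {
    foreach ($rule in $deprecated) {
        # -Confirm prompts per rule; add -WhatIf to rehearse without deleting.
        Remove-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName `
                                   -WorkspaceName $WorkspaceName `
                                   -RuleId $rule.Name -Confirm
    }
}
```

Run it once without -Remove to review the list, then again with -Remove (and -WhatIf first if you want a rehearsal) to delete the rules you no longer want.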
Hi Rod,
Are there any costs when you enable this?
Best regards