Sign in Subscribe
Automation

Automate Microsoft Sentinel Updates: A Complete PowerShell Toolkit

🌐 Security at Scale: Sentinel Updates Without the Hassle! 🌐

Toby G

7 min read

Published on 10 March 2025

Introduction

Microsoft Sentinel has become a cornerstone of modern security operations, providing organisations with powerful SIEM and SOAR capabilities. However, maintaining a Sentinel deployment requires regular updates to ensure you have the latest threat detection capabilities, workbooks, and solutions. This maintenance burden can quickly become overwhelming for security teams already stretched thin.

Today, I'm excited to share a robust collection of PowerShell scripts created by Microsoft MVP/MCT Charbel Nemnom that automate critical Microsoft Sentinel update tasks. This toolkit represents a significant advancement in Sentinel operations management, allowing security teams to focus on threat hunting and incident response rather than administrative maintenance.

View on GitHub

The Challenge: Keeping Sentinel Current

Before exploring these automation solutions, let's understand the challenges security teams face when maintaining Microsoft Sentinel:

  • Analytics Rule Updates: Microsoft regularly releases updates to built-in detection rules, but updating them manually is time-consuming and error-prone
  • Content Hub Management: Solutions in the Content Hub frequently receive updates, but applying these updates across multiple solutions is tedious
  • Workbook Maintenance: Keeping saved workbooks in sync with their latest templates requires careful version tracking
  • Scale Issues: Large organisations with multiple workspaces face compounding maintenance challenges

These challenges can lead to security gaps when important updates aren't applied promptly, or to inefficient use of security analysts' time when they're focused on maintenance rather than security work.

The Solution: A PowerShell-Based Automation Toolkit

The automation toolkit consists of three powerful PowerShell scripts, each addressing a specific aspect of Sentinel maintenance:

  1. Update-AnalyticsRules.ps1: Automatically updates all default Microsoft Sentinel Analytics Rules
  2. Update-ContentHub.ps1: Updates all Content Hub Solutions at scale
  3. Update-SentinelWorkbooks.ps1: Updates saved workbooks to their latest template versions

Let's explore each script in detail.

Script 1: Update-AnalyticsRules.ps1

This script focuses on one of the most critical components of Sentinel - the Analytics Rules that power your threat detection capabilities.

Key Features

  • Bulk Rule Updates: Updates all default Microsoft Sentinel Analytics Rules in a single operation
  • Rule Preservation: Intelligently preserves tuned or modified rules to avoid overwriting customisations
  • Entity Mapping Retention: Maintains custom entity mappings when updating rules
  • Managed Identity Support: Designed to run in Azure Automation with system-assigned managed identity

How It Works

The script follows a sophisticated workflow:

  1. Authentication: Connects to Azure using a system-assigned managed identity
  2. Rule Discovery: Identifies all enabled Analytics Rules that have a template
  3. Template Comparison: Checks if newer versions of the rules are available
  4. Smart Updates: Updates outdated rules while preserving custom entity mappings and details
  5. Metadata Updates: Updates metadata for each rule to maintain proper tracking

Here's a key code section that demonstrates how the script intelligently handles entity mappings:

# Convert existing (pre-updated) and latest entity mappings to hash tables
$currentMappings = ConvertToHashTable $preUpdatedRuleEntityMappings
$newMappings = ConvertToHashTable $ruleEntityMappings

# Initialize final mappings
$finalMappings = @()

# Process the new mappings
foreach ($entityType in $newMappings.Keys) {
    if ($currentMappings.ContainsKey($entityType)) {
        # Entity exists in both current and new mappings
        $currentFields = $currentMappings[$entityType]
        $newFields = $newMappings[$entityType]

        # Combine current and new fields
        $updatedFields = @()
        foreach ($newField in $newFields) {
            $updatedFields += $newField # Add new mapping
        }

        # Retain fields that are not updated in the new mappings
        foreach ($currentField in $currentFields) {
            if (-not $updatedFields | Where-Object { $_.identifier -eq $currentField.identifier }) {
                $updatedFields += $currentField
            }
        }

        $finalMappings += [PSCustomObject]@{
            entityType    = $entityType
            fieldMappings = $updatedFields
        }
    }
    else {
        # Entity is new, add it
        $finalMappings += [PSCustomObject]@{
            entityType    = $entityType
            fieldMappings = $newMappings[$entityType]
        }
    }
}

This approach ensures that Microsoft's latest detection capabilities are implemented while preserving any custom field mappings your team has created.

Script 2: Update-ContentHub.ps1

The Microsoft Sentinel Content Hub provides valuable pre-packaged solutions for various security scenarios. This script automates the update process for these solutions.

Key Features

  • Version Checking: Identifies which Content Hub Solutions need updates
  • Preview Control: Optionally includes or excludes preview content from updates
  • Incremental Updates: Applies updates incrementally to minimise disruption
  • Automated Deployment: Handles the complete deployment process for updated solutions

How It Works

The script implements a methodical approach to Content Hub solution updates:

  1. Discovery: Retrieves all installed Content Hub solutions
  2. Version Comparison: Compares installed versions with available versions
  3. Update Filtering: Optionally filters out preview content based on user preference
  4. Deployment: Automatically deploys updated solutions while preserving configurations

A particularly powerful aspect of this script is how it handles the deployment of updates:

$installBody = @{"properties" = @{ 
        "parameters" = @{ 
            "workspace"          = @{"Value" = $workspaceName }
            "workspace-location" = @{"Value" = "" } 
        } 
        "template"   = $packagedContent
        "mode"       = "Incremental" 
    } 
}

$deploymentName = ("ContenthubBulkInstall-" + $solutionDisplayName)
if ($deploymentName.Length -gt 62) {
    $deploymentName = $deploymentName.Substring(0, 62)
}

$installURL = "https://management.azure.com/subscriptions/$subscriptionid/resourcegroups/$resourceGroupName/providers/Microsoft.Resources/deployments/" + $deploymentName + "?api-version=2021-04-01"
$installContentHub = Install-ContentHub -installURL $installURL -installBody ($installBody | ConvertTo-Json -EnumsAsStrings -Depth 50 -EscapeHandling EscapeNonAscii)

By using the "Incremental" deployment mode, the script ensures that only the components that need updating are changed, minimising the risk of disruption to your security operations.

Script 3: Update-SentinelWorkbooks.ps1

Microsoft Sentinel workbooks provide valuable visualisations for security data. This script ensures your saved workbooks stay current with the latest template versions.

Key Features

  • Version Detection: Identifies workbooks that have newer template versions available
  • Seamless Updates: Handles the complete update process, including metadata management
  • GUID Preservation: Maintains proper reference tracking during updates
  • Error Handling: Includes robust error handling for reliable operation

How It Works

The script employs a sophisticated approach to workbook updates:

  1. Inventory Collection: Retrieves all installed workbook templates and saved workbooks
  2. Version Comparison: Identifies workbooks that are outdated compared to their templates
  3. Controlled Updates: For each outdated workbook:
    • Deletes the outdated workbook
    • Deletes the associated metadata
    • Creates a new workbook from the latest template
    • Creates new metadata with proper references

The script handles the complex process of GUID management and parent reference updates:

# Generate a new GUID for the new workbook
Write-Verbose "Generating a new GUID for the new Microsoft Sentinel Workbook [$($installedWorkbookTemplate.properties.displayName)]" -Verbose
$guid = (New-Guid).Guid

# Later in the script...
$workbookParentId = $newWorkbookMetadata.properties.parentId -replace '/[^/]+$', "/$guid"        
$newWorkbookMetadata.properties | Add-Member -NotePropertyName parentId -NotePropertyValue $workbookParentId -Force

This careful handling of references ensures that workbook updates don't break existing dashboards or references.

Implementation Guide

Prerequisites

  • PowerShell 7.x: All scripts require PowerShell 7 or later
  • Az Module: The Azure PowerShell module is required
  • Permissions: System-assigned managed identity with appropriate permissions to:
    • Microsoft.SecurityInsights/*
    • Microsoft.OperationalInsights/*
    • Microsoft.Resources/deployments/*

Deployment Options

The scripts can be deployed in several ways:

  1. Azure Automation: The ideal deployment method, allowing scheduled execution with managed identities
  2. Local Execution: Can be run locally for testing or on-demand updates
  3. DevOps Pipelines: Can be integrated into CI/CD pipelines for more sophisticated workflows

Azure Automation Setup

For optimal results, deploy these scripts in Azure Automation:

  1. Create an Automation Account with system-assigned managed identity
  2. Assign appropriate RBAC permissions to the managed identity
  3. Import the scripts as runbooks
  4. Schedule the runbooks to run at appropriate intervals (e.g., weekly)
  5. Configure appropriate parameters for your environment

Enterprise-Scale Automation with Azure Lighthouse

For Managed Security Service Providers (MSSPs) or organisations with multiple tenants, Azure Lighthouse provides a powerful way to extend these automation capabilities across tenant boundaries. This enables centralised management of Microsoft Sentinel deployments across multiple customer environments or business units.

Key Benefits of the Lighthouse Approach

  • Centralised Management: Operate a single set of automation runbooks that update Sentinel across all delegated tenants
  • Consistent Security Posture: Ensure all customers or business units benefit from the latest Sentinel updates
  • Operational Efficiency: Reduce management overhead by automating updates across the entire customer portfolio
  • Scalable Security Operations: Easily onboard new tenants to your automated update procedures

Implementation with Lighthouse

To implement these scripts using Azure Lighthouse:

  1. Configure Azure Lighthouse Delegations:
    • Create a delegated resource management offer to your customer tenants
    • Include the necessary permissions for Microsoft Sentinel management:
      • Microsoft.SecurityInsights/*
      • Microsoft.OperationalInsights/workspaces/read
      • Microsoft.OperationalInsights/workspaces/alertRules/*
      • Microsoft.Resources/deployments/*
  2. Create Cross-Tenant Automation:
    • Deploy the automation runbooks in your management tenant
    • Modify the scripts to iterate through delegated tenant subscriptions:
# Get all delegated subscriptions from customers
$delegatedSubscriptions = Get-AzSubscription | Where-Object { $_.State -eq "Enabled" -and $_.TenantId -ne $managementTenantId }

foreach ($subscription in $delegatedSubscriptions) {
    # Set context to the delegated subscription
    Set-AzContext -Subscription $subscription.Id
    
    # Get Sentinel workspaces in this subscription
    $workspaces = Get-AzOperationalInsightsWorkspace | Where-Object {
        Get-AzOperationalInsightsWorkspaceSentinel -ResourceGroupName $_.ResourceGroupName -WorkspaceName $_.Name -ErrorAction SilentlyContinue
    }
    
    foreach ($workspace in $workspaces) {
        Write-Output "Processing workspace: $($workspace.Name) in subscription: $($subscription.Name)"
        
        # Run the update scripts for this workspace
        & .\Update-AnalyticsRules.ps1 -SubscriptionId $subscription.Id -ResourceGroup $workspace.ResourceGroupName -WorkspaceName $workspace.Name
        & .\Update-ContentHub.ps1 -SubscriptionId $subscription.Id -ResourceGroup $workspace.ResourceGroupName -WorkspaceName $workspace.Name
        & .\Update-SentinelWorkbooks.ps1 -SubscriptionId $subscription.Id -ResourceGroup $workspace.ResourceGroupName -WorkspaceName $workspace.Name
    }
}
  1. Schedule and Monitor:
    • Configure the cross-tenant runbooks to execute on a regular schedule
    • Implement logging to track successful updates and any failures across tenants
    • Create dashboards to monitor update status across your entire customer portfolio

Security Considerations for Lighthouse Deployments

When implementing cross-tenant automation, consider these additional security measures:

  • Principle of Least Privilege: Request only the specific permissions needed for Sentinel updates
  • Just-in-Time Access: Consider implementing just-in-time access for manual operations
  • Segregation of Duties: Separate automation identities from human operator identities
  • Audit Logging: Enable Azure Activity Logs to track all cross-tenant operations

MSSP-Specific Benefits

MSSPs implementing this approach can realise several competitive advantages:

  • Reduced Operational Costs: Automate routine maintenance across all customer tenants
  • Faster Update Deployment: Roll out critical security updates to all customers simultaneously
  • Service Differentiation: Offer "always current" Sentinel as a premium service offering
  • Scalable Business Model: Add new customers without linearly increasing operational overhead

This Azure Lighthouse integration transforms these automation scripts from single-tenant tools into a comprehensive, multi-tenant management solution ideal for service providers and large enterprises.

Real-World Benefits

Organisations implementing this toolkit can expect several significant benefits:

1. Enhanced Security Posture

By ensuring Analytics Rules are always current, you'll benefit from Microsoft's latest threat detection capabilities without manual intervention. The automation toolkit ensures you never miss critical security updates.

2. Operational Efficiency

Security analysts can focus on threat hunting and incident response rather than mundane update tasks. A typical enterprise might save 4-6 hours per week that would otherwise be spent on manual updates.

3. Consistent Configuration

The scripts intelligently preserve custom configurations while applying updates, ensuring your detection tuning and customisations aren't lost during updates.

4. Scalability

For organisations with multiple Sentinel workspaces, these scripts can be deployed across all environments, providing consistent update procedures regardless of scale.

Security Considerations

When implementing these automation tools, consider these security best practices:

  • Use managed identities rather than service principals where possible
  • Apply the principle of least privilege to all automation identities
  • Implement proper logging and monitoring for the automation itself
  • Review the results of automated updates to ensure proper functionality
  • Test scripts in a non-production environment before deploying to production

Conclusion

The Microsoft Sentinel Automation Toolkit represents a significant advancement in Sentinel operations management. By automating the update process for Analytics Rules, Content Hub Solutions, and Workbooks, security teams can ensure their Sentinel deployment remains current with minimal effort.

These scripts, developed by Microsoft MVP/MCT Charbel Nemnom, showcase the power of PowerShell automation for security operations. They transform what would otherwise be tedious, manual processes into streamlined, reliable operations that enhance both security and efficiency.

For security teams looking to optimise their Microsoft Sentinel deployment, this automation toolkit is an essential addition to your operations toolbox.

Special thanks to Microsoft MVP/MCT Charbel Nemnom for creating and sharing these valuable scripts with the security community.

Have you implemented automation for Microsoft Sentinel in your environment? Share your experiences in the comments below!