Sentinel-As-Code: Wave 2

About a year ago I published Automating Microsoft Sentinel Deployment, a three-stage pipeline that provisioned infrastructure via Bicep and deployed Content Hub solutions through a single PowerShell script. It worked, but it was limited.

Last month I released Wave 1 of the 2026 rebuild, a ground-up rewrite focused entirely on Content Hub automation. It introduced semantic versioning, customisation protection, a dry-run mode, and a proper five-stage pipeline. A massive step forward.

The last release still had gaps: KQL parsers were not yet a supported content type. There was no smart deployment logic, so every run redeployed everything regardless of whether it had changed. And my actual content library, years of detections, hunting queries, and playbooks scattered across dozens of repositories, was still sitting completely outside the automated pipeline.

Wave 1 was solid, but it had gaps. Wave 2 closes them and ships a lot more. The release adds a more robust framework, a substantially larger content library, and a set of operational capabilities that did not exist in Wave 1: a watchlist-driven DCR billing sync, a 111-rule community contribution from David Alonso, a daily drift detector that auto-PRs portal edits back into the repo, 28 new Defender XDR detections, a major playbook catalogue reshuffle, a Pester test suite for the drift functions, and a documentation reorganisation.