Select which Microsoft Sentinel fields to update when a rule needs updating

Introduction

One of the great things about Microsoft Sentinel is that it is Software As A Service. That means it can be updated behind the scenes without you, the user, having to do anything. The downside is that this means rule templates can also be updated automatically but you will need to update your rules manually.

The main reason for this is that the Microsoft Sentinel functionality to update the rule updates EVERYTHING! I have an old blog post about how to update your rules, but it updates ALL the rules and ALL the fields (plus it doesn’t work for templates that come from solutions). Not the best way to handle updates.

This blog post will show you how to create a CSV file that shows which rules need to be updated and which fields in that rule need to be updated. Then you can decide what you want to update!

NOTE: Due to how hard it is to test, because rule templates do not change all the time, I cannot guarantee that this code works 100% of the time. I have tested it as much as possible, but I definitely could not test all possible configurations.

All the code can be downloaded from garybushey/SelectRulesFieldsToUpdate: Select which fields to update when a rule is set to be updated. (github.com)

Create the CSV file

The “Export-AzSentinelRulesNeedingUpdates.ps1” script will create the CSV file. There isn’t anything too special about this code. It goes through all the rules and determines which ones have come from a template.

It will then look to see if the rule’s version is different than the template’s version. The only caveat is that you don’t know if the rule came from a Microsoft Sentinel Out Of The Box (OOTB) template or a solution. The code will try to find the template in the list of Microsoft Sentinel OOTB templates and if it does not find it there, it will then check against the solution templates.

One thing I did need to do was to trick the system when loading arrays. Array fields are listed in different ways in the templates: they can contain actual values, be an empty array, or be absent entirely. Because of this, I check to make sure the array has a value. If not, I just return a “1” so the PowerShell “Compare-Object” command has something to compare against. The code is:

Function LoadArray ($arrayToCheck) {
   # Default to the array exactly as it came from the rule or template
   $returnValue = $arrayToCheck
   # A missing ($null) or empty array would make Compare-Object fail,
   # so hand back a placeholder value instead
   if (($null -eq $arrayToCheck) -or ($arrayToCheck.count -eq 0)) { 
        $returnValue = "1" 
   }
   return $returnValue
}

The rest of the code is just doing some comparisons. I do check to make sure the fields exist in the template, probably more than I really need to, but better safe than sorry.
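The steps above (find the template, compare versions, compare each field including the arrays) are shown together below as an added example. This is not the Export-AzSentinelRulesNeedingUpdates.ps1 code from the post; it assumes rule and template objects shaped like the Sentinel REST API property blocks (a rule carries alertRuleTemplateName and templateVersion, a template carries name and version), and the sample rule and template are constructed inline so it runs without a workspace.

```powershell
# Added example, not the script from the post. Object shapes and the
# *Changed column names are assumptions chosen to match the post's CSV layout.

Function LoadArray ($arrayToCheck) {
    # Same trick as in the post: give Compare-Object something non-empty
    $returnValue = $arrayToCheck
    if (($null -eq $arrayToCheck) -or ($arrayToCheck.count -eq 0)) {
        $returnValue = "1"
    }
    return $returnValue
}

Function Find-RuleTemplate ($rule, $ootbTemplates, $solutionTemplates) {
    # Look in the OOTB templates first, then fall back to solution templates
    $template = $ootbTemplates | Where-Object { $_.name -eq $rule.alertRuleTemplateName }
    if ($null -eq $template) {
        $template = $solutionTemplates | Where-Object { $_.name -eq $rule.alertRuleTemplateName }
    }
    return $template
}

Function Test-ArrayChanged ($ruleArray, $templateArray) {
    # Compare-Object emits nothing when both sides hold the same members
    $diff = Compare-Object -ReferenceObject (LoadArray $ruleArray) -DifferenceObject (LoadArray $templateArray)
    return ($null -ne $diff)
}

Function Get-RuleUpdateRow ($rule, $ootbTemplates, $solutionTemplates) {
    $template = Find-RuleTemplate $rule $ootbTemplates $solutionTemplates
    if ($null -eq $template) { return $null }                         # hand-built rule, no template
    if ($rule.templateVersion -eq $template.version) { return $null }  # already on the current version

    # One CSV row per rule: TRUE wherever the template value differs from the rule value
    [PSCustomObject]@{
        Update                  = ""
        RuleName                = $rule.displayName
        RuleVersion             = $rule.templateVersion
        TemplateVersion         = $template.version
        RuleId                  = $rule.id
        TemplateId              = $template.name
        DescriptionChanged      = ($rule.description -ne $template.description)
        QueryChanged            = ($rule.query -ne $template.query)
        TriggerThresholdChanged = ($rule.triggerThreshold -ne $template.triggerThreshold)
        TacticsChanged          = (Test-ArrayChanged $rule.tactics $template.tactics)
        TechniquesChanged       = (Test-ArrayChanged $rule.techniques $template.techniques)
    }
}

# Constructed sample data: one OOTB template, no solution templates, one rule
# that is one version behind and has a customised description and no techniques
$ootbTemplates = @(
    [PSCustomObject]@{ name = "tmpl-1"; version = "1.0.2"; displayName = "Suspicious sign-in"
                       description = "Template text"; query = "SigninLogs | where ResultType != 0"
                       triggerThreshold = 5; tactics = @("InitialAccess"); techniques = @("T1078") }
)
$solutionTemplates = @()
$rules = @(
    [PSCustomObject]@{ id = "rule-guid-1"; displayName = "Suspicious sign-in"; alertRuleTemplateName = "tmpl-1"
                       templateVersion = "1.0.1"; description = "Company-specific text"
                       query = "SigninLogs | where ResultType != 0"; triggerThreshold = 5
                       tactics = @("InitialAccess"); techniques = $null }
)

$rows = foreach ($r in $rules) { Get-RuleUpdateRow $r $ootbTemplates $solutionTemplates }
$rows = $rows | Where-Object { $null -ne $_ }
$rows | Export-Csv -Path ".\RulesNeedingUpdates.csv" -NoTypeInformation
$rows | Format-List
```

For the sample rule the row comes out with DescriptionChanged and TechniquesChanged set to TRUE and the other change columns FALSE, which is the point of the placeholder in LoadArray: a missing techniques array on the rule still compares cleanly against the template's array instead of throwing.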

The CSV file

The CSV file has fields for the Update (more on that later), the rule name, the type of rule (like Scheduled or NRT), the current version of the rule, the current version of the template, the rule’s GUID, the template’s GUID (these make it easier to update the rule in the second PowerShell script) and then a field for each of the fields that can be updated.

For each field it will either be “TRUE” if that field is set to be updated or “FALSE” if not. You can also change these values yourself.

For each row, you can enter one of three values for the “Update” column or leave it blank. The different values that can be used are:

Value     Description
A         Update all the fields in the rule with the value from the template and the version number
P         Update only those fields that are “TRUE” and the version number
V         Do not update any of the fields, only the version number to remove the notice.
<blank>   Do nothing with this rule.

You can always change any of the columns to update. For example, if you have modified the description in your rule to add information for your company and you do not want it modified, change the “DescriptionChanged” column to “FALSE” and that field will not be updated.

Once you have all the changes made, save the file and run the second script. I have included a sample CSV file and an Excel version of the CSV file that highlights the “TRUE” values so you can see what it would look like.

Update the rules

The “Update-AzSentinelRulesFromCSV.ps1” script will read the CSV file and update the rules that need to be updated.

This code will look at each row in the CSV file, load the rule and its corresponding template, and then see which field(s) need to be updated.

For each field, it is assumed that we will use the rule’s value unless the “Update” field is equal to “A” or the corresponding field change column (i.e., “DescriptionChanged” for “Description”) is set to “TRUE” (or “True” since PowerShell doesn’t care about case). The code looks like:

# Start from the rule's current value
$triggerThreshold = $ruleToUpdate.triggerThreshold
# Take the template's value only when updating everything ("A") or when
# this field's change column is TRUE; -eq on strings is case-insensitive
if ($rule.TriggerThresholdChanged -eq "True" -or ($rule.update -eq "A")) {
    $triggerThreshold = $foundTemplate.triggerThreshold
}

Then depending on what kind of rule it is, the needed fields are filled in and the rule is updated, including the rule version. A strange quirk is that you have to set the rule template name each time you set the rule version. I wouldn’t think the rule template name would ever change!
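The “Update” column semantics from the table above and the per-field rule just shown are combined below into one added example that builds the merged set of field values for a CSV row. This is not the Update-AzSentinelRulesFromCSV.ps1 code; the write back to Sentinel is deliberately left out, the column names and rule/template shapes are assumptions matching the post's CSV layout, and the CSV row, rule and template are constructed inline.

```powershell
# Added example, not the post's script. Resolves what each field should be
# for one CSV row; writing the result back to Sentinel is out of scope here.

Function Resolve-FieldValue ($row, $columnName, $ruleValue, $templateValue) {
    # Template value wins only for "A", or when this field's *Changed column is TRUE.
    # String -eq is case-insensitive, so "TRUE", "True" and "true" all match.
    if (($row.Update -eq "A") -or ($row.$columnName -eq "True")) { return $templateValue }
    return $ruleValue
}

Function Merge-RuleFromRow ($row, $ruleToUpdate, $foundTemplate) {
    # Begin with the rule's own values for every field
    $merged = [ordered]@{
        displayName           = $ruleToUpdate.displayName
        description           = $ruleToUpdate.description
        query                 = $ruleToUpdate.query
        triggerThreshold      = $ruleToUpdate.triggerThreshold
        tactics               = $ruleToUpdate.tactics
        templateVersion       = $ruleToUpdate.templateVersion
        alertRuleTemplateName = $ruleToUpdate.alertRuleTemplateName
    }

    switch ($row.Update) {
        { [string]::IsNullOrWhiteSpace($_) } { return $null }   # blank: leave the rule untouched
        "V" { }                                                 # version only, handled below
        { $_ -in @("A", "P") } {
            $merged.description      = Resolve-FieldValue $row "DescriptionChanged"      $ruleToUpdate.description      $foundTemplate.description
            $merged.query            = Resolve-FieldValue $row "QueryChanged"            $ruleToUpdate.query            $foundTemplate.query
            $merged.triggerThreshold = Resolve-FieldValue $row "TriggerThresholdChanged" $ruleToUpdate.triggerThreshold $foundTemplate.triggerThreshold
            $merged.tactics          = Resolve-FieldValue $row "TacticsChanged"          $ruleToUpdate.tactics          $foundTemplate.tactics
        }
        default { throw "Unknown Update value '$($row.Update)' for rule '$($row.RuleName)'" }
    }

    # A, P and V all bump the version so the "update available" notice clears,
    # and (the quirk from the post) the template name is set alongside it
    $merged.templateVersion       = $foundTemplate.version
    $merged.alertRuleTemplateName = $foundTemplate.name
    return [PSCustomObject]$merged
}

# Constructed sample CSV: take the template's query and threshold, keep the
# company-specific description and the rule's own tactics
$csvText = @"
Update,RuleName,RuleId,TemplateId,DescriptionChanged,QueryChanged,TriggerThresholdChanged,TacticsChanged
P,Suspicious sign-in,rule-guid-1,tmpl-1,FALSE,TRUE,TRUE,FALSE
"@
$rows = $csvText | ConvertFrom-Csv

# Constructed rule and template objects (shapes are assumptions)
$ruleToUpdate = [PSCustomObject]@{ displayName = "Suspicious sign-in"; description = "Company-specific text"
                                   query = "SigninLogs | where ResultType != 0"; triggerThreshold = 5
                                   tactics = @("InitialAccess"); templateVersion = "1.0.1"; alertRuleTemplateName = "tmpl-1" }
$foundTemplate = [PSCustomObject]@{ name = "tmpl-1"; version = "1.0.2"; description = "Template text"
                                    query = "SigninLogs | where ResultType != 0 and RiskLevelDuringSignIn == 'high'"
                                    triggerThreshold = 3; tactics = @("InitialAccess", "CredentialAccess") }

foreach ($row in $rows) {
    $merged = Merge-RuleFromRow $row $ruleToUpdate $foundTemplate
    if ($null -ne $merged) { $merged | Format-List }
}
```

With the sample row the merged object keeps “Company-specific text” and the single InitialAccess tactic, takes the template's query and threshold of 3, and moves templateVersion to 1.0.2. Changing the row's Update to “A” pulls every field from the template regardless of the change columns, “V” changes only the version and template name, and a blank leaves the rule alone; an unrecognised letter throws rather than silently doing nothing, which is the safer failure for a script that rewrites detection rules.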

Summary

This post is to show you the code to be able to pick and choose which rules and which rule fields get updated. Again, I have not tested this as thoroughly as I would have liked, but all the tests I ran worked correctly.
