Forum Discussion
ARM template for deploying a workbook template to Microsoft Sentinel
- Dec 21, 2024
Hi Jason,
You are quite right. It's moving quite a long way from the original question but altering the Id string is all that is required to deploy an object to a different subscription.
In Azure, objects can clip together like Lego blocks based on the "provider" element. The Id string references where something is deployed to and it tells Azure what type of object is being deployed (although most of the time that is also shown as the type property). You don't actually need the name property either - that's always the last element of the Id.
I'm familiar with the argument for deploying everything as code. These content templates are versioned and are being updated constantly - it will be one headache to keep the versioning in your code templates up-to-date and if they go down the path of not allowing SOC engineers to create detection rules or update content through the portal it will be a tragedy. If your client also wants data connectors deployed through code that becomes an almighty world of pain and also a security risk as your build pipeline has to be super-privileged with god rights in all systems.
From an Engineer's perspective, seeing Azure as REST objects is really helpful in understanding how it really works and there are still rare times when REST can get around issues with ARM. I use REST all the time as I'm troubleshooting in my sandpit but I still use Bicep (or ARM) when delivering solutions for customers as it's a standard solution that is officially supported by Microsoft. Once you have a JSON object you can find the type of object with Microsoft's https://learn.microsoft.com/en-us/azure/templates/microsoft.securityinsights/contenttemplates?pivots=deployment-language-bicep and it's almost a straight copy and paste of values against properties.
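The post above describes the Id string as carrying the deployment target, the object type and, as its last element, the name. The following is an added example, not code from the thread, that splits an Id into those parts and rewrites the target; `parse_resource_id`, `retarget` and the sample Id (placeholder GUIDs and names) are constructed for illustration, and only resource-group-scoped Ids are handled.

```python
import re

GUID = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SCOPE = re.compile(
    r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/(.+)$", re.IGNORECASE
)

# Constructed sample Id (placeholder GUID and names, not taken from the thread).
SAMPLE_ID = (
    "/subscriptions/00000000-0000-0000-0000-000000000001"
    "/resourceGroups/rg-sentinel"
    "/providers/Microsoft.OperationalInsights/workspaces/law-soc"
    "/providers/Microsoft.SecurityInsights/contentTemplates/example-template"
)

def parse_resource_id(resource_id):
    """Split a resource-group-scoped Id into target, type and name."""
    match = SCOPE.match(resource_id.rstrip("/"))
    if not match:
        raise ValueError("not a resource-group-scoped resource Id")
    subscription, group, rest = match.groups()
    # An object attached to another resource (Sentinel content on a workspace)
    # has a second "/providers/" segment; the last one describes the object.
    *parents, own = re.split("/providers/", rest, flags=re.IGNORECASE)
    namespace, *pairs = own.split("/")
    if not pairs or len(pairs) % 2 or not all(pairs):
        raise ValueError("expected type/name pairs after the provider namespace")
    return {
        "subscription": subscription,
        "resource_group": group,
        "parent": "/providers/".join(parents) or None,
        "type": "/".join([namespace] + pairs[0::2]),
        "name": pairs[-1],  # the name is always the last element of the Id
    }

def retarget(resource_id, subscription, resource_group=None):
    """Return the same Id pointed at another subscription (and resource group)."""
    parse_resource_id(resource_id)  # reject malformed Ids before rewriting
    if not GUID.fullmatch(subscription):
        raise ValueError("subscription must be a GUID")
    if resource_group is not None and not re.fullmatch(r"[\w.()-]+", resource_group):
        raise ValueError("resource group name contains unexpected characters")
    segments = resource_id.split("/")
    segments[2] = subscription
    if resource_group is not None:
        segments[4] = resource_group
    return "/".join(segments)

if __name__ == "__main__":
    print(parse_resource_id(SAMPLE_ID))
    print(retarget(SAMPLE_ID, "00000000-0000-0000-0000-000000000002"))
```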
Hey Jason,
You'll need to change your default category to "sentinel". With the example you linked, "category": "[parameters('workbookType')]" specifies that the category is set from the parameter workbookType.
Also make sure that the workbook is deployed to the same Resource Group as Sentinel.
Hello Laurie,
Thank you very much for your reply.
Can I check that you mean an actual workbook instance?
Where I am struggling is with the direct Template and deploying that...
So, I am using this...
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resourceName": {
      "type": "string",
      "defaultValue": "my-workbook-template",
      "metadata": {
        "description": "The unique name for this workbook template instance"
      }
    }
  },
  "resources": [
    {
      "name": "[parameters('resourceName')]",
      "type": "microsoft.insights/workbooktemplates",
      "location": "[resourceGroup().location]",
      "apiVersion": "2019-10-17-preview",
      "dependsOn": [],
      "properties": {
        "galleries": [
          {
            "name": "A Workbook Template",
            "category": "Deployed Templates",
            "order": 100,
            "type": "workbook",
            "resourceType": "Azure Monitor"
          }
        ],
        "templateData": <PASTE-COPIED-WORKBOOK_TEMPLATE_HERE>
      }
    }
  ]
}
...and then adding the JSON content for a Workbook Template at "templateData"
So, is it possible to add the Template to the Microsoft Sentinel Gallery is what I am asking?
Thank you for being so helpful. Much appreciated.
Jason
- Laurie_Rhodes, Dec 17, 2024, Brass Contributor
Hey Jason,
Thanks for the clarification. You are quite right, what I was referring to was deploying individual workbooks by template - as long as the category is "sentinel", the example on the page you referenced works in deploying custom sourced workbooks. But this isn't what you were getting at. Your question was (I believe) about populating the templates section of the Sentinel workbooks blade. I don't have the right answer for you unfortunately.
From the documentation, something like this I believed would have worked (it doesn't):
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workbookDisplayName": {
      "type": "string",
      "defaultValue": "Sentinel Workbook Template",
      "metadata": {
        "description": "The friendly name for the workbook that is used in the Gallery or Saved List. Needs to be unique in the scope of the resource group and source"
      }
    },
    "workbookDescription": {
      "type": "string",
      "defaultValue": "A sample Sentinel workbook template",
      "metadata": {
        "description": "Description for the workbook"
      }
    },
    "workbookSourceId": {
      "type": "string",
      "metadata": {
        "description": "The id of resource instance to which the workbook will be associated"
      }
    },
    "workbookId": {
      "type": "string",
      "defaultValue": "438ebb27-5c19-4dbd-9a88-9424f8a65361",
      "metadata": {
        "description": "The unique guid for this workbook template"
      }
    }
  },
  "resources": [
    {
      "name": "[parameters('workbookId')]",
      "type": "Microsoft.Insights/workbookTemplates",
      "location": "[resourceGroup().location]",
      "apiVersion": "2020-11-20",
      "properties": {
        "priority": 1,
        "galleries": [
          {
            "name": "Microsoft Sentinel Example",
            "category": "Microsoft Sentinel",
            "order": 100,
            "type": "workbook",
            "resourceType": "microsoft.operationalinsights/workspaces"
          }
        ],
        "templateData": {
          "strings": {
            "title": "[parameters('workbookDisplayName')]",
            "description": "[parameters('workbookDescription')]"
          },
          "workbook": {
            "version": "Notebook/1.0",
            "items": [
              {
                "type": 1,
                "content": {
                  "json": "{\"name\": \"Welcome Section\", \"type\": \"markdown\", \"content\": \"## Welcome to your Sentinel workbook!\"}"
                }
              }
            ]
          }
        }
      },
      "tags": {
        "hidden-title": "[parameters('workbookDisplayName')]",
        "hidden-link": "[parameters('workbookSourceId')]"
      }
    }
  ],
  "outputs": {
    "workbookTemplateId": {
      "type": "string",
      "value": "[resourceId('Microsoft.Insights/workbookTemplates', parameters('workbookId'))]"
    }
  }
}
I'm surprised that the specifics about the properties that are needed to specify the Microsoft Sentinel gallery don't seem to be documented anywhere. These seem to be case sensitive too.
"galleries": [
  {
    "name": "Microsoft Sentinel Example",
    "category": "Microsoft Sentinel",
    "order": 100,
    "type": "workbook",
    "resourceType": "microsoft.operationalinsights/workspaces"
  }
],
That page shows eleven combinations for different types of galleries but nothing for Sentinel.
https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate
I had thought that using hidden titles and links might have solved this - but it was of no help. Hopefully someone from Microsoft can provide some deeper insights! I'm really curious now too! :)
- JMSHW0420, Dec 17, 2024, Iron Contributor
Hi Laurie,
I have just tried the following...with no luck! The Template deploys to the Resource Group, and I can open the Workbook from there, but it is not available in the Microsoft Sentinel Gallery!
{
  "$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "resourceName": {
      "type": "string",
      "defaultValue": "azure-activity-workbook-template",
      "metadata": {
        "description": "The unique name for this workbook template instance"
      }
    }
  },
  "resources": [
    {
      "name": "[parameters('resourceName')]",
      "type": "microsoft.insights/workbooktemplates",
      "location": "[resourceGroup().location]",
      "apiVersion": "2019-10-17-preview",
      "dependsOn": [],
      "properties": {
        "galleries": [
          {
            "name": "A Workbook Template for Azure Activity",
            "category": "Microsoft Sentinel",
            "order": 100,
            "type": "workbook",
            "resourceType": "microsoft.operationalinsights/workspaces"
          }
        ],
        "templateData": <REST OF JSON FOR WORKBOOK TEMPLATE>