Forum Discussion
ARM template for deploying a workbook template to Microsoft Sentinel
Hi Jason,
You are quite right. It's moving quite a long way from the original question but altering the Id string is all that is required to deploy an object to a different subscription.
In Azure, objects can clip together like Lego blocks based on the "provider" element. The Id string refences where something is deployed to and it tells Azure what type of object is being deployed (although most of the time that is also shown as the type property). You dont actually need the name property either - that's always the last element if the Id.
I'm familiar with the argument for deploying everything as code. These content templates are vesioned and are being updated constantly - it will be one headache to keep the versioning in your code templates up-to-date and if they go down the path of not allowing SOC engineers to create detection rules or update content through the portal it will be a tragedy. If your client also wants data connectors also deployed through code that becomes an almighty world of pain and also a security risk as your build pipeline has to be super-privileged with god rights in all systems.
From an Engineer's perspective, seeing Azure as REST objects is really helpful in understanding how it really works and there are still rare times when REST can get around issues with ARM. I use REST all the time as I'm troubleshooting in my sandpit but I still use Bicep (or ARM) when delivering solutions for customers as it's a standard solution that is officially supported by Microsoft. Once you have a JSON object you can find the type of object with Microsoft's https://learn.microsoft.com/en-us/azure/templates/microsoft.securityinsights/contenttemplates?pivots=deployment-language-bicep and it's almost a straight copy and paste of values against properties.
Hi Laurie_Rhodes,
I have marked your last reply as the Solution.
I know REST API, but you have made me look at it differently from what I needed here.
I will keep you informed (briefly) on how I proceed.
Laurie, I like your blog/website. How do I log in to it, mate?
I want to contribute with constructive comments when necessary.
Jason
Thanks for the feedback Jason :)
I don't really have the time to manage a website with content moderation so I keep it locked and just focussed on my technical notes that I think may be of benefit to others. I'm glad you found it of use!
Hi Laurie_Rhodes,
When I try to execute your Push-Azureobject, I get the following error:
.
PS C:\WINDOWS\system32> $file = "C:\Users\Jason\OneDrive\Desktop\_ARM-PS-TEMPLATES\WorkspaceUsage.json"
PS C:\WINDOWS\system32> Get-jsonfile -Path $file | Push-Azureobject -authHeader $header -apiversions $AzAPIVersions
Invoke-RestMethod : {"error":{"code":"BadRequest","message":"Unable to translate bytes [A3] at index 943 from specified code page to Unicode."}}
At line:58 char:5
+ Invoke-RestMethod -Uri $uri -Method PUT -Headers $authHeader -Bod ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand.
.
.
I understand this likely relates to “unknown, unrecognized, or unrepresentable characters” in the JSON file and needs to process an Encoding dependency; how have you dealt with this in your environment or the PowerShell scripting for the AZRest module?
Hi Jason,
Everything I typically do is in English with either ANSI or Unicode, If you go to my website, have a look at the "about" menu and you will find an address that you can use to email me directly with the text file you are using and we can sort it out together after Christmas. :)Hi Laurie_Rhodes,
Thanks again mate.
Of course, I will do that.
Like you, I'm taking a few days off now.
I hope you have a great XMAS with your family.
Jason