john66571
Brass Contributor
Mar 13, 2025

Update content package Metadata

Hello Sentinel community and Microsoft.
I've been working on a script where I use this command:
https://learn.microsoft.com/en-us/rest/api/securityinsights/content-package/install?view=rest-securityinsights-2024-09-01&tabs=HTTP
I've managed to successfully create everything from retrieving what's installed, uninstalling, reinstalling and lastly updating (updating needed to be "list, delete, install" however :'), there was no flag for "update available").

However, now to my issue. As this works like a charm through PowerShell, the metadata and hyperlinking is not being deployed - at all.
So I have my 40 content packages successfully installed through the REST API, but then I have to visit the Content hub in Sentinel in the GUI, filter for "installed" and mark them all, then press "install". When I do this the metadata and hyperlinking is created. (It's most noticeable that the analytic rules for the content hubs are not available under analytic rules -> Rule templates after installing through the REST API). But once you press the install button in the GUI, they appear.

So I looked into the request that is made when pressing the button. It uses another API version, fine, I can add that to my script. But it also uses 2 variables that are not documented and encrypted data. They are called c and t:

I'm also located in the EU and it makes a request to SentinelUS. I'm OK with that, also as mentioned, another API version (2020-06-01) while the REST API to install content packages above has 2024-09-01.
NP.

But I cannot simulate this last request as the variables are encrypted and not available through the install REST API. They are also not possible to simulate. It ONLY works in the GUI when pressing install.

Lastly I get another API version back when it successfully ran through install in the GUI, so in total it's 3 API versions.

Here is my code snippet I tried (it is basically a mimic of the POST request in the network tab of the browser when pressing "install" on the package in Content hub, after I successfully installed it through the official REST API).

function Refresh-WorkspaceMetadata {
    param (
         [Parameter(Mandatory = $true)]
         [string]$SubscriptionId,
         [Parameter(Mandatory = $true)]
         [string]$ResourceGroup,
         [Parameter(Mandatory = $true)]
         [string]$WorkspaceName,
         [Parameter(Mandatory = $true)]
         [string]$AccessToken
    )

    # Use the API version from the portal sample
    $apiVeri = "?api-version="
    $RefreshapiVersion = "2020-06-01"
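    # Build the batch endpoint URL with the query string on the batch URI.
    # The backtick escapes the literal "$batch" path segment (a backslash does not escape in PowerShell).
    $batchUri = "https://management.azure.com/`$batch$apiVeri$RefreshapiVersion"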
    
    # Construct a relative URL for the workspace resource.
    # Append dummy t and c parameters to mimic the portal's request.
    $workspaceUrl = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName$apiVeri$RefreshapiVersion&t=123456789&c=dummy"
    
    # Create a batch payload with several GET requests
    $requests = @()
    for ($i = 0; $i -lt 5; $i++) {
       $requests += @{
           httpMethod = "GET"
           name = [guid]::NewGuid().ToString()
           requestHeaderDetails = @{ commandName = "Microsoft_Azure_SentinelUS.ContenthubWorkspaceClient/get" }
           url = $workspaceUrl
       }
    }
    
    $body = @{
       requests = $requests
    } | ConvertTo-Json -Depth 5

    try {
       $response = Invoke-RestMethod -Uri $batchUri -Method Post -Headers @{
           "Authorization" = "Bearer $AccessToken"
           "Content-Type"  = "application/json"
       } -Body $body

       Write-Host "[+] Workspace metadata refresh triggered successfully." -ForegroundColor Green
    }
    catch {
       Write-Host "[!] Failed to trigger workspace metadata refresh. Error: $_" -ForegroundColor Red
    }
}

Refresh-WorkspaceMetadata -SubscriptionId $subscriptionId `
                          -ResourceGroup $resourceGroup `
                          -WorkspaceName $workspaceName `
                          -AccessToken $accessToken

(Note: I have variables higher up in my script for subscriptionid, resourcegroup, workspacename and token etc.)

I've tried with and without mimicking the T and C variable. None works.
So for me, currently, installing content hub packages for Sentinel is always:

  1. Install through script to get all 40 packages
  2. Visit webpage, filter for 'Installed', mark them and press 'Install'
  3. You now have all metadata and hyperlinking available to you in your Sentinel (such as hunting rules, analytic rules, workbooks, playbooks -templates).

Anyone else manage to get around this or is it "GUI" gated?

Greatly appreciated.

  • GaryBushey
    Bronze Contributor

    As you have stated, that API doesn't work completely (not really sure why it is there).  If you watch what MS Sentinel does when a solution is deployed, it uses "/subscriptions/$($SubscriptionId)/resourcegroups/$($ResourceGroup)/providers/Microsoft.Resources/deployments/" + the deployment name.

     

    Take a look at the All-In-One V2's PowerShell script to see how we used this command to deploy the selected solutions: Azure-Sentinel/Tools/Sentinel-All-In-One/v2 at master · Azure/Azure-Sentinel
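
The deployment-based route described in the answer above, sketched as an added example; it is not part of any post in this thread and is not taken from the All-In-One script. It assumes the `contentProductPackages` list/get operations are available at api-version 2024-09-01, that `properties.packagedContent` carries the solution's ARM template, and that the template accepts `workspace` and `workspace-location` parameters; the function name and the `contenthub-` deployment prefix are hypothetical.

```powershell
# Added example. Assumptions: contentProductPackages list/get at api-version 2024-09-01,
# properties.packagedContent is the solution's ARM template, and that template takes
# 'workspace' and 'workspace-location' parameters. Function name is hypothetical.
function Install-SolutionViaDeployment {
    param (
        [Parameter(Mandatory = $true)][string]$SubscriptionId,
        [Parameter(Mandatory = $true)][string]$ResourceGroup,
        [Parameter(Mandatory = $true)][string]$WorkspaceName,
        [Parameter(Mandatory = $true)][string]$WorkspaceLocation,
        [Parameter(Mandatory = $true)][string]$SolutionDisplayName,
        [Parameter(Mandatory = $true)][string]$AccessToken
    )
    $headers  = @{ Authorization = "Bearer $AccessToken"; "Content-Type" = "application/json" }
    $rg       = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"
    $sentinel = "$rg/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
                "/providers/Microsoft.SecurityInsights"
    $apiVer   = "api-version=2024-09-01"

    # 1. Page through the catalog and select exactly one solution by display name.
    $catalog = @()
    $next = "$sentinel/contentProductPackages?$apiVer"
    while ($next) {
        $page = Invoke-RestMethod -Uri $next -Method Get -Headers $headers
        $catalog += $page.value
        $next = $page.nextLink
    }
    $match = @($catalog | Where-Object { $_.properties.displayName -eq $SolutionDisplayName })
    if ($match.Count -ne 1) { throw "Expected 1 solution named '$SolutionDisplayName', found $($match.Count)." }

    # 2. Fetch the single package; its packagedContent is the template to deploy.
    $pkgUri = "$sentinel/contentProductPackages/$($match[0].name)?$apiVer"
    $pkg = Invoke-RestMethod -Uri $pkgUri -Method Get -Headers $headers
    if (-not $pkg.properties.packagedContent) { throw "Package '$($pkg.name)' returned no packagedContent." }

    # 3. Submit it as an incremental ARM deployment (deployment names are capped at 64 characters).
    $deploymentName = "contenthub-$($pkg.name)"
    if ($deploymentName.Length -gt 64) { $deploymentName = $deploymentName.Substring(0, 64) }
    $body = @{
        properties = @{
            mode       = "Incremental"
            template   = $pkg.properties.packagedContent
            parameters = @{
                "workspace"          = @{ value = $WorkspaceName }
                "workspace-location" = @{ value = $WorkspaceLocation }
            }
        }
    } | ConvertTo-Json -Depth 100
    $uri = "$rg/providers/Microsoft.Resources/deployments/$($deploymentName)?api-version=2021-04-01"
    $result = Invoke-RestMethod -Uri $uri -Method Put -Headers $headers -Body $body
    return $result.properties.provisioningState   # asynchronous: poll the same URI with GET until it settles
}
```

The returned state only confirms that Resource Manager accepted the deployment; check the final `provisioningState` before treating the solution's templates as available in the workspace.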

    • john66571
      Brass Contributor

      Thanks Gary. I'm going to check that out indeed!

      I worked around mine yesterday by installing manually through the portal (GUI), then extracting (get/list) all the content packages and content templates. But that results in a massive static list (I want to just manage the package to be honest and then just install everything within, as it can be only hunting rules, analytic rules or other stuff). Doesn't matter if it's installed in content hub, as long as it's not deployed. That would have meant that if I do a new deployment, it always gets everything latest, rather than having a static massive list to curate. What actually gets deployed however, that is managed through DevOps and is indeed a very curated list (connectors, analytic rules, workbooks). But for content hub... man :D

      Once again, thanks Gary.

  • john66571
    Brass Contributor

    I can't edit the post above. But I tried a few different versions to mimic the GUI "install" and I notice just now that the REST API for installing content packages ONLY installs the content package (not its content, such as hunting rules, analytic rules, etc., which is automatically installed when you select the package in the GUI). I'm going back to the drawing board (perhaps it's not working as intended).
    _________________
    edit2:
    It does look like an API limitation. Despite the documentation implying that installing a content package should also provision all of its nested content (templates, analytic rules, workbooks, etc. via Install template https://learn.microsoft.com/en-us/rest/api/securityinsights/content-template/install?view=rest-securityinsights-2024-09-01&tabs=HTTP), you are not allowed to list all content hub packages - only install/uninstall (which in itself means you have to have installed them once, listed them once, extracted the name and then used it in your script). You can only list/get once they are already installed. So you have no way to list the templates or IDs for those to request installation of them, unless already installed?
    It feels like listing content hub packages AND their content from the content hub without installing first is a vital part to get this to work - that is missing.

    • bisskar
      Copper Contributor

      Replying from another account to get notification.

      I successfully deployed solution + analytics templates + workbook templates.

      For playbooks and connector, deployment is successful; however, they are not visible in templates (automation -> playbook templates), same for connector.

      If you want to talk about this issue and try to solve it, I am sending you my Discord on priv.

    • Osskary
      Copper Contributor

      Have you managed to get it done? I successfully deployed analytics and workbooks; however, for playbooks and connector, they are being successfully deployed but are not visible in templates. I am working with Terraform, however this can be easily adapted to API.
