Forum Discussion

john66571's avatar
john66571
Iron Contributor
Mar 13, 2025
Solved

Update content package Metadata

Hello Sentinel community and Microsoft. Ive been working on a script where i use this command: https://learn.microsoft.com/en-us/rest/api/securityinsights/content-package/install?view=rest-security...
apis
automation
Content
siem
soar
  • GaryBushey's avatar
    GaryBushey
    Mar 13, 2025

    As you have stated, that API doesn't work completely (not really sure why it is there).  If you watch what MS Sentinel does when a solution is deployed, it uses "/subscriptions/$($SubscriptionId)/resourcegroups/$($ResourceGroup)/providers/Microsoft.Resources/deployments/" + the deployment name.

     

    Take a look at the All-In-One V2's PowerShell script to see how we used this command to deploy the selected solutions: Azure-Sentinel/Tools/Sentinel-All-In-One/v2 at master · Azure/Azure-Sentinel

GaryBushey's avatar
GaryBushey
Bronze Contributor
Mar 13, 2025

As you have stated, that API doesn't work completely (not really sure why it is there).  If you watch what MS Sentinel does when a solution is deployed, it uses "/subscriptions/$($SubscriptionId)/resourcegroups/$($ResourceGroup)/providers/Microsoft.Resources/deployments/" + the deployment name.

 

Take a look at the All-In-One V2's PowerShell script to see how we used this command to deploy the selected solutions: Azure-Sentinel/Tools/Sentinel-All-In-One/v2 at master · Azure/Azure-Sentinel

  • john66571's avatar
    john66571
    Iron Contributor
    Nov 06, 2025

    Just to confirm, i revisited the all-in-onev2 script above and got it to work. i can now feed my list of content hub packages and it will install the content (including linkage to metadata). It sure takes some time (quicker to just mark and click in portal). but it works!
    it also works to remove and delete content the same way :).  

    marked as solution! (alltho i had to do some powerSh3lL magic and walla!).

  • john66571's avatar
    john66571
    Iron Contributor
    Mar 14, 2025

    Thanks Gary. Im going to check that out indeed!

    I worked around mine yesterday by installing manually through the portal (gui). then extracting (get/list) all the content packages and content templates. But that results in a massive static list (i want to just manage the package to be honest and then just install everything within as it can be only hunting rules, analytic rules or other stuff). dosent matter if its installed in content hub, as long as its not deployed). That would have ment  that if i do a new  deployment, it always get everything latest. rather then have a static massive list to curate. What actually get deployed however, that is managed through devops and is indeed a very curated list (connectors, analytic rules, workbooks).  But for content hub... man :D

    Once again, thanks Gary.

Resources