Forum Discussion

john66571's avatar
john66571
Iron Contributor
Mar 13, 2025
Solved

Update content package Metadata

Hello Sentinel community and Microsoft. Ive been working on a script where i use this command: https://learn.microsoft.com/en-us/rest/api/securityinsights/content-package/install?view=rest-security...
apis
automation
Content
siem
soar
  • GaryBushey's avatar
    GaryBushey
    Mar 13, 2025

    As you have stated, that API doesn't work completely (not really sure why it is there).  If you watch what MS Sentinel does when a solution is deployed, it uses "/subscriptions/$($SubscriptionId)/resourcegroups/$($ResourceGroup)/providers/Microsoft.Resources/deployments/" + the deployment name.

     

    Take a look at the All-In-One V2's PowerShell script to see how we used this command to deploy the selected solutions: Azure-Sentinel/Tools/Sentinel-All-In-One/v2 at master · Azure/Azure-Sentinel

john66571's avatar
john66571
Iron Contributor
Mar 13, 2025

I cant edit the post above. But i tried a few different versions to mimic the GUI "install" and i notice just now that the rest api for installing content packages ONLY installs the content package (not its content, such as hunting rules, analytic rules, etc etc, which is automatically installed when u select the package in the GUI).  Im going back to the drawingboard (perhaps its not working as intended).
_________________
edit2:
It does look like an API limitation. Despite the documentation implying that installing a content package should also provision all of its nested content (templates, analytic rules, workbooks, etc. via Install template https://learn.microsoft.com/en-us/rest/api/securityinsights/content-template/install?view=rest-securityinsights-2024-09-01&tabs=HTTP), but you are not allowed to list all content hub packages - only install/uninstall (which in it self meens you have to had installed them once, list them once, extract the name and then use in your script).  you can only list/get once they are already installed. So you have no way to list the templates or id's for those to request installation of them, unless already installed?
it feels like listing content hub packages AND their content from the content hub without installing first is a vital part to get this to work - that is missing.

bisskar's avatar
bisskar
Copper Contributor
Mar 20, 2025

Replaying from another account to get notification.

I successfully deployed solution + analytics templates + workbook templates.

For playbooks and connector, deployment is successful however they are not visible in templates (automation -> playbook templates), same for connector. 

If you want to take about this issue and try to solve it, I am sending you my discord on priv.

Resources