A new way to install Microsoft Sentinel solutions


As I stated in my last post, Microsoft Sentinel is changing the way that templates are created in a new instance of Microsoft Sentinel. You can read the post here: A tale of two … Analytic Rule template APIs – Yet Another Security Blog (garybushey.com) to get more information on it.

In that post, I mentioned that there are new REST APIs around solutions. This post will go over how to install a new solution using these new REST APIs.

Content Packages REST API

There is a new REST API called “Content Packages” that will allow you to list and get Microsoft Sentinel solutions. Now, if you are like me and like looking into REST APIs, you may notice that there is also the ability to Install and Uninstall.

I have not tried the Uninstall REST API call since I don’t want to uninstall solutions. However, I did try the Install REST API and I will tell you that, as of the 2023-06-01-preview, it does NOT work. You can use it and the solution will show up as installed however, none of the resources that make up the solution will be installed. After all, it is in preview 🙂

Hopefully this will be fixed in a later version and I will be trying each new version to see if it gets fixed.

So, how do we do the install? WE use these new REST APIs to get the needed information and then the tried and true deployment REST API to perform the deployment. You can still use the ARM template like we did in this post if you like: Programmatically enable Microsoft Sentinel solutions – Yet Another Security Blog (garybushey.com) but this new way seems to be a bit cleaner.

Get the list of solutions

This is an optional step if you know the name of the solution you want to install. Keep in mind, that when I say name, I don’t mean “Azure Active Directory” but rather “azuresentinel.azure-sentinel-solution-azureactived-sl-qzpv3znpi3bmg” (the last string of number and letters is a version ID number).

You can get the listing of all the solutions by calling:


and then make the typical call to call the REST API and get the results:

$results = (Invoke-RestMethod -Method "Get" -Uri $url -Headers $authHeader ).value

To find the specific solution you want to install, you can use the name, “Azure Active Directory” mentioned above in the code below:

$solution = $results | Where-Object {$_.properties.displayName -Contains "Azure Active Directory"}

And then you can get the needed name by referencing:


We will then use that to get the specific solution information. When calling the list REST API, there is certain information that is not sent. This is probably to save network traffic.

So, to get a specific solution call:


It is kind of annoying that this REST API references “packageId” and the information is saved as “name”, but that is what makes it interesting. 🙂

Now that we have the solution we need, we can setup the body that is needed in the next PUT call. You will need to know your workspace’s name and the region where it is located (like “eastus”)

$installBody = @{"properties" = @{
        "parameters" = @{
            "workspace"          = @{"value" = $workspaceName }
            "workspace-location" = @{"value" = $workspaceLocation }
        "template"   = $solution.properties.packagedContent
        "mode"       = "Incremental"

You are going to always set “mode” to “Incremental” so that you don’t overwrite existing information that you don’t want to.

You will be calling the REST API:


{deploymentName} can be anything you want but it should be unique. I recommend something like “Deployment” + the solution’s name.

UPDATE: The deployment name has to be 64 or less characters so you may need to do a substring call to make sure it works.

$deploymentName = ("Deployment" + $solution.name).substring(0,63)

Now, make a call to invoke the REST API:

$result = Invoke-RestMethod -Uri $installURL -Method Put -Headers $authHeader -Body ($installBody | ConvertTo-Json -EnumsAsStrings -Depth 50)

If all goes well, $result will contain all the information about the solution that was deployed.


Microsoft Sentinel has changed how they work with Solutions. Because of this, there are new REST APIs to call to get them and install them. This post gives you the steps needed to install.

Next, we will talk about how to create an Analytic rule from the newly deployed solutions.

4 thoughts on “A new way to install Microsoft Sentinel solutions

Leave a Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.