A new way to install Microsoft Sentinel solutions

Introduction

As I stated in my last post, Microsoft Sentinel is changing the way that templates are created in a new instance of Microsoft Sentinel. You can read the post here: A tale of two … Analytic Rule template APIs – Yet Another Security Blog (garybushey.com) to get more information on it.

In that post, I mentioned that there are new REST APIs around solutions. This post will go over how to install a new solution using these new REST APIs.

Content Packages REST API

There is a new REST API called “Content Packages” that will allow you to list and get Microsoft Sentinel solutions. Now, if you are like me and like looking into REST APIs, you may notice that there is also the ability to Install and Uninstall.

I have not tried the Uninstall REST API call since I don’t want to uninstall solutions. However, I did try the Install REST API and I will tell you that, as of the 2023-06-01-preview, it does NOT work. You can use it and the solution will show up as installed; however, none of the resources that make up the solution will be installed. After all, it is in preview 🙂

Hopefully this will be fixed in a later version and I will be trying each new version to see if it gets fixed.

So, how do we do the install? We use these new REST APIs to get the needed information and then the tried-and-true deployment REST API to perform the deployment. You can still use the ARM template like we did in this post if you like: Programmatically enable Microsoft Sentinel solutions – Yet Another Security Blog (garybushey.com), but this new way seems to be a bit cleaner.

Get the list of solutions

This is an optional step if you already know the name of the solution you want to install. Keep in mind that when I say name, I don’t mean “Azure Active Directory” but rather “azuresentinel.azure-sentinel-solution-azureactived-sl-qzpv3znpi3bmg” (the last string of numbers and letters is a version ID).

You can get the listing of all the solutions by calling:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentPackages?api-version=2023-06-01-preview

and then make the usual call to the REST API and get the results (here $url holds the URL above and $authHeader holds the bearer token header):

# Only the "value" array of the response is interesting; each entry is one content package.
$results = (Invoke-RestMethod -Method "Get" -Uri $url -Headers $authHeader).value

To find the specific solution you want to install, filter on the display name “Azure Active Directory” mentioned above:

# Exact (case-insensitive) match on the display name; there should be exactly one hit.
$solution = $results | Where-Object { $_.properties.displayName -eq "Azure Active Directory" }

And then you can get the needed name by referencing:

$solution.name

We will then use that name to get the specific solution. The list REST API leaves out certain properties of each solution, probably to save network traffic, so a second call for the single package is needed.

So, to get a specific solution call:

https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentPackages/{packageId}?api-version=2023-06-01-preview

It is kind of annoying that this REST API references “packageId” and the information is saved as “name”, but that is what makes it interesting. 🙂

Now that we have the solution we need, we can set up the body that is needed in the next PUT call. You will need to know your workspace’s name and the region where it is located (like “eastus”).

$installBody = @{"properties" = @{
        "parameters" = @{
            "workspace"          = @{"value" = $workspaceName }
            "workspace-location" = @{"value" = $workspaceLocation }
        }
        "template"   = $solution.properties.packagedContent
        "mode"       = "Incremental"
    }
}

Always set “mode” to “Incremental”. An incremental deployment only adds or updates the resources in the template; “Complete” mode would also delete any resources in the resource group that the template does not mention, which is not something you want a solution install to do.

You will be calling the REST API:

https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.Resources/deployments/{deploymentName}?api-version=2021-04-01

{deploymentName} can be anything you want but it should be unique. I recommend something like “Deployment” + the solution’s name.

UPDATE: The deployment name has to be 64 characters or fewer, so you may need to truncate it to make sure it works.

# Truncate only when the name is too long; a plain Substring(0,63) throws on shorter names.
$deploymentName = "Deployment" + $solution.name
$deploymentName = $deploymentName.Substring(0, [Math]::Min(63, $deploymentName.Length))

Now, make a call to invoke the REST API ($installURL is the deployments URL above with your values filled in):

# ARM expects a JSON body; -Depth 50 is needed because the packaged template nests deeply.
$result = Invoke-RestMethod -Uri $installURL -Method Put -Headers $authHeader -ContentType "application/json" -Body ($installBody | ConvertTo-Json -EnumsAsStrings -Depth 50)

If all goes well, $result will contain the deployment resource for the solution. Note that ARM deployments run asynchronously: the PUT returns while properties.provisioningState is still “Accepted” or “Running”, so do a GET on the same deployment URL until it reports “Succeeded” (or “Failed”) before assuming the solution’s resources exist.
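The steps above, put together into one script as an added example (this is not code from the original post). It assumes the Az.Accounts module is installed and Connect-AzAccount has been run so that Get-AzAccessToken can return a token for Azure Resource Manager; the subscription, resource group, workspace and location values are parameters you supply. It matches the display name exactly rather than with -Contains, refuses to deploy if the package carries no packagedContent, and after the PUT polls the deployment until it finishes and lists the resources it actually created, which is the check that exposes the preview Install API behaviour described earlier (solution marked installed, nothing deployed).

```powershell
# Added example: install one Microsoft Sentinel solution via the Content Packages API
# (2023-06-01-preview) plus the Resources deployment API (2021-04-01).
# Assumes Az.Accounts is installed and Connect-AzAccount has already been run.
param(
    [Parameter(Mandatory)] [string] $SubscriptionId,
    [Parameter(Mandatory)] [string] $ResourceGroupName,
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $WorkspaceLocation,   # e.g. "eastus"
    [string] $SolutionDisplayName = "Azure Active Directory"
)

$ErrorActionPreference = "Stop"

# Bearer token for ARM from the current Az session. Newer Az.Accounts versions
# return the token as a SecureString, so handle both shapes.
$tokenObj = Get-AzAccessToken -ResourceUrl "https://management.azure.com/"
$token = if ($tokenObj.Token -is [securestring]) {
    [System.Net.NetworkCredential]::new("", $tokenObj.Token).Password
} else { $tokenObj.Token }
$authHeader = @{ "Authorization" = "Bearer $token" }

$baseUrl     = "https://management.azure.com/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName"
$sentinelUrl = "$baseUrl/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName/providers/Microsoft.SecurityInsights"
$contentApi  = "api-version=2023-06-01-preview"

# 1. List all content packages and pick the one whose displayName matches exactly.
$packages = (Invoke-RestMethod -Method Get -Uri "$sentinelUrl/contentPackages?$contentApi" -Headers $authHeader).value
$match = @($packages | Where-Object { $_.properties.displayName -eq $SolutionDisplayName })
if ($match.Count -ne 1) {
    throw "Expected exactly one solution named '$SolutionDisplayName', found $($match.Count)."
}
$packageId = $match[0].name

# 2. Fetch the single package; the list call leaves out the packagedContent template.
$solution = Invoke-RestMethod -Method Get -Uri "$sentinelUrl/contentPackages/${packageId}?$contentApi" -Headers $authHeader
if (-not $solution.properties.packagedContent) {
    throw "Package '$packageId' returned no packagedContent; nothing to deploy."
}

# 3. Build the deployment body. Incremental mode never deletes resources that
#    already exist in the resource group but are absent from the template.
$installBody = @{
    "properties" = @{
        "mode"       = "Incremental"
        "template"   = $solution.properties.packagedContent
        "parameters" = @{
            "workspace"          = @{ "value" = $WorkspaceName }
            "workspace-location" = @{ "value" = $WorkspaceLocation }
        }
    }
}

# 4. Deployment names are limited to 64 characters; truncate only when needed.
$deploymentName = "Deployment" + $packageId
if ($deploymentName.Length -gt 64) { $deploymentName = $deploymentName.Substring(0, 64) }

# 5. Submit the deployment. ARM answers right away with provisioningState Accepted/Running.
$deployUrl = "$baseUrl/providers/Microsoft.Resources/deployments/${deploymentName}?api-version=2021-04-01"
$json = $installBody | ConvertTo-Json -Depth 50
$deployment = Invoke-RestMethod -Method Put -Uri $deployUrl -Headers $authHeader -ContentType "application/json" -Body $json

# 6. Poll until the deployment finishes, then list what was actually created.
while ($deployment.properties.provisioningState -in @("Accepted", "Running")) {
    Start-Sleep -Seconds 10
    $deployment = Invoke-RestMethod -Method Get -Uri $deployUrl -Headers $authHeader
}
if ($deployment.properties.provisioningState -ne "Succeeded") {
    $err = $deployment.properties.error | ConvertTo-Json -Depth 10
    throw "Deployment '$deploymentName' ended in state $($deployment.properties.provisioningState): $err"
}
Write-Host "Deployment '$deploymentName' succeeded. Resources created or updated:"
$deployment.properties.outputResources | ForEach-Object { Write-Host "  $($_.id)" }
```

Run it with the four mandatory parameters (for example `.\Install-SentinelSolution.ps1 -SubscriptionId ... -ResourceGroupName ... -WorkspaceName ... -WorkspaceLocation eastus`). An empty outputResources list after a “Succeeded” state is the signal that the template deployed nothing, which is exactly what you want to notice rather than trust the solution’s “installed” status.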

Summary

Microsoft Sentinel has changed how it works with solutions. Because of this, there are new REST APIs to call to list them, get them and install them. This post gives you the steps needed to perform the install.

Next, we will talk about how to create an Analytic rule from the newly deployed solutions.
