0

I am attempting to deploy an ARM Template (execution using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance.

I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps.

I am struggling with ensuring the Workbook is deployed to the Microsoft Sentinel workbook gallery and NOT the Azure Monitor one.

The link includes a sample ARM template where you can add templateData (JSON code), which represents the workbook you wish to deploy.

properties": { "galleries": [ { "name": "A Workbook Template", "category": "Deployed Templates", "order": 100, "type": "workbook", "resourceType": "Azure Monitor" } ], "templateData": <PASTE-COPIED-WORKBOOK_TEMPLATE_HERE>

I get it working to deploy to the Azure Monitor workbook gallery but not for it to be present in the Microsoft Sentinel one.

Jason

Improve this question
12
  • Have you tried any code so far? @Jason Smyth Commented Dec 16, 2024 at 14:25
  • I am not sure what you mean. If you mean deploying the ARM template, then yes. As I said, it deploys it to the Azure Monitor gallery through PowerShell, not the Microsoft Sentinel one. Commented Dec 16, 2024 at 17:07
  • I have the JSON code in a file. Not sure how to add an attachment... Commented Dec 16, 2024 at 17:09
  • Open the file and copy the code. Edit it in the above question. @Jason Smyth Commented Dec 17, 2024 at 3:06
  • Where I am struggling is with the direct Template and deploying that... So, I am using this... '"properties": { "galleries": [ { "name": "A Workbook Template", "category": "Deployed Templates", "order": 100, "type": "workbook", "resourceType": "Azure Monitor" } ], "templateData": <PASTE-COPIED-WORKBOOK_TEMPLATE_HERE> Commented Dec 17, 2024 at 10:35

1 Answer 1

Reset to default
0

If you want to deploy the workbook template to Microsoft sentinel instead of Azure Monitor, it all depends on the resource type basically when deploying through an ARM template.

The required type is "type": "Microsoft.SecurityInsights/contenttemplates"

Reference Microsoft community Blog for more detailed information as well as for the complete script.

If still the issue persists with the above approach, you can use the New-azresource PowerShell command with the provided resource type to achieve the requirement.

New-AzResource -ResourceGroupName xxx -ResourceType "Microsoft.SecurityInsights/contenttemplates" ` -ResourceName "$workspaceName/Microsoft.Insights/$workbook" -Location $location ` -PropertyObject @{ galleries = @( @{ name = $workbook category = $Category order = 80 type = "workbook" resourceType = "Microsoft.OperationalInsights/workspaces/providers" } ) templateData = TemplateData } -ApiVersion "2020-10-01-preview"
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.